Almost three years ago, one of the most historic hacks happened: Target disclosed that 40 million of its of its customers’ credit and debit card data had been compromised. Bloomberg Businessweek called it "the biggest retail hack in U.S. history."
The fallout was huge. The company spent tens of millions of dollars in the following months trying to clean up the mess. In the end, then-CEO Gregg Steinhafel stepped down, the company paid $10 million to the victims of the hack, its chief security officer left the company, and Target ultimately lost millions of dollars due to a subsequent loss of sales.
This was a watershed moment for the big companies in terms of security. About five months after the breach was announced, security journalist Brian Krebs wrote "It’s now clear that Target and other major retailers have been spending money in the wrong places—and that they’ve left a gaping hole in the Internet for hackers to keep stealing yours." Now, more than two years later, security is still a huge problem for large and small organizations alike and companies are scrambling to find the proper leadership.
Some might characterize the last few years as a "gold rush" for security professionals. It’s becoming increasingly clear that hackers are going to continue hacking, and businesses are scrambling to bring in the leaders they need to fend off these increasing attacks.
A recent report from Cisco puts it bluntly, "cybersecurity skills are in high demand, yet in short supply." With this, large organizations are scrambling to figure out how best to implement a proper security strategy all the while struggling to find the best people to execute the tasks. More than half of the organizations surveyed in the Cisco report sought security consulting, indicating that there's a continual gap of internal knowledge.
The big issue is understanding how to position the problem. For years, security was something of an operational issue—a decision made and implemented by middle management. Top decision-makers didn’t really understand the inner workings of IT, so they likely didn’t have much stake in a company’s security posture.
But as targets become more widespread, it’s now a leadership issue. And titles like CISO (Chief Information Security Officer) and CSO (Chief Security Officer) are becoming C-level staples.
The problem, however, isn’t just in the job creation—it’s in finding people with the correct skill set. Larry Ponemon, the chairman and founder of the Ponemon Institute, which researches data security practices, explains that for companies looking for security top brass, they need someone with more than just good on the ground skills. "A lot of organizations," he says, "will hire people who do security with an IT background."
More pertinent is that they aren’t fluent in the language of business. For a role like a CISO, it’s not just about finding problems and implementing solutions—it’s more explaining why it’s so important to a board. Once organizations figure out a new security posture from the inside out, a CISO will have to explain why they’ll likely have to increase the budget by 10% to combat security flaws.
Finding this talent is difficult too. That’s why large companies are now flocking to the big security conferences around the world, such as RSA and Black Hat. It’s a major networking event for the professional inside the industry to meet up with the companies scrambling to cover their tracks.
More, executive recruiting firms are now focusing much more on security expertise. As Ponemon puts it, they're an "emerging cottage industry of headhunters." These firms are capitalizing on the gold rush, positioning themselves as the best way to find C-level employees with the correct security expertise.
Though headhunting may seem like a smart way for some, there may be more direct routes. Christopher Ahlberg, cofounder and CEO of the cybersecurity startup Recorded Future, has found great success in tapping military and government alumni. His firm lives and breathes security—its keystone product combs the open web for potential hacking rumblings and uses machine learning to predict when a breach may occur—so it’s imperative that everyone inside understand the industry. But as he sees it, the necessary skills can come from places other than an IT department. He says he looks "mainly for people who understand intelligence."
The ultimate thing about creating a security product—as well as an internal security posture—is dealing with unknowns; when something happens from an external source, how do you protect yourself. Those with military backgrounds are trained rigorously to deal with precisely these quandaries. So Ahlberg says he's had resounding success plucking people who are "retiring" from the government and having his team train them inside the world of cybersecurity. (Of course, he probably gets some help in finding the best and brightest government officials thanks to funding from the CIA’s venture arm In-Q-Tel.)
Despite the need, the market is anything but stable. For many top-level security leaders, the job is stressful and difficult to navigate. "It’s not as glamorous as you might think," says Ponemon. More, companies consistently try to poach people, so the average span of a leading security job may only last a few years. Not to mention, when a breach does happen it’s the leader who will take the blame and likely have to move on.
The only way for this to smooth out is to get more experienced people in the industry. The job requires a tiny quadrant inside a large technological venn diagram of skills. Education institutions are beginning to offer programs to teach cybersecurity as a standalone skill, and this could alleviate the job crunch down the line. But for now, it’s a mad dash for large companies to not only say they’re ready but also truly be ready.
And, of course,those who have the leading roles have to be prepared for the worst. In some ways, roles like CISO are the hardest because everything is good when nothing happens. Then, when one misstep occurs, millions of dollars are at stake. And even if the best security practitioners are trying to secure an organization, they can often get blindsided.
"It's one of those jobs that's ungrateful," says Ahlberg. And sometimes the cards can get stacked against you. But perhaps with better sourcing and more direct training, the recruitment process will be a little less like the Wild West.