Observations from my recent CISO role hunt
Last year I began looking for my next security leadership position having taken the opportunity to leave my previous role following the successful completion of significant structural changes. I took the first few months of the search process at a very slow pace to enable me to enjoy the summer holidays with my children and help with a kitchen renovation, but as the summer holidays drew to a close I actively stepped up my role hunting.
I adopted a number of strategies including engaging with well known security recruiters, engaging with executive search firms, researching large local companies and their talent acquisition portals, signing up to online job boards and finally, using the black hole of LinkedIn to find and apply for numerous roles.
What I can honestly say is that this was the hardest and longest it took me to find my next role in the field of cyber security in over 25 years. I'm sure there are many factors that contributed to this but below are my personal observations on the current Cyber Security recruitment market and how I found the process of acquiring my next role.
Security Leadership Vacancy Scarcity
Despite 2023 Gartner research that indicated 25% of CISOs will change careers by 2025, the realisation of this forecast isn't yet apparent, although we can't rule out a mass exodus later this year... My assumption, supported by anecdotal evidence, is that economic and geopolitical uncertainties over the past few years have led to a reduction in existing CISOs taking their next step, or that new security leadership positions aren't being created (despite an increasing need) as rapidly as we might have expected, despite the increasing regulation and board-level visibility required for cyber security, such as that implemented by the SEC.
Faux Security Leadership Vacancies
There is a constant theme across social media posts from candidates and recruitment consultants about the all-encompassing expectations of roles being posted online for security leaders, whether titled "Head of", "Director of" or in some cases "CISO". Many of these roles seem to require applicants to be hands-on technical experts in security tooling, policy and procedure writers, project managers, risk analysts, incident responders, secure application development engineers, pen testers, third-party supplier risk assurance consultants, operational resilience/business continuity experts, data protection practitioners, regulatory compliance management professionals, security certification management audit specialists and, last but not least, security strategy developers and leaders.
Each of these security domains is, in many larger organisations, a function in its own right, yet the reality is that whilst many companies (small and large) are recognising they need to improve cyber security, the budgets for staffing aren't stretching beyond one or two individuals to do everything. Social media commentary would seem to validate that companies are therefore trying to attract staff into these all-encompassing and impossible roles through the lure of a leadership job title, yet in many cases these roles are reporting into a Head/Director of IT (or similar level), and definitely not at or into a member of the company's executive committee.
Applicant Overload
I've historically been a big fan of LinkedIn, with the majority of my previous roles secured as a result of recruitment consultants finding my profile online and reaching out to discuss opportunities. That said, over the past couple of years I have seen LinkedIn descend into a purely numbers game job board.
Companies and recruitment consultants are able to easily (and cost effectively?) get open roles onto LinkedIn, very quickly get thousands of impressions, views and many hundreds of applications, either through the Easy Apply route or via redirection to their online Applicant Tracking Systems. I'm sure from a pure metrics perspective this looks incredibly impressive, but ultimately this means someone (or something... read: ubiquitous AI) doing a lot of CV sifting to attempt to find the best candidates.
This puts a lot of onus, and rightly so, on candidates improving their profiles to enable them to leverage/game the system to get their CVs in front of the actual hiring manager (creating a growing industry of professional CV writers or Generative AI CV assessment/improvement services). I've even read of candidates using white text to hide keywords that aren't part of their experience to get their applications higher up the sifting ladder.
I believe this is leading to an expectation gap and disenchantment for candidates. Why? Because in the vast majority of cases the unsuccessful outcome is at best an automated generic rejection email, or more likely complete radio silence. Correspondingly, for candidates the job search process is descending into the same numbers game, as they apply for any and every role they can in the hope that one or two result in being able to talk to a human being, and that the role they applied for turns out to be one they are excited to pursue.
How things turned out
Ultimately (after 6 months) I did find a professionally rewarding interim role and, true to many of my previous ones, this came about as a result of a fantastic head hunter who used the old-fashioned method of networking, LinkedIn and their experience to find potential candidates, taking time to speak with me (and I am sure other candidates) before introducing me (and others) to their client.
My key takeaway from this experience is how much value a traditional head hunter/recruitment consultant continues to bring to the table, for both candidate and client, and I fully expect to maintain and leverage the relationships I have with those I have worked with and/or been recruited by when I come to grow my team in the future.
What I will be interested to see over time though, is whether the trend towards mass application acquisition, aligned with AI driven automated applicant tracking systems, results in better or worse long term recruitment outcomes for candidates and clients. Or will this result in faster staff turnover due to misaligned expectations between employer and employee?
What's next?
With my interim role now complete I have taken the exciting decision to establish myself as an independent security consultant, providing vCISO, Security Assessment and Security Transformation Programme services. I am really excited to have already onboarded my first vCISO client and am looking forward to growing the Help4Security business over the coming year(s) as I leverage my extensive end-user and consultancy leadership experience.