There is no doubt that in the world we’ve created, enterprises require new technologies, evolving security strategies, machine learning, and AI to improve their cybersecurity postures. It is proven that machines, unlike us, can keep the work going through good and bad times—even during a pandemic. There are tasks beyond human capabilities and tasks machines are more efficient at, but it is undeniable that humans are resourceful and intelligent, and their input is necessary, especially when it comes to making major decisions in an organization.
AI is all about analyzing patterns by crunching data, but machines cannot see beyond the data. Humans can. With intuition and creativity, humans can understand situations from a holistic perspective and definitely manage employees better than a machine.
Without a human-centric approach, many organizations lack the fundamental skills to defend themselves against the most sophisticated attacks. A common pain point organizations face is a lack of skills in the cybersecurity community. The good news is that surveys conducted by Gartner in 2021 show that the gap between cyber skills demand and supply has been narrowing. However, this trend appears to be only short-term and will be counteracted by significant growth rates in the cybersecurity job market through 2030. This trend applies not only to employees but also to boards of directors (BoDs).
Boards need more tech-savvy executives
According to a Gartner survey, 88% of BoDs see cybersecurity as a business risk rather than a technology risk, but only 12% have a dedicated, board-level cybersecurity committee. Although business leaders know their enterprises must be secured against threats, the responsibility for security mostly falls on IT leadership, such as the CIO or CISO. “Yet, business leaders make decisions every day, without consulting the CIO or CISO, that impact the organization’s security,” said Paul Proctor, research vice president at Gartner.
Furthermore, a 2020 Deloitte study confirms that 79% of high-performing companies have at least one board member with technology experience, compared to 52% of baseline organizations. Without significant digital experience on the board, firms must look to tech executives’ strategic expertise.
Information risk and security are becoming a distributed C-suite responsibility, no longer limited to IT management. This has led to senior leaders outside of IT increasingly hiring their own technology talent and actively shaping their digital strategy to test and scale digital business ideas.
CISOs have a shorter tenure than CIOs
As BoDs rush to bridge the talent gap, they will have to be mindful of the amount of time these leaders spend in their roles. Multiple industry sources state that the average tenure for a CISO is 18-26 months shorter than the average four-year tenure of a CIO. This is because CISOs are either fired after a data breach or resign for better pay and a better work-life balance.
According to Cybersecurity Ventures, 24% of CISOs in Fortune 500 organizations have been in their role for an average of one year. This means that organizations have a short window in which to identify, foster, and retain a pipeline of emerging security leaders to ensure the long-term sustainability and effectiveness of their security programs. In parallel, Gartner predicts that by 2025, the global shortage of qualified emerging security leaders will result in a 20% rise in salaries for even inexperienced cybersecurity leaders.
An “emerging security leader” is an individual who is not currently working in a formal leadership position but has demonstrated the requisite aptitude, competencies, and capabilities needed to lead a cybersecurity organization soon.
Cultivate and nurture IT leadership in organizations
Hiring security leaders is expensive, which is why businesses are allocating separate funds for them. This is especially difficult for SMBs, where hired security leaders often feel undervalued and decide that there is no reason to stay in the organization.
In hiring, leaders should consider shifting to a competency-based assessment of emerging security leaders rather than focusing purely on skills and experience. They can start by conducting a skills assessment across the security and IT workforce, including an evaluation of current leadership competencies. This will identify which team members have the leadership attributes, aptitude, and interests that could be fostered for future leadership roles.
Encouraging these emerging security leaders to interact with experienced business mentors inside the organization will help them become more familiar with the organization’s business operations, context, strategic objectives, and risk appetites in a friendly, safe setting. Also, they will develop a more holistic understanding of the distinctive functions of the organization. Promoting leadership from within the organization will aid in retaining top security talent by showing them that there is a clear, attainable career path for them if they stay.
There is not a one-size-fits-all mold for an effective board composition. BoDs should consider their composition carefully to ensure that they have the right skills and experiences to allow for diversity of thought and innovative, strategic discussions. Above all, as boardrooms evolve to navigate an increasingly complicated world, they should definitely steer clear of automating decision-making.