 

As Regulators Lurk, Companies Look to vCISOs To Fill Board-Level Expertise Void

By Natalie Anderson on April 18, 2023


As cybersecurity risks grow more severe, and the obstacles organizations must navigate to meet their regulatory and compliance obligations more complex, businesses are scrambling not just to staff rank-and-file security roles, but to gird their senior ranks with experienced talent. 

The problem: there’s little talent to be had at either level – and qualified personnel, if they’re not snatched up by a competitor, come with a steep price tag.

A recent report by (ISC)² found a global cybersecurity workforce gap of 3.4 million workers, a number that, to put it in perspective, would account for almost three-quarters of the existing talent pool. Nearly half of the organizations participating in that survey said the reason for the shortage boiled down to a lack of available talent – while another third said they either couldn’t retain talent, couldn’t afford it, or both.

Within their most senior ranks, organizations face an even more pronounced expertise deficit. Based on an analysis of publicly available data, the Forbes Technology Council earlier this year reported that 9 in 10 public companies lack even a single board director with cybersecurity expertise – and that there’s a shortfall of more than 2,700 directors across the Russell 3000, which accounts for the majority of publicly traded companies. (Only half of the Fortune 500 has appointed a board member with the requisite experience.)

If the scarcity of expertise puts organizations at higher risk for data breach and more vulnerable to cybercrime, it also exposes them to sharpening regulatory scrutiny. Imminent changes to the SEC’s Cybersecurity Incident and Governance Disclosure Obligations for Public Companies will require public companies not only to describe how they’re managing cybersecurity risks, but to disclose what expertise, if any, their board members might possess.

But in the absence of full-time board-level expertise, organizations may rely more heavily, at least in the short term, on vCISOs – both to represent the business’s cybersecurity and compliance interests to investors and external stakeholders, and to provide redundancy where it’s needed.

“The SEC is forcing companies to have at least one person on their board with a cybersecurity background, but those people are expensive and there aren’t many of them out there,” Heather Lantz, senior vice president of cybersecurity at Ascend Technologies, said on a recent episode of Apptega’s Risky Business Podcast. “So the vCISO can act as a broad representative and help them deliver what’s needed from a compliance perspective.”

“I believe we’re going to have more companies engaging them because it’s hard to keep a CISO for long,” she continued. “We even have clients that have a CISO in place, but still want a vCISO program for resiliency.”  

One potential hurdle to CISOs joining board ranks is that, generally, they lack prior board experience. So while, according to a recent Heidrick report, 56% of CISOs said their ideal next role was to sit on a board of directors, only 14% said they currently held that role. 

In this sense, the vCISO position may be beneficial both for security-bereft organizations and as a vehicle – with the help of the managed service providers (MSPs) that are placing them – to help cybersecurity experts secure elusive board-level roles.

For more about the role of the vCISO, how organizations are leveraging it to fill talent gaps, and what MSPs can do to optimize the vCISO engagement for their clients, check out our latest episode of The Risky Business Podcast.
