A strong security-focused culture and adherence to best practices help companies attract and retain cybersecurity talent. (ISC)² commissioned the study to better understand how successful organizations are overcoming the shortage of skilled cybersecurity talent in a demand-heavy, competitive recruitment environment.
“The growing cybersecurity workforce gap has received a lot of media attention. What we haven’t heard as much about is how some companies are actually succeeding in building their security teams even in the face of this competition for talent. Our empirical analysis shows the demonstrable effect cybersecurity leaders can achieve by fostering a strong cybersecurity culture,” said (ISC)² Director of Cybersecurity Advocacy for North America John McCumber. “The human factors of information security are most effectively accessed, developed, and employed by organizations with this critical professional leadership. This new report provides a window into how this gap can be leveraged by individuals and organizations alike to dramatically improve the protection and management of critical information assets.”
The data is based on a survey of 250 U.S. cybersecurity professionals with oversight of hiring and managing security departments, who say their organization does an adequate job of ensuring it has enough cybersecurity expertise on staff.
Key insights from the study include:
- 97% of respondents indicated that their entire executive management team understands the importance of strong security practices and reinforces those messages with staff.
- When asked which tactics were used to successfully build a strong cyber team, 70% said they hire certified security professionals, 70% train and promote from within, and 52% attribute their success to drafting clear job descriptions.
- 86% said their company employs a CISO. Of these, 57% of the CISOs report directly to either the CEO or the board of directors, indicating the level of importance associated with the position.
- 58% of these companies cited having a strong risk management policy as the #1 reason they are confident their capabilities are adequate to protect their enterprise.
- About half (51%) of these companies say they employ at least two dedicated cybersecurity staff, which they believe is critical to cybersecurity readiness.
- 79% of companies said their cybersecurity staff's average tenure is at least three years.
- 50% have been able to hire talent from the government sector. Of these, 67% said salary was the biggest draw, 60% cited the opportunity to work with a strong leadership team, and 59% believe the opportunity to work for a mission-based organization helps win over recruits from the public sector.