The Rise of CISO Resignations
A worrying trend has recently emerged among CISOs (Chief Information Security Officers): they are resigning. And not just a handful; almost one third of CISOs and IT cybersecurity leaders in the UK are considering quitting their jobs. Here we look at why, and at what the consequences may be.
What’s the problem?
Post-pandemic, the ‘Great Resignation’ was an issue for many organisations, with numerous experienced and talented people leaving their jobs for a better work-life balance. The pandemic may have served as a catalyst for people to re-evaluate their lives, careers and financial situations, but those who remained in situ have been picking up the slack since then, often with a reduced number of team members, a smaller budget and far more technologically advanced adversaries. Many of the CISOs questioned for the report (30%) cited the desire for a better work-life balance as one of the principal reasons for their potential decision, but many others also said that a primary factor was that the nature of their job was changing – that it was moving away from dealing with ‘strategic issues’ and increasingly concentrating on ‘firefighting’.
Technological advances among cyber-criminals have led to a vast increase in cyber attacks and security breaches. The Cyber Security Breaches Survey 2023 studies UK cyber resilience, and the latest statistics show that attacks and breaches are a constant threat to businesses and charities, with 32% of businesses and 24% of charities having experienced a breach or an attack over the last 12 months. Medium and large businesses, and charities with an income of over £500,000, were more likely to be at risk, and the cost of dealing with such incidents was on average £1,100. Worryingly, smaller businesses are pushing cyber security down their list of priorities as they deal with issues such as inflation and economic uncertainty.
Other concerning statistics include:
88% of companies in the UK have had breaches in the last 12 months
There are around 65,000 attempts to hack small- and medium-sized businesses in the UK every day – around 4,500 of these are successful – that’s around one every 19 seconds
33% of UK organisations admit that they lost customers after a data breach but 39% admit that they only report the larger breaches
The main challenges that CISOs face include dealing with disparate products and services which may have been adopted ad hoc over a number of years – this presents further issues both when data is analysed and in terms of recruitment.
Cybercrime is evolving at an exponential rate, especially when those threats are automated – we’re hearing a lot about generative AI at the moment, some of which is being used by hackers to add to their arsenals.
Cyber attacks happen every hour of the day, and maintaining a threat detection and response team 24/7 can also be challenging in terms of staffing.
Finally, budgets are being stretched, and cyber security may not be the priority it ought to be in some boardrooms.
By far the most serious challenge for companies and charities is the lack of experienced people to deal with this 24/7 threat. A 2022 report, ‘Cyber Security Skills in the UK Labour Market’, commissioned by the Department for Digital, Culture, Media and Sport, revealed some interesting and alarming findings:
Around 51% of businesses in the UK (697,000) still lack the skilled staff to deal with the threat of cyber crime, incident response and governance, and many of those people charged with dealing with such things lack the confidence to do so
About a third of businesses (451,000) acknowledge skills gaps in areas like forensic analysis, penetration testing and security architecture
Almost 37% of businesses (roughly 4 in 10) report skills gaps in areas such as incident response and recovery and, more worryingly, do not outsource this aspect of their cyber security
37% of businesses lack incident management skills
On the whole, management boards lack an understanding of what’s required for good cyber security, and those charged with its oversight have a deep knowledge deficit
Training for individuals in non-cyber sector firms who wish to move into such areas is notably absent. 85% of people working in private sector cyber roles have moved into the role from a non-cyber role, and within the cyber sector itself only just over half have previous cyber experience.
At the core of all these issues is a lack of cyber talent. The Cyber Security Skills report mentioned above notes that over half of all private businesses (51%, or 697,000 individual companies) have identified a skills gap – which may be as simple as a lack of staff confidence when dealing with such issues. A third of businesses (451,000) have found they have deeper problems with a lack of technical skills in areas such as threat intelligence, penetration testing and interpreting malicious code.
This can be explained by the lack of cyber talent available to them. Over half of UK businesses have had difficulties recruiting specialists, and more than 44% of vacancies were classed as ‘difficult to fill’. The reasons given are that candidates lack technical skills and knowledge, but also that there is increased competition from other employers. Skills shortages are reported in both generalist and specialist roles. The Government estimates that there are 58,000 specialists working within cyber firms across the UK at the moment – an increase of 5,300 on 2022 figures. But this is clearly not enough.
Recruitment and retention play a vital role in leading the defence against cyber attacks. However, it is a challenge, with fewer highly skilled individuals available and greater demand from both private and public sector employers. Even in the last 12 months we have seen the nature of the threat change and evolve, and in order to combat the risk posed by criminals, organisations must take several different approaches to recruitment: they need to compensate their potential employees appropriately; they need to increase the diversity of their teams; and they need to take responsibility for training the next generation of cyber specialists in order to improve their retention figures. Only then will we start to see a reversal of the rise in CISO resignations.