Chief Information Security Officers are a relatively rare breed. Information security is, after all, a relatively recent addition or subset to IT, and while most large organizations now do profess to having a CISO, CSO or head of information security, many still don’t. Indeed, it’s often the case that a company appoints its first CISO in the aftermath of a data breach - like Target did in 2014 or Sony in 2011.
However, landing yourself a CISO, and a good one at that, isn’t straightforward.
It’s well documented that the InfoSec landscape has a huge skills gap, with Cisco, training body ISC2 and other authorities putting the shortage around 1.5 to 2 million personnel , and ISACA speaking of a “ missing generation ” of security staff.
This shortage - though disputed by some, including the Department of Homeland Security, is most keenly felt with network analysts and - increasingly - data scientists, but it also impacts firms at CISO level too.