Two-thirds (66%) of global CISOs say they are struggling to recruit the right talent and a similar number believe shortages will only get worse, according to a new study from Marlin Hawk.
The global executive recruiter surveyed 500 cybersecurity leaders working in businesses with 500 or more employees across the US, Europe and APAC to compile its report, Global Snapshot: The CISO in 2020.
It found CISOs in APAC are encountering most difficulties with recruitment: 91% of respondents there said it was hard to find the right talent, versus 61% in the UK and 54% in the US. Globally, the main challenges revolved around candidates lacking the right technical knowledge (34%), the right experience (30%) and being the right culture fit (10%).
Although 73% of respondents are under 45 years old, there may be long-term trouble ahead for many companies. The average tenure as CISO is four years globally, and 85% of respondents said they are actively looking for a new role or would consider one if approached.
The report warned in particular of a “brain drain” from the public sector, where over a quarter of respondents are actively pursuing new roles. Over half (52%) said they wanted a new challenge whilst 37% pointed to better compensation.
A further 62% of CISOs think the global cybersecurity talent shortage will get worse over the next five years.
This chimes with data from other sources, including (ISC)², whose most recent study reported a global shortfall in security professionals in excess of four million. This included 561,000 in North America and a 2.6 million shortfall in APAC, while the shortage in Europe rose by over 100% from the previous year to 291,000.
Ron Green, CSO at Mastercard, argued that the right technology could help to alleviate skills challenges.
“Machine learning and automation are going to be really helpful to current and future CISOs,” he said.
“Businesses are still going to need smart humans on security but already the humans that are in our security operations centers are being overwhelmed with things they have to monitor and you can't simply keep putting in more people because there aren't enough.”