
[Applause] Hi, good to be here, good to see you here. I obviously scared off my co-speaker because, I mean, look at the title, it's really boring, doesn't it? So I'm not going to speak about the title. I'll just hop in with a question in your direction: is there anyone in the audience that holds a degree in either computer science or information systems? That's not too unexpected. Is there anyone in the audience that has a CISSP certification? Maybe both, the CISSP and a degree in computer science? Well, if you match that criteria, I can tell you, you would be the perfect CISO, at least as far as it comes to job descriptions.

So what I'm speaking about today is actually a thing that I recognized in the past. I've been working with CISOs, I've been working as a CISO, and I'll come to the point of what I would see as a definition for a CISO, but there seem to be very different expectations when it comes to the role of the CISO. So what we asked ourselves is: might the job advertising be the start of this mess? So what we did in the first place: we've been working with CISOs, we've been asking CISOs, and then we scrolled basically through job advertisements in the last months and asked ourselves what we might be able to find here.

All right, it's not a boring agenda. I mean, obviously we analyzed some data, so I'll walk you through this, I'll walk you through our objectives obviously, and then give you some... let's not talk about the agenda. I like to tell stories, and I'll start with a story. I'm working with a colleague that has quite some experience, not just in IT and IT security, information security; he's been in the scene for I think almost 30 years. So he's been working as a CIO, CISO, interim CISO, and he also is my CEO. And he was recently working in a position as an interim CISO at a larger company, I think the revenue is around 1 billion a year, and he was working in the interim position for around one year. And the thing is, what usually comes after an interim position is someone else gets in place, and obviously you would have to look for that position or for that person. So that's what they did, and what they got was a bunch of CVs, I mean highly qualified CVs, and you would find these things I've been talking about, like degrees, PhDs in computer science, information systems, cyber security; you'd find all the certifications that you know, CISSP and CISM. And then it comes to the interview, and there was quite a mismatch between all these certifications and the knowledge on the paper and what people brought. Because the CISO position for a corporation with a revenue of about 1 billion, let's think it through, let's just keep it easy or simple: 10% IT budget, right, around another 10 to 20% in security, that's 10 million, right? That's a bit. So usually on that level you speak to the board, you have to be able to speak to the board, I mean you need to understand their language. And the sad story is, during the interviews what my colleague realized is that almost none of them was even able to speak that language. And so we asked ourselves: does it have to do with the job advertisement already? Because are we attracting the wrong people or the wrong skill set? And that's basically what we do, or what we did in the past.

So, okay, what's a CISO? Please don't nail me down on that definition, it's just a few aspects that I feel, or we feel, are crucial to this position. And obviously it really differs; I mean, if you have a large enterprise with 10 billion in revenue it's a different position than you would have it in an SME, obviously, that's for sure. But in general what we expect from the CISO is: it's someone that is a leader on a senior executive level that can speak to the board, so present to the board, and understands their problems rather than technical issues. You would usually have the overall responsibility for information security, which could include even data privacy related issues, physical security, so not just the technical expertise, right? And usually you're responsible for the overall strategy, the security programs in the enterprise. So that is roughly, let's say, a simple definition.

And so the question was: does this match with the reality in job advertisements, or even in corporations out there? Does it? We were curious, and obviously we wanted to not just give some different perspectives on the topic. So we asked ourselves: what are the typical resources that CISOs get according to these advertisements? Because usually you would expect that what's written down there should be part of the reality, right, or of your future reality if you apply for such a job. Secondly, are there regional variations, for example between the DACH region and the USA? And are these requirements aligned with best practices? And when I say best practices, I mean there is not a best practice out there that tells you how to be a CISO, it's not, but there are certain laws or legislation that do hold requirements for CISOs, like for example independence, right, or you probably need a budget; if you don't have a budget it's hard to make... we were talking about this today, like you need to spend money, that's it. And in the end it brings us to the question: does all the mess in security that we somehow saw with our clients in the past start with the job advertisement, so the description of your job?

How did we do it? I'll take the short path. I mean, we used some platforms that hold job advertisements these days, LinkedIn and Google for example; they aggregate, right, so they crawl the web and you'll find a lot there, and then we have Indeed and Glassdoor, huge platforms. So after going through all of these platforms there was not much out there left. And we did this for the last three months; by the way, we are still doing it, so this is ongoing. And we found 459 job advertisements in this period, and we had to go through a manual selection, and that's for a good reason. I mean, you could obviously automate this; the problem is that there are job advertisements that, if you read through them, you realize they are not looking for a CISO position. So, yeah, I mean, ISB, I'll talk about that phenomenon in Germany later on. We've been looking for job advertisements that clearly look for a leader that has the overall responsibility, that does not report to someone in the group but rather has group-level responsibility for information security, does have the budget, and has a C in his name. And that is sometimes quite cryptic, if you read the advertisements and you read through and you realize that's not a CISO. Okay, so we had a manual selection process, then obviously we were trying to filter what sort of position, industries, etc. The next step is the analysis part; I'm not going to explain that in detail, that's the research part, I mean building categories, codes, and then it's a qualitative analysis. So we had to understand in an inductive way what are the codes that we're going to use, what's our coding scheme. So we went through every job advertisement, coded it, and then went through the data analysis. And I'm really not going to present too much data today, rather the findings or interesting aspects that we've found.

So that's our category system. Obviously we've been interested in the qualification and the requirements, I mean what do we expect from a CISO these days in terms of what we make public; the roles, the responsibilities, I mean reporting lines, quite interesting, right, who do they report to; team, budget, individual resources. And a small disclaimer here: obviously there are job advertisements that are not out there, because a lot of recruiting companies would recruit CISOs for large enterprises; especially in Germany we find that case very often, and we've been speaking to recruiters as well, but that's the blind spot here.

Let's hop in. Okay, so for some of you that obviously bring the CV for a CISO, you would see you better move to the US, because at least from what you expect in terms of salary, you can expect quite some salary as a CISO there. And that is interesting and I want to start there. I mean, obviously data-wise there is not much to say about the DACH region, because they don't tell too much about the salary, but interestingly enough, if they do, they tell me that, well, after the 25k mark there is not much coming there. And that really matches with our reality that we know, and even people that we worked with. And now the question that I would raise is: I mean, that's a C-level person inside your enterprise that's responsible for your overall security, and you're not willing to pay them well? So the question is if that would work. On the other hand side, what we found is that a security team, that I think is really, really required in a larger enterprise... I mean, it's not a one-man show, right? You're sort of the governor, but you need someone that works. I mean, we're talking about IT security, cyber security, incident response, we're talking about the compliance aspects; it's not a one-man show. So we rarely found job advertisements that clearly tell you that there is a team. We also found that a budget, that you even are a budget holder, was only in about 13 to 17% of the job advertisements, and that's not good news, because, to be fair, if I would apply for a job and I don't see that I get a team and the budget, I would probably not apply seriously. And no free coffee; I mean, I would not get up without a coffee, I can tell you. There are two positions where you get coffee and vegetables, so if you're interested, I hold the database and these are recent job advertisements, so let me know.

All right, Ctrl+C, Ctrl+V. Yeah, that's a huge problem here. I mean, if you go through the advertisements there's a lot of copy-paste, not in the sense that they copy the whole job offering, but we also found that: the same job offer, different company. Well, why does this scare me off? Because the thing is, it's a very individual position and you really need to know what you're looking for; I mean, that's the person you pay to protect your enterprise, right? That doesn't match with Ctrl+C, Ctrl+V. And it also tells me that some companies, and we found that in reality as well, don't really know what they're looking for. So it's best guess, it's ChatGPT really, or someone in the HR department: "Hey, can you please just write a job offering for a CISO?" So let's just find someone that does this job.

Academic background: I mean, I for myself, I have a background in computer science, I have an MBA, but yeah, I started in computer science, and that's what they're mostly looking for. I'm not saying this is wrong, totally not. I mean, you need a deeper understanding of security from the technical side, and then you need to build on top risk management, compliance; you need to speak to a legal department as well as the CEO, right, as well as the CFO. So we're talking about risk in numbers, not in actual technical risk. So, on the other hand side, we find that at least in about a quarter of the offerings they start asking for leadership experience. Yeah, now the question is: the one thing is hard facts, like CISSP, all the certifications, that's what they require, and then the leadership experience seems to come while you're on that track. I don't know if that's the reality; there is no real proof for that, and there's a slight mismatch that we feel here. And soft skills, I mean, that's the part that's often not mentioned, and at least there seems to be a direction that all these offerings go, and mostly they really concentrate on the technical aspects.

Let's talk about the independence. That's really made me curious, and I wasn't aware of that. I mean, we've seen in reality that people do not directly report to the board, but it seems like this problem is bigger than expected. Because honestly, and that's the same thing, if I see a job ad as a CISO and they tell me to report to the CIO, I can immediately tell you that I would not apply, because you're not independent, right? Do you want to make the rules for someone that pays your salary? I mean, that doesn't make sense, and that is a conflict, and I would say usually you would avoid that; in regulated sectors like financial services you have a three layers of defense principle. But obviously there are a lot of organizations that still think it's a good idea to do it that way, and that would scare me off, to be honest. Then, are we really looking for a CISO? That's the same question: if someone does not report to the board, or really only in an indirect manner, then the question is how much power do you have? And if you bring that together with what we've already seen, maybe you don't even have a budget. I mean, what are you expected to do there? How are you going to improve the security posture of a company without budget, without a team, and lacking authority?

Well, let's talk about the German ISB phenomenon. That's interesting, because especially in the DACH region, especially in Germany, we found, even though we've been looking for the CISO, we obviously found, and that's the sheer algorithm behind it, a lot of offerings for the ISB or the ISO, so the information security officer in German, which is obviously not what you typically expect to be a CISO, rather an administrative position. There are variances in that position obviously, but it's like somewhere in the leaves of the tree in terms of the organizational chart; usually you don't have a direct budget in a lot of cases. And I'm not going to talk about this particular position because it's a different story, but we find that often in Germany, and that's interesting, that we didn't find too many CISO positions but rather ISB positions, and it's a whole different mandate in my opinion. So yeah, who needs a team if you have a CISSP? That's a nice one. So if you bring a CISSP you get the job, but you don't necessarily get a team. And obviously there's a massive gap in between the level of detail in the description between the DACH region and the USA. So whilst they seem to be reporting to the CIO quite often, they do have quite a precise understanding of what a CISO needs. So if you have a look on the German side, all these job advertisements are like... I mean, I could easily ChatGPT that, that would be even better sometimes, or I could just use any best practice and write down what I expect from an information security management system, and that's it. So room for improvement, I would say.

Well, conclusion. I mean, that was only a small portion of what we realized, but I think what's clear here, and that is very, very interesting, is that a lot of parties and corporates out there don't really know what they're looking for. I mean, they're not possibly, or they're not willing to, tell us if they are willing to spend money for that topic. And we've been talking about a lot of technical issues today, and I mean very interesting ones, and I think you need money in your organization to tackle them, and the money usually resides with the CISO, or should, and so should the responsibility, and that's something we don't clearly see in these job advertisements. And obviously that's not the full reality, but it's one portion of it, right, and that's where it starts, and that's what got us curious. And here obviously is the disclaimer: I mean, it's job advertisements, the reality might be different, but I would say we have room for improvement here, because there are people out there that think about working as a CISO, that want to go on that career path, and I think, well, it would be just fair for them to get a professional job offer that explains what is really required, whilst our finding was that what you see there is either pretty generic or is like "I want to have it all". I mean, I want to have the person that speaks with the CFO, the CEO, that knows their language, is probably well prepared in terms of leadership for the last 10 years, has experience in financial risk management, does hold a CISSP, is a pen tester, does have a CISO... was in an audit situation for the last 10 years. Really, that's what you also get. So you're asking for either a lot or nothing, and I don't think that's a good starting point for anyone that wants to become a CISO, because there is a mismatch in the expectation of the applicants and what the enterprise actually wants, and that will lead to a situation where both will not feel comfortable.

So that's it for today. I hope I could give you a good idea of what we did there, and I'm happy to answer your questions, and thanks for having me here. [Applause]

Cool, thank you very much, Daniel, a very interesting talk, and, to say, very surprising and alarming results that you had. Some questions? Do we have another microphone? All right.

Thank you for displaying my pain points there. I've just got more of a recent question regarding regulations that are up and rising nowadays, especially in the US with what the SEC now requires for companies that are actually on Wall Street, where they are now requiring to have specifically cyber security or security knowledge in the board, right, which is very similar to also what we see in Europe with NIS2, with DORA explicitly on the financial side, where it's also said you need to have this experience on the top-level management. So from what I understood from your research, that is basically just based on the last 3 months of positions that you have basically researched, so I would strongly suggest to keep on the research to see if that really changes somehow within the next couple of months and years maybe. But the question really is: did you see a change already in there that would maybe display this position is more on the board management side, because it's needed for those regulatory requirements, or direct interaction with the board?

Well, interesting question. First, yes, we see even from the description we read that there is a direct interaction, but, I mean, reporting to the board, like "here's a report", you could count that as a direct reporting line, but it usually is not; it's like informative, there's no authority behind it. I mean, interestingly enough, I was surprised; I was expecting actually to see much more US companies going that path and having the CISO as part of the board, because that is really becoming the best practice, and having them report to the CEO or CFO rather than the CIO. So I was surprised that's not reality right now, and I think that's quite interesting, right? Does that answer your question? Obviously there's some regulation in Europe also going on; we're talking about NIS2, we're talking in Germany about the KRITIS-Dachgesetz, KRITIS itself, that will change a lot. But I think in the end it's not just about the question where you reside in that organization, but do you really have that mandate? And I think that has been a problem in the past.

Hi there. So first, thank you so much for the content, it was very, very helpful. I would like to hear your opinion regarding, you know, CISO and cyber security scarcity of talent. In your own opinion, how do we solve that in the next 5 to 10 years, as far as there's a high demand, like you mentioned, but there are no people ready?

Yeah, appreciate that, that's a very interesting question. I don't have a solution yet, no. I think we, and that's actually why we have been working on that, we need to make people aware of it. I mean, not everyone in that audience is even thinking about becoming a CISO, but there are cyber security and information security experts, IT experts, that might think of this being a part of their career, right? And I think it's important that we start early, because the step from a security engineer or cyber expert to a CISO, that's a huge gap in between. So what you need, rather than the technical expertise, is a lot of knowledge about the organization, organizational structures, business processes, risk management, even from a public accountant perspective, like the internal control system, and there's a lot to learn there, a huge learning curve, and we are not even addressing that in a professional manner. There are a lot of soft skills they're asking for rather than asking for an explicit learning path or anything. So we need to build that, like we need to train people, that's the answer, we need, right.

Hey, thank you for the presentation again. Actually, last week I think I've read a post on LinkedIn from someone from the US that was talking about that most of the CISOs have a background in auditing or risk management, but they see a kind of shift that companies are starting to look for someone also with a more technical background. Is that also something that we see in Europe?

Yes and no. I mean, yes, obviously there's good reason to hire someone that has a background as a public accountant, for example, because usually you know the weak spots from a compliance perspective, and I understand that. But I don't see a clear shift; I rather see that job advertisements are looking for the technical experts rather than the auditors or accountants. And that's interesting, because, I mean, from a public accountant perspective it's, don't get me wrong here, I mean it's doing a checklist, right, we had that today, and being a CISO is like creating a resilient organization in terms of cyber security; it's not having that checklist completed and being compliant, it's only one part of it. So we really need to bring that together, I think.

Thank you very much for your talk. I was late, so I might have missed one thing. Have you analyzed what size the companies were who were looking for CISOs? And second, was it the first hire or a follow-up hire on this position? Because this makes a difference for me. I, for example, was the CISO for a small to medium company, and when the company has 200 employees, the CISO is already the important role, no doubt; the mandate is the second important thing, but as a CISO you have then the full-blown area of activities, not responsibilities but activities. So getting back to the question: from the analysis, how about the size of the companies, and first hire or the second hire or the third hire?

Yeah, that's a weak spot. I mean, as I already mentioned, the research is still ongoing, and we are doing that in the background right now for the job advertisements that we went through, because we're sort of in the middle of our research, so I don't have a precise answer. I know that there is a correlation already between the industry and the size, and we're talking about the revenue, because the number of employees is hard to get from an open perspective here. So, yes and no, I mean we realize that there are definitely some job offerings where I know that, for good reason, there is no full-blown security team. And the second question, first or second hiring, how to judge? I mean, we could only find out if we give them a call, maybe that's the next step. And by the way, one of the next steps that we are going to do is really speak with the CISOs on the other end, and also with the CEOs, and maybe the HR departments that bring out the job offerings.

Just one real quick minor thing that just came to my attention now when you talked about "we need to train people", basically what this role is all about. I think if you're looking at this room, or who's here, this is more about spreading awareness of what this role is basically implying, right? But I think training of what this role is and what this role is all about should be more really on the C-level and the board, management board member, side, because they need to be aware of what this CISO role really implies and what he's really responsible for. So I think even they have sometimes the completely wrong picture of that role, which is why this then trickles down basically into these kinds of weird tasks and responsibilities that you see in positions.

I somewhat agree, but I feel it's a shared responsibility. The board needs to be aware that the people they hire in such a position are first leaders that do have the mandate and the authority and get the power to do so. On the other hand, and that's what I said with my initial story that I was talking about, like the interim CISO and then the next CISO that came, we did have some CVs here that clearly didn't fit with that position. So on the other hand side, the CISOs, their future CISOs, need to be able to speak that language at least. I mean, the expectation from the board is that a CISO understands their legal structure, their global processes around a global enterprise, they understand the differences between different sets of compliance around certain regions, they assume that people understand what a public accountant asks, what authorities ask for, and I think you need to be able to speak that language, and that's on the side of the CISO, right? So I think it's a shared responsibility and we need to get that together. Cool, thank you very much, also for the good questions. Thanks.