Think diamonds are rare? Global mines produced 6.9MM carats of them in the first quarter of 2024, according to numbers from global diamond company De Beers. Savvy marketing helps us think of them as rare. Information Security Officers (ISOs), on the other hand, are genuinely undersupplied. According to Zippia, about 12K information security officers work in the US. They could quit their existing jobs and apply for one of the approximately 146K job openings for Information Security Officers (ISO).That imbalance probably won’t improve anytime soon. The Bureau of Labor Statistics also says that a growing threat of cyberattacks means that the need for information security analysts will grow by nearly a third from 2022 to 2032. Retaining ISO TalentInformation security is of vital importance to any financial services company, and community financial institutions (CFIs) are no exception. To bolster their information security programs, some CFIs may use automated solutions in lieu of an ISO to help reduce risk, meet compliance requirements, and manage third-party risk. Others use these tools to help reduce the stress an ISO experiences and help that person keep track of multiple responsibilities. Because the demand for ISO expertise is so high and the supply so low, sometimes the duties of an ISO are fulfilled by a Chief Technology Officer or a similar role. For CFIs with existing Information Security Officers, retaining their services is key, although a challenge for a position that can be done remotely, which puts the competition — and alternative job opportunities — at the global level instead of just regional. Burnout is also common.It’s smart to take whatever proactive steps you can to keep your ISO happy, whether that’s keeping compensation up to date, staying flexible about working conditions, finding ways to reduce or automate repetitive tasks, or offering perks that are particularly attractive to that employee. Ensure that your entire security team feels valued and heard and that your staff have opportunities to grow.Handling a ResignationThe sheer number of available ISO jobs and the fact that the job can be stressful means that, sooner or later, your ISO may leave. Preparing for that eventuality can help ensure that your organization doesn’t drop the ball after an ISO — or someone else who handles information security duties — gives notice. Getting ready for the possibility that your ISO will leave is a lot like succession planning for any executive position. You should do the following to ensure continuity of an ISO’s responsibilities:
- Review their security duties. Understand what your ISO does in the course of a year. Review their security tasks and the last 12 months of assessments to ensure that your security policies are being followed. Confirm that all related documentation and assessment records are available and safely stored.
- Evaluate vendors and governance. An ISO typically manages vendors. Create a comprehensive overview of those vendors to know what they do for your CFI, how to contact them, and obtain updates on any current projects. Review existing governance processes to see if any enhancements need to be made.
- Be aware of your audit schedule. Cybersecurity involves a regular rotation of audits and regulatory exams. Mark these on a calendar, taking particular note of when the next few exams and audits will take place. Ensure that you have a plan for any challenges that may arise in a future audit.
- Reduce manual processes. If you haven’t already used technological solutions to automate repetitive ISO tasks, consider what you could handle more efficiently. Transitioning to a new ISO can be a great opportunity to change processes in ways that make that person’s work both easier and more effective. These changes may also help your next ISO stay in the job longer.
- Transition access for the successor. In the name of security, ensure that the former ISO’s access credentials have been revoked or transferred to the individual bearing those responsibilities afterward.
There aren’t enough ISOs for all the organizations that need them, and most CFIs should expect to eventually lose theirs. Preparing now for that possibility can make the transition much less stressful, as well as increase the likelihood that the next ISO will remain in the position longer.