Talent
By Arturo Navarro
In recent months, I have had the opportunity and necessity to look more closely at how we are, in general, in the cybersecurity community. This observation includes not only market volume in comparison to other types of projects/services but also its relevance to the business, training offerings, and the creation of new products and companies. Despite the challenges becoming increasingly numerous and significant, we have seen clear and evident growth and improvement in all possible indicators. Companies specializing in cybersecurity have barely noticed the crisis, and for those opting for entrepreneurship, there is a large volume of investment available in our sector.
📈 Growth and Resilience of the Cybersecurity Market
- Cybersecurity in Spain has shown significant growth, reaching a market volume of 1.95 billion euros in 2022, with continued growth expected. The companies in the sector have demonstrated significant resilience against recent economic crises.
🌐 Impact of Digital Transformation
- Companies that effectively integrate cybersecurity into their digital transformation processes experience more effective transformations, which improves their growth and competitiveness in the market.
🚀 Strategic Importance of Cybersecurity
- Cybersecurity is gaining strategic importance within companies, increasingly being included in board discussions. This integration helps better manage risks and optimize business operations.
From an institutional standpoint, there has long been a “recommendation” that cybersecurity be represented on the board of directors. Nationally, we are discussing what the most appropriate governance would be, but in any case, it seems clear that there is an intention to push forward cybersecurity initiatives:
One of the key objectives of the CNMV’s Cybersecurity Code is to raise awareness among governance bodies and executive teams about their role and responsibility in cybersecurity. It is recommended that at least one board member has experience in cybersecurity management. Additionally, the document emphasizes the importance of continuous training and awareness in cybersecurity as fundamental tools for strengthening protection against cyberattacks. (1)
The transposition of the NIS2 Directive also aligns with these initiatives, establishing a framework for managing cybersecurity at the national and European level, which includes creating a coordination body to improve resilience against cyber risks.
And yet, while young talent leans towards security, at the senior level, there are more and more examples of CISOs transitioning to CIO/CTO/CDO positions or looking to make such transitions or simply focusing on communication, coordinating Masters, and different types of “side hustles.”
Those of us who have been around for a while remember how the CIO was ignored in relevant issues and decisions were made without considering their opinion (as an example, I recall the purchase of dot matrix printers for all civil registries in Spain because they supposedly created an “impression,” when laser printing was already a reality in all companies and there was no difference in the outcome). However, finally, all stakeholders understood that they could no longer “ignore” what the CIO contributed to the business.
In our case, as we face day-to-day realities, despite changes in the market and regulations, the same is not happening.
There is tremendous pressure on the costs of professionals, without taking into account, as happens with specialized platforms (cybersecurity platforms and pen-testing, including their own MDRs or services based on independent researchers with the same pricing in all countries, are growing widely in Spain), that the key lies in specialization and cannot currently be sifted through the outsourcing sieve, as can be done in other cases. (Equally applicable to AI and the implementation of agents through LLMs.)
Regarding the positions of CISOs, despite exposure for better or worse for all of us, in most cases, there is no proportional “weight” in the organization relative to the task entrusted, and there is a real possibility of lacking complete visibility of the organization’s security posture.
(1) For more details on the CNMV’s Cybersecurity Code and its implications, you can consult information disseminated by the CNMV and other related articles that delve into these corporate governance practices in the context of cybersecurity (El Derecho) (Economist & Jurist) (CyberSecurity News) (Protección Data).