April 21, 2023 By Sue Poremba 4 min read

The lack of a skilled cybersecurity workforce stalls the effectiveness of any organization’s security program. Yes, automated tools and technologies like artificial intelligence (AI) and machine learning (ML) offer a layer of support, and bringing in a managed security service provider (MSSP) provides expertise that isn’t available in-house. But it isn’t enough, especially for the medium-sized businesses that would most benefit from an internal security team.

However, the talent shortage doesn’t just impact present-day security concerns. The lack of a skilled workforce now will affect the future. It’s not just entry-level positions that organizations struggle to fill; roles in leadership, including CISOs and CSOs, are vacant. And without talent in place to learn the ropes, future security management could become placeholders rather than active leaders.

Cybersecurity needs leaders who understand security’s role within the organization’s business operations. But where will those leaders emerge from in the future?

The origin of the CISO

The title “chief information security officer” (CISO) was first used in the mid-1990s, when Citicorp (now Citigroup) hired Steve Katz after the company was hit with a series of cyberattacks. The internet was in its earliest stages at that time, and organizations were less dependent on computers and online connections. Back then, workers were lucky to have an email address that went beyond internal communications.

Katz had experience in security, or as SecurityWeek put it, “played at the edge of security before security existed – he worked on product lifecycle and quality assurance, and included a requirement for an ID and password module in COBOL and FORTRAN” before taking on the newly invented role of CISO. That in itself was unusual, as the security team and its leadership usually came from the IT department. They had the necessary technology bona fides but learned security on the job.

The workforce gap

According to the (ISC)2 2022 Workforce Study, the cybersecurity workforce stands at nearly 5 million worldwide and has been growing at a rate of 26% year over year. There are still more than 3 million jobs that need to be filled.

“A cybersecurity workforce gap jeopardizes the most foundational functions of the profession like risk assessment, oversight and critical systems patching,” the study stated. Current cybersecurity employees feel that understaffed teams put the organization at a higher risk for an attack.

Adding to this problem is the growing need for specialization within the cybersecurity profession. Gone are the days when an entry-level security worker’s primary task was reading logs. According to an ISACA study, the skills most lacking include cloud computing, coding, security and data controls, behavioral analytics and software development. The top five roles that organizations need to fill today, the study found, were in cloud security, identity and access management, data protection, incident response and DevSecOps.

It’s not just entry-level and mid-level cybersecurity talent that’s lacking. While it isn’t as big a problem, many companies have openings for various levels of management positions. For example, 17% of those surveyed said their CISO position is open. In addition, 25% are in need of a senior manager or director of cybersecurity.

Where CISOs are coming from

The skills most lacking, according to the ISACA study, aren’t in cloud computing and data protection. The greatest talent shortage is in soft skills. Cybersecurity isn’t doing a good job of developing leadership skills, including communication or flexibility. The next group of leaders isn’t being developed in college, which will impact the future of CISOs.

The 2022 Global Chief Information Security Officer (CISO) Survey from Heidrick & Struggles finds that CISOs are regularly on the move, with more than half saying that they came to their current job from another CISO position, especially for those in their job for a year or less. Those who have been in their job long-term are coming from other types of jobs. Most of their previous experience comes from IT. However, the report said, “we are seeing other types of functional expertise emerging, notably software engineering, which increased from 7% last year to 10% this year.”

Expect this trend of looking outside of the security talent pool for leadership positions to continue. It will likely grow even more pronounced as older professionals retire and middle-aged professionals burn out. The talent shortage may cause employers to prioritize retaining skilled workers, especially those in specialized areas who defend popular attack vectors, rather than promoting them to management positions. Alternatively, the CISO could end up becoming a hybrid worker who must maintain their hands-on security functioning while also managing the duties of a C-suite executive.

Facing modern threats

Today’s CISO should understand “the breadth of technology used and desired by the organization complies with the regulations via control frameworks, assesses information asset risk, expands security beyond the organization (such as cloud, mobile, social media, threat intelligence networking) and knows how the privacy regulations affect the organization (where the data is, how it is being used and how it is being protected),” according to a Dark Reading article. By this standard, the best CISO (or CSO or anyone in cybersecurity leadership) will come from a background with strong security, data privacy and compliance experience.

But, as a member of the executive team, the CISO needs to consider security alongside business operations and goals. Organizations will look for candidates with a business background combined with a technology background. They may also develop employees who have shown leadership capabilities without initial cybersecurity experience.

Thirty years after Citigroup hired its first CISO, it looks like Steve Katz was a unicorn: someone who came into the role because of his exceptional background in security. CISOs today continue to come from other disciplines and learn the security side. But as cyber threats get more complicated and we grow more technologically dependent, CISOs will need a solid security background. As long as the talent gap widens, it will remain difficult to find leadership candidates from that pool of contenders.
