April 21, 2023 By Sue Poremba 4 min read

The lack of a skilled cybersecurity workforce stalls the effectiveness of any organization’s security program. Yes, automated tools and technologies like artificial intelligence (AI) and machine learning (ML) offer a layer of support, and bringing in a managed security service provider (MSSP) provides expertise that isn’t available in-house. But it isn’t enough, especially for the medium-sized businesses that would most benefit from an internal security team.

However, the talent shortage doesn’t just impact present-day security concerns. The lack of a skilled workforce now will affect the future. It’s not just entry-level positions that organizations struggle to fill; roles in leadership, including CISOs and CSOs, are vacant. And without talent in place to learn the ropes, future security management could become placeholders rather than active leaders.

Cybersecurity needs leaders who understand security’s role within the organization’s business operations. But where will those leaders emerge from in the future?

The origin of the CISO

The title “chief information security officer” (CISO) was first used in the mid-1990s, when Citicorp (now Citigroup) hired Steve Katz after the company was hit with a series of cyberattacks. At that time, the internet was in its earliest stages and organizations were less dependent on computers and online connections. Back then, workers were lucky to have an email address that went beyond internal communications.

Katz had experience in security, or as SecurityWeek put it, “played at the edge of security before security existed – he worked on product lifecycle and quality assurance, and included a requirement for an ID and password module in COBOL and FORTRAN” before taking on the newly invented role of CISO. That in itself was unusual, as the security team and its leadership usually came from the IT department. They had the necessary technology bona fides but learned security on the job.

The workforce gap

According to the (ISC)² 2022 Workforce Study, the cybersecurity workforce stands at nearly 5 million worldwide and has been growing at a rate of 26% year over year. There are still more than 3 million jobs that need to be filled.

“A cybersecurity workforce gap jeopardizes the most foundational functions of the profession like risk assessment, oversight and critical systems patching,” the study stated. Current cybersecurity employees feel that understaffed teams put the organization at a higher risk for an attack.

Adding to this problem is the growing need for specialization within the cybersecurity profession. Gone are the days when an entry-level security worker’s primary task was reading logs. According to an ISACA study, the skills most lacking include cloud computing, coding, security and data controls, behavioral analytics and software development. The top five roles that organizations need to fill today, the study found, were in cloud security, identity and access management, data protection, incident response and DevSecOps.

It’s not just entry-level and mid-level cybersecurity talent that’s lacking. While it isn’t as big a problem, many companies have openings for various levels of management positions. For example, 17% of those surveyed said their CISO position is open. In addition, 25% are in need of a senior manager or director of cybersecurity.

Where CISOs are coming from

The skills most lacking, according to the ISACA study, aren’t in cloud computing and data protection. The greatest talent shortage is in soft skills. Cybersecurity isn’t doing a good job of developing leadership skills, including communication or flexibility. The next group of leaders isn’t being developed in college, which will impact the future of CISOs.

The 2022 Global Chief Information Security Officer (CISO) Survey from Heidrick & Struggles finds that CISOs are regularly on the move, with more than half saying that they came to their current job from another CISO position, especially for those in their job for a year or less. Those who have been in their job long-term are coming from other types of jobs. Most of their previous experience comes from IT. However, the report said, “we are seeing other types of functional expertise emerging, notably software engineering, which increased from 7% last year to 10% this year.”

Expect this trend of looking outside of the security talent pool for leadership positions to continue. It will likely grow even more pronounced as older professionals retire and middle-aged professionals burn out. The talent shortage may cause employers to prioritize retaining skilled workers, especially those in specialized areas who defend popular attack vectors, rather than promoting them to management positions. Alternatively, the CISO could end up becoming a hybrid worker who must maintain their hands-on security functioning while also managing the duties of a C-suite executive.

Facing modern threats

Today’s CISO should understand “the breadth of technology used and desired by the organization complies with the regulations via control frameworks, assesses information asset risk, expands security beyond the organization (such as cloud, mobile, social media, threat intelligence networking) and knows how the privacy regulations affect the organization (where the data is, how it is being used and how it is being protected),” according to a Dark Reading article. By this standard, the best CISO (or CSO or anyone in cybersecurity leadership) will come from a background with strong security, data privacy and compliance experience.

But, as a member of the executive team, the CISO needs to consider security alongside business operations and goals. Organizations will look for candidates with a business background combined with a technology background. They may also develop employees who have shown leadership capabilities without initial cybersecurity experience.

Thirty years after Citigroup hired its first CISO, it looks like Steve Katz was a unicorn: someone who came into the role because of his exceptional background in security. CISOs today continue to come from other disciplines and learn the security side. But as cyber threats get more complicated and we grow more technologically dependent, CISOs will need a solid security background. As long as the talent gap widens, it will remain difficult to find leadership candidates from that pool of contenders.
