The lack of a skilled cybersecurity workforce stalls the effectiveness of any organization’s security program. Yes, automated tools and technologies like artificial intelligence (AI) and machine learning (ML) offer a layer of support, and bringing in a managed security service provider (MSSP) provides expertise that isn’t available in-house. But it isn’t enough, especially for the medium-sized businesses that would most benefit from an internal security team.

However, the talent shortage doesn’t just impact present-day security concerns. The lack of a skilled workforce now will affect the future. It’s not just entry-level positions that organizations struggle to fill; roles in leadership, including CISOs and CSOs, are vacant. And without talent in place to learn the ropes, future security management could become placeholders rather than active leaders.

Cybersecurity needs leaders who understand security’s role within the organization’s business operations. But where will those leaders emerge from in the future?

The origin of the CISO

The first time the title “chief information security officer” (CISO) was used came in the mid-1990s. Citicorp (now Citigroup) hired Steve Katz after the company was hit with a series of cyberattacks. The internet was in its earliest stages at that time when organizations were less dependent on computers and online connections. Back then, workers were lucky to have an email address that went beyond internal communications.

Katz had experience in security, or as SecurityWeek put it, “played at the edge of security before security existed – he worked on product lifecycle and quality assurance, and included a requirement for an ID and password module in COBOL and FORTRAN” before taking on the newly invented role of CISO. That in itself was unusual, as the security team and its leadership usually came from the IT department. They had the necessary technology bonafides but learned security on the job.

The workforce gap

According to the (ISC)2 2022 Workforce Study, the cybersecurity workforce stands at nearly 5 million worldwide and has been growing at a 26% year-over-year increase. There are still more than 3 million jobs that need to be filled.

“A cybersecurity workforce gap jeopardizes the most foundational functions of the profession like risk assessment, oversight and critical systems patching,” the study stated. Current cybersecurity employees feel that understaffed teams put the organization at a higher risk for an attack.

Adding to this problem is the growing need for specialization within the cybersecurity profession. Gone are the days when an entry-level security worker’s primary task was reading logs. According to an ISACA study, the skills most lacking include cloud computing, coding, security and data controls, behavioral analytics and software development. The top five roles that organizations need to fill today, the study found, were in cloud security, identity and access management, data protection,  incident response and DevSeOps.

It’s not just entry-level and mid-level cybersecurity talent that’s lacking. While it isn’t as big a problem, many companies have openings for various levels of management positions. For example, 17% of those surveyed said their CISO position is open. In addition, 25% are in need of a senior manager or director of cybersecurity.

Where CISOs are coming from

The skills most lacking, according to the ISACA study, aren’t in cloud computing and data protection. The greatest talent shortage is in soft skills. Cybersecurity isn’t doing a good job of developing leadership skills, including communication or flexibility. The next group of leaders isn’t being developed in college, which will impact the future of CISOs.

The 2022 Global Chief Information Security Officer (CISO) Survey from Heidrick & Struggles finds that CISOs are regularly on the move, with more than half saying that they came to their current job from another CISO position, especially for those in their job for a year or less. Those who have been in their job long-term are coming from other types of jobs. Most of their previous experience comes from IT. However, the report said, “we are seeing other types of functional expertise emerging, notably software engineering, which increased from 7% last year to 10% this year.”

Expect this trend of looking outside of the security talent pool for leadership positions to continue. It will likely grow even more pronounced as older professionals retire and middle-aged professionals burn out. The talent shortage may cause employers to prioritize retaining skilled workers, especially those in specialized areas who defend popular attack vectors, rather than promoting them to management positions. Alternatively, the CISO could end up becoming a hybrid worker who must maintain their hands-on security functioning while also managing the duties of a C-suite executive.

Facing modern threats

Today’s CISO should understand “the breadth of technology used and desired by the organization complies with the regulations via control frameworks, assesses information asset risk, expands security beyond the organization (such as cloud, mobile, social media, threat intelligence networking) and knows how the privacy regulations affect the organization (where the data is, how it is being used and how it is being protected),” according to a Dark Reading article. By this standard, the best CISO (or CSO or anyone in cybersecurity leadership) will come from a background with strong security, data privacy and compliance experience.

But, as a member of the executive team, the CISO needs to consider security alongside business operations and goals. Organizations will look for candidates with a business background combined with a technology background. They may also develop employees who have shown leadership capabilities without initial cybersecurity experience.

Thirty years after Citigroup hired its first CISO, it looks like Steve Katz was a unicorn: someone who came into the role because of his exceptional background in security. CISOs today continue to come from other disciplines and learn the security side. But as cyber threats get more complicated and we grow more technologically dependent, CISOs will need a solid security background. As long as the talent gap widens, it will remain difficult to find leadership candidates from that pool of contenders.