April 21, 2023 By Sue Poremba 4 min read

The lack of a skilled cybersecurity workforce stalls the effectiveness of any organization’s security program. Yes, automated tools and technologies like artificial intelligence (AI) and machine learning (ML) offer a layer of support, and bringing in a managed security service provider (MSSP) provides expertise that isn’t available in-house. But it isn’t enough, especially for the medium-sized businesses that would most benefit from an internal security team.

However, the talent shortage doesn’t just impact present-day security concerns. The lack of a skilled workforce now will affect the future. It’s not just entry-level positions that organizations struggle to fill; roles in leadership, including CISOs and CSOs, are vacant. And without talent in place to learn the ropes, future security management could become placeholders rather than active leaders.

Cybersecurity needs leaders who understand security’s role within the organization’s business operations. But where will those leaders emerge from in the future?

The origin of the CISO

The first time the title “chief information security officer” (CISO) was used came in the mid-1990s. Citicorp (now Citigroup) hired Steve Katz after the company was hit with a series of cyberattacks. The internet was in its earliest stages at that time when organizations were less dependent on computers and online connections. Back then, workers were lucky to have an email address that went beyond internal communications.

Katz had experience in security, or as SecurityWeek put it, “played at the edge of security before security existed – he worked on product lifecycle and quality assurance, and included a requirement for an ID and password module in COBOL and FORTRAN” before taking on the newly invented role of CISO. That in itself was unusual, as the security team and its leadership usually came from the IT department. They had the necessary technology bona fides but learned security on the job.

The workforce gap

According to the (ISC)2 2022 Workforce Study, the cybersecurity workforce stands at nearly 5 million worldwide and has been growing at a 26% year-over-year increase. There are still more than 3 million jobs that need to be filled.

“A cybersecurity workforce gap jeopardizes the most foundational functions of the profession like risk assessment, oversight and critical systems patching,” the study stated. Current cybersecurity employees feel that understaffed teams put the organization at a higher risk for an attack.

Adding to this problem is the growing need for specialization within the cybersecurity profession. Gone are the days when an entry-level security worker’s primary task was reading logs. According to an ISACA study, the skills most lacking include cloud computing, coding, security and data controls, behavioral analytics and software development. The top five roles that organizations need to fill today, the study found, were in cloud security, identity and access management, data protection, incident response and DevSecOps.

It’s not just entry-level and mid-level cybersecurity talent that’s lacking. While it isn’t as big a problem, many companies have openings for various levels of management positions. For example, 17% of those surveyed said their CISO position is open. In addition, 25% are in need of a senior manager or director of cybersecurity.

Where CISOs are coming from

The skills most lacking, according to the ISACA study, aren’t in cloud computing and data protection. The greatest talent shortage is in soft skills. Cybersecurity isn’t doing a good job of developing leadership skills, including communication or flexibility. The next group of leaders isn’t being developed in college, which will impact the future of CISOs.

The 2022 Global Chief Information Security Officer (CISO) Survey from Heidrick & Struggles finds that CISOs are regularly on the move, with more than half saying that they came to their current job from another CISO position, especially for those in their job for a year or less. Those who have been in their job long-term are coming from other types of jobs. Most of their previous experience comes from IT. However, the report said, “we are seeing other types of functional expertise emerging, notably software engineering, which increased from 7% last year to 10% this year.”

Expect this trend of looking outside of the security talent pool for leadership positions to continue. It will likely grow even more pronounced as older professionals retire and middle-aged professionals burn out. The talent shortage may cause employers to prioritize retaining skilled workers, especially those in specialized areas who defend popular attack vectors, rather than promoting them to management positions. Alternatively, the CISO could end up becoming a hybrid worker who must maintain their hands-on security functioning while also managing the duties of a C-suite executive.

Facing modern threats

Today’s CISO should understand “the breadth of technology used and desired by the organization complies with the regulations via control frameworks, assesses information asset risk, expands security beyond the organization (such as cloud, mobile, social media, threat intelligence networking) and knows how the privacy regulations affect the organization (where the data is, how it is being used and how it is being protected),” according to a Dark Reading article. By this standard, the best CISO (or CSO or anyone in cybersecurity leadership) will come from a background with strong security, data privacy and compliance experience.

But, as a member of the executive team, the CISO needs to consider security alongside business operations and goals. Organizations will look for candidates with a business background combined with a technology background. They may also develop employees who have shown leadership capabilities without initial cybersecurity experience.

Thirty years after Citigroup hired its first CISO, it looks like Steve Katz was a unicorn: someone who came into the role because of his exceptional background in security. CISOs today continue to come from other disciplines and learn the security side. But as cyber threats get more complicated and we grow more technologically dependent, CISOs will need a solid security background. As long as the talent gap widens, it will remain difficult to find leadership candidates from that pool of contenders.
