The lack of a skilled cybersecurity workforce stalls the effectiveness of any organization’s security program. Yes, automated tools and technologies like artificial intelligence (AI) and machine learning (ML) offer a layer of support, and bringing in a managed security service provider (MSSP) provides expertise that isn’t available in-house. But it isn’t enough, especially for the medium-sized businesses that would most benefit from an internal security team.

However, the talent shortage doesn’t just impact present-day security concerns. The lack of a skilled workforce now will affect the future. It’s not just entry-level positions that organizations struggle to fill; roles in leadership, including CISOs and CSOs, are vacant. And without talent in place to learn the ropes, future security management could become placeholders rather than active leaders.

Cybersecurity needs leaders who understand security’s role within the organization’s business operations. But where will those leaders emerge from in the future?

The Origin of the CISO

The first time the title “chief information security officer” (CISO) was used came in the mid-1990s. Citicorp (now Citigroup) hired Steve Katz after the company was hit with a series of cyberattacks. The internet was in its earliest stages at that time when organizations were less dependent on computers and online connections. Back then, workers were lucky to have an email address that went beyond internal communications.

Katz had experience in security, or as SecurityWeek put it, “played at the edge of security before security existed – he worked on product lifecycle and quality assurance, and included a requirement for an ID and password module in COBOL and FORTRAN” before taking on the newly invented role of CISO. That in itself was unusual, as the security team and its leadership usually came from the IT department. They had the necessary technology bonafides but learned security on the job.

The Workforce Gap

According to the (ISC)2 2022 Workforce Study, the cybersecurity workforce stands at nearly 5 million worldwide and has been growing at a 26% year-over-year increase. There are still more than 3 million jobs that need to be filled.

“A cybersecurity workforce gap jeopardizes the most foundational functions of the profession like risk assessment, oversight and critical systems patching,” the study stated. Current cybersecurity employees feel that understaffed teams put the organization at a higher risk for an attack.

Adding to this problem is the growing need for specialization within the cybersecurity profession. Gone are the days when an entry-level security worker’s primary task was reading logs. According to an ISACA study, the skills most lacking include cloud computing, coding, security and data controls, behavioral analytics and software development. The top five roles that organizations need to fill today, the study found, were in cloud security, identity and access management, data protection,  incident response and DevSeOps.

It’s not just entry-level and mid-level cybersecurity talent that’s lacking. While it isn’t as big a problem, many companies have openings for various levels of management positions. For example, 17% of those surveyed said their CISO position is open. In addition, 25% are in need of a senior manager or director of cybersecurity.

Where CISOs are Coming From

The skills most lacking, according to the ISACA study, aren’t in cloud computing and data protection. The greatest talent shortage is in soft skills. Cybersecurity isn’t doing a good job of developing leadership skills, including communication or flexibility. The next group of leaders isn’t being developed in college, which will impact the future of CISOs.

The 2022 Global Chief Information Security Officer (CISO) Survey from Heidrick & Struggles finds that CISOs are regularly on the move, with more than half saying that they came to their current job from another CISO position, especially for those in their job for a year or less. Those who have been in their job long-term are coming from other types of jobs. Most of their previous experience comes from IT. However, the report said, “we are seeing other types of functional expertise emerging, notably software engineering, which increased from 7% last year to 10% this year.”

Expect this trend of looking outside of the security talent pool for leadership positions to continue. It will likely grow even more pronounced as older professionals retire and middle-aged professionals burn out. The talent shortage may cause employers to prioritize retaining skilled workers, especially those in specialized areas who defend popular attack vectors, rather than promoting them to management positions. Alternatively, the CISO could end up becoming a hybrid worker who must maintain their hands-on security functioning while also managing the duties of a C-suite executive.

Facing Modern Threats

Today’s CISO should understand “the breadth of technology used and desired by the organization complies with the regulations via control frameworks, assesses information asset risk, expands security beyond the organization (such as cloud, mobile, social media, threat intelligence networking) and knows how the privacy regulations affect the organization (where the data is, how it is being used and how it is being protected),” according to a Dark Reading article. By this standard, the best CISO (or CSO or anyone in cybersecurity leadership) will come from a background with strong security, data privacy and compliance experience.

But, as a member of the executive team, the CISO needs to consider security alongside business operations and goals. Organizations will look for candidates with a business background combined with a technology background. They may also develop employees who have shown leadership capabilities without initial cybersecurity experience.

Thirty years after Citigroup hired its first CISO, it looks like Steve Katz was a unicorn: someone who came into the role because of his exceptional background in security. CISOs today continue to come from other disciplines and learn the security side. But as cyber threats get more complicated and we grow more technologically dependent, CISOs will need a solid security background. As long as the talent gap widens, it will remain difficult to find leadership candidates from that pool of contenders.

More from CISO

Poor Communication During a Data Breach Can Cost You — Here’s How to Avoid It

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…

5 min read

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read

Do You Really Need a CISO?

2 min read - Cybersecurity has never been more challenging or vital. Every organization needs strong leadership on cybersecurity policy, procurement and execution — such as a CISO, or chief information security officer. A CISO is a senior executive in charge of an organization’s information, cyber and technology security. CISOs need a complete understanding of cybersecurity as well as the business, the board, the C-suite and how to speak in the language of senior leadership. It’s a changing role in a changing world. But…

2 min read

What “Beginner” Skills do Security Leaders Need to Refresh?

4 min read - The chief information security officer (CISO) was once a highly technical role primarily focused on security. But now, the role is evolving. Modern security leaders must work across divisions to secure technology and help meet business objectives. To stay relevant, the CISO must have a broad range of skills to maintain adequate security and collaborate with teams of varying technical expertise. Learning is essential to simply keep pace in security. In a CISO Series podcast, Skillsoft CISO Okey Obudulu recently said,…

4 min read