
CISO shortage may reflect unrealistic job expectations

A new report warns of a CISO shortage, but interviews suggest the reality is more complex. The gap may reflect unrealistic job expectations rather than a true talent shortage.

Executive summary

The report claims a global CISO shortage, but CIOs and analysts describe a more nuanced reality:

  • A 2026 Cybersecurity Ventures and Sophos report estimates 35,000 CISOs worldwide supporting hundreds of millions of businesses, framing a significant global leadership gap in cybersecurity.
  • Interviews with CIOs and analysts suggest cybersecurity hiring conditions vary widely, with some organizations reporting no difficulty finding qualified security leaders.
  • Experts say the CISO role has expanded, contributing to burnout and turnover.
  • MSSPs and vCISOs are increasingly used to extend cybersecurity leadership, but internal accountability remains essential for effective security governance.

A new report suggests the world may be facing a shortage of cybersecurity leaders -- but the reality inside organizations is more complicated.

A 2026 report from Cybersecurity Ventures and Sophos argues that there are just 35,000 CISOs worldwide serving roughly 359 million businesses -- a 10,000-to-1 ratio it describes as a major gap in global cybersecurity leadership. The report warns that organizations without CISO-level expertise face heightened exposure to cyber risk and points to managed security service providers (MSSPs) and virtual CISOs (vCISOs) as key mechanisms for bringing CISO-level leadership to organizations -- particularly SMBs.

However, interviews with CIOs and analysts suggest the picture is more nuanced. Organizations are experiencing cybersecurity leadership needs differently. Some say they are not struggling to hire qualified security leaders, while others say their lack of a dedicated CISO is a strategic choice rather than a talent constraint.

One reason people perceive a CISO shortage is that the job itself has changed, said Erik Avakian, technical counselor at Info-Tech Research Group. The modern CISO role has expanded to include security, compliance, board reporting and AI risk -- making it a highly demanding position that is difficult for one person to cover.

"Organizations want the CISO to be Superman, when in reality, they missed the opportunity to recruit talent properly," Avakian said.

As a result, what looks like a global shortage may in many cases reflect how organizations are defining and overloading the role itself, contributing to burnout, turnover and the perception of a talent gap.

A CISO shortage is not showing up everywhere

The reality of a cybersecurity leadership shortage is not uniform across organizations. Some CIOs say they are not having trouble hiring qualified cybersecurity talent, especially for leadership roles.


"We've been building out our cybersecurity program over the last couple of years and haven't had trouble finding good people. I can't speak for every industry or organization size, but among my peers, a talent crisis isn't something that comes up in conversation," said Chase Snuffer, CIO of Rayburn Electric Cooperative, a midsize utility company based in Rockwall, TX.

Others echo that view, pointing to a strong pool of applicants for cybersecurity leadership positions.

"From personal experience, I've encountered a highly skilled applicant pool with plenty of qualified candidates for a leadership role," said Scott Sanders, CIO of Sikich, a large professional services firm based in Chicago.

At the same time, leaders at larger organizations acknowledge pressure in the broader talent market but stop short of calling it a critical shortage. That variation suggests hiring conditions depend heavily on an organization's size and structure.

"The supply-demand curve for cyber talent is moving in the wrong direction, but I wouldn't say it's an issue that needs boardroom-level visibility at this point," said Chris Drumgoole, president of global infrastructure services at DXC Technology, a global IT services firm. 

Many organizations are looking for a 'Superman' CISO

The perceived cybersecurity talent shortage may be driven less by a lack of qualified candidates and more by how organizations define the role itself. Over time, the CISO position has expanded beyond traditional security leadership to include risk management, compliance and board-level reporting. That broader scope has made the role more demanding for a single executive to sustain, contributing to burnout and turnover.


That expansion has also affected how organizations write job descriptions. Hiring managers often create long requirement lists that include deep technical expertise, executive leadership skills and formal academic credentials.

"I've seen so many job openings for these types of positions, and so many of them are asking for the kitchen sink, including things like master's degrees and a whole array of other prerequisites, which, in reality, few people have," Avakian said.

According to Avakian, organizations should focus less on degrees and more on experience and leadership skills, such as decision-making under pressure and communication, when hiring security leaders.

Organizations can also address the hiring challenge by investing in internal leadership training.

"The best technician might not naturally transition into becoming the best leader, so we pay a lot of attention to conscious leadership training and contextual immersion to turn technical experts into impactful leaders," Drumgoole said.

Not all organizations need a dedicated CISO

Not every organization without a CISO is struggling to hire one. In some cases, the absence of a standalone CISO reflects a strategic decision. For instance, at Rayburn Electric, cybersecurity leadership sits directly within the CIO role by design.

"The structure is a conscious decision based on where we are as an organization. I carry both the CIO and CISO roles, and that comes with real tradeoffs," Snuffer said. "The upside is that … having one person accountable for both the security posture and the UX means decisions are made with the full picture in mind."

In this model, security decisions are centralized in one executive role, rather than split between a CIO and a separate CISO. Typically, the CIO oversees IT systems and business technology operations, while the CISO focuses on cybersecurity strategy and risk management. At Rayburn Electric, Snuffer holds both roles -- a structure he said helps align security controls with operational needs, even if it also spreads his attention across multiple priorities.

MSSPs can extend security -- but leadership should remain in-house

For many organizations, cybersecurity leadership is increasingly taking shape as a hybrid model where internal teams retain ownership over security strategy, while external providers extend coverage and capability.

At Rayburn Electric, the CIO handles both CIO and CISO responsibilities internally and uses outside support to fill operational gaps, such as after-hours monitoring and strategic guidance.

"We use an MSSP for after-hours SOC coverage. We don't run a 24/7 internal operation, so we fill that gap and escalate to our team when something needs attention," Snuffer said. "We also work with a vCISO and outside consultants to stay current on where the industry is headed."

Rayburn Electric designed this approach to extend internal capability rather than replace it, particularly during off-hours or periods of high alert activity.

A similar structure exists at Sikich, where cybersecurity leadership remains in-house while an MSSP provides continuous monitoring support.

"Our information security team uses an MSSP for continuous 24/7 alert monitoring and coverage, while our information security leadership and strategy remain firmly in-house," Sanders said.

These models suggest a broader pattern: MSSPs and advisory services are becoming a practical way to extend cybersecurity operations, even for midsize and large organizations. However, the effectiveness of that approach depends on strong internal ownership of security decisions.

For smaller organizations without internal security depth, full reliance on external providers may be necessary. However, as organizations scale, keeping leadership inside the business -- whether in the form of a CISO or not -- becomes critical for context, speed and risk management.

Tim Murphy is an award-winning reporter covering IT strategy for Informa TechTarget.
