The global cybersecurity skills shortage is a well-documented challenge affecting organizations across all industries. A 35% growth in information security analyst roles is expected to occur between 2021 and 2031, according to the U.S. Bureau of Labor Statistics. As the cybersecurity jobs market continues to grow, the gap between the number of qualified security professionals and open jobs will only increase.
One effect of this long-term talent gap is a diminished security leadership pipeline. In a recent Gartner survey, 57% of respondents said they are struggling to find and hire emerging security leaders -- individuals who are not currently working in a formal leadership position or role, but have demonstrated the requisite aptitude, competencies and capabilities needed to lead a cybersecurity organization in the future. Retention is a challenge, too, given the average tenure for a CISO is between 18 and 26 months.
Organizations have a short window to identify, foster and hopefully retain a pipeline of emerging security leaders to ensure the long-term sustainability and effectiveness of their security programs.
Organizations facing these challenges must look to alternative mechanisms to fill the skills gap and create a strong plan for future security leadership. Here are key steps CISOs should take to mitigate the effects of a shortage of emerging leadership talent.
Identify and foster internal security talent
A key behavior exhibited by leading CISOs is having a formal and actionable succession plan. Another key differentiator is that leading CISOs focus their talent strategies on the future security skills needed by the enterprise. Adopting these practices is fundamental to fostering and protecting the organization's pipeline of emerging security leadership talent to ensure the sustainability and continuous improvement of its cybersecurity risk posture.
In the near term, IT and security leadership should establish "promote from within" as a first principle when filling internal cybersecurity leadership roles. This helps establish a succession plan for team leaders, middle management and ultimately CISO-level roles, supporting the longer-term sustainability of the security program. It also helps retain top security talent by showing them there is a clear and attainable career path at the organization should they stay.
Use regular performance and career discussions to start proactively identifying, evaluating and fostering emerging cybersecurity leaders. This signals to those interested in stepping up into more senior roles that their line managers are taking an active interest in their development.
CISOs can also work with HR to define critical leadership competencies required within their organizational context. Then, conduct a skills assessment across the IT workforce that includes an evaluation of leadership competencies. This helps identify team members with the leadership attributes, aptitude and interest who could develop to take on future leadership roles. Typical competencies for emerging security leaders include adaptability, ability to coach and mentor junior staff, communication, business acumen, decisiveness and diversity of opinion.
As emerging security talent is identified, arrange coaching and mentoring from business leaders for these individuals. Exposing emerging security leaders to experienced business mentors internally helps them become familiar with the organization's business operations, context, strategic objectives and risk appetite in a friendly and safe setting. In turn, it enables them to begin developing business judgment and relationships earlier, shortening the runway to full effectiveness once appointed to leadership roles. It also benefits business leadership by fostering greater familiarity with the security team, which, over time, makes for more business-centric security advice and improved information risk decision-making.
Use creative strategies to hire and develop leaders
Latent security leadership talent may exist outside of the IT or security team. In the longer term, security and business leaders must employ creative strategies to discover, hire and develop talent.
Consider a security champion program, for example, where members of the business or IT teams receive additional training on security issues and act as local advocates, performing roles such as disseminating security-related messaging, answering security-related questions, promoting secure practices and interfacing with security experts. Such a program not only supports current security behavior and culture initiatives, but it can also help identify emerging business leaders considering a career change to cybersecurity who can be mentored to aid in their transition over time.
CISOs should also use a portion of any increased funding for a leadership scholarship program. The knowledge imparted via external, business-centric courses such as MBA programs will help emerging security leaders gather foundational knowledge, skills and business acumen. Awarding scholarship funds across multiple individuals not only sends positive signals about potential career development to the rest of the workforce, but also enables multiple emerging leaders to develop at the same time. These programs could become a differentiating employee value proposition, helping attract new talent to the organization in a tight labor market.
Finally, identify opportunities to free up time for leadership development. Often, there is limited time to develop emerging talent due to the high demands placed on the security workforce. CISOs can find the time by identifying opportunities to create capacity and operational efficiency. This is achievable by outsourcing more commoditized security functions to managed security service providers or by using security orchestration, automation and response (SOAR) or AI-enabled capabilities to reduce the time spent on routine security processes.
What if they leave?
There is, of course, no guarantee an investment in fostering cybersecurity leadership talent will result in a high-potential individual staying until they are able to fill a future leadership vacancy. Other factors are key determinants of how long they stick around, including the prevailing corporate culture, perceptions about the quality of the organization's leadership or the individual's ability to secure a better role in another organization.
Any investment in an individual's development can only make them more attractive to other organizations. CISOs need to accept that they may not retain their proteges or see a full return on their development investment. However, there are clear benefits to continuing to develop emerging talent even without these guarantees in place.
Emerging leaders are more productive and effective in their roles when they're being developed. Additionally, valued employees are less likely to become disgruntled or, worse, malicious insiders -- an especially important consideration for cybersecurity personnel with elevated system access.
Departing emerging leaders are also more likely to speak positively about the organization when people in their professional networks who are considering applying ask about it, making it a more attractive opportunity in a high-demand skills market.
About the author
Richard Addiscott is an analyst at Gartner covering topics focused on improving security risk management maturity and outcomes, optimizing organizational security risk postures and demonstrating clear alignment between security and strategic business outcomes.