Tips for developing cybersecurity leadership talent – TechTarget

The global cybersecurity skills shortage is a well-documented challenge affecting organizations across all industries. A 35% growth in information security analyst roles is expected to occur between 2021 and 2031, according to the U.S. Bureau of Labor Statistics. As the cybersecurity jobs market continues to grow, the gap between the number of qualified security professionals and open jobs will only increase.
One effect of this long-term talent gap is a diminished security leadership pipeline. In a recent Gartner survey, 57% of respondents said they are struggling to find and hire emerging security leaders — individuals who are not currently working in a formal leadership position or role, but have demonstrated the requisite aptitude, competencies and capabilities needed to lead a cybersecurity organization in the future. Retention is a challenge, too, given the average tenure for a CISO is between 18 and 26 months.
Organizations have a short window to identify, foster and hopefully retain a pipeline of emerging security leaders to ensure the long-term sustainability and effectiveness of their security programs.
Organizations facing these challenges must look to alternative mechanisms to fill the skills gap and create a strong plan for future security leadership. Here are key steps CISOs should take to mitigate implications arising from a shortage of emerging leadership talent.
A key behavior exhibited by leading CISOs is having a formal and actionable succession plan. Another key differentiator is that leading CISOs focus their talent strategies on the future security skills needed by the enterprise. Adopting these practices is fundamental to fostering and protecting the organization’s pipeline of emerging security leadership talent to ensure the sustainability and continuous improvement of its cybersecurity risk posture.
In the near term, IT and security leadership should establish “promote from within” as a first principle when filling internal cybersecurity leadership roles. This helps establish a succession plan for team leaders, middle management and ultimately CISO-level roles, supporting the longer-term sustainability of the security program. It also helps retain top security talent by showing them there is a clear and attainable career path at the organization should they stay.
Use regular performance and career discussions to start proactively identifying, evaluating and fostering emerging cybersecurity leaders. This signals to those interested in stepping up into more senior roles that their line managers are taking an active interest in their development.
CISOs can also work with HR to define critical leadership competencies required within their organizational context. Then, conduct a skills assessment across the IT workforce that includes an evaluation of leadership competencies. This helps identify team members with the leadership attributes, aptitude and interest who could develop to take on future leadership roles. Typical competencies for emerging security leaders include adaptability, ability to coach and mentor junior staff, communication, business acumen, decisiveness and diversity of opinion.
As emerging security talent is identified, seek coaching and mentoring from business leaders for these individuals. Exposing emerging security leaders to experienced business mentors internally helps them become more familiar with the organization’s business operations, context, strategic objectives and risk appetite in a friendly and safe setting. In turn, it enables talent to begin developing these important behaviors earlier, shortening the runway to full effectiveness once appointed to leadership roles. It also helps business leadership by fostering greater familiarity within the security team, which, over time, makes for more business-centric security advice and improved information risk decision-making.
Latent security leadership talent may exist outside of the IT or security team. In the longer term, security and business leaders must employ creative strategies to discover, hire and develop talent.
Consider a security champion program, for example, where members of the business or IT teams receive additional training on security issues and act as local advocates, performing roles such as disseminating security-related messaging, answering security-related questions, promoting secure practices and interfacing with security experts. Such a program not only supports current security behavior and culture initiatives, but it can also help identify emerging business leaders considering a career change to cybersecurity who can be mentored to aid in their transition over time.
CISOs should also use a portion of any increased funding for a leadership scholarship program. The knowledge imparted via external, business-centric courses such as MBA programs will help emerging security leaders gather foundational knowledge, skills and business acumen. Awarding scholarship funds across multiple individuals not only sends positive signals about potential career development to the rest of the workforce, but also enables multiple emerging leaders to develop at the same time. These programs could become a differentiating employee value proposition, helping attract new talent to the organization in a tight labor market.
Finally, identify opportunities to free up time for leadership development. Often, there is limited time to develop emerging talent due to high demands placed on the security workforce. CISOs can find the time by identifying opportunities for creating capacity and operational efficiency. This is achievable by outsourcing more commoditized security functions to managed security service providers or using security orchestration, automation and response or AI-enabled capabilities to reduce time spent on security processes.
There is, of course, no guarantee an investment in fostering cybersecurity leadership talent will result in a high-potential individual staying until they are able to fill a future leadership vacancy. Other factors are key determinants of how long they stick around, including the prevailing corporate culture, perceptions about the quality of the organization’s leadership or the individual’s ability to secure a better role in another organization.
Any investment in an individual’s development can only make them more attractive to other organizations. CISOs need to accept that they may not retain their proteges or see a full return on their development investment. However, clear benefits are associated with continuing to develop emerging talent without these guarantees in place.
Emerging leaders are more productive and effective in their roles when they’re being developed. Additionally, valued employees are less likely to become disgruntled or, worse, malicious insiders — an especially important consideration for cybersecurity personnel with elevated system access.
Departing emerging leaders are also more likely to provide positive sentiments about the organization if asked by those in their professional networks applying to the organization, making it a more attractive opportunity in a high-demand skills market.
About the author
Richard Addiscott is an analyst at Gartner covering topics focused on improving security risk management maturity and outcomes, optimizing organizational security risk postures and demonstrating clear alignment between security and strategic business outcomes.