A robust cybersecurity program needs a range of skilled people, yet many CISOs continue to face an ongoing skills shortage — and the squeeze may only get worse as AI gains traction.
Some 95% of cybersecurity practitioners and decision-makers noted at least one security skills gap at their organization, with almost 60% citing critical or significant skills gaps, according to ISC2’s 2025 Cybersecurity Workforce Study.
AI is the most pressing skill need, followed by cloud security, risk assessment, application security, security engineering, and governance, risk, and compliance (GRC), the survey found.
There are no simple solutions for a profession that requires passion, curiosity, and a thirst for defending systems. Such professionals are a rare breed.
“You need to have a special mindset,” says Juan Gomez-Sanchez, VP of cyber resilience at McLane Company.
“While IT people are obsessed with how things work, security people are obsessed with how things break, and people who are truly effective and passionate about that can be difficult to find,” says Gomez-Sanchez.
Add to that the fact that cyber degree studies are challenging, technology is changing rapidly, and the profession is still comparatively young, and the true extent of the problem becomes clear.
If CISOs can’t hire the skills they need, some will look toward in-house training and development to foster that expertise.
“Hiring certain types of security professionals can be very difficult because the skills are not held by a lot of people, so I look for someone who’s got a solid security foundation in one or more other areas and transition them,” says Keith Turpin, CISO of The Friedkin Group.
This is its own challenge, requiring time and a good deal of unlearning certain things and honing that ‘how to break’ security mindset. For example, Turpin says, upskilling “someone who’s competent in networking, server administration, or software development to the equivalent security role takes an additional two years.”
Turpin has found that just establishing the security mindset can take up to a year within that timeframe. “Instead of thinking, ‘How do I keep it going,’ as the security person it’s thinking, ‘How can it go wrong.’ It’s a different approach,” he says.
“If I can find someone who’s got the right drive, the right people skills, they’re a good cultural fit, and they have the potential, I can turn them into a good technologist,” adds Turpin, who like Gomez-Sanchez will be inducted into the CSO Hall of Fame this year.
Gomez-Sanchez and Turpin are speaking at the CSO Cybersecurity Awards & Conference, May 11-13.
AI changes the equation
And then there’s AI. When it comes to security, AI may help partially offset cyber skills shortages by automating certain tasks, but it also ramps up cyberattack volumes and expands the organizational attack surface, without fixing CISOs’ ongoing talent pipeline problems. In fact, AI may end up worsening the structural skills shortage.
“You can have 100, 1,000, 10,000 instances of AI doing the work of enabling attacks at much greater scale, including against smaller, less protected targets because they’re now within reach because the barrier is lower,” says Turpin.
This increases the pressure on defenders and compounds the workforce challenge, even as AI helps automate some tasks. But AI is not going away and will only increase in importance for both attackers and defenders.
“I’m encouraging my teams to look for opportunities to leverage AI and look at how our vendors are leveraging AI,” he says.
“This is what we’re going to be dealing with five years down the road. It’s going to be the center of technology so we can’t afford not to learn this,” he adds.
Reducing the organizational risk of skills shortages
Skills shortages are more than just an inconvenience; they pose organizational risks on par with threats and malicious attacks, says Gomez-Sanchez, who views them “much the way that you think about threat actors and vulnerabilities.”
“Your ability to execute is limited by the amount of people you have to actually do the work,” he explains.
As a result, Gomez-Sanchez encourages CISOs to view the skills gaps and talent shortages as a first-class security risk that needs to be managed as a KPI for the security function. “Our ability to attract and retain good talent is a major measure of capability,” he says.
Being structural rather than temporary, skills gaps place significant pressure on CISOs’ sourcing decisions. “Security people may choose to do things differently, especially as it relates to insourcing or outsourcing because of the talent shortage,” Gomez-Sanchez notes.
By the same token, staffing constraints can shape architecture and tooling choices. For example, Gomez-Sanchez adds, a host of best-of-breed point tools instead of a more integrated platform usually requires more headcount and expertise to stitch together.
Gomez-Sanchez also gives the example of adopting a single hyperscaler versus a multicloud strategy and the increase in human workload and skills required to secure it. “Ultimately, you want to leverage native controls within the hyperscaler, and that requires you to have specialized skills in each one of those,” he says.
CISOs have also looked to automation to absorb some headcount pressure, but doing so isn’t always a simple fix. Gomez-Sanchez sees agent-enabled automation as a means of providing more firepower for developers and analysts, among other roles. But the reality of agentic AI capabilities for cybersecurity remains a work in progress.
What’s clear is that persistent talent shortages are forcing CISOs to rethink hiring and training as one of numerous ways to reduce the risk that comes with the skills gap. This entrenched problem — and CISOs’ attempts to address it — will also have a significant impact on the decisions security leaders will make regarding cyber architecture, platforms, processes, and AI use ahead.