
Like what you read and curious about the conversation? Visit CISO Perspectives to get further insights into this topic. CISO Perspectives is a weekly column and podcast where Kim Jones explores the evolving landscape of cybersecurity leadership, talent, and risk—because success in cybersecurity is about people, not just technology.
But what do you really want?
Welcome to the CISO Perspectives Weekly Briefing, where we break down this week’s conversation, providing insights into relevant research and information to help you further understand the topics discussed.
At 450 words, this briefing is about a 5-minute read.
Bridging the gap.
When it comes to identifying cyber talent, there has been considerable discourse on how prospective employees can gain meaningful experience, the value of industry certifications, and the importance of obtaining college degrees. Though these conversations are important, it is equally important to emphasize that employers also need to understand and know how to address their existing gaps.
Previously, our conversations have revolved around using skills-based hiring to help find more impactful candidates. While this approach is beneficial and should be adopted, this method is only one part of a larger picture.
Looking at the larger perspective, the World Economic Forum (WEF) released a white paper in 2024 that discussed the merits of introducing a strategic cybersecurity talent framework. In this paper, the WEF explored four key areas to help address these gaps:
- Attracting more talent
- Improving cybersecurity education and training
- Rethinking recruitment practices
- Improving the retention of cybersecurity professionals
Alongside these select efforts, the WEF also emphasized the importance of finding a common language. For example, the WEF notes how terms such as skills shortage, talent shortage, capacity shortage, and experience shortage are all used interchangeably despite having distinct nuances. By first creating a common understanding, CISOs and other leaders can find a common ground to begin effectively tackling these four areas.
While the WEF’s recommendations go far beyond this summary, their key points carry significant merit, and, as the WEF concluded, leaving these challenges untackled “could have cascading implications for global security, economic stability, and technological innovation.”
Identifying your needs.
While every organization has unique workforce needs, there are universal principles that can serve as guidelines for more effective cybersecurity hiring. These principles include the following:
- Defining your role requirements using a skills framework, such as the NICE Framework.
- Assessing your internal gaps before posting a job.
- Prioritizing talent retention through continuous development.
Organizations must move away from legacy hiring models that have consistently yielded suboptimal results. Instead, organizations need to emphasize finding impactful talent and upskilling existing resources to be more effective.
Alongside adjusting talent expectations and methodologies, cybersecurity leaders need to accept the reality that breaches are going to happen, regardless of how many employees they have, the money invested in tools, or the number of hires they poach.
Driven by fear of incidents, many organizations overlook junior talent that could be nurtured into high-performing practitioners. Instead, they turn towards pouring significant resources into stealing talent for instant impact, even if that impact only lasts until that employee gets a higher offer.
To build a sustainable cyber workforce culture, leaders need to balance their immediate needs with their long-term goals, as anything less will continue to fuel the current challenges.