The Biggest Challenge for CISOs Isn't What You Think

The Biggest Challenge for CISOs Isn't What You Think

The biggest challenge for CISOs in the next five years won’t be blockbuster malware, shadow IT, the explosion of connected devices, or even regulatory pressure.

The biggest challenge will be a human one: hiring and retaining enough skilled professionals to make a security program work in the face of increasing complexity.

Retention amidst a skills shortage

The cybersecurity skills shortage is a well-known issue. An (ISC)2 study found that 63% of organizations are experiencing a shortage of IT staff dedicated to cybersecurity, and nearly 60% of organizations say they are at moderate or extreme risk of cyber attacks as a result.

This isn’t just a recruiting challenge, it’s a retention challenge as well. IT and security professionals face long work hours, high-pressure situations, and alert fatigue that compound stress and burnout, and 65% of these professionals are considering quitting.

Even CISOs themselves are burning out. 88% of CISOs report working more than 40 hours per week, and 51% of tech executives experience stress-related illnesses as a direct result of breaches and outages.

In response to the talent shortage, many organizations have to rely on remote, third-party, and temporary teams — in a 2019 Deloitte survey, the majority of CISOs (81%) indicated that full-time employees made up less than 20% of their cyber teams.

Overcoming the challenge

Navigating the modern risk landscape is a huge challenge, and regardless of whether a team is in-house or remote, it needs to be top-notch. This is a tall order, made taller by the talent shortage. There’s no one answer for CISOs, but a combination of different initiatives could ease the negative effects of the skills shortage.

Internal team development

Professional development for internal teams is a win-win. When employees gain new skills, they don’t just perform better in their roles — they also feel more engaged and are more likely to stay with their organization. In fact, 93% of employees would stay at a company longer if it invested in their careers.

With cybersecurity becoming more complex every day, sponsoring certification courses for motivated employees will pay off in the long run. Cybersecurity certifications help employees excel in their current roles and prepare them for higher-level positions, so they’re a wise investment for CISOs.

Making cybersecurity an organization-wide effort

The immense stress felt by cybersecurity professionals is in part due to the misconception that sole responsibility for the organization’s cybersecurity falls on their shoulders. In reality, all business units should be responsible for upholding an organization-wide cybersecurity culture.

Maintaining buy-in from the C-suite and Board is perhaps the most important component of an organization’s cybersecurity culture. In order to implement effective change, executive leadership has to understand the importance of cybersecurity in the context of the organization’s goals.

With executive buy-in, broader cybersecurity initiatives like security awareness training can be implemented, with a focus on prevention rather than remediation.

Cybersecurity should also have a voice in vendor procurement. Procurement teams can evaluate risk associated with onboarding each vendor and ensure that security obligations are clearly spelled out in contracts.

Employee engagement and anti-burnout actions

Some of the best retention strategies for cybersecurity professionals will be the same as retention strategies for any other position: benefits and engagement.

Paid time off and employee wellness programs are particularly important for high-stress positions. As part of these programs, some companies offer free gym memberships, healthy snacks, yoga classes, or even massages.

There should also be a mental health component to wellness programs — mental health issues cost the U.S. 35 million lost work days and $105 billion in lost productivity every year. To reduce burnout, some companies encourage employees to take “mental health days” when necessary.

Employees also need to know that their concerns are being heard and taken seriously. Organizations can utilize employee engagement surveys to check in and identify areas for improvement, and create communication channels between staff and leadership.


The biggest challenge on the horizon for CISOs will have more to do with recruiting and retention than cyber attacks. From the talent shortage to structural changes, it will be harder than ever to maintain solid IT and cybersecurity teams, and CISOs will need to adjust to the changing HR climate just as they adjust to evolving cyber attacks.