Four Takeaways from CISOs on Talent Strategy


Community Blog
Written by Laurel Hiestand

DECEMBER 5, 2023

Like all C-level leaders, CISOs started the year amidst economic uncertainty and the need to optimize costs and increase operational efficiencies. In addition, they face a threat landscape that’s constantly changing and the addition of new technologies, like generative AI tools, that require them to balance the needs of the business with risk management. CISOs in Evanta communities often tell us it is challenging to find skilled cybersecurity workers who can keep up with their evolving needs and fit into their budgets.

With all of the changes in the workforce in the past few years, we wondered how CISOs were impacted as they try to recruit and retain cybersecurity talent. Here are some highlights from our recent Community Pulse Survey, in which more than 350 security leaders gave us their thoughts on talent strategies.
 

1. Skilled Roles Are Harder to Fill

Half of CISOs (50%) report that the skilled roles in their organizations seem harder to fill than in past years. Thirty-seven percent say that it is about the same as prior years, and 13% do not think it’s harder to fill roles currently.


2. Recruitment vs Retention

An astonishing 96% of CISOs believe that recruiting is either “very challenging” (43%) or “somewhat challenging” (53%) right now. This represents a higher percentage of executives reporting that recruiting is “very challenging” than any other C-suite role we surveyed. Only 4% of security leaders say that recruiting is not challenging at present.

Retention is slightly less of a challenge for CISOs, with 82% categorizing it as challenging. Nineteen percent say it is “very challenging,” and 63% report that it is “somewhat challenging.” Eighteen percent of CISOs do not think retention is challenging.
 

3. Upskilling & Reskilling Current Employees

CISOs have multiple strategies to address their talent shortages, with 21% saying they are upskilling or reskilling current employees. Seventeen percent of security leaders are focusing on retaining people in key positions. Outsourcing or contracting some roles and promoting from within are each cited by 16% of CISOs as other tactics.

In the comments for “Other” strategies, CISOs say they are “hiring junior people based on potential rather than expertise,” and several mentioned internship and apprenticeship programs.


On a related question, 64% of CISOs say they are either very confident (12%) or somewhat confident (52%) in their organizations’ ability to upskill or reskill the workforce to close the skill gaps. Twenty-seven percent are neutral, and 8% are not confident about upskilling talent at their company. Only 2% of security leaders report that their organization does not have a strategy to upskill the workforce. 
 

4. Factors Impacting Their Talent Strategy

When asked about the factors that are impacting their recruiting and retention strategies, 31% of CISOs cite the need for specific skill sets, such as cybersecurity skills. Another 28% say that their budget or a lack of resources is impacting talent strategies. Twenty-two percent believe that workplace policies, such as returning to the office, may be a factor.


Under “Other” possible factors, CISOs suggest that the “speed of the competition,” “high salary demands,” and “new rules about return to work” are impacting their workforce strategies.
 

Forward-Looking Talent Strategies

We asked CISOs an open-ended question at the end of the survey about their talent strategies, specifically if their approach had changed after several tumultuous years of workforce trends. (We surveyed them previously during the Great Resignation and the Race for Talent.) 

Here is a sample of their responses on what their strategies look like now and in the year ahead:
 

“Get creative – and more consideration given to ‘growing’ the talent by hiring more junior or less experienced staff and providing them with the training and exposure to upskill.”

“Hire for potential – meaning, the candidate has the potential to fulfill the job requirements, but not necessarily the past experience to exactly match the open job requisition.”

“Cross training is a priority now, and working with the IT folks on cyber hygiene so that we can have a more effective vulnerability and patch management process. Also looking into compensation and training opportunities to help retain employees.”

“It's important to meet employees where they are in terms of location. While I do see value in in-person meetings, I also don't think it's wise to lose skilled talent by forcing an in-the-office policy. I have said for over 20 years now – either the work is getting done or it isn't.”


Recruiting in cybersecurity is not a new challenge for CISOs. In fact, two CISOs in Evanta communities contributed to our Executive Blog this year, offering creative and innovative ways to build pipelines with security talent. You can read more on this topic from Steven Aiello, Security and Compliance Practice Director (CISO) of consulting company AHEAD, here, and Joshua Dray, CISO of San Jacinto College, here.

If you find data and insights like these valuable, check out your regional Evanta CISO community and apply to join. We also have a busy season of executive programs available – check out an upcoming opportunity to get together with your CISO peers.


Laurel Hiestand

Sr Director, Content at Evanta, a Gartner Company