Dr. Andrea Cullen: Strength in partnership – why the CISO can’t build a cyber team alone


According to the 2024 ISC2 cyber workforce study, cyber professionals are facing one of the most challenging threat landscapes seen in the last five years – exacerbated by the increasingly widening cyber skills gap.

Currently, the active global cyber workforce sits at 5.5 million, but the total workforce needed to satisfy demand has increased by 8.1% year-on-year and sits at 10.2 million globally.

Fuelling this staffing crisis is a landscape of hiring freezes, a small hiring pool and tight budgets. So when the right people are found for vacancies, leaders must create a culture that will encourage them to stay. However, creating such workplaces needs the combined efforts of the CISO (or cyber leader equivalent) and HR. No function can do this alone.

The Cyber Role Model

In the current threat landscape, CISOs simply don’t have the bandwidth to act as technical and people lead. Workloads are high for cyber leaders, 25% of whom have experienced layoffs and 37% of whom have faced budget cuts. And while they will no doubt be capable managers, they may lack some specialist skills to fully embrace both roles.

That’s not to say CISOs don’t have an important people role to play in their teams. They do. CISOs are critical figureheads of the cyber function – a team that works within challenging environments. For this reason, they need to act as role models to their teams and use their influence to lead by example when establishing a healthy workplace culture. This is fundamental to improving retention and job satisfaction within cyber.

But what exactly does being a good role model mean? In this case, it’s about demonstrating habits that keep work manageable. Implementing flexible working options allows teams to manage life outside of work and maintain other commitments such as childcare. Plus, it reduces the pressure to be ‘on’ 24/7 and means that teams can still prioritise the downtime they need to recharge.

Building Resiliency With HR

One in four CISOs is considering leaving their jobs due to burnout from long hours. With CISOs themselves overworked, there is all the more reason to seek help in the journey to building more resilient cyber workplaces. This is where HR comes in. HR and hiring managers can help build a strong, trusted and inclusive team by partnering with the cyber function. During my career, I’ve seen how the best teams manage this. Here are some of the strategies they use:

  • Taking on temporary resources to support teams: Tight budgets make alleviating pressures on the team challenging and blanket hiring freezes can seemingly remove the option of bringing more hands on deck to balance the workload. However, CISOs and HR can use an alternative strategy to avoid burnout or low morale within their teams. Taking on temporary contractual help can enable leaders to bring on the extra help they need even during hiring freezes and budget constraints. Deploying temporary cyber practitioners can be financed through a different CapEx budget, rather than the permanent staff allocation, and saves companies the cost of national insurance and holiday pay, for example.
  • Building resilience with diversity: Diversity of skills and thinking is essential for tackling cyber-attacks. For this reason, HR must focus on breaking down barriers in cyber by promoting diversity in skills and backgrounds within their teams. This can be achieved by diversifying the hiring process. This both broadens the talent pool and provides unique perspectives on how cyber threats impact different business areas, ultimately creating a more resilient cyber team and strengthening the organisation’s defences.
  • Don’t be trapped by traditional CVs: Cyber has a small talent pool with competitive salaries, making it challenging to hire for. HR and cyber leaders need to avoid creating more restrictions for themselves by remaining open to considering candidates who may not fit the traditional mould of what a cyber employee looks like. This could mean opening up hiring cycles to be more accommodating to career changers with valuable transferrable skills such as communication and teamwork, or those from non-traditional cyber backgrounds such as not having a STEM degree.
  • Reskilling from within: Leaders may find a strong talent pool already exists within their organisations and can find loyal talent within existing business functions. Those responsible for championing cyber best practices in other lines of business may already have some skills well-suited to a career change. Similarly, to avoid losing loyal talent to redundancies, reskilling internal talent into the cyber function can retain those with strong business knowledge and remove a lengthy external hiring process. The CISO and HR team can then work closely to reskill individuals in the technical and impact foundational skills they need.

Strength in Partnership

While they can’t build a strong team alone, the CISO should act as a strong role model to build a strong team culture from the top down and foster an engaged and motivated team. But, ultimately, they also need to team up with HR to recruit, train, and retain top talent, ensuring the cyber function is well-equipped to tackle the ever-evolving threat landscape.

Andrea Cullen
CEO & Co-founder at 

Andrea has worked in cyber for almost 20 years in a number of roles, the most recent of which is as a Co-founder of CAPSLOCK, an award-winning company that reskills adults into cyber professionals. She previously worked as a senior academic; co-authoring and delivering a GCHQ-certified Masters cyber security degree and publishing extensively in the area of computer science and cyber security. She has also spent time in industry working as a cyber consultant to public and private sector organisations. She was recently granted full membership to the Chartered Institute of Information Security and is passionate about helping the cyber industry become a more diverse place to learn and work.
