How CISOs can build a resilient workforce

With ongoing skills gaps, AI reshaping roles and workforce stress as standing concerns for many CISOs, ensuring the resilience of the workforce has become top of mind. But with budget constraints, return-to-office mandates and teams struggling to keep up with the threat landscape, CISOs face a real challenge.

Stephen Ford, VP and CISO at Rockwell Automation, knows what many CISOs face: it’s often difficult to find the properly skilled resources to deliver a strong cybersecurity program and capabilities. “So, workforce sustainability is an important consideration,” says Ford.

Workforce resilience requires data-backed planning, managing the skills mix, and looking after the team as another element of risk management.

How CISOs are approaching workforce planning

Because the nature of cybersecurity work is unpredictable, Ford actively monitors his team to have a sense of how they’re managing. “There’s a fair amount of project work, but there’s also a lot of work that’s a reaction to events and depending on how many events or issues we run into, we could easily overwhelm the team,” he says.

This concern is well founded, with the 2025 ISC2 Cybersecurity Workforce Study finding 47% of participants report feeling overwhelmed with the workload they’re expected to bear.

Jon France, ISC2 CISO, agrees that workforce sustainability — managing stress, burnout and workload — is a standing concern, not a side issue.

“Looking after the team and leveraging the team without killing them is on our agenda too,” says France.

Ford has developed strategies to not only recruit talent but maintain their interests and get them through the ebbs and flows of daily life in cybersecurity. “I put a focus around monitoring the workforce and trying to get a good sense of the workloads that are coming in.”

Having a team that’s properly staffed is important and this is where data is helpful to gauge the workload and make the argument to support resourcing. “It can sometimes be a little difficult to get your arms around it, but the right processes and ability to measure work help to calculate the expected workload and determine an acceptable resource level to support that workload,” Ford says.

The challenge of quantifying workload and justifying resourcing decisions is commonplace. Only 55% of respondents believe their organizations have the resources needed to adequately address security incidents over the next two to three years, according to the ISC2 study.

Burnout leads to job dissatisfaction

Burnout is an ongoing concern for many CISOs and their teams. When unpredictable events trigger workload spikes, burnout can escalate fast. “It’s something that can overwhelm pretty quickly,” Ford says.

Industry surveys continue to flash red on persistent burnout that leads to job dissatisfaction. The ISC2 study found almost half of respondents (48%) saying they felt exhausted trying to keep on top of the latest threats and emerging technology.

Ford approaches it as both a leadership and an operating-model issue, keeping in touch with workloads in the team and having a sustainable pipeline of talent to avoid overwhelming them with attrition. “I try to hire good people, empower them to operate, and delegate as much as I can.”

While it’s hard to eliminate these issues entirely, using data to inform staffing levels, aiming to balance workloads as much as possible, and paying attention to the culture that surrounds the team are some of Ford’s strategies.

“We spend time building good teams and we need to spend time to understand the challenges, the workload, and how they feel about the work.”

AI as a force multiplier, not a headcount strategy

Tooling and technology have always reshaped roles, and it’s no different with AI. What stands out this time is the scale and speed of adoption, along with the fear, uncertainty and doubt about what it means for entry-level roles.

More than two-thirds (69%) of respondents are on a path towards regular AI use, ISC2 indicates, which includes evaluating, testing and incorporating these tools into their operations.

At software vendor Kantata, there’s a shift towards an AI-augmented workforce model that prioritizes automating high-volume tasks and integrating AI co-pilots to act as a force multiplier for team members. This includes high-friction areas like third-party risk management (TPRM), security assessments such as RFP/RFI responses, and threat monitoring, with the aim of significantly reducing operational noise.

“By automating the first pass of data ingestion and alert triaging, our teams can focus on high-fidelity incidents and strategic decision-making rather than repetitive manual tasks,” says Taison Kearney, Kantata’s CISO and DPO.

To ensure this doesn’t simply increase the workload, they reinvest the time saved into formalized upskilling, ensuring efficiency gains support team longevity and professional growth. Kearney believes that automation combined with upskilling helps reduce burnout and allows internal expertise to adapt to the threat landscape. “It secures our long-term sustainability by preserving institutional knowledge and providing our talent with a clear, high-growth career path.”

France sees AI changing entry-level work but not erasing it. Citing the example of SOC analysts, he says it’s not going to replace the human in the loop. “But it’ll get them to a decision quicker, or at least get them to a more accurate picture of what’s going on.”

He acknowledges fears about losing foundational experiences, but he believes we’ve been through this with other technical revolutions. “I think it’ll change some roles, but ultimately will not replace them. Coupled with that, it’s an efficiency gain,” France says.

Kearney thinks AI is compressing the career ladder by automating the repetitive Tier 1 tasks that traditionally served as an entry-level apprenticeship. Consequently, junior roles are shifting from manual triage towards more complex problem solving, to the benefit of both employees and organizations.

“This forces new hires to possess architectural and strategic skills much earlier in their career, ultimately potentially driving a higher reliance on AI capabilities for these individuals to be successful,” Kearney says.

Staff have dedicated time for training, and the goal is for the team to develop the deep architectural knowledge with ‘human-in-the-loop’ expertise that’s increasingly required for complex defense. “This approach transforms the ‘urge to learn’ into a clear career pathway that values institutional knowledge and continuous professional evolution,” Kearney says.

Building the cyber team amid a skill shortage

Managing workload is a day-to-day concern, but alongside this challenge is the task of building the right cyber team through recruitment and developing existing staff. It’s by no means a simple task: almost two-thirds of respondents in the ISC2 survey identified critical or significant skills shortages within their teams, underscoring that the challenge is both staffing and capability.

Ford agrees it’s difficult to find top-tier talent across all the different cybersecurity disciplines, especially for a large organization like Rockwell. His strategy entails bringing in a key expert or two in different disciplines with years of experience and adding more junior, early career people. “Pairing them with seasoned experts allows you to build an effective, sustainable team over time, and I’ve seen that work extremely well for organizations with early career programs.”

He also looks for experts from adjacent disciplines such as infrastructure, the data center space or application development keen to break into cyber. “I’m not recruiting for everyone. I’m recruiting for a few top experts and then building a pipeline either through early career or other similar activities from a technology space to get an effective cyber team,” he says.

Rockwell has college intern and early career programs and strong relationships with local universities to bring in early talent and make them part of its projects with hopes of retaining some for full-time employment.

Early-career people don’t always fully grasp the different disciplines and activities available in cybersecurity, and Ford says the focus is on helping them learn and gain an interest in cyber. “You end up with somebody that’s committed through time and a very strong employee and you can start looking at building the pipeline for senior level positions.”

Where other organizations may look to fill gaps with external providers like managed service providers, Ford said Rockwell would rather cultivate the talent and expertise in-house. He finds it helps develop staff with an understanding of the critical knowledge about the organization and its operations — rather than see this valuable “thought leadership” sit outside the building.

In some cases, early-career professionals are able to solve complex problems because they are closer to new technology. “Some of the younger generations are actually more wired and suited to leverage some of the new technologies like AI, whereas some of the older, more seasoned professionals may be more of a traditionalist,” Ford tells CSO.

Hiring managers and cybersecurity professionals are closely aligned, with the study showing problem solving, collaboration, communications, willingness to learn, and strategic thinking are the top non-technical skills across both groups.

France widens what “good security talent” looks like, emphasizing communication skills, critical thinking, and curiosity in addition to core technical skills. Approaching it this way, there is a broader talent pool to draw from. “You don’t have to come from a technical background, you can come from adjacent industries and bring those experiences in.”

How CISOs can manage workforce planning

1. Bake in human sustainability

  • Treat stress and burnout like any other risk indicator.
  • Design rotations, on‑call policies, and staffing to manage workloads.

2. Use AI to redesign roles, not erase them

  • For entry‑level roles shift tasks from:
      – Manual sifting → AI‑assisted triage and investigation.
      – Pure grunt work → judgment, escalation, and interpretation.
  • Maintain human in the loop in job descriptions and process design.

3. Protect foundational learning in an automated environment

  • Plan structured skills pathways: simulations, labs, red/blue exercises so juniors still learn what AI automates away.
  • Pair juniors with senior analysts to upskill and explain why the tooling is making decisions.

4. Plan skills mix, not just headcount

  • Intentionally recruit for communication, critical thinking, curiosity, not just technical certifications.
  • Map your team to both technical depth and business‑risk communication needs.

5. Treat culture as part of resilience

  • Delegate, manage the staffing pipeline, and pay attention to team workload and culture.
  • Encourage leaders to plug into peer networks for both intel sharing and emotional support, recognizing that CISO burnout is a systemic risk.