{"id":15884,"date":"2026-03-02T07:08:11","date_gmt":"2026-03-02T07:08:11","guid":{"rendered":"https:\/\/newestek.com\/?p=15884"},"modified":"2026-03-02T07:08:11","modified_gmt":"2026-03-02T07:08:11","slug":"how-cisos-can-build-a-resilient-workforce","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15884","title":{"rendered":"How CISOs can build a resilient workforce"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

With ongoing skills gaps, AI reshaping roles and workforce stress as standing concerns for many CISOs, ensuring the resilience of the workforce has become top of mind. But due to budget constraints, return to office mandates and teams struggling to keep up with the threat landscape, CISOs are faced with a real challenge.<\/p>\n

Stephen Ford<\/a>, VP and CISO at Rockwell Automation, knows what many CISOs face: it\u2019s often difficult to find the properly skilled resources to deliver a strong cybersecurity program and capabilities. \u201cSo, workforce sustainability is an important consideration,\u201d says Ford.<\/p>\n

Workforce resilience requires data-backed planning, managing the skills mix, and looking after the team as another element of risk management.<\/p>\n

How CISOs are approaching workforce planning<\/h2>\n

Because the nature of cybersecurity work is unpredictable, Ford actively monitors his team to have a sense of how they\u2019re managing. \u201cThere\u2019s a fair amount of project work, but there\u2019s also a lot of work that\u2019s a reaction to events and depending on how many events or issues we run into, we could easily overwhelm the team,\u201d he says.<\/p>\n

This concern is well founded, with the 2025 ISC2 Cybersecurity Workforce Study<\/a> finding 47% of participants report feeling overwhelmed with the workload they\u2019re expected to bear.<\/p>\n

Jon France, ISC2 CISO, agrees that workforce sustainability \u2014 managing stress, burnout and workload \u2014 is a standing concern, not a side issue.<\/p>\n

\u201cLooking after the team and leveraging the team without killing them is on our agenda too,\u201d says France.<\/p>\n

Ford has developed strategies to not only recruit talent but maintain their interests and get them through the ebbs and flows of daily life in cybersecurity. \u201cI put a focus around monitoring the workforce and trying to get a good sense of the workloads that are coming in.\u201d<\/p>\n

Having a team that\u2019s properly staffed is important and this is where data is helpful to gauge the workload and make the argument to support resourcing. \u201cIt can sometimes be a little difficult to get your arms around it, but the right processes and ability to measure work help to calculate the expected workload and determine an acceptable resource level to support that workload,\u201d Ford says.<\/p>\n

The challenge of quantifying workload and justifying resourcing decisions is commonplace. Only 55% of respondents believe their organizations have the resources needed to adequately address security incidents over the next two to three years, according to the ISC2 study.<\/p>\n

Burnout leads to job dissatisfaction<\/h2>\n

Burnout is an ongoing concern for many CISOs and their teams, especially when unpredictable events can trigger workload spikes, burnout can escalate fast. \u201cIt\u2019s something that can overwhelm pretty quickly,\u201d Ford says.<\/p>\n

Industry surveys continue to flash red on persistent burnout that leads to job dissatisfaction. The ISC2 study found almost half of respondents (48%) saying they felt exhausted trying to keep on top of the latest threats and emerging technology.<\/p>\n

Ford approaches it as both a leadership and an operating-model issue, keeping in touch with workloads in the team and having a sustainable pipeline of talent to avoid overwhelming them with attrition. \u201cI try to hire good people, empower them to operate, and delegate as much as I can.\u201d<\/p>\n

While it\u2019s hard to eliminate these issues entirely, using data to inform staffing levels, aiming to balance workloads as much as possible, and paying attention to the culture that surrounds the team are some of Ford\u2019s strategies.<\/p>\n

\u201cWe spend time building good teams and we need to spend time to understand the challenges, the workload, and how they feel about the work.\u201d<\/p>\n

AI as a force multiplier, not a headcount strategy<\/h2>\n

Tooling and technology have always reshaped roles, and it\u2019s no different with AI. This time, it\u2019s the scale and speed of adoption, the fear, uncertainty and doubt about what it means for entry-level roles.<\/p>\n

More than two-thirds (69%) of respondents are on a path towards regular AI use, ISC2 indicates, which includes evaluating, testing and incorporating these tools into their operations.<\/p>\n

At software vendor Kantata, there\u2019s a shift towards an AI-augmented workforce model that prioritizes automating high-volume tasks and integrating AI co-pilots to act as a force multiplier for team members. This includes high-friction areas like TPRM, security assessments such as RFP\/RFI responses, and threat monitoring to significantly reduce operational noise.<\/p>\n

\u201cBy automating the first pass of data ingestion and alert triaging, our teams can focus on high-fidelity incidents and strategic decision-making rather than repetitive manual tasks,\u201d says Taison Kearney<\/a>, Kantata\u2019s CISO and DPO.<\/p>\n

To ensure this doesn\u2019t simply increase the workload, they reinvest the time saved into formalized upskilling, ensuring efficiency gains support team longevity and professional growth. Kearney believes that automation combined with upskilling helps reduce burnout and allows internal expertise to adapt to the threat landscape. \u201cIt secures our long-term sustainability by preserving institutional knowledge and providing our talent with a clear, high-growth career path.\u201d<\/p>\n

France sees AI changing entry-level work but not erasing it. Citing the example of SOC analysts<\/a>, he says it\u2019s not going to replace the human in the loop. \u201cBut it\u2019ll get them to a decision quicker, or at least get them to a more accurate picture of what\u2019s going on.\u201d<\/p>\n

He acknowledges fears about losing foundational experiences, but he believes we\u2019ve been through this with other technical revolutions. \u201cI think it\u2019ll change some roles, but ultimately will not replace them. Coupled with that, it\u2019s an efficiency gain,\u201d France says.<\/p>\n

Kearney thinks AI is compressing the career ladder by automation of repetitive Tier 1 tasks that traditionally served as an entry-level apprenticeship. Consequently, junior roles are shifting from manual triage towards more complex problem solving \u2014 to the benefit of both employees and organizations.<\/p>\n

\u201cThis forces new hires to possess architectural and strategic skills much earlier in their career, ultimately potentially driving a higher reliance on AI capabilities for these individuals to be successful,\u201d Kearney says.<\/p>\n

Staff have dedicated time for training, and the goal is for the team to develop the deep architectural knowledge with \u2018human-in-the-loop\u2019 expertise that\u2019s increasingly required for complex defense. \u201cThis approach transforms the \u2018urge to learn\u2019 into a clear career pathway that values institutional knowledge and continuous professional evolution,\u201d Kearney says.<\/p>\n

Building the cyber team amid a skill shortage<\/h2>\n

Managing workload is a day-to-day concern but alongside this challenge is the task of building the right cyber team \u2014 using recruitment and developing existing staff. Yet it\u2019s by no means a simple task, almost two-thirds of respondents in the ISC2 survey identified critical or significant skills shortages within their teams, underscoring that the challenge is both staffing and capability.<\/p>\n

Ford agrees it\u2019s difficult to find top-tier talent across all the different cybersecurity disciplines, especially for a large organization like Rockwell. His strategy entails bringing in a key expert or two in different disciplines with years of experience and adding more junior, early career people. \u201cPairing them with seasoned experts allows you to build an effective, sustainable team over time, and I\u2019ve seen that work extremely well for organizations with early career programs.\u201d<\/p>\n

He also looks for experts from adjacent disciplines such as infrastructure, the data center space or application development keen to break into cyber. \u201cI\u2019m not recruiting for everyone. I\u2019m recruiting for a few top experts and then building a pipeline either through early career or other similar activities from a technology space to get an effective cyber team,\u201d he says.<\/p>\n

Rockwell has college intern and early career programs and strong relationships with local universities to bring in early talent and make them part of its projects with hopes of retaining some for full-time employment.<\/p>\n

The early career people don\u2019t always fully grasp the different disciplines and activities that one can do in cybersecurity and Ford says they focus on helping them learn and gain an interest in cyber. \u201cYou end up with somebody that\u2019s committed through time and a very strong employee and you can start looking at building the pipeline for senior level positions.\u201d<\/p>\n

Where other organizations may look to fill gaps with external providers like managed service providers, Ford said Rockwell would rather cultivate the talent and expertise in-house. He finds it helps develop staff with an understanding of the critical knowledge about the organization and its operations \u2014 rather than see this valuable \u201cthought leadership\u201d sit outside the building.<\/p>\n

In some cases, early careers professionals are able to solve complex problems based on them being closer to new technology. \u201cSome of the younger generations are actually more wired and suited to leverage some of the new technologies like AI, whereas some of the older, more seasoned professionals may be more of a traditionalist,\u201d Ford tells CSO.<\/p>\n

Hiring managers and cybersecurity professionals are closely aligned, with the study showing problem solving, collaboration, communications, willingness to learn, and strategic thinking are the top non-technical skills across both groups.<\/p>\n

France widens what \u201cgood security talent\u201d looks like, emphasizing communication skills, critical thinking, and curiosity in addition to core technical skills. Approaching it this way there is a broader talent pool to draw from. \u201cYou don\u2019t have to come from a technical background, you can come from adjacent industries and bring those experiences in.\u201d<\/p>\n

How CISOs can manage workforce planning<\/h2>\n

1. Bake in human sustainability<\/strong><\/p>\n