{"id":16171,"date":"2026-05-05T09:10:54","date_gmt":"2026-05-05T09:10:54","guid":{"rendered":"https:\/\/newestek.com\/?p=16171"},"modified":"2026-05-05T09:10:54","modified_gmt":"2026-05-05T09:10:54","slug":"cisos-step-up-to-the-security-workforce-challenge","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16171","title":{"rendered":"CISOs step up to the security workforce challenge"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

A robust cybersecurity program needs a range of skilled people, yet many CISOs continue to face an ongoing skills shortage \u2014 and the squeeze may only get worse as AI gains traction.<\/p>\n

Some 95% of cybersecurity practitioners and decision-makers\u00a0noted at least one security skills gap at their organization, with almost 60% citing critical or significant skills gaps, according to ISC2\u2019s 2025 Cybersecurity Workforce Study<\/a>.<\/p>\n

AI is the most pressing skill need, followed by cloud security, risk assessment, application security, security engineering, and governance, risk, and compliance (GRC), the survey found.<\/p>\n

There are no simple solutions for a profession that requires passion, curiosity, and a thirst for defending systems. Such professionals are a rare breed.<\/p>\n

\u201cYou need to have a special mindset,\u201d says Juan Gomez-Sanchez<\/a>, VP of cyber resilience at McLane Company.<\/p>\n

\u201cWhile IT people are obsessed with how things work, security people are obsessed with how things break, and people who are truly effective and passionate about that can be difficult to find,\u201d says Gomez-Sanchez.<\/p>\n

Add to that the fact that the cyber degree studies are challenging, technology is changing rapidly, and the profession is still comparatively young, and the true extent of the problem becomes clear.<\/p>\n

If CISOs can\u2019t hire the skills they need, some will look toward in-house training and development to foster the expertise they need.<\/p>\n

\u201cHiring certain types of security professionals can be very difficult because the skills are not held by a lot of people, so I look for someone who\u2019s got a solid security foundation in one or more other areas and transition them,\u201d says Keith Turpin<\/a>, CISO of The Friedkin Group.<\/p>\n

This is its own challenge, requiring time and a good deal of unlearning certain things and honing that \u2018how to break\u2019 security mindset. For example, Turpin says, upskilling \u201csomeone who\u2019s competent in networking, server administration, or software development to the equivalent security role takes an additional two years.\u201d<\/p>\n

Turpin has found that just establishing the security mindset can take up to a year within that timeframe. \u201cInstead of thinking, \u2018How do I keep it going,\u2019 as the security person it\u2019s thinking, \u2018How can it go wrong.\u2019 It\u2019s a different approach,\u201d he says.<\/p>\n

\u201cIf I can find someone who\u2019s got the right drive, the right people skills, they\u2019re a good cultural fit, and they have the potential, I can turn them into a good technologist,\u201d adds Turpin, who like Gomez-Sanchez will be inducted into the CSO Hall of Fame<\/a> this year.<\/p>\n

Gomez-Sanchez and Turpin are speaking at the CSO Cybersecurity Awards & Conference, May 11-13.\u00a0<\/em>Reserve your place<\/em><\/strong><\/a>.<\/em><\/strong><\/p>\n

AI changes the equation<\/h2>\n

And then there\u2019s AI. When it comes to security, AI may help partially offset cyber skills shortages by automating certain tasks<\/a>, but it also ramps up cyberattack volumes and expands the organizational attack surface, without fixing CISOs\u2019 ongoing talent pipeline problems<\/a>. In fact, AI may end up worsening the structural skills shortage.<\/p>\n

\u201cYou can have 100, 1,000, 10,000 instances of AI doing the work of enabling attacks at much greater scale, including against smaller, less protected targets because they\u2019re now within reach because the barrier is lower,\u201d says Turpin.<\/p>\n

This increases the pressure on defenders, putting more pressure on the workforce challenge, even as AI helps automate some tasks. But it\u2019s not going away and will only increase in importance for both attackers and defenders.<\/p>\n

\u201cI\u2019m encouraging my teams to look for opportunities to leverage AI and look at how our vendors are leveraging AI,\u201d he says.<\/p>\n

\u201cThis is what we\u2019re going to be dealing with five years down the road. It\u2019s going to be the center of technology so we can\u2019t afford not to learn this,\u201d he adds.<\/p>\n

Reducing the organizational risk of skills shortages<\/h2>\n

Skills shortages are more than just an inconvenience; they pose organizational risks on par with threats and malicious attacks, says Gomez-Sanchez, who views them \u201cmuch the way that you think about threat actors and vulnerabilities.\u201d<\/p>\n

\u201cYour ability to execute is limited by the amount of people you have to actually do the work,\u201d he explains.<\/p>\n

As a result, Gomez-Sanchez encourages CISOs to view the skills gaps and talent shortages as a first-class security risk that needs to be managed as a KPI for the security function. \u201cOur ability to attract and retain good talent is a major measure of capability,\u201d he says.<\/p>\n

Being structural rather than temporary, skills gaps place significant pressure on CISOs\u2019 sourcing decisions. \u201cSecurity people may choose to do things differently, especially as it relates to insourcing or outsourcing because of the talent shortage,\u201d Gomez-Sanchez notes.<\/p>\n

By the same token, staffing constraints can shape architecture and tooling choices. For example, Gomez-Sanchez adds, a host of best-of-breed point tools instead of a more integrated platform usually requires more headcount and expertise to stitch together.<\/p>\n

Gomez-Sanchez also gives the example of adopting a single hyperscaler versus a multicloud strategy and the increase in human workload and skills required to secure it. \u201cUltimately, you want to leverage native controls within the hyperscaler, and that requires you to have specialized skills in each one of those,\u201d he says.<\/p>\n

CISO have also looked to automation to absorb some headcount pressure, but doing so isn\u2019t always a simple fix. Gomez-Sanchez sees agent-enabled automation as a means for providing more firepower for developers and analysts, among other roles. But the reality of agentic AI capabilities for cybersecurity remains a work in progress<\/a>.<\/p>\n

What\u2019s clear is that persistent talent shortages are forcing CISOs to rethink hiring and training as one of numerous ways to reduce the risk that comes with the skills gap. This entrenched problem \u2014 and CISOs\u2019 attempts to address it \u2014 will also have a significant impact on the decisions security leaders will make regarding cyber architecture, platforms, processes, and AI use ahead.<\/p>\n

The cyber talent gap is putting increasing pressure on the cyber agenda, and your peers are already adapting. Hear Juan Gomez-Sanchez, Keith Turpin, Jen Spencer, and other leading CISOs share what\u2019s working at the CSO Cybersecurity Awards & Conference, May 11-13.\u00a0Secure your seat before it fills up<\/strong><\/a>.<\/em><\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

A robust cybersecurity program needs a range of skilled people, yet many CISOs continue to face an ongoing skills shortage \u2014 and the squeeze may only get worse as AI gains traction. Some 95% of cybersecurity practitioners and decision-makers\u00a0noted at least one security skills gap at their organization, with almost 60% citing critical or significant skills gaps, according to ISC2\u2019s 2025 Cybersecurity Workforce Study. AI… <\/p>\n

Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16171","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16171","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16171"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16171\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16171"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16171"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16171"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}