Actionable Insights for CISOs
1. Treat Workforce Stability as a Core Risk Management Priority
- Don’t view layoffs, freezes, and budget cuts as HR issues; tie them directly to enterprise risk metrics.
- Build executive dashboards that show how staffing reductions correlate to exposure, incident response time, and control maturity.
- Proactively communicate to boards how austerity measures increase measurable cyber risk.
2. Invest in Skills Development, Not Just Headcount
- Shift strategy from “hiring gaps” to “capability gaps”; map required competencies against existing team strengths.
- Establish structured multiskilling programs: cross-training SOC analysts into cloud security, GRC professionals into AI governance, etc.
3. Make AI Fluency a Strategic Workforce Priority
- Don’t just deploy AI tools; develop AI-literate cybersecurity professionals.
- Define AI skill roadmaps: detection engineering with AI, AI threat modeling, governance frameworks, and secure AI development practices.
- Encourage teams to experiment, measure outcomes, and build AI-assisted workflows instead of fearing displacement.
4. Strengthen Team Engagement and Retention Before the Market Rebounds
- Focus on culture: ensure cybersecurity professionals feel valued, included in decisions, and heard by leadership.
- Build clear career pathways and visible growth opportunities to prevent attrition when hiring accelerates again.
- Prioritize mentorship, leadership development, and internal mobility.
5. Build Resilience Through Collaboration and Talent Pipelines
- Expand beyond traditional hiring: partner with universities, apprenticeship programs, and community networks.
- Develop internship-to-hire pipelines and early-career security learning environments.
- Encourage knowledge exchange with industry peers to compensate for expertise shortages.
6. Align Cyber Talent Strategy with Business Strategy
- Identify where business growth intersects with emerging cyber needs, especially AI, cloud, identity, and resilience.
- Hire and train for communication, stakeholder engagement, and strategic influence, not only technical depth.
- Position cybersecurity leaders as business enablers, not just defenders.
About Author:
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.
During his distinguished career, Dan has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader. Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 – August 2014, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan. He works with cybersecurity technology companies to provide insights and long-term strategic support. Dan is a Senior Fellow with the Center for Digital Government and a contributor to Government Technology magazine. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and non-profit institutions.
Now, let’s hear directly from Dan Lohrmann on this subject:
The “2025 ISC2 Cybersecurity Workforce Study” was just released, and eye-opening cybersecurity trends are developing that are worth close attention. Let’s explore.

The key takeaway from the 2025 data reveals how staff and budget cuts are increasing perceived security risk, while rapid AI adoption is reshaping skills requirements and creating new career opportunities.
Tara Wisniewski, executive vice president of advocacy, global markets and member engagement for ISC2, commented on the report, “This year’s record survey of more than sixteen thousand professionals shows that skills matter more than ever. Eighty-eight percent have already seen skills needs lead to real consequences, underscoring the importance of investing in people so organizations can adapt as risks evolve.
“Professionals value development, cross-training, and simply feeling heard. They are also leaning into AI, with 70 percent pursuing AI qualifications and most expecting it to create more strategic and communication-focused roles. Cybersecurity has always been about people, and supporting their growth is the surest way to strengthen resilience in the cyber profession.”
WORKFORCE KEY FINDINGS
Readers can access the report at the ISC2 website here.
Here are some of the report highlights worth mentioning, along with a sample of the data charts (which are used with permission of ISC2). As always, I urge you to visit their website to view the full report and additional details.
“Economic uncertainty continues to weigh heavily on cybersecurity teams — The surge in hiring freezes, layoffs, budget cuts and promotions reported in 2024 shows signs of stabilizing in 2025. Figures are beginning to level off rather than significantly diminishing, intimating the economic drivers that are forcing caution on spending to remain, adding pressure on existing cybersecurity teams. Many in the cybersecurity workforce are worried that economic austerity will harm the security resilience of the organizations in which they work.
“Skills and staff shortages are raising cybersecurity risk levels and challenging business resilience — The economic and budget issues that have held back or diminished hiring and investment in skills have also contributed to knowledge and competency deficits within organizations and their cybersecurity teams. Organizations must find ways to widen their skills base and talent pools — including investing in existing personnel through multiskilling and skills investment — despite budgetary constraints, to bolster cybersecurity capability and meet demand.
“AI has shaken up the cybersecurity workforce, but positivity remains high as professionals foresee career opportunities — AI is redefining both cybercrime and cybersecurity. However, far from being daunted, those within the cybersecurity workforce who are actively using AI tools are positive about the current and future impact of the technology, seeing opportunities for skills development, along with the creation of more and new jobs. They continue to see a symbiotic future where AI enhances the cybersecurity working experience rather than replacing skilled personnel.
“Job satisfaction is positive in the face of extensive disruption, but warning signs exist for team leaders and employers — Workers remain passionate and fulfilled by their career choice, but do not necessarily feel the same about their wider organizations. Employers and hiring managers need to ensure that cybersecurity professionals feel seen and heard, and that they have access to opportunities to advance in their careers and knowledge to remain relevant. Retention may become a challenge when the job market improves.”
DIGGING DEEPER INTO THE DATA





FINAL THOUGHTS
I was able to speak at a workforce development cyber workshop in early November at North Carolina A&T State University, which is a part of the Carolina Cyber Network. The panel of public- and private-sector industry experts made great points, and they focused on the need for partnerships, collaboration, internships, mentorships and gaining work experience while in school.
What was clear is that there has been a shift in the job market over the past 12 months, and the successful job seekers are those people who are relentless in their pursuit of finding the intersection of business need, skill sets (including experience) and personal passion.
Also keep in mind that demonstrating interpersonal communication skills is a big part of the interview process for most organizations, and this relationship aspect was highlighted as essential by most of the experts who presented at the workshop.
By Dan Lohrmann