The State of the 2025 Cyber Workforce: Skills Gaps, AI Opportunity and Economic Strain | Dan Lohrmann

Key Actionable Insights for CISOs:

  • Protect the Cyber Budget with Data
      • CISOs should quantify the increased risk created by lost headcount by showing changes in MTTR, vulnerability backlogs, identity exceptions, and incident trends.
      • Budget requests should be directly tied to business outcomes such as reducing regulatory exposure, protecting revenue streams, and maintaining operational resilience.
  • Rebalance the Talent Strategy
      • CISOs should move from role-based hiring to skill-based hiring, placing greater value on cloud, identity, AI, and detection engineering skills.
      • Internal “multiskilling lanes” should be created so staff can continuously upskill in AI-assisted detection, cloud security, incident response, and Zero Trust identity.
  • Build an AI-Augmented Cyber Program
      • CISOs should introduce AI copilots for alert triage, threat-intel summarization, playbook automation, and log synthesis. All AI-driven actions that impact containment, identity, or takedowns should include a human checkpoint to prevent automated missteps.
  • Upskill Teams in AI Security
      • Teams should be trained in secure prompt engineering, understanding hallucination risks, and defining data-loss boundaries. Staff should learn how attackers use AI, such as prompt injection or data poisoning, and be encouraged to pursue recognized AI security certifications.
  • Reshape the Org Structure with New AI Roles
      • New roles such as AI Security Engineer, AI Incident Response Lead, and AI Governance Analyst should be formally established or evolved from existing positions to ensure the organization has dedicated experts who can secure AI models, manage AI-driven incidents, oversee governance and compliance, and embed responsible AI practices into daily cybersecurity operations.

 

About the Author 

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.

During his distinguished career, Dan has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.

Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 – August 2014, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan. He works with cybersecurity technology companies to provide insights and long-term strategic support. Dan is a Senior Fellow with the Center for Digital Government and a contributor to Government Technology magazine. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and non-profit institutions.

 

The “2025 ISC2 Cybersecurity Workforce Study” was just released, and eye-opening cybersecurity trends are developing that are worth close attention. Let’s explore.

 
Over the past few years, I have learned quite a bit about the cyber workforce from the annual ISC2 workforce development report. For example, last year I analyzed the ISC2 report in this blog, but significant changes have developed over the past 12 months.

The key takeaway from the 2025 data reveals how staff and budget cuts are increasing perceived security risk, while rapid AI adoption is reshaping skills requirements and creating new career opportunities.

Tara Wisniewski, executive vice president of advocacy, global markets and member engagement for ISC2, commented on the report, “This year’s record survey of more than sixteen thousand professionals shows that skills matter more than ever. Eighty-eight percent have already seen skills needs lead to real consequences, underscoring the importance of investing in people so organizations can adapt as risks evolve.
 

“Professionals value development, cross-training, and simply feeling heard. They are also leaning into AI, with 70 percent pursuing AI qualifications and most expecting it to create more strategic and communication-focused roles. Cybersecurity has always been about people, and supporting their growth is the surest way to strengthen resilience in the cyber profession.”

WORKFORCE KEY FINDINGS


Readers can access the report at the ISC2 website here.

Here are some of the report highlights worth mentioning, along with a sample of the data charts (which are used with permission of ISC2). As always, I urge you to visit their website to view the full report and additional details.
 

“Economic uncertainty continues to weigh heavily on cybersecurity teams: The surge in hiring freezes, layoffs, budget cuts and promotions reported in 2024 shows signs of stabilizing in 2025. Figures are beginning to level off rather than significantly diminishing, intimating the economic drivers that are forcing caution on spending to remain, adding pressure on existing cybersecurity teams. Many in the cybersecurity workforce are worried that economic austerity will harm the security resilience of the organizations in which they work.

“Skills and staff shortages are raising cybersecurity risk levels and challenging business resilience: The economic and budget issues that have held back or diminished hiring and investment in skills have also contributed to knowledge and competency deficits within organizations and their cybersecurity teams. Organizations must find ways to widen their skills base and talent pools — including investing in existing personnel through multiskilling and skills investment — despite budgetary constraints, to bolster cybersecurity capability and meet demand.

“AI has shaken up the cybersecurity workforce, but positivity remains high as professionals foresee career opportunities: AI is redefining both cybercrime and cybersecurity. However, far from being daunted, those within the cybersecurity workforce who are actively using AI tools are positive about the current and future impact of the technology, seeing opportunities for skills development, along with the creation of more and new jobs. They continue to see a symbiotic future where AI enhances the cybersecurity working experience rather than replacing skilled personnel.

“Job satisfaction is positive in the face of extensive disruption, but warning signs exist for team leaders and employers: Workers remain passionate and fulfilled by their career choice, but do not necessarily feel the same about their wider organizations. Employers and hiring managers need to ensure that cybersecurity professionals feel seen and heard, and that they have access to opportunities to advance in their careers and knowledge to remain relevant. Retention may become a challenge when the job market improves.”

DIGGING DEEPER INTO THE DATA

 


 
I found these charts to be especially intriguing regarding cybersecurity cutbacks and layoffs. The fact that smaller organizations fared better than larger organizations is significant, in my opinion.
 
 
Focusing on industries that received the most and least cybersecurity layoffs was also fascinating, with education near the bottom of the list along with nonprofits, whereas IT cloud hosting services showed many more layoffs.
 
 
When focusing on budget cuts in cybersecurity, as I mentioned a few weeks ago, we have a very mixed picture across the country in state and local governments.

On the one hand, this ISC2 data shows that governments (non-military) are near the top of the list of industries impacted by cuts, and yet that trend varies from state to state based on their overall state budget situations.
 
 
Where are cybersecurity skills needed most? I found this list to be especially helpful, with clarity around the needs for AI skills in cybersecurity.
 
 


FINAL THOUGHTS


I was able to speak at a workforce development cyber workshop in early November at North Carolina A&T State University, which is a part of the Carolina Cyber Network. The panel of public- and private-sector industry experts made great points, and they focused on the need for partnerships, collaboration, internships, mentorships and gaining work experience while in school.

What was clear is that there has been a shift in the job market over the past 12 months, and the successful job seekers are those people who are relentless in their pursuit of finding the intersection of business need, skill sets (including experience) and personal passion.

Also keep in mind that demonstrating interpersonal communication skills is a big part of the interview process for most organizations, and this relationship aspect was highlighted as essential by most of the experts who presented at the workshop.
 

By: Dan Lohrmann (Cybersecurity Leader, Technologist, and Author)
