
Gartner Research

CISO Foundations: Cybersecurity Talent Strategies for CISOs

Cybersecurity Research Team

4 October 2022

Published 4 October 2022 - ID G00777437 - 8 min read
By Analyst(s): Cybersecurity Research Team
Initiatives: Cybersecurity Leadership

Cybersecurity leaders seek to build skilled cyberteams to respond to growing threats,
but are challenged by supply gaps in the talent pipeline for cybersecurity specialists.
Cybersecurity leaders can use this research to learn best practices for effective talent
management and development.

Analysis
Accelerated digital transformation of information and services has rendered many
organizations’ cybersecurity teams unable to handle increased demand for cybersecurity
services. Cybersecurity leaders are experiencing challenges with sourcing talent,
developing teams of skilled specialists, retaining talent, preparing for future talent
demands and improving cybersecurity leadership.

To address these challenges and achieve long-term strategic objectives, chief information
security officers (CISOs) should evolve their talent sourcing and development tactics. By
expanding cybersecurity talent pipelines and employing progressive team development
practices, cybersecurity leaders can meet demands for increased cybertalent, despite a
lack of conventionally qualified hires. CISOs should also anticipate emerging cyberthreats
and create new corresponding roles and skills training to address increased demand and
growing threats.

While preparing cyberteams using these core talent management strategies, CISOs must
simultaneously prioritize the development of their own critical leadership skills and
practices to enhance the effectiveness of their security functions.

Gartner, Inc. | G00777437 Page 1 of 9


As part of Gartner’s CISO Foundations series, this research draws
on our dealings with a large community of clients, with a view to
providing tried-and-tested guidance for CISOs responsible for
building skilled cybersecurity teams. It offers key
recommendations for effective talent management and
development.

Research Highlights
Some recommended content may not be available as part of your current Gartner
subscription.

Implement Unconventional Talent Sourcing to Circumvent Talent Gaps
The labor market for IT employees has been tightening throughout 2022, a trend that
exacerbates hiring challenges for cybersecurity leaders. Although the 2Q22 Gartner Global
Labor Market Survey (GLMS) notes that the number of IT employees seeking employment
has increased by 3% compared with 2Q21, the number of available job openings far
outstrips supply. Demand for cybersecurity professionals is four times higher than the
available supply, according to TalentNeuron data. At the same time, specialists’ optimism
about job opportunities and their expectations of high rewards upon switching employers
continue to increase (by 13.6% in terms of compensation), as also highlighted in the 2Q22
GLMS. The combination of limited availability of cybersecurity talent and high
expectations for new jobs makes it more challenging for organizations to compete for
talent.

For these reasons, CISOs should satisfy talent demands by sourcing staff from less
conventional channels. Look beyond external hiring and capitalize on hidden internal
talent pipelines. Build “unicorn” teams using noncybersecurity talent from other functions
to handle lower-level cybersecurity tasks; this will unburden overwhelmed specialists and
enable cybersecurity expertise to proliferate across business functions. Supplement
internal talent sourcing by expanding applicant pools to reach interested nonconventional
talent, prioritizing competencies and fit over restrictive education and industry experience
requirements. Finally, proactively identify and foster emerging cybersecurity leadership
talent in your existing team as a strategy to retain top cybersecurity talent and mitigate
the shortage of leaders.



■ Foster Emerging Cybersecurity Leaders Now to Enhance Security Program
Sustainability and Effectiveness — Mitigate the shortage of leadership talent by
fostering emerging leaders in your team. Near-term actions include establishing a
“promote from within” principle when filling internal roles, using performance
discussions to identify emerging leadership talent, engaging with learning and
development leaders to gain visibility into existing professional development
programs, and connecting emerging leaders with other business leaders for
mentoring opportunities.

■ Support Product-Line-Aligned IT by Transforming Cybersecurity (Northwestern
Mutual) — Move beyond embedded security staff by devolving responsibility for
security activities to their closest point of consumption. Security at Northwestern
Mutual reenvisioned these activities as products to make them more consumable
for nonsecurity talent to implement.

■ Midsize Enterprises Must Embrace New-Collar Workers in Cybersecurity — Adapt
your hiring practices to source candidates with nontraditional cybersecurity
education by valuing technical expertise in addition to academic knowledge. This
means considering candidates with associate degrees in cybersecurity, industry
certifications and technical high-school degrees.

Evolve Development Strategies for Next-Generation Cybersecurity Teams and Leaders
Cybersecurity leaders should prioritize experiential training and establish forward-looking
talent strategies to respond to challenges (see Figure 1). Engage current leaders to
develop and retain internal talent based on their experience and feedback, rather than rely
on external partners for training. Promote growth through internal experiential learning
opportunities, such as “security mentoring partners” and “safe to fail” opportunities, in
order to fast-track growth in staff competencies. Prepare future cybersecurity team
leaders by grooming high-performing candidates for leadership positions: do so by
creating strategic leadership succession plans. Currently only a limited number of CISOs
groom future leaders by developing formal and actionable succession plans, as noted by
the Gartner 2022 CISO Effectiveness Diagnostic Tool, which found that only 14% of CISOs
have developed such plans.



■ Ignition Guide to Creating a Strategic Workforce Plan for IT — Use this guide to
create long-term strategic workforce plans that proactively meet the emerging needs
of digital businesses. This guide will help cybersecurity leaders:

  ■ Identify talent requirements for strategic objectives.

  ■ Use appropriate sourcing, recruitment, development and redeployment techniques.

  ■ Secure buy-in from cross-functional stakeholders.

  ■ Implement and monitor the success of the workforce plan.

■ Cyber Judgment Presents a New Approach to Informed Risk Decision Making —
Empower decision makers throughout your organization to independently make
informed risk decisions by bolstering their cyber judgment. Decision makers with
high levels of cyber judgment are able to effectively make trade-off decisions
without relying on decision facilitation or automation.

■ Case Study: Actionable CISO Succession Planning — Upgrade CISO succession plans
by identifying multiple qualified candidates to groom throughout your organization
(not just the cybersecurity function). Identify high-potential employees (HIPOs) by
evaluating generalizable criteria such as motivation, performance, growth, company
values and technical knowledge.



Figure 1. Strategies for Closing Workforce Capability Gaps

Integrate New Talent Priorities to Prepare for Emerging Cyberdemands

Cybersecurity leaders must be prepared for how digital business initiatives and the
corresponding evolutions of cybersecurity threats will disrupt talent needs and relevant
skills (see Figure 2). Engage in strategic workforce planning to prepare for emerging
cybersecurity positions and develop corresponding competencies. Develop
cross-functional aptitudes and versatility across emerging skill areas while updating
jobs to prepare for new functional roles.

■ Focus on Competencies to Establish Security and Risk Expertise in a Digital World
— Identify the most important competencies for your cybersecurity team. Then
prioritize developing and sourcing those competencies to help cyberteams adapt to
versatile functions, rather than specific roles. Figure 2 portrays the key skill sets to
develop in order to adapt teams to the transition to the cloud.



■ Tool: Cybersecurity Skills Analysis and Presentation for Top Roles — Stay up-to-date
about how cybersecurity skills are evolving in order to understand which skills are
emerging and declining. Present the skill life cycle information to key stakeholders
to obtain support for recruitment and retention strategies, and to update
cybersecurity job descriptions.

■ Cybersecurity Job Description Library — Update framing for job descriptions to
reflect new functional roles and priorities on cybersecurity teams. Learn tactics for
framing and sourcing emerging cybersecurity roles to prepare for the recruitment of
future cybertalent.

■ Gartner Peer Insights™ ‘Voice of the Customer’: Security Awareness
Computer-Based Training — Learn how cybersecurity leaders are upskilling talent
across their organizations to prepare for emerging cyberthreats. This article
synthesizes the peer perspectives of cybersecurity leaders from across Gartner’s
members to create actionable insights for IT decision makers.

Figure 2. Cloud Security Architecture Skills Scope



Practice Top-Down, Talent-Centric CISO Leadership
Cybersecurity leaders should actively develop their own critical skills, in addition to the
skills of their teams, in order to increase their leadership effectiveness. Actively engage
with and educate executives across your organization on the importance of cybersecurity
investments, cyberawareness and strategic team planning (see Figure 3). Assess the
current effectiveness of the cybersecurity function with holistic performance assessments
to retain talent, boost engagement and modernize the structure of cybersecurity functions
in response to emerging concerns.

■ Leadership Vision for 2022: Security and Risk Management — Discover how
cybersecurity leaders are navigating key challenges and setting priorities for 2022.
Cybersecurity leaders must deliver value to the business to be fully effective in their
role. Consequently, they are increasingly focusing on:

  ■ Customer concerns.

  ■ Upskilling others in the organization on cybersecurity.

  ■ Prioritizing time management and building relationships with other executives
  relevant to the effectiveness of cybersecurity.

■ CISO Effectiveness Diagnostic — The Diagnostic is a 15-minute exclusive survey that
enables CISOs to understand their personal effectiveness as leaders and discover
quick, actionable steps to enhance their performance. It builds on in-depth research
on what distinguishes highly effective CISOs, focused on four key areas: service
delivery; functional leadership; scaled governance; and enterprise responsiveness.

■ A Framework to Boost the Cybersecurity Leader’s Effectiveness — Learn how to
achieve greater effectiveness in critical skill areas by interacting with and
influencing executives’ attitudes toward cybersecurity. Effective CISOs should:

  ■ Prioritize cybersecurity investments.

  ■ Use future risks to accelerate cyberawareness among staff.

  ■ Strategically develop cybersecurity talent as a workforce architect.

  ■ Maintain high performance as a stress navigator.



■ Outcome-Oriented Cybersecurity Services — Retain high-performing talent and
boost team engagement by recognizing the importance of people to functional
cybersecurity performance. Assess cybersecurity functions based on their staff
engagement and stakeholder perceptions, instead of purely on technical metrics,
to create holistic performance assessments.

■ How to Design a Practical Security Organization — Adapt the organizational design
and talent distribution of your cybersecurity function according to its capabilities to
prepare for emerging threats that are reshaping cybersecurity demands. Review
trends in cybersecurity functional and organizational structures, and implement
adaptations that fit your team and the new risks they face.

Figure 3. Relationships Differentiating Top and Bottom Performers

Document Revision History

Cybersecurity Talent Strategies for CISOs - 4 March 2022



© 2024 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of
Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form
without Gartner's prior written permission. It consists of the opinions of Gartner's research
organization, which should not be construed as statements of fact. While the information contained in
this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties
as to the accuracy, completeness or adequacy of such information. Although Gartner research may
address legal and financial issues, Gartner does not provide legal or investment advice and its research
should not be construed or used as such. Your access and use of this publication are governed by
Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its
research is produced independently by its research organization without input or influence from any
third party. For further information, see "Guiding Principles on Independence and Objectivity."
Gartner research may not be used as input into or for the training or development of generative artificial
intelligence, machine learning, algorithms, software, or related technologies.



Actionable, objective insight
Position your IT organization for success. Explore these additional complimentary
resources and tools for cybersecurity leaders:

Report: Cybersecurity Trends: Optimize for Resilience and Performance. Use this report
to equip your cybersecurity function for greater resilience.

Roadmap: IT Roadmap for Cybersecurity. Create a resilient, scalable and agile
cybersecurity strategy.

eBook: Leadership Vision for Security and Risk Management Leaders. Explore the top 3
strategic priorities for security and risk management leaders.

Webinar: Strengthen Your Cybersecurity Leadership to Navigate Evolving Security
Landscape. Explore this five-part series for insights into the evolving landscape.

Connect With Us
Get actionable, objective insight to deliver on your mission-critical priorities. Our expert
guidance and tools enable faster, smarter decisions and stronger performance. Contact us
to become a client:

U.S.: 866 263 8917

International: + 44 (0) 03301 628 476

Learn more about Gartner for Cybersecurity Leaders: gartner.com/en/cybersecurity