With ongoing skills gaps, AI reshaping roles and workforce stress as standing concerns for many CISOs, ensuring the resilience of the workforce has become top of mind. But because of budget constraints, return-to-office mandates and teams struggling to keep up with the threat landscape, CISOs are faced with a real challenge.
Stephen Ford, VP and CISO at Rockwell Automation, knows what many CISOs face: it’s often difficult to find the properly skilled resources to deliver a strong cybersecurity program and capabilities. “So, workforce sustainability is a vital consideration,” says Ford.
Workforce resilience requires data-backed planning, managing the skills mix, and taking care of the team as another element of risk management.
How CISOs are approaching workforce planning
Because the nature of cybersecurity work is unpredictable, Ford actively monitors his team to have a sense of how they’re managing. “There’s a good amount of project work, but there’s also a lot of work that’s a response to events and depending on how many events or issues we run into, we could easily overwhelm the team,” he says.
This concern is well founded, with the 2025 ISC2 Cybersecurity Workforce Study finding 47% of individuals report feeling overwhelmed with the workload they’re expected to bear.
Jon France, ISC2 CISO, agrees that workforce sustainability — managing stress, burnout and workload — is a standing concern, not a side concern.
“Taking care of the team and leveraging the team without killing them is on our agenda too,” says France.
Ford has developed strategies to not only recruit talent but maintain their interests and get them through the ebbs and flows of daily life in cybersecurity. “I put a focus around monitoring the workforce and trying to get a good sense of the workloads that are coming in.”
Having a team that’s properly staffed is important and this is where data is helpful to gauge the workload and make the argument to support resourcing. “It can sometimes be a little difficult to get your arms around it, but the right processes and ability to measure work help to calculate the expected workload and determine a suitable resource level to support that workload,” Ford says.
The challenge of quantifying workload and justifying resourcing decisions is commonplace. Only 55% of respondents believe their organizations have the resources needed to adequately address security incidents over the next two to three years, according to the ISC2 study.
Burnout results in job dissatisfaction
Burnout is an ongoing concern for many CISOs and their teams. Especially when unpredictable events trigger workload spikes, burnout can escalate fast. “It’s something that can overwhelm pretty quickly,” Ford says.
Industry surveys continue to flash red on persistent burnout that leads to job dissatisfaction. The ISC2 study found almost half of respondents (48%) saying they felt exhausted trying to keep on top of the latest threats and emerging technology.
Ford approaches it as both a leadership and an operating-model concern, keeping in touch with workloads in the team and having a sustainable pipeline of talent to avoid overwhelming them with attrition. “I try to hire good people, empower them to operate, and delegate as much as I can.”
While it’s hard to eliminate these issues entirely, using data to inform staffing levels, aiming to balance workloads as much as possible, and paying attention to the culture that surrounds the team are some of Ford’s strategies.
“We spend time building good teams and we need to spend time to understand the challenges, the workload, and how they feel about the work.”
AI as a force multiplier, not a headcount strategy
Tooling and technology have always reshaped roles, and it’s no different with AI. This time, it’s the scale and speed of adoption, the fear, uncertainty and doubt about what it means for entry-level roles.
More than two-thirds (69%) of respondents are on a path towards common AI use, ISC2 indicates, which includes evaluating, testing and incorporating these tools into their operations.
At software vendor Kantata, there’s a shift towards an AI-augmented workforce model that prioritizes automating high-volume tasks and integrating AI co-pilots to act as a force multiplier for team members. This includes high-friction areas like TPRM, security assessments such as RFP/RFI responses, and threat monitoring to significantly reduce operational noise.
“By automating the first pass of data ingestion and alert triaging, our teams can focus on high-fidelity incidents and strategic decision-making rather than repetitive manual tasks,” says Taison Kearney, Kantata’s CISO and DPO.
To ensure this doesn’t simply increase the workload, they reinvest the time saved into formalized upskilling, ensuring efficiency gains support team longevity and professional growth. Kearney believes that automation combined with upskilling helps reduce burnout and allows internal expertise to adapt to the threat landscape. “It secures our long-term sustainability by preserving institutional knowledge and providing our talent with a clear, high-growth career path.”
France sees AI changing entry-level work but not erasing it. Citing the example of SOC analysts, he says it’s not going to replace the human in the loop. “But it’ll get them to a decision quicker, or at least get them to a more accurate picture of what’s going on.”
He acknowledges fears about losing foundational experiences, but he believes we’ve been through this with other technical revolutions. “I think it’ll change some roles, but ultimately won’t replace them. Coupled with that, it’s an efficiency gain,” France says.
Kearney thinks AI is compressing the career ladder through automation of repetitive Tier 1 tasks that traditionally served as an entry-level apprenticeship. As a result, junior roles are shifting from manual triage towards more complex problem solving — to the benefit of both staff and organizations.
“This forces new hires to possess architectural and strategic skills much earlier in their career, ultimately potentially driving a higher reliance on AI capabilities for those individuals to be successful,” Kearney says.
Staff have dedicated time for training, and the goal is for the team to develop the deep architectural knowledge with ‘human-in-the-loop’ expertise that’s increasingly required for complex defense. “This approach transforms the ‘urge to learn’ into a clear career pathway that values institutional knowledge and continuous professional evolution,” Kearney says.
Building the cyber team amid a skills shortage
Managing workload is a day-to-day concern but alongside this challenge is the task of building the right cyber team — using recruitment and developing existing staff. Yet it’s by no means a simple task: almost two-thirds of respondents in the ISC2 survey identified critical or significant skills shortages within their teams, underscoring that the issue is both staffing and capability.
Ford agrees it’s difficult to find top-tier talent across all the different cybersecurity disciplines, especially for a large organization like Rockwell. His strategy involves bringing in a key expert or two in different disciplines with years of experience and adding more junior, early career people. “Pairing them with seasoned experts allows you to build an effective, sustainable team over time, and I’ve seen that work extremely well for organizations with early career programs.”
He also looks for experts from adjacent disciplines such as infrastructure, the data center space or application development wanting to break into cyber. “I’m not recruiting for everyone. I’m recruiting for a few top experts and then building a pipeline either through early career or other similar activities from a technology space to get an effective cyber team,” he says.
Rockwell has college intern and early career programs and strong relationships with local universities to bring in early talent and make them part of its projects with hopes of retaining some for full-time employment.
The early career people don’t always fully grasp the different disciplines and activities that one can do in cybersecurity and Ford says they focus on helping them learn and gain an interest in cyber. “You end up with somebody that’s committed through time and a very strong employee and you can start building the pipeline for senior level positions.”
Where other organizations may look to fill gaps with external providers like managed service providers, Ford said Rockwell would rather cultivate the talent and expertise in-house. He finds it helps develop staff with an understanding of the critical knowledge about the organization and its operations — rather than see this valuable “thought leadership” sit outside the building.
In some cases, early career professionals are able to solve complex problems based on them being closer to new technology. “Some of the younger generations are actually more wired and suited to leverage some of the new technologies like AI, whereas some of the older, more seasoned professionals may be more of a traditionalist,” Ford tells CSO.
Hiring managers and cybersecurity professionals are closely aligned, with the study showing problem solving, collaboration, communications, willingness to learn, and strategic thinking are the top non-technical skills across both groups.
France widens what “good security talent” looks like, emphasizing communication skills, critical thinking, and curiosity in addition to core technical skills. Approaching it this way there’s a broader talent pool to draw from. “You don’t have to come from a technical background, you can come from adjacent industries and bring those experiences in.”
How CISOs can handle workforce planning
1. Bake in human sustainability
- Treat stress and burnout like any other risk indicator.
- Design rotations, on‑call policies, and staffing to manage workloads.
2. Use AI to redesign roles, not erase them
- For entry‑level roles shift tasks from:
– Manual sifting → AI‑assisted triage and investigation.
– Pure grunt work → judgment, escalation, and interpretation.
- Keep a human in the loop in job descriptions and process design.
3. Protect foundational learning in an automated environment
- Plan structured skills pathways: simulations, labs, red/blue exercises so juniors still learn what AI automates away.
- Pair juniors with senior analysts to upskill and explain why the tooling is making decisions.
4. Plan skills mix, not just headcount
- Intentionally recruit for communication, critical thinking, curiosity, not just technical certifications.
- Map your team to both technical depth and business‑risk communication needs.
5. Treat culture as part of resilience
- Delegate, manage staffing pipeline, and pay attention to team workload and culture.
- Encourage leaders to plug into peer networks for both intel sharing and emotional support, recognizing that CISO burnout is a systemic risk.

