How CISOs can construct a resilient workforce

With ongoing expertise gaps, AI reshaping roles and workforce stress as standing concerns for many CISOs, ensuring the resilience of the workforce has become top of mind. However, due to budget constraints, return-to-office mandates and teams struggling to keep up with the threat landscape, CISOs are faced with a real challenge.

Stephen Ford, VP and CISO at Rockwell Automation, knows what many CISOs face: it is often difficult to find the properly skilled resources to deliver a strong cybersecurity program and capabilities. “So, workforce sustainability is a crucial consideration,” says Ford.

Workforce resilience requires data-backed planning, managing the skills mix, and looking after the team as another element of risk management.

How CISOs are approaching workforce planning

Because the nature of cybersecurity work is unpredictable, Ford actively monitors his team to get a sense of how they are managing. “There’s a good quantity of undertaking work, however there’s additionally a variety of work that’s a response to occasions and relying on what number of occasions or points we run into, we might simply overwhelm the staff,” he says.

This concern is well founded, with the 2025 ISC2 Cybersecurity Workforce Research finding that 47% of individuals report feeling overwhelmed by the workload they are expected to bear.

Jon France, ISC2 CISO, agrees that workforce sustainability (managing stress, burnout and workload) is a standing concern, not a side issue.

“Taking care of the staff and leveraging the staff with out killing them is on our agenda too,” says France.

Ford has developed strategies not only to recruit talent but to maintain their interest and get them through the ebbs and flows of daily life in cybersecurity. “I put a spotlight round monitoring the workforce and making an attempt to get an excellent sense of the workloads which are coming in.”

Having a team that is properly staffed is essential, and this is where data helps to gauge the workload and make the argument to support resourcing. “It will possibly generally be a little bit tough to get your arms round it, however the correct processes and skill to measure work assist to calculate the anticipated workload and decide a suitable useful resource degree to help that workload,” Ford says.

The problem of quantifying workload and justifying resourcing decisions is common. Only 55% of respondents believe their organizations have the resources needed to adequately address security incidents over the next two to three years, according to the ISC2 study.

Burnout results in job dissatisfaction

Burnout is an ongoing concern for many CISOs and their teams, especially because unpredictable events can trigger workload spikes and burnout can escalate fast. “It’s one thing that may overwhelm fairly shortly,” Ford says.

Industry surveys continue to flash red on persistent burnout that leads to job dissatisfaction. The ISC2 study found almost half of respondents (48%) saying they felt exhausted trying to stay on top of the latest threats and emerging technology.

Ford approaches it as both a leadership and an operating-model issue, keeping in touch with workloads within the team and maintaining a sustainable pipeline of talent so that attrition does not overwhelm them. “I attempt to rent good individuals, empower them to function, and delegate as a lot as I can.”

While it is hard to eliminate these issues entirely, using data to inform staffing levels, aiming to balance workloads as much as possible, and paying attention to the culture that surrounds the team are some of Ford’s strategies.

“We spend time constructing good groups and we have to spend time to grasp the challenges, the workload, and the way they really feel in regards to the work.”

AI as a force multiplier, not a headcount strategy

Tooling and technology have always reshaped roles, and it is no different with AI. What differs this time is the scale and speed of adoption, and the fear, uncertainty and doubt about what it means for entry-level roles.

More than two-thirds (69%) of respondents are on a path towards regular AI use, ISC2 indicates, which includes evaluating, testing and incorporating these tools into their operations.

At software vendor Kantata, there is a shift towards an AI-augmented workforce model that prioritizes automating high-volume tasks and integrating AI co-pilots to act as a force multiplier for team members. This includes high-friction areas like TPRM, security assessments such as RFP/RFI responses, and threat monitoring to significantly reduce operational noise.

“By automating the primary go of knowledge ingestion and alert triaging, our groups can concentrate on high-fidelity incidents and strategic decision-making slightly than repetitive handbook duties,” says Taison Kearney, Kantata’s CISO and DPO.

To ensure this does not simply increase the workload, they reinvest the time saved into formalized upskilling, ensuring efficiency gains support team longevity and professional growth. Kearney believes that automation combined with upskilling helps reduce burnout and allows internal expertise to adapt to the threat landscape. “It secures our long-term sustainability by preserving institutional data and offering our expertise with a transparent, high-growth profession path.”

France sees AI changing entry-level work but not erasing it. Citing the example of SOC analysts, he says it is not going to replace the human in the loop. “But it’ll get them to a choice faster, or not less than get them to a extra correct image of what’s happening.”

He acknowledges fears about losing foundational experiences, but he believes we have been through this with other technical revolutions. “I feel it’ll change some roles, however finally won’t change them. Coupled with that, it’s an effectivity achieve,” France says.

Kearney thinks AI is compressing the career ladder by automating the repetitive Tier 1 tasks that traditionally served as an entry-level apprenticeship. Consequently, junior roles are shifting from manual triage towards more complex problem solving, to the benefit of both staff and organizations.

“This forces new hires to own architectural and strategic expertise a lot earlier of their profession, finally doubtlessly driving a better reliance on AI capabilities for these people to achieve success,” Kearney says.

Staff have dedicated time for training, and the goal is for the team to develop the deep architectural knowledge with ‘human-in-the-loop’ expertise that is increasingly required for complex defense. “This strategy transforms the ‘urge to study’ into a transparent profession pathway that values institutional data and steady skilled evolution,” Kearney says.

Building the cyber team amid a skills shortage

Managing workload is a day-to-day concern, but alongside this challenge is the task of building the right cyber team through recruitment and developing existing staff. Yet it is by no means a simple task: almost two-thirds of respondents in the ISC2 survey identified critical or significant skills shortages within their teams, underscoring that the problem is both staffing and capability.

Ford agrees it is difficult to find top-tier talent across all the different cybersecurity disciplines, especially for a large organization like Rockwell. His strategy involves bringing in a key expert or two in various disciplines with years of experience and adding more junior, early-career people. “Pairing them with seasoned consultants permits you to construct an efficient, sustainable staff over time, and I’ve seen that work extraordinarily properly for organizations with early profession packages.”

He also looks for experts from adjacent disciplines such as infrastructure, the data center space or application development who are keen to break into cyber. “I’m not recruiting for everybody. I’m recruiting for a number of prime consultants after which constructing a pipeline both by way of early profession or different related actions from a know-how area to get an efficient cyber staff,” he says.

Rockwell has college intern and early-career programs and strong relationships with local universities to bring in early talent and make them part of its projects, with hopes of retaining some for full-time employment.

Early-career people do not always fully grasp the different disciplines and activities available in cybersecurity, and Ford says they focus on helping them learn and gain an interest in cyber. “You find yourself with anyone that’s dedicated by way of time and a really sturdy worker and you can begin constructing the pipeline for senior degree positions.”

Where other organizations may look to fill gaps with external providers like managed service providers, Ford said Rockwell would rather cultivate the talent and expertise in-house. He finds it helps develop staff with an understanding of the critical knowledge about the organization and its operations, rather than see this valuable “thought management” sit outside the building.

In some cases, early-career professionals are able to solve complex problems because they are closer to new technology. “A few of the youthful generations are literally extra wired and suited to leverage a number of the new applied sciences like AI, whereas a number of the older, extra seasoned professionals could also be extra of a traditionalist,” Ford tells CSO.

Hiring managers and cybersecurity professionals are closely aligned, with the study showing that problem solving, collaboration, communications, willingness to learn, and strategic thinking are the top non-technical skills across both groups.

France widens what “good security expertise” looks like, emphasizing communication skills, critical thinking, and curiosity in addition to core technical skills. Approached this way, there is a broader talent pool to draw from. “You don’t have to come back from a technical background, you may come from adjoining industries and produce these experiences in.”

How CISOs can handle workforce planning

1. Bake in human sustainability

  • Treat stress and burnout like any other risk indicator.
  • Design rotations, on-call policies, and staffing to manage workloads.

2. Use AI to revamp roles, not erase them

  • For entry-level roles, shift tasks from:

      – Manual sifting → AI-assisted triage and investigation.

      – Pure grunt work → judgment, escalation, and interpretation.

  • Keep the human in the loop in job descriptions and process design.

3. Protect foundational learning in an automated environment

  • Plan structured experience pathways: simulations, labs, red/blue exercises so juniors still learn what AI automates away.
  • Pair juniors with senior analysts to upskill and explain why the tooling is making its decisions.

4. Plan skills mix, not just headcount

  • Intentionally recruit for communication, critical thinking, curiosity, not just technical certifications.
  • Map your team to both technical depth and business-risk communication needs.

5. Treat culture as part of resilience

  • Delegate, manage the staffing pipeline, and pay attention to team workload and culture.
  • Encourage leaders to plug into peer networks for both intel sharing and emotional support, recognizing that CISO burnout is a systemic risk.