With ongoing skills gaps, AI reshaping roles and workforce stress as standing concerns for many CISOs, ensuring the resilience of the workforce has become top of mind. But due to budget constraints, return-to-office mandates and teams struggling to keep up with the threat landscape, CISOs are faced with a real challenge.
Stephen Ford, VP and CISO at Rockwell Automation, knows what many CISOs face: it’s often difficult to find the properly skilled resources to deliver a strong cybersecurity program and capabilities. “So, workforce sustainability is an important consideration,” says Ford.
Workforce resilience requires data-backed planning, managing the skills mix, and looking after the team as another element of risk management.
How CISOs are approaching workforce planning
Because the nature of cybersecurity work is unpredictable, Ford actively monitors his team to get a sense of how they’re managing. “There’s a fair amount of project work, but there’s also a lot of work that’s a reaction to events and depending on how many events or issues we run into, we could easily overwhelm the team,” he says.
This concern is well founded, with the 2025 ISC2 Cybersecurity Workforce Study finding 47% of members report feeling overwhelmed with the workload they’re expected to bear.
Jon France, ISC2 CISO, agrees that workforce sustainability — managing stress, burnout and workload — is a standing concern, not a side topic.
“Looking after the team and leveraging the team without killing them is on our agenda too,” says France.
Ford has developed strategies to not only recruit talent but maintain their interest and get them through the ebbs and flows of daily life in cybersecurity. “I put a focus around monitoring the workforce and trying to get a good sense of the workloads that are coming in.”
Having a team that’s properly staffed is important, and this is where data is useful to gauge the workload and make the argument to support resourcing. “It can sometimes be a little difficult to get your arms around it, but the right processes and ability to measure work help to calculate the expected workload and determine an acceptable resource level to support that workload,” Ford says.
The challenge of quantifying workload and justifying resourcing decisions is commonplace. Only 55% of respondents believe their organizations have the resources needed to adequately address security incidents over the next two to three years, according to the ISC2 study.
Burnout leads to job dissatisfaction
Burnout is an ongoing concern for many CISOs and their teams; when unpredictable events trigger workload spikes, it can escalate fast. “It’s something that can overwhelm pretty quickly,” Ford says.
Industry surveys continue to flash red on persistent burnout that leads to job dissatisfaction. The ISC2 study found almost half of respondents (48%) saying they felt exhausted trying to stay on top of the latest threats and emerging technology.
Ford approaches it as both a leadership and an operating-model issue, keeping in touch with workloads in the team and having a sustainable pipeline of talent so that attrition does not overwhelm them. “I try to hire good people, empower them to operate, and delegate as much as I can.”
While it’s hard to eliminate these issues entirely, using data to inform staffing levels, aiming to balance workloads as much as possible, and paying attention to the culture that surrounds the team are some of Ford’s strategies.
“We spend time building good teams and we need to spend time to understand the challenges, the workload, and how they feel about the work.”
AI as a force multiplier, not a headcount strategy
Tooling and technology have always reshaped roles, and it’s no different with AI. What differs this time is the scale and speed of adoption, and the fear, uncertainty and doubt about what it means for entry-level roles.
More than two-thirds (69%) of respondents are on a path towards common AI use, ISC2 indicates, which includes evaluating, testing and incorporating these tools into their operations.
At software vendor Kantata, there’s a shift towards an AI-augmented workforce model that prioritizes automating high-volume tasks and integrating AI co-pilots to act as a force multiplier for team members. This includes high-friction areas like TPRM, security assessments such as RFP/RFI responses, and threat monitoring to significantly reduce operational noise.
“By automating the first pass of data ingestion and alert triaging, our teams can focus on high-fidelity incidents and strategic decision-making rather than repetitive manual tasks,” says Taison Kearney, Kantata’s CISO and DPO.
To ensure this doesn’t simply increase the workload, they reinvest the time saved into formalized upskilling, ensuring efficiency gains support team longevity and professional growth. Kearney believes that automation combined with upskilling helps reduce burnout and allows internal expertise to adapt to the threat landscape. “It secures our long-term sustainability by preserving institutional knowledge and providing our talent with a clear, high-growth career path.”
France sees AI changing entry-level work but not erasing it. Citing the example of SOC analysts, he says it’s not going to replace the human in the loop. “But it’ll get them to a decision quicker, or at least get them to a more accurate picture of what’s going on.”
He acknowledges fears about losing foundational experiences, but he believes we’ve been through this with other technical revolutions. “I think it’ll change some roles, but ultimately will not replace them. Coupled with that, it’s an efficiency gain,” France says.
Kearney thinks AI is compressing the career ladder by automating the repetitive Tier 1 tasks that traditionally served as an entry-level apprenticeship. As a result, junior roles are shifting from manual triage towards more complex problem solving — to the benefit of both employees and organizations.
“This forces new hires to possess architectural and strategic skills much earlier in their career, ultimately potentially driving a higher reliance on AI capabilities for these individuals to be successful,” Kearney says.
Staff have dedicated time for training, and the goal is for the team to develop the deep architectural knowledge with ‘human-in-the-loop’ expertise that’s increasingly required for complex defense. “This approach transforms the ‘urge to learn’ into a clear career pathway that values institutional knowledge and continuous professional evolution,” Kearney says.
Building the cyber team amid a skills shortage
Managing workload is a day-to-day concern, but alongside this challenge is the task of building the right cyber team — using recruitment and developing existing staff. Yet it’s by no means a simple task: almost two-thirds of respondents in the ISC2 survey identified critical or significant skills shortages within their teams, underscoring that the challenge is both staffing and capability.
Ford agrees it’s difficult to find top-tier talent across all the different cybersecurity disciplines, especially for a large organization like Rockwell. His strategy involves bringing in a key expert or two in different disciplines with years of experience and adding more junior, early-career people. “Pairing them with seasoned experts allows you to build an effective, sustainable team over time, and I’ve seen that work extremely well for organizations with early career programs.”
He also looks for experts from adjacent disciplines such as infrastructure, the data center space or application development who are keen to break into cyber. “I’m not recruiting for everyone. I’m recruiting for a few top experts and then building a pipeline either through early career or other similar activities from a technology space to get an effective cyber team,” he says.
Rockwell has college intern and early-career programs and strong relationships with local universities to bring in early talent and make them part of its projects, with hopes of retaining some for full-time employment.
Early-career people don’t always fully grasp the different disciplines and activities that one can do in cybersecurity, and Ford says they focus on helping them learn and gain an interest in cyber. “You end up with somebody that’s committed through time and a very strong employee and you can start looking at building the pipeline for senior level positions.”
Where other organizations may look to fill gaps with external providers like managed service providers, Ford said Rockwell would rather cultivate the talent and expertise in-house. He finds it helps develop staff with an understanding of the critical knowledge about the organization and its operations — rather than see this valuable “thought leadership” sit outside the building.
In some cases, early-career professionals are able to solve complex problems because they are closer to new technology. “Some of the younger generations are actually more wired and suited to leverage some of the new technologies like AI, whereas some of the older, more seasoned professionals may be more of a traditionalist,” Ford tells CSO.
Hiring managers and cybersecurity professionals are closely aligned, with the study showing problem solving, collaboration, communication, willingness to learn, and strategic thinking are the top non-technical skills across both groups.
France widens what “good security talent” looks like, emphasizing communication skills, critical thinking, and curiosity in addition to core technical skills. Approached this way, there’s a broader talent pool to draw from. “You don’t have to come from a technical background, you can come from adjacent industries and bring those experiences in.”
How CISOs can manage workforce planning
1. Bake in human sustainability
- Treat stress and burnout like any other risk indicator.
- Design rotations, on‑call policies, and staffing to manage workloads.
2. Use AI to redesign roles, not erase them
- For entry‑level roles shift tasks from:
– Manual sifting → AI‑assisted triage and investigation.
– Pure grunt work → judgment, escalation, and interpretation.
- Keep human in the loop in job descriptions and process design.
3. Protect foundational learning in an automated environment
- Plan structured skills pathways: simulations, labs, red/blue exercises so juniors still learn what AI automates away.
- Pair juniors with senior analysts to upskill and clarify why the tooling is making choices.
4. Plan skills mix, not just headcount
- Intentionally recruit for communication, critical thinking, curiosity, not just technical certifications.
- Map your team to both technical depth and business‑risk communication needs.
5. Treat culture as part of resilience
- Delegate, manage staffing pipeline, and pay attention to team workload and culture.
- Encourage leaders to plug into peer networks for both intel sharing and emotional support, recognizing that CISO burnout is a systemic risk.



