{"id":3538,"date":"2025-06-16T07:00:00","date_gmt":"2025-06-16T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3538"},"modified":"2025-06-16T07:00:00","modified_gmt":"2025-06-16T07:00:00","slug":"what-cisos-are-doing-to-lock-in-cyber-talent-before-they-bolt","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3538","title":{"rendered":"What CISOs are doing to lock in cyber talent before they bolt"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The cybersecurity talent crunch isn\u2019t new, but for CISOs the challenge is no longer just about hiring, it\u2019s also about holding onto the talent they already have. A recent report by IANS Research and Artico Search indicated that <a href=\"https:\/\/www.csoonline.com\/article\/3839266\/60-of-cybersecurity-pros-looking-to-change-employers.html\">more than 60% of cyber professionals are contemplating switching jobs<\/a> within the next 12 months. Among those considering a change, dissatisfaction with career progression emerged as a key issue.<\/p>\n<p>With demand outpacing supply and professionals regularly fielding offers, retention needs to be top of mind for CISOs. Still, some argue the real issue lies in how the shortage is framed. But the problem may be widely misunderstood, according to Tom Chapman, co-founder and director of cybersecurity recruitment firm Iceberg.<\/p>\n<p>\u201cI don\u2019t believe there\u2019s a cybersecurity skills gap,\u201d he says. \u201cWhat I believe is there\u2019s a training and development gap.\u201d Chapman explains that many graduates find it hard to land their first job because employers often prefer candidates with years of experience. \u201cNine times out of 10, organizations aren\u2019t paying us to find graduates. 
They\u2019re coming to us to find skills that have been harnessed over a period of time that are hard to get.\u201d<\/p>\n<p>Chapman says because of this dynamic, roles that fall in the mid-career range, requiring six to 10 years of experience, are among the hardest to fill. \u201cThese people are already embedded in good organizations and are probably working on really impactful projects,\u201d he says.<\/p>\n<p>Jessica Cassidy, co-founder and practice lead at OPCyberTalent, agrees that the mid-career gap is a critical pressure point and for this reason she believes there is a talent shortage problem. She points out that unlike more mature fields such as software engineering, the cybersecurity industry is still growing and developing the talent pool it needs.<\/p>\n<p>\u201cThere is a shortage because we\u2019re playing catch-up,\u201d Cassidy says. \u201cThere\u2019s a shortage because we only have a certain population. Now, we\u2019ve got a bigger population of entry-level professionals, but we\u2019ve also got bigger problems. We\u2019ve also got these senior folks who have been in the business for quite some time and they\u2019re getting ready to retire or move onto less stressful roles, so we\u2019ve got this gap of the three to eight years\u2019 experience, and it\u2019s a pretty big gap, and that\u2019s what people want.\u201d<\/p>\n<p>These mid-career professionals are particularly valuable because they\u2019re still eager, affordable, and adaptable. \u201cThey\u2019re in roles where they\u2019re getting paid pretty well and those security teams don\u2019t want to lose them, and they do whatever they can to keep them. But you\u2019ve got these new roles, and more security problems are opening up, so how do you plug that gap with more junior folks? 
That\u2019s what most talent teams and executives are thinking about,\u201d Cassidy says.<\/p>\n<h2 class=\"wp-block-heading\">Why do cyber professionals leave?<\/h2>\n<p>Understanding what drives people to leave their roles is the first step to fixing it. Cassidy identifies several red flags that can push talent away, including a reactive rather than proactive cybersecurity culture, poor leadership, limited scope for influence or advancement, and pay.<\/p>\n<p>Chapman adds that a lack of internal opportunities can be another major reason that drives talent away. He shares the story of how a SOC analyst felt invisible in his organization.<\/p>\n<p>\u201cHe\u2019d been in the same role for almost three years, and he\u2019s that sort of individual that doesn\u2019t complain and always delivers,\u201d Chapman explains. \u201cUnder the radar, he was upskilling himself on his own; he\u2019s a hungry individual who wants to learn. Although he\u2019s in a SOC role, he\u2019s looking at more threat hunting and purple teaming. But no one had ever asked him what direction he wanted to go in, or what sort of occasions he was eyeing up, or what technology he wanted to explore or get exposure to. So, when we called, he was all ears. He told me that he didn\u2019t know that he was allowed to ask.\u201d<\/p>\n<p>Chapman points out that many cyber professionals are problem-solvers first and career planners second, which is why regular career conversations are essential. \u201cIf you\u2019re not having regular, proactive conversations about growth and motivation, you\u2019re leaving the door wide open for attrition,\u201d he warns.<\/p>\n<h2 class=\"wp-block-heading\">Build teams from within<\/h2>\n<p>Recruiting talent from within the business and training existing employees, even those in traditional IT roles, is what helped another CISO, Chapman shares. 
\u201cI always ask CISOs, \u2018Have you looked internally first?\u2019\u201d he says.<\/p>\n<p>He explains how the CISO of an industrial organization needed OT security engineers but found them hard to source. Instead of hiring externally, he turned to his plant\u2019s control engineers. \u201c[He] asked, who knows the environment better than anyone? Who\u2019s curious about security? And then offered those opportunities internally \u2026 and found a couple of people that were interested in cybersecurity, but had no idea about a pathway into cybersecurity,\u201d Chapman explains.<\/p>\n<p>\u201cIt wasn\u2019t casual [training]; he built a training and development program that covered core security concepts, practical skills, and he paired them with mentors from the existing security team, ran workshops, and even brought in some guest instructors.\u201d<\/p>\n<p>The approach led to stronger retention, a more resilient team, and deeper cross-functional understanding. \u201cWhat really stood out was it was inclusive,\u201d Chapman says. \u201cThere were engineers who never thought they could pivot into cybersecurity. What was really interesting about that story is that there\u2019s a particular woman, formerly a control engineer, she\u2019s now running vulnerability assessments across all the plants.\u201d<\/p>\n<p>\u201cWhere this team had traditional security engineers for OT environments, they also have OT engineers now doing cybersecurity, so both parts of the team are helping each other learn more about the systems.\u201d<\/p>\n<p>Cassidy echoes this sentiment, emphasizing the importance of succession planning. She says programs such as internships and apprenticeships are critical, especially for identifying those eager to pivot into cybersecurity roles.<\/p>\n<p>\u201cMaybe there\u2019s someone in a help desk role that really wants that cyber role. Or there\u2019s someone in software engineering, and they\u2019re tired of code, and want to do something else. 
Whatever that may be, they need an opportunity,\u201d Cassidy says. \u201cIt\u2019s realising you\u2019ve got these eager people that want to do that job. So how do you bridge that gap with those hungry and talented folks?\u201d<\/p>\n<h2 class=\"wp-block-heading\">Support growth with certification and autonomy<\/h2>\n<p>Another strategy the experts advise, one that can help both retention and professional development, is offering support for industry certifications.<\/p>\n<p>\u201cCertifications are worth their weight in gold,\u201d Chapman says. \u201cCovering the cost of credentials, which can run to $10,000 or more, can be a major factor in whether someone stays or goes.\u201d<\/p>\n<p>Cassidy points out that, in addition to certifications, there are other upskilling opportunities, such as a cybersecurity bootcamp, online self-paced programs, or signing up for a centre of excellence, along with giving individuals the opportunity to shadow someone already in cybersecurity.<\/p>\n<p>What\u2019s important, they both argue, is to create an environment where professionals feel there\u2019s room to grow, whether that\u2019s building a new team, influencing tool selection, or developing custom solutions. \u201cIf you\u2019re hiring for a mid-level manager, if they\u2019re going to inherit a team, is that really a big sell? Whereas if you\u2019re going to let them build a team from scratch, then that\u2019s exciting,\u201d says Chapman.<\/p>\n<p>Cassidy recommends tying development to incremental financial increases, a model that rewards commitment and progression. \u201cIf you\u2019re training those folks and giving them incremental financial increases as they hit certain milestones, say every eight to 12 months or if they meet certain KPIs, it can make a difference. I\u2019m not saying it has to be 10% each time, it could just be a bonus. 
People are financially motivated.\u201d<\/p>\n<p>Ultimately, retention and growth aren\u2019t about ticking boxes; they\u2019re about building relationships and understanding what benefits can be gained by both the cyber professional and their managers.<\/p>\n<p>\u201cIt\u2019s a joint process. It\u2019s not one-size-fits-all, but that\u2019s why it\u2019s so important to talk to your staff and work out internally, \u2018Okay, this employee\u2019s motivations are X and Y. What am I doing to help them in that journey or aid that progression?\u2019 And not enough people are asking themselves that question,\u201d Chapman says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The cybersecurity talent crunch isn\u2019t new, but for CISOs the challenge is no longer just about hiring, it\u2019s also about holding onto the talent they already have. A recent report by IANS Research and Artico Search indicated that more than 60% of cyber professionals are contemplating switching jobs within the next 12 months. 
Among those [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3539,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3538","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3538"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3538"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3538\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3539"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3538"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3538"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3538"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}