{"id":3900,"date":"2025-07-09T07:00:00","date_gmt":"2025-07-09T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3900"},"modified":"2025-07-09T07:00:00","modified_gmt":"2025-07-09T07:00:00","slug":"how-cisos-are-training-the-next-generation-of-cyber-leaders","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3900","title":{"rendered":"How CISOs are training the next generation of cyber leaders"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

It\u2019s easy for cybersecurity leaders to get caught up on the day-to-day of making sure teams are delivering and risks are being managed that the opportunity to prepare those same professionals to become the next generation of leaders is missed.<\/p>\n

But with cybersecurity now firmly positioned as a business-critical function, more CISOs are starting to turn their attention to developing future leaders. While many CISOs came up through the ranks learning on the fly, leaders today are taking on a more intentional and often personal approach to training tomorrow\u2019s leadership pipeline.<\/p>\n

\u201cI think there is a point in your career as a leader where it is healthy to hit the pause button and really reflect on your lessons,\u201d says Yassir Abousselham, founder of Silicon Valley Cyber and former CISO at Splunk and Okta. \u201cBut also start to inquire with your peers about their own lessons.\u201d<\/p>\n

Abousselham explains how much of his own leadership experience was shaped by learning on the job, learning from mistakes, and observing what worked and what didn\u2019t. He points out that while there\u2019s plenty of technical training programs in cybersecurity, few focus on helping cybersecurity professionals transition into leadership.<\/p>\n

But even with experience, he stresses there\u2019s an \u201cart\u201d to developing the leadership skills of others. Abousselham says CISOs need to be deliberate about nurturing leadership in their teams, and to do so fairly. \u201cYou need to make sure you\u2019re cultivating and investing in the growth of every member of the team, without showing up as favoring one specific team member,\u201d he says.<\/p>\n

He explains that process starts with mapping a team member\u2019s strengths and identifying areas for growth across a range of skills. He highlights the importance of scheduling regular one-on-one sessions with team members focused solely on career planning and professional growth.<\/p>\n

In one case, he mentored a leader who struggled with public speaking. Instead of avoiding the issue, Abousselham made it a personal challenge to help him grow, gradually increasing his exposure to speaking opportunities, offering frameworks for structuring ideas, and guiding him in how to approach an audience.<\/p>\n

\u201cPart of it is trying to push the limits and not taking \u2018no\u2019 for an answer,\u201d he says. \u201cIf you see that a skill is extremely important for the growth of a leader, then make it a priority. Put a target around it to make sure that they continue progressing on that skill.\u201d<\/p>\n

Bring structure to leadership pathways<\/h2>\n

While Abousselham champions a personalized, hands-on approach to developing talent, other CISOs are building more formal pathways to support emerging leaders at scale. For others like PayPal CISO Shaun Khalfan, structured development was always part of his career. He participated in formal leadership training programs offered by the Department of Defense and those run by the American Council for Technology. He now applies those insights to building PayPal\u2019s cyber talent pipeline, with a particular focus on developing female and mid-career leaders, supported by a mix of formal and informal internal programs.<\/p>\n

\u201cHow do we ensure that we\u2019re creating avenues and opportunities to develop female leaders throughout organizations \u2026 and coaching them on how to use their voice,\u201d Khalfan says.<\/p>\n

Khalfan believes leadership development must reflect the reality of modern cybersecurity, where technical credibility is no longer enough. He points out that security leaders must now engage with all parts of the business, including at the board level.<\/p>\n

\u201cI would submit that, especially in cybersecurity, which for many years was seen as a back-office, technical engineering function, it\u2019s only recently that the CISO has become a business risk leader,\u201d he says. \u201cCybersecurity is now one of the top three risks for most companies, it\u2019s no longer just about engineering or governance and risk. It\u2019s risk across the company, and it requires working closely with business partners \u2026 which has necessitated the need for proper [leadership] training.\u201d<\/p>\n

Structured development is also happening inside companies like the insurance brokerage firm Brown & Brown. CISO Barry Hensley supports an internal cohort program designed to identify and grow emerging leaders early in their careers. \u201cWe look at our \u2013 I\u2019m going to call it newer or younger \u2013 employees,\u201d he explains. \u201cAnd if you become recognized in your first, second, or third year as having the potential to [become a leader], you get put in a program,\u201d he explains.<\/p>\n

The program, according to Hensley, brings together a cohort of 20 to 30 teammates who meet monthly with the CEO, work on real-world business problems, and receive mentorship from guest speakers. Participants also attend company events for professional development throughout the year. This in addition to other leadership development programs at Brown & Brown, including an enterprise leadership development program that is open to employees for enrolment and other nominated-based programs.<\/p>\n

Leading versus managing<\/h2>\n

A former US Army officer, Hensley sees leadership development not just to build continuity, but as a reflection of organizational health. \u201cI look forward to the day that somebody fills my shoes,\u201d he says. \u201cYou know you\u2019re successful when you\u2019ve worked yourself out of a job.\u201d<\/p>\n

He believes great leaders are shaped by the people they surround themselves with and by having strong role models early in their careers. \u201cI tell people all the time that you ought to be invited and be inspired by the people you work with and for, and you ultimately ought to get an understanding of the type of leader you want to be and the type of people you want to work with based on role models you have.\u201d<\/p>\n

For Hensley, there\u2019s a distinct difference between good leadership and management. He says a leader \u201cinspires and motivates\u201d while a manager focuses on accomplishing tasks to drive efficiency and scale, and don\u2019t often take the time to become effective leaders.<\/p>\n

\u201c<\/strong>A manager does not often get invited to a special moment of a teammate\u2019s life, for example, a wedding or graduation, but if they\u2019re a leader, the teammate would be honored if they could participate in the memorable event as their sincerity is true,\u201d he says.<\/p>\n

Run human-focused programs<\/h2>\n

At Ouellette & Associates, leadership programs are tailored to building the \u201chuman side\u201d of technology, with a specific focus on developing skills such as business acumen, client orientation, and collaboration.<\/p>\n

One of the flagship offerings is Cybersecurity Leadership Experience (CyberLX), a nine-month program which includes one-on-one mentoring by a CISO or senior cyber leader outside of their organization. It also features interactive workshops and a capstone project to apply learnings in practice.<\/p>\n

For Kath Marston, executive director of technology leadership practices at Ouellette & Associates, the business case for investing in leadership development is clear. She warns organizations that fail to develop their people risk losing them, especially in a sector where change is constant and skill sets evolve quickly.<\/p>\n

\u201cIt\u2019s a big playing field out there right now. To attract talent is one thing. To invest in your talent and grow them is another, and that\u2019s how you\u2019ll have longevity in an organization,\u201d she says. \u201cMany organizations attract the talent, but they lose them because they don\u2019t grow their people. Skill sets change, our world changes constantly, we\u2019re always innovating, always dealing with complex environments, so we have to be ready for what\u2019s the competitive advantage.\u201d<\/p>\n

That readiness, Marston argues, is directly tied to leadership. \u201cWe\u2019re always looking for the next cybersecurity or IT leader to become the next CISO or CIO and we\u2019ve got to grow them to get there.\u201d<\/p>\n

Still, even well-meaning organizations can struggle to train their cyber professionals fast enough. As Ouellette & Associates director of leadership programs Jill Lundy explains, the challenge isn\u2019t always a lack of investment. \u201cIt\u2019s just that the time needed hasn\u2019t necessarily been put aside, and they can\u2019t move as quickly as they would like to get everyone up to speed.\u201d<\/p>\n

Spotting a future leader<\/h2>\n

Identifying leadership potential isn\u2019t about a linear checklist, however, it\u2019s about range, according to Khalfan. \u201cDo they understand how the cyber engineering controls and the bits and bytes of code scanning or building secure products translate back to risk?\u201d he asks. \u201cAnd can you articulate that? Can you oscillate between technical speak and business speak?\u201d<\/p>\n

Khalfan believes good CISOs should be able to dive deep with engineers while also leading boardroom conversations. \u201cIt\u2019s been a long time since I\u2019ve written code,\u201d he says, \u201cbut I at least understand how to have a deep conversation and also be able to have a board discussion with someone.\u201d<\/p>\n

Abousselham agrees that technical experience is only one part of the puzzle. He\u2019s more focused on whether someone is ready and willing to step up to taking on a leadership role.<\/p>\n

\u201cOur responsibility as leaders who had the opportunity to actually serve in these roles is to share,\u201d Abousselham says. \u201cIt\u2019s to take time from our busy days to reflect on our lessons, share publicly at scale, and help the newer generation. It\u2019s the right thing to do to help the next generation of cyber leaders.\u201d<\/p>\n

Related reading:<\/p>\n

How talent-strapped CISOs can tap former federal government cyber pros<\/a><\/p>\n

The highest-paying jobs in cybersecurity today<\/a><\/p>\n

What CISOs are doing to lock in cyber talent before they bolt<\/a><\/p>\n

CISOs reposition their roles for business leadership<\/a><\/p>\n

53% of cyber department leaders eyeing the exit
<\/a><\/p>\n

><\/p><\/div>\n\n

><\/p><\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

It\u2019s easy for cybersecurity leaders to get caught up on the day-to-day of making sure teams are delivering and risks are being managed that the opportunity to prepare those same professionals to become the next generation of leaders is missed. But with cybersecurity now firmly positioned as a business-critical function, more CISOs are starting to […]<\/p>\n","protected":false},"author":0,"featured_media":3882,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3900","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3900"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3900"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3900\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3882"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3900"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3900"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3900"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}