How CISOs can build strong employees

With ongoing skills gaps, AI reshaping roles and workforce stress as a constant concern for many CISOs, ensuring workforce sustainability has become top of mind. But with budget constraints, back office workloads and teams struggling to keep up with the threat landscape, CISOs are facing a real challenge.

Stephen Ford, VP and CISO at Rockwell Automation, knows what many CISOs face: it’s often difficult to find resources with the right skills to deliver a robust cybersecurity program and capabilities. “So, the sustainability of the workforce is important,” Ford said.

Workforce resilience requires data-driven planning, managing skill sets, and team building as another component of risk management.

How CISOs approach workforce planning

Because the nature of cybersecurity work is unpredictable, Ford actively monitors his team to get a feel for how they’re doing. “There is a lot of project work, but there is also a lot of work related to events and depending on how many events or problems we face, we could easily defeat the team,” he said.

This concern is well-founded, with the 2025 ISC2 Cybersecurity Workforce Study finding 47% of participants report feeling overwhelmed by the work they are expected to carry.

Jon France, ISC2 CISO, agrees that workforce resilience – managing stress, burnout and workload – is an ongoing concern, not a side issue.

“Taking care of the team and using the team without killing it is in our plans as well,” said France.

Ford has developed strategies that not only attract talent but also retain their interests and transfer them to the problems and flows of everyday life in cyber security. “I’m focused on monitoring the workforce and trying to get a good feel for the workloads ahead.”

Having the right staffing team is important and this is where data helps to measure workload and make the case for supporting service provision. “Sometimes it can be difficult to get your arms around you, but the right procedures and the ability to measure the work helps to calculate the expected load and determine the acceptable resource level to support that load,” said Ford.

The challenge of balancing workload and justifying resource acquisition decisions is common. Only 55% of respondents believe their organizations have the necessary resources to deal with security incidents in the next two or three years, according to the ISC2 survey.

Burnout causes job dissatisfaction

Burnout is a constant concern for many CISOs and their teams. When unexpected events cause an increase in workload, burnout can quickly escalate. “It’s something that can quickly become overwhelming,” Ford said.

Industry surveys continue to turn red with chronic burnout leading to job dissatisfaction. The ISC2 survey found nearly half of respondents (48%) said they felt tired trying to keep up with the latest threats and emerging technologies.

Ford sees it as a leadership and operating model problem, addressed by communicating with the workforce and having a continuous pipeline of talent to avoid burnout. “I try to hire the right people, empower them, and delegate as much as possible.”

While it is difficult to completely eliminate these problems, using data to inform staffing levels, aiming to balance workloads as much as possible, and paying attention to the culture surrounding the team are some of Ford’s strategies.

“We spend time building good teams and we need to spend time to understand the challenges, the workload, and how they feel about the work.”

AI as a force multiplier, not a computational strategy

Tools and technology have always reshaped roles, and AI is no exception. What stands out in this case is the rate and speed of adoption, along with fear, uncertainty and doubt about what it means for entry-level roles.

More than two-thirds (69%) of respondents are on the path towards regular use of AI, ISC2 shows, including testing, evaluating and integrating these tools into their work.

At software vendor Kantata, there is a shift toward an AI-augmented workforce model that prioritizes automating high-volume tasks and integrating AI pilots to act as force multipliers for team members. This includes high-impact areas such as TPRM, security assessments such as RFP/RFI responses, and threat monitoring to significantly reduce operational noise.

“By automating the first pass of data entry and alert processing, our teams can focus on high-fidelity incidents and strategic decision-making instead of repetitive manual tasks,” said Taison Kearney, Kantata’s CISO and DPO.

To ensure that this does not simply increase the workload, they reinvest the time saved in formal skills development, ensuring that it achieves support team efficiency and professional growth. Kearney believes that automation combined with upskilling helps reduce burnout and allows internal technology to adapt to the threat landscape. “It secures our long-term sustainability by preserving institutional knowledge and providing our talent with a clear, growing career path.”

France sees AI replacing entry-level work but not eliminating it. Giving the example of SOC analysts, he says there will be no replacement for a top-level person. “But it will get them to a decision faster, or at least get them a more accurate picture of what’s going on.”

He acknowledges fears about losing the basic experience, but believes we’ve moved past it with other technological changes. “I think it will change some roles, but ultimately it won’t replace them. Along with that, it’s an effective benefit,” said France.

Kearney thinks AI is depressing the career ladder by automating the repetitive Tier 1 jobs that used to serve as entry-level learning. Therefore, junior roles are shifting toward solving more complex problems, to the benefit of both employees and organizations.

“This forces new hires to develop skills and strategies much earlier in their careers, ultimately driving a higher reliance on AI capabilities for these people to succeed,” Kearney said.

Employees have dedicated time to training, and the goal is for the team to develop a deep knowledge of the architecture with the ‘human-in-the-loop’ expertise that is so necessary in complex security. “This approach transforms the ‘desire to learn’ into a clear career path that informs the institution’s knowledge and ongoing evolution,” Kearney said.

Building an online team amid a skills shortage

Managing workload is a daily concern, but alongside this challenge is the task of building the right online team through recruiting and developing existing staff. It is by no means an easy task: almost two-thirds of the respondents in the ISC2 survey identified a significant skills shortage in their teams, emphasizing that the challenge is both personnel and competence.

Ford acknowledges that it is difficult to find top-level talent across the various cybersecurity sectors, especially for a large organization like Rockwell. His strategy includes bringing in a key expert or two in various fields with years of experience and adding younger people to the job. “Pairing with seasoned professionals allows you to build a successful, strong team over time, and I’ve seen that work very well in organizations with early career plans.”

He is also looking for professionals from related fields such as infrastructure, data center space or application development who are willing to enter cyberspace. “I’m not recruiting everyone. I’m recruiting a few top professionals and building a pipeline maybe through early stage work or other jobs like this in the tech space to get an active online team,” he says.

Rockwell has programs for college students and early career programs and strong relationships with local universities to bring in early talent and make them part of its projects in hopes of retaining others for full-time employment.

Early-career professionals don’t always fully understand the different fields and jobs one can do in cybersecurity, and Ford says it’s focused on helping them learn and get interested in the Internet. “You end up with someone who is committed over time and a strong employee and you can start looking at building a pipeline for senior positions.”

Where other organizations may look to fill gaps with outside providers such as managed services providers, Ford said Rockwell would like to cultivate talent and expertise internally. He finds that it helps to develop employees by understanding critical information about the organization and its operations – rather than seeing this important “thought leadership” sitting outside the building.

In some cases, early career professionals are able to solve complex problems based on their proximity to new technologies. “Some of the younger generations are actually more wired and are apt to use some of the new technologies like AI, while some of the older, more seasoned professionals may be traditionalists,” Ford tells CSO.

Hiring managers and cybersecurity professionals are closely aligned, with research showing problem solving, collaboration, communication, willingness to learn, and strategic thinking are top non-technical skills for both groups.

France is expanding what “good defensive talent” looks like, emphasizing communication skills, critical thinking, and curiosity over critical technical skills. Approaching it this way opens up a wider talent pool to draw from. “You don’t have to come from the technology sector, you can come from nearby industries and bring that experience.”

How CISOs can manage workforce planning

1. Bake in human sustainability

  • Treat stress and burnout like any other risk indicator.
  • Design rotations, on-call policies, and workload management personnel.

2. Use AI to redesign roles, not erase them

  • For entry-level roles switch jobs from:
    – Manual surfing → AI-assisted trial and investigation.
    – Pure complaint function → judgment, escalation, and interpretation.
  • Keep people on track with job descriptions and process design.

3. Protect basic learning in the default setting

  • Set up structured skills methods: simulations, labs, red/blue exercises so junior staff can still learn what the AI does for itself.
  • Pair junior and senior analysts to develop skills and explain why the tool makes decisions.

4. Plan a combination of skills, not just memorization

  • Intentionally recruit for connections, critical thinking, and curiosity, not just technical certifications.
  • Guide your team through both technical depth and business risk communication needs.

5. Treat culture as part of resilience

  • Delegate, manage the staff pipeline, and take care of the team’s responsibility and culture.
  • Encourage leaders to tap into peer networks for both brainstorming and emotional support, recognizing that CISO burnout is a systemic risk.
