It is not surprising that good cybersecurity leaders can be hard to find. The role requires a person with a rare combination of IT expertise, cybersecurity knowledge, and interpersonal and management skills. Cybersecurity leaders face many of the same challenges as leaders in other business areas: managing a budget, leading a team, making strategic decisions, and meeting the expectations of upper management. However, they are tasked with an additional undertaking that most leaders are not: thwarting bad actors that seek to intentionally and maliciously undermine their work and cause security mechanisms to fail.
Compounding this already complicated mission, cybersecurity leaders must also be able to convey information in a meaningful way to a diverse group of stakeholders with differing levels of technical expertise. This can be especially difficult for those coming from an environment where their focus has historically been boots-on-the-ground execution of cybersecurity operations. As with any business area, functioning in a leadership role in cybersecurity often requires developing new strengths and engaging with people and environments that are outside of one’s comfort zone.
As a result, demand is outpacing supply for cybersecurity leaders, particularly chief information security officers (CISOs), who can deliver both technical expertise and leadership capabilities. According to Richard Brinson, chief executive officer (CEO) of cybersecurity consultancy firm Savanti, there is a severe shortage of candidates who possess the requisite cybersecurity subject matter expertise, understand business, and have the leadership qualities and presence to hold their own in a boardroom environment.1
Real Threats with High Stakes
According to the Fortinet 2024 Cybersecurity Skills Gap Report, 87% of leaders said their organization experienced one or more security breaches in 2023, and more than half of those respondents indicated that breaches cost them more than US$1 million in lost revenue, fines, and other expenses.2
The potential of advanced artificial intelligence (AI) represents another challenge in the purview of the CISO. Organizations are eager to leverage AI to capitalize on opportunities to improve business processes or introduce new products, but the deployment of AI systems comes with cybersecurity risk, leaving the CISO to ponder how to maximize security without inhibiting innovation. Meanwhile, generative AI is enabling faster identification and response to cyberthreats, but it is also making it easier for adversaries, with less of the skills and resources that are traditionally required, to launch attacks that are more sophisticated and larger in scale.3
Regulatory requirements aimed at mitigating cyberthreats and promoting public welfare add to the complexity of the cybersecurity leader’s job. As public demand for greater transparency and accountability around security incidents drives emerging regulation, it has the potential to place the CISO in the crosshairs. CISOs and information security professionals may find themselves individually named as defendants in legal proceedings, facing regulatory, shareholder, and even criminal actions.4
Understandably, this causes some candidates to question whether the rewards are worth the risk. In Splunk’s State of Security 2024 report, 76% of respondents said that tightening compliance mandates that increase personal liability make cybersecurity a less attractive field.5 Nevertheless, there are actionable strategies that can help address the overwhelming challenges facing today’s cybersecurity leaders. To successfully juggle the demands of leadership with the ever-present threat of cyberattack, cybersecurity leaders must engage with a broad network from which to draw support, communicate well, look to the future, and build and encourage strong teams.
Engage
Cybersecurity leaders must engage with a broad network of interested parties inside and outside of their organization, not only to deal with the demands of the job, but also to progress to a place where cybersecurity acts as an enabler to the enterprise. Building and managing this network of engagements is one of the most challenging aspects of the job, but at its core, it is about committing to frequent, open communication that builds trust.
Fortunately, most boards of directors (BoDs) understand the importance of cybersecurity in today’s threat landscape. Scores of risk rankings, such as the World Economic Forum’s Global Risks Report 2024, consistently place cyber among the top sources of risk.6 What is less clear, however, is whether BoDs and cybersecurity leaders are properly aligned on the quality of the overall cybersecurity program and how areas such as risk management, threat mitigation, and incident response should be managed. Still, the need for engagement extends beyond the BoD and top management. Employees across the organization should have an appropriate grasp of its approach to cybersecurity, how that strategy is being executed, and their role in the process.
To ensure that this happens, cybersecurity leaders must be able to network, synthesize information, lead conversations, and communicate effectively. Effective communication encompasses fundamental aspects such as frequency of communication, clarity of information, and regard for the perspective of the reader/listener (i.e., relevance)—but it does not always come naturally. As is the case with technical knowledge, these critical skills must be honed over time with training and experience.
Communicate Risk
Newer cybersecurity leaders, in particular, tend to take a threat-centric approach to cyberrisk management. However, a cybervulnerability is not the same as risk: risk combines the likelihood that a threat exploits a vulnerability with the impact on what is being protected.7 While threat identification is a key aspect of risk assessment, the first question the risk assessment process must answer is “What are our organization’s most important IT assets?”8
There is a delicate balance between assessing risk based on the severity of the threat and assessing it based on the value of what is being protected. There are limited resources, and new threat vectors are being developed and improved upon all the time. Cybersecurity leaders must secure agreement and buy-in from top management and the board to ensure that decisions about time, personnel, and budget allocation are defensible and based on shared priorities. To accomplish this, they must translate cyberthreat and vulnerability information into terms of likelihood, the potential impact on business objectives, and legal, financial, and reputational damage.
Look Ahead
Cybersecurity personnel are conditioned to respond to inquiries about the current state of cybersecurity. “Is our data safe?” “Are our systems secure?” “Are we fully compliant with regulations?” With so many clear and present dangers, it is difficult for cybersecurity leaders to focus on potential future threats. As technology advances at an unprecedented pace and organizations continually innovate and adapt, securing the present can only offer temporary success. Put bluntly, “Organizations cannot afford to fall behind, and the legacy technology of yesterday is no match for the speed and sophistication of the modern adversary.”9
The best cybersecurity leaders inspire the BoD and top management to look beyond responding to the issues of the day and focus instead on preparing the organization for the future. To visualize the organization’s future cybersecurity needs, the cybersecurity leader must maintain knowledge of four key aspects:
- Upcoming changes to the organization’s strategy
- Emerging regulations and other developments that may impose requirements on the organization and its cybersecurity practices
- Cutting-edge tools and techniques for fighting cyberattacks
- The latest trends in cybercrime
Once again, this requires the cybersecurity leader to tap into their network to stay current on these topics; it cannot be done in a vacuum. However, by maintaining a solid understanding of these four things, cyberleaders can achieve a level of foresight that will keep the organization from wasting resources or exposing vulnerabilities due to a lack of long-term planning.
Build a Great Team
Often there tends to be a “hero mentality” within the CISO community.10 In reality, however, cybersecurity leaders cannot act alone to protect the enterprise from cyberthreats. Regardless of how elegantly a cybersecurity program is designed, it takes a great team with depth and breadth of expertise and skills to implement such a program effectively. This is another one of the most challenging aspects of the job, in part because of the difficulty in sourcing talent.
A report by the World Economic Forum (WEF) indicates a shortage of nearly four million cybersecurity professionals worldwide, paired with a consistent year-over-year increase in the demand for qualified cybersecurity professionals.11 The same report highlights several strategies to increase the odds of building a team that will not only excel, but stand the test of time:
- Identify and recruit from fresh cyber talent pools, including tapping into public-private collaboration efforts designed to provide individuals of all backgrounds and career levels access to cybersecurity education opportunities.
- Offer continuous learning opportunities to existing employees, which may be accomplished through upskilling current cybersecurity hires or reskilling individuals within the organization who possess other skills that could translate to a cybersecurity role.12 Upskilling in the cybersecurity field can include obtaining certifications, but leaders should also be open to providing educational opportunities such as seminars and webinars, facilitating working groups with third parties or suppliers, and granting staff opportunities to give presentations.
- Develop a cyberaware workforce, which remains a critical component of any cyberrisk management strategy. Malware, phishing, password attacks, and social engineering attacks are not going away anytime soon. When employees know about these common attack vectors, they can serve as a solid first line of defense.13
A team can even expand beyond the cybersecurity leader’s direct reports. For example, leaders could invite guest speakers to share insights on industry trends and topics or participate in professional organizations to share ideas with other cybersecurity leaders. Organizations such as the US Cybersecurity and Infrastructure Security Agency, the US Department of Defense (DoD) Industrial Base Collaborative Information Sharing Environment (DCISE), and the US National Security Agency (NSA) offer up-to-date threat intelligence. The private sector can also explore partnerships with academia to tap into cutting-edge research and help ensure that cybersecurity curricula align with industry requirements.14
Depending on the headcount and skillsets they have on board, cybersecurity leaders may also choose to integrate support from third-party providers specializing in certain areas. This approach could be used to cover a gap or deficiency, or in the case of a managed service provider, to ease the burden on staff from operational activities so that they can focus on long-term goals. The flip side of this approach for the cybersecurity leader, however, is that it adds to managerial effort as it relates to third-party risk and controls.
Finally, one of the most important tasks in building a good cyber team is to engage with human resources (HR) and ensure that HR and recruitment teams are equipped with the necessary skills and training to execute the hiring strategy effectively.15 Data from the WEF report shows that only 25% of cyberleaders feel that their HR teams understand cybersecurity hiring needs well enough to properly prescreen candidates.16 For example, in cybersecurity, candidates are often more likely to have begun their careers in other areas or be self-taught. If HR is not attuned to this nuance, and instead is overly focused on certifications or credentials, then it could be overlooking talented candidates.17
Motivate and Encourage
Building a great team is crucial, but morale can be a particularly challenging aspect of leading a cybersecurity team because of the often thankless nature of the work. A perceived lack of appreciation is a key driver of attrition in the cybersecurity field, which is why it is important for leaders to find ways to celebrate the success and achievements of their teams, including:
- Defining goals and objectives that are specific to the cybersecurity team and tracking progress against those goals, celebrating achievement
- Periodically reaching out to senior leaders to recognize staff members by name for their accomplishments
- Implementing a reward/recognition program for outstanding work, or leveraging an existing one within the organization
- Continually emphasizing the role cybersecurity plays in the organization’s overall success
Additionally, finite resources and competing priorities will inevitably constrain what the cybersecurity team is able to do to keep the organization safe. In these instances, it is crucial for the leader to empathize with the team and help them understand the bigger picture, conveying that a constrained budget does not necessarily signal a lack of appreciation for cybersecurity.
Mental health and stress management are also critical aspects of keeping a good team together over the long term. The WEF highlighted two of the main causes of attrition among cybersecurity professionals:18
- Unrealistic expectations and poor work/life balance
- Prolonged exposure to stress, which not only results in a decline in individual performance and overall workplace happiness but can also have serious implications for employees’ physical and mental health in the form of burnout
According to a recent report, 74% of cybersecurity professionals globally have taken sick days due to work-related mental well-being issues, approximately 3.4 days per year on average.19 Burnout results in not only a human toll, but a financial impact as well. The report states that 41% of enterprise leaders in the United Kingdom and 45% in the United States estimate the 12-month financial cost of stress, fatigue, or burnout for their enterprises at £3-4 million and US$2.5-3.8 million, respectively.
Speaking at the SANS Cybersecurity Leadership Summit in 2022, Mark Dunkerley, director of IT architecture and cybersecurity for Coca-Cola Bottlers, emphasized that security leaders must act in the best interest of their employees.20 This includes respecting personal time and being aware of work/life balance and the need to unplug. “I have heard firsthand the perception that cybersecurity has a 24/7 requirement,” Dunkerley said. “We as leaders have the ability to help change this perception.”
Conclusion
The job of a cybersecurity leader entails so much more than identifying and neutralizing threats. To succeed as a cybersecurity leader in today’s environment requires the interpersonal skills to engage and communicate with a wide variety of stakeholders, not only to deliver information, but to ensure understanding and alignment. It also requires the ability to build a great team and give them the support they need to do their jobs well in the face of extraordinary pressure. The data is clear: Those who are able to master this approach will find themselves in very high demand.
Endnotes
1 Easy Prey Podcast, “Cybersecurity Leadership Is Broken with Richard Brinson and Rachel Briggs,” 1 February 2023
2 Fortinet, 2024 Cybersecurity Skills Gap Global Research Report, 2024
3 CrowdStrike, 2024 Global Threat Report, 2024
4 Research, S.; “The Evolution of Cybersecurity Liability for the C-Suite,” TrueFort, 10 May 2024
5 Splunk, State of Security 2024, 2024
6 World Economic Forum, Global Risks Report 2024, 10 January 2024
7 Tunggal, A.T.; “How to Perform a Cybersecurity Risk Assessment,” UpGuard, 16 September 2024
8 Tunggal; “How to Perform”
9 CrowdStrike, 2024 Global Threat Report
10 WhatIsMyIPAddress.com, “Cybersecurity Leadership: A Business Challenge in a Tech-Centered World”
11 World Economic Forum, “Why Closing the Cyber Skills Gap Requires a Collaborative Approach,” 23 July 2024
12 World Economic Forum, “Why Closing the Cyber”
13 World Economic Forum, “Why Closing the Cyber”
14 World Economic Forum, Strategic Cybersecurity Talent Framework, April 2024
15 World Economic Forum, Strategic Cybersecurity Talent Framework
16 World Economic Forum, Strategic Cybersecurity Talent Framework
17 Field Effect, “Overcoming the Cybersecurity Talent Shortage in 2025,” 29 May 2024
18 World Economic Forum, Strategic Cybersecurity Talent Framework
19 Orphie, “New Research Reveals that Cybersecurity Burnout Costs US Enterprises Over $626 Million Annually and UK Enterprises Over £130 Million Annually,” Hack the Box, 18 June 2024
20 SANS Institute, “Building a Cybersecurity Program From the Ground Up,” YouTube, 15 November 2022
KEVIN M. ALVERO | CISA, CDPSE, CFE
Is the chief compliance officer at Integral Ad Science. He leads the company’s regulatory and industry standards compliance initiatives, spanning its global ad verification products and services.
ROBERT JANECEK
Is the chief information officer at Integral Ad Science. He is responsible for the company’s technology systems and infrastructure worldwide and owns the company’s cybersecurity strategy and resiliency initiatives.