Leadership training and skills are severely lacking in the cybersecurity industry, according to ISC2’s Cybersecurity Leadership Survey.
The accreditation and training body found that in responses to open-ended inquiries, survey participants indicated that their cybersecurity leaders demonstrate limited or no skills in areas such as communication, strategic mindset and business acumen.
Speaking to Infosecurity, ISC2 CISO, Jon France, explained that the findings are a major concern, especially at a time when regulations push cyber responsibility into the boardroom, making cybersecurity very much a business issue.
This necessitates qualities like communication and strategizing among leaders in the sector as they are required to speak the language of business.
“Security is not the treatment of business, it is part of business,” France said.
Communication was considered the most important quality in a leader, cited by 85% of respondents in the survey. This was followed by being strategic (41%), open-minded (37%) and technically skilled (33%).
Just 20% cited business acumen as a key leadership quality for a cybersecurity manager.
The study polled 259 cybersecurity professionals, 48% of whom have formal leadership responsibilities such as managing teams or departments, and 41% of whom have informal leadership responsibilities, including training or mentoring other team members.
Cybersecurity’s Maturation Process
The lack of leadership skills is partly caused by the limited formal training in this area provided to cybersecurity leaders and those aspiring to reach such roles, the report found.
Less than two-thirds (63%) of respondents said they had received formal leadership training, with 81% stating that they learn primarily through observing other leaders.
Additionally, 86% said “experiences with previous supervisors, managers and executives in the private sector” shaped their “outlook on what makes a good leader.”
France believes a factor in the limited formal leadership training on offer in cybersecurity is the fact that the industry is still relatively young and going through maturation, having emerged from the general technology field.
This means the sector is catching up in terms of the ‘softer’ skills needed for leadership roles, such as strategy and communication, as it traditionally focused on technical skills.
Historically, promotion in cybersecurity has been achieved primarily through technical prowess, which is a contributing factor to the deficit in leadership skills, France noted.
“What makes a good manager, leader and strategist isn’t necessarily the same as makes a good technologist,” he said.
In addition to growing their own leadership skills, France advised security leaders to design training programs for staff that balance technical and non-technical components to ensure they are developing skills for future leadership positions.
Additionally, he urged aspiring leaders to try to gain experience working across other areas of the business to assist their preparation.
“Go and get some wider business experience, go and spend some time with other departments, learn what the greater needs of the business are,” said France.
ISC2 Pushes Back on Workforce Study Criticisms
ISC2 has recently been criticized by some cyber professionals for the methodology and messaging it uses around its annual Cybersecurity Workforce Study, which in 2024 estimated the cybersecurity workforce gap to be 4.8 million.
This included an open letter to the ISC2 Board written by renowned cybersecurity professional and current CISO at CYE, Ira Winkler, in October 2024.
Winkler’s open letter accused the body of “knowingly pushing a false narrative of a plentiful job market” by suggesting there are 4.8 million open positions at a time when actual cybersecurity employment is stagnant and there are significant redundancies in the sector.
France pushed back against these criticisms when speaking to Infosecurity. He emphasized that the study did not claim the 4.8 million gap relates to open positions.
Instead, the figure is based upon asking respondents how many cybersecurity professionals they need to adequately secure their organization.
“I think there are interpretation differences here,” he said, adding: “It’s really about how the industry needs to grow to sufficiently secure our digital infrastructures.”
France also noted that the 2024 Workforce Study accurately reported a contraction in the cybersecurity jobs market, caused by budget constraints due to the overall economic situation. He said these findings demonstrate that the methodology used broadly shows what is happening in the real world.
France added that the core methodology used to conduct the annual survey will not change, as this will ensure there is an accurate comparison of trends with previous years’ reports.