
Illustration by iStock; Security Management

ISC2 Survey Highlights Leadership Skill Gaps

Cybersecurity professionals are used to searching for vulnerabilities and then striving to mitigate them. They are now applying that analysis to their own leadership skills.

In a new ISC2 survey, respondents were notably self-aware when evaluating their leadership and business acumen skill gaps, recognizing overall shortfalls in communication and business strategy.

“The study found that the cybersecurity professionals who responded are very self-aware,” says Andy Woolnough, executive vice president of corporate affairs for ISC2. “This is not something that they don’t know. It’s that self-awareness coupled with their natural curiosity… they are part of an industry that objectively looks at gaps and flaws and tries to fix them. They’re doing the same here.”

The survey polled 259 cybersecurity professionals—48 percent with formal leadership responsibilities (leading teams or departments) and 41 percent with informal leadership responsibilities (senior professionals who train or mentor other team members). Less than two-thirds of respondents said they have received comprehensive formal training for their current and future jobs, especially on leadership skills and strategy. Instead, they learn through observation—81 percent said they learn primarily through observing leaders, and 86 percent said their outlook on what makes a good leader has been shaped by experiences with previous supervisors, managers, and executives.

This style of observation means cybersecurity professionals notice their managers’ shortcomings. When asked by ISC2 what qualities they consider important in a leader, communication is cited by 85 percent of all respondents, followed by being strategic at 41 percent.

Business acumen ranked fairly low (32 percent by managers and 13 percent among team members), but it underpins cybersecurity leaders’ challenges in other fields like communication and effectively aligning with business strategy, Woolnough says.

Although cybersecurity leaders often climb the ranks due to technical expertise, when they reach a leadership or management position they find a new range of skills are needed, including people development, how to manage team performance and give actionable performance reviews, budgeting, and advocating for security’s value to organizational leadership, Woolnough adds.

“While they might be great at their tradecraft… it doesn’t always translate to being a very good leader,” he says.

This can have lasting consequences for cybersecurity functions and organizations as a whole, especially if a cybersecurity leader cannot effectively communicate how their function protects and supports growth drivers—particularly during an economic downturn. In that environment, organizations may feel tempted to cut back on functions they consider compliance-centric and instead invest in growth engines like sales, marketing, or innovation labs. But with the overall cyber workforce growth stalling even as cyber regulations increase, this can be a dangerous move.

“Cybersecurity needs to contextualize their value to make that sell,” Woolnough says. “When everything dries up and your business is focusing on the things that are keeping it alive… as a leader you need that skill to say that ‘this is still important.’ It’s even more important when you’re introducing untested technology like AI into the organization.”

This is where the communication skill gap cited by ISC2 survey respondents comes into play. It’s less about person-to-person communication and more about being able to effectively contextualize cybersecurity for stakeholders across the organization from the board to the C-suite to the frontline.

In open-ended responses about leadership mistakes, survey respondents complained about poor communication most often. ISC2 called out responses about inadequately communicating with business management, which results in an incomplete picture of the business requirements that cybersecurity must try to fill. Leaders also failed to explain priorities to team members, including during incidents, and failed to make themselves understood by stakeholders.

The organizational risk appetite is not just the purview of the cybersecurity function, but cyber has a big impact on risk management so it needs to be involved in that calculus. Successful cybersecurity leaders will get involved in broader risk discussions, think strategically about where the organization needs to go, and structure talent development programs to fulfill their long-term goals, Woolnough explains.

In conjunction with the survey results, ISC2 announced a new series of virtual cybersecurity leadership workshops in collaboration with the Cybersecurity Leadership Program. The series will focus on strategic thinking, business acumen, and communication skills.

Formal leadership training is relatively prevalent among formal cybersecurity leaders already—77 percent said they have had some, the survey found. Only 53 percent of informal leaders have had formal training. Most cybersecurity professionals said this training would be internal and provided by their employer, but 59 percent of formal leaders pursued additional training on their own.

“The results suggest a need for more formal training,” ISC2 concluded. “Allowing cybersecurity professionals to learn primarily by observing leaders may perpetuate bad habits, even if there is a side benefit of showing team members how not to act in positions of leadership. Organizations will be better prepared for cybersecurity risks if they institute comprehensive formal training.

“To determine their needs in this area, organizations should review their training practices and poll their teams to identify areas needing improvement,” ISC2 continued. “Formal training, with an emphasis on skills such as communication and strategy, leads to a better organizational structure with properly defined roles. Ultimately, it creates a more robust cybersecurity posture.”
