This is the fourth Sunday letter we have written for the executive who is reading on a quiet evening with the laptop half-closed. The previous letters addressed the questions to ask, the personal liability exposure, and the governance question of risk appetite. This one addresses the question that quietly governs every other security decision your organization makes and that most boards refuse to ask out loud: do we have the cyber talent we need, and if not, what are we doing about it?
The World Economic Forum has, for three years running, identified the global cyber workforce gap as one of the most consequential constraints on enterprise resilience. ISC2 estimates the shortage at approximately four million professionals worldwide. The IBM Cost of a Data Breach report consistently shows that organizations with severe staffing shortages in security pay materially more per incident. Yet most boards engage with this topic through the proxy of the security budget rather than the substance of the workforce question itself. The budget question is easy. The workforce question is hard. And the workforce question is the one that determines whether the budget produces any defensible outcome.
Why Cyber Talent Has Become a Boardroom Question in 2026
The work has changed faster than the workforce has. Cloud-native architectures, AI and ML integration, regulatory complexity, and the maturation of adversary tradecraft have all pulled the required skill profile of a security professional in directions that traditional hiring funnels have not kept pace with. The CISO who reports a fully staffed organization is in many cases reporting a fully staffed organization for a workload that no longer exists. The workload that does exist is partially served, partially deferred, and partially outsourced through arrangements that the board does not see in the org chart.
“The talent question is rarely the headcount question. It is the capability question hidden inside a headcount answer. A team can be at full headcount and short on the four capabilities that would change the trajectory of the next breach. The board that asks the right question gets a different answer than the board that asks the easy one.”
Senior cyber talent strategy, iSECTECH engagement notes
What Cyber Talent Strategy Actually Looks Like at a Mature Organization
A mature cyber talent strategy is not a hiring plan. It is a multi-year sequence of decisions about which capabilities the organization builds internally, which it sources through partnerships, which it accepts as gaps with named compensating controls, and which it plans to retire because the work is changing underneath them. The strategy is reviewed annually by the executive team, signed off by the board, and benchmarked against the threat landscape rather than against the peer organization down the street. The peer benchmark is a comfort. The threat benchmark is a defense.
Three Boardroom Conversations That Defined This Letter
The first boardroom conversation involved a CEO who asked, in the middle of a quarterly review, whether the company had ever lost a candidate to a competitor for compensation reasons. The CISO had to say yes, and the conversation that followed reshaped the compensation philosophy for security roles. The second conversation involved a board chair who asked whether the company had a named successor for the CISO role; there was not one, and within a quarter a deputy role had been created and funded. The third conversation involved a non-executive director who asked what fraction of the security team had been at the company longer than three years; the answer was eleven percent, and the retention plan that followed reduced incident response cycle time by a measurable margin within a year.
The Three Habits of Boards That Manage Cyber Talent Well
The first habit is treating talent as a multi-year strategic question rather than an annual budgeting question. The second habit is asking about capability coverage, not headcount coverage, in every quarterly security review. The third habit is sponsoring a named succession plan for the CISO and the two roles below the CISO, treating this as a fiduciary responsibility comparable to financial succession planning. The CISA guidance on cyber workforce development has, since 2024, explicitly framed succession planning as a board-level concern rather than an HR matter.
“The companies that have the best cyber outcomes over five-year horizons are the ones whose boards treated the talent question with the same seriousness they treated the capital allocation question. The two are connected. The companies that treat them as separate problems get outcomes that reflect that separation.”
Wendy Nather, public commentary on security workforce strategy
Why the Talent Conversation Belongs in the Boardroom Rather Than HR
The talent conversation is a security conversation. The compensation philosophy for security roles affects retention, and retention affects incident response readiness. The succession plan for the CISO is a continuity question, and continuity is a board governance matter. The capability coverage decision involves accepting or rejecting risk, and risk acceptance is a board function. The organizations that treat cyber talent as an HR matter delegate the question into a function that does not own the consequences. The boards that hold the question themselves own the consequences and act accordingly.
What to Read Before Monday Morning
Three things to read before Monday morning. The most recent ISC2 Cybersecurity Workforce Study, which provides a clear picture of the workforce gap and the dynamics shaping it. The most recent World Economic Forum Global Cybersecurity Outlook, which frames the workforce question in the broader resilience context. And one internal artifact: the most recent attrition report for the security organization, with the reasons cited by departing employees during exit interviews. The third is the most useful of the three, and it is the one most boards have never seen.
What to Do This Week
Three concrete actions for this week. Ask the CISO for a one-page capability coverage map showing which capabilities are fully internal, which are partially served, which are sourced externally, and which are accepted as named gaps. Ask the CHRO for the attrition data for the security organization over the past three years with reasons cited. Have a one-hour conversation with the CISO that is exclusively about people rather than tools or threats.
Talk to a Senior Cyber Talent Strategy Practitioner
If your organization is working through a cyber talent strategy, a CISO succession plan, or a compensation philosophy review for security roles, our senior practitioners can help. Talk to a senior iSECTECH practitioner about a confidential conversation on the workforce questions most relevant to your situation.
Why the Most Effective Talent Decision Is Often the Boring One
The decisions that produce the largest measurable change in cyber talent retention are rarely the headline-grabbing ones. They are the boring ones: clear career paths, predictable promotion cycles, time-boxed on-call rotations, and a manager who is allowed to advocate for compensation revisions outside the annual cycle. The companies that have built durable security organizations did so by being relentless about the boring decisions while the rest of the industry chased perks and signing bonuses.
“The retention programs that worked were the ones that treated security professionals as professionals first and security as the discipline second. The retention programs that failed were the ones that treated security as a special category whose practitioners would tolerate conditions other professionals would not.”
iSECTECH cyber talent strategy review summary
The Quiet Power of Asking About People in a Tools Conversation
The most useful question a board can ask in a security review is the one that interrupts the tools conversation with a people question. Who would have caught that, and were they on shift? What is our coverage if that person leaves? Is the runbook owned by someone who can still be reached? The questions reframe the discussion from procurement to readiness, and readiness is what the board is ultimately accountable for. The companies that have integrated this discipline into their quarterly cadence produce different outcomes than the companies that treat tools and people as separate conversations.
