The perceived CISO shortage may result from unrealistic job expectations
The conversation around a global shortage of Chief Information Security Officers (CISOs) often misses the underlying issue: the way we define the role itself. The 2026 report by Cybersecurity Ventures and Sophos estimates there are about 35,000 CISOs worldwide serving 359 million businesses, a striking 10,000-to-1 ratio. On paper, it looks like a major leadership gap. But numbers sometimes hide the real story. Inside many organizations, the problem is that the role has become almost impossible for one person to cover.
Modern CISOs face an overwhelming scope. Their job now stretches from cybersecurity strategy to compliance, crisis management, and even oversight of AI-related risks. Erik Avakian, Technical Counselor at Info-Tech Research Group, puts it bluntly: companies want “a Superman” but often fail to hire intelligently or build the right support structures around the leader they already have. Organizations that overload their CISOs with every conceivable security function do more harm than good, pushing talent toward burnout and turnover.
For executives, the takeaway is about creating smarter job architectures. Few leaders can deliver excellence across every domain of cybersecurity, governance, and data protection simultaneously. Instead, leadership structures should separate operational management from strategic oversight. This creates both sustainability and focus. Properly designed roles also give CISOs time to think long-term rather than constantly react to threats.
What looks like a “shortage” is, in many cases, a design flaw. Decision-makers should see the CISO as a strategic leader supported by the right systems, deputies, and technologies. When expectations align with reality, the so-called shortage begins to dissolve.
Cybersecurity leadership shortages are not uniform across organizations
The supposed global CISO shortage does not play out evenly across industries. Some firms are finding it tough to hire security leaders; others are not. The difference lies in how they position and define the role. Chase Snuffer, CIO of Rayburn Electric Cooperative, says his organization hasn’t struggled to find qualified cybersecurity leadership. Similarly, Scott Sanders, CIO of Sikich, describes a steady flow of experienced candidates. These perspectives challenge the idea of a universal crisis.
Larger enterprises often face a different dynamic. They operate in markets where competition for top cybersecurity talent is rising. Chris Drumgoole, President of Global Infrastructure Services at DXC Technology, notes that while the supply-demand curve for cyber talent is “moving in the wrong direction,” it’s not yet a concern requiring board-level intervention. In other words, the gravity of the situation varies depending on company size, maturity, and geographic location.
Executives should avoid treating this as a one-size-fits-all problem. Smaller or mid-sized organizations might adapt faster because they are often more flexible in combining leadership roles or redefining job scopes. Large multinationals, meanwhile, have more complex ecosystems that require dedicated, specialized leadership. Understanding these differences makes workforce planning more efficient and realistic.
If your company believes it faces a CISO shortage, consider whether that perception stems from market conditions or from internal expectations. The ability to attract and retain cybersecurity leaders often reflects company culture, competitive positioning, and leadership alignment more than market scarcity. Focusing on clarity of role, organizational mission, and internal leadership development can often do more than simply throwing higher salaries or broader search campaigns at the problem.
Expanded job requirements for CISOs escalate hiring challenges and contribute to turnover
The role of the Chief Information Security Officer has expanded far beyond what it was a decade ago. It’s no longer limited to overseeing network defenses or managing data protection. Today, the CISO is expected to lead risk management, compliance, privacy, and even communicate directly with the board about strategic business impact. The problem is that most job descriptions haven’t adapted to the reality that no single person can master this entire spectrum.
Many of these postings demand an exhaustive mix of credentials, advanced degrees, deep technical expertise, and high-level leadership experience, to the point of impossibility. Erik Avakian, Technical Counselor at Info-Tech Research Group, has observed this pattern firsthand, describing many CISO vacancies as “asking for the kitchen sink.” This approach drastically narrows the candidate pool because it filters out strong leaders who may not check every academic or certification box but possess the decision-making and resilience the role truly requires.
Chris Drumgoole, President of Global Infrastructure Services at DXC Technology, emphasizes another key angle: investing in internal leadership development. The best technical expert doesn’t automatically become a strong executive leader. Drumgoole recommends deliberate training programs to transition skilled specialists into capable strategic leaders who can think across business, risk, and technology. That shift, building leaders rather than constantly searching for mythical talent, could resolve much of what is seen as a systemic shortage.
For decision-makers, this is not about lowering standards. It’s about prioritizing what really matters. Strong communication, collaborative thinking, and sound judgment under pressure are often more valuable than another certification. Executives should focus on creating pathways for existing employees to grow into leadership roles, not just recruiting externally. Long-term capability is built through deliberate development, not by overloading job listings with unattainable expectations.
Expanding the role without redefining its limits burns people out and weakens corporate resilience. Simplifying expectations while strengthening internal pipelines makes leadership succession smoother and reduces risk exposure from constant turnover. Companies that act early on this front will build a more stable cybersecurity culture across all levels of the enterprise.
Strategic integration of cybersecurity leadership roles as a viable alternative to dedicated CISOs
Not every organization needs a dedicated CISO. Some decide that combining technology and cybersecurity leadership into a single role fits their operations better. Chase Snuffer, CIO of Rayburn Electric Cooperative, shared that his company made a deliberate choice to integrate cybersecurity oversight within the CIO position. He sees this integrated structure as a strength: it enables faster decision-making and ensures that technology and security considerations remain aligned under one accountable leader.
This approach often makes sense for mid-sized organizations or those with limited resources. Having one executive manage both technology strategy and security governance allows for cohesive planning and fewer competing priorities. However, this design brings trade-offs. The combined workload can stretch an executive thin, and it requires strong delegation and clear boundaries to prevent critical areas from being neglected. Still, when managed well, it results in more agile governance and a unified view of technology and risk.
For large enterprises, this model may be less feasible due to the scale and regulatory complexity they face. But for smaller and mid-market firms, it can optimize leadership efficiency and keep costs under control. What matters most is conscious design: understanding where the organization is in its maturity curve and aligning structure with that reality.
Combining the roles of CIO and CISO shouldn’t be a reaction to talent shortages or cost constraints; it should be a business decision grounded in organizational needs. Executives must ensure that whoever holds both roles has the authority, support, and resources to manage both effectively. Regular review and continuous adjustment are key to maintaining balance.
When done thoughtfully, this merged leadership structure can strengthen coordination between IT operations and cybersecurity. It creates accountability that covers both risk management and user experience, something that many organizations struggle to balance when responsibilities are split.
Hybrid security models leveraging MSSPs and vCISOs enhance internal capabilities
The shift toward hybrid cybersecurity leadership structures has accelerated because it works. Many organizations are realizing they don’t need to handle every operational detail in-house to maintain strong cybersecurity. Instead, they retain strategic control internally while outsourcing specialized or round-the-clock tasks to partners. Managed Security Service Providers (MSSPs) and virtual CISOs (vCISOs) allow internal teams to focus on oversight, leadership, and governance while relying on external experts to handle continuous monitoring and threat detection.
At Rayburn Electric Cooperative, Chase Snuffer, who holds both CIO and CISO responsibilities, explained that the company uses an MSSP to manage after-hours Security Operations Center (SOC) coverage and a vCISO for strategic guidance. This combination gives them the flexibility to stay aligned with industry trends without overextending internal teams. Similarly, Scott Sanders, CIO of Sikich, reported that his firm’s internal information security leadership remains in-house while its MSSP provides 24/7 alert monitoring. Their internal teams keep full control over security policy and decision-making, ensuring accountability remains within the organization.
For executives, this approach offers an operational advantage: organizations gain access to global expertise while maintaining the contextual understanding only insiders hold. It balances agility and compliance without inflating headcount or diluting strategic vision. The model is especially effective for mid-sized companies, where resources are deliberate and decision speed is critical. However, this structure requires clear governance, communication, and defined boundaries of responsibility between internal leaders and external providers.
Outsourcing does not mean handing over leadership. The organization must always retain final authority and direction. Strong relationships with external partners can enhance resilience, but weak oversight can introduce risk. Executives need to ensure that partnerships are configured around shared accountability, measurable outcomes, and rapid information flow. When managed well, hybrid models can scale efficiently with business growth and evolving threat landscapes.
The narrative of a global CISO shortage oversimplifies complex organizational design challenges
The widespread belief in a global CISO shortage simplifies what is essentially an organizational design challenge. After examining hiring patterns, role definitions, and leadership structures, it becomes clear that the issue isn’t a lack of talent; it’s how organizations are structuring and managing cybersecurity leadership. Expanding job descriptions, blurred responsibilities, and outdated operating models have created a perception that there are too few qualified people to fill CISO roles. The reality is that many organizations are defining the position too narrowly or expecting too much from a single individual.
Modern cybersecurity demands agility. Some organizations are distributing cybersecurity responsibilities among multiple executives, while others use shared or fractional leadership models. These approaches, once seen as temporary measures, are becoming part of standard business strategy. They allow companies to scale leadership capacity more effectively and adapt to evolving risk environments. It also means the definition of what constitutes a “CISO” is changing, moving from a role-based identity to a function-based one.
For decision-makers, this calls for a reassessment of structure rather than a focus on recruitment panic. The goal should be to design leadership systems that are resilient, flexible, and matched to actual organizational maturity. Companies that invest in talent development and internal succession planning can avoid dependence on an overstretched job market. They can also build a culture of shared responsibility for cybersecurity that runs through the executive team, not just through one individual.
The world does not lack capable security professionals; it lacks coherent strategies for deploying them effectively. C-suite teams should move beyond the headline narrative of scarcity and prioritize structural clarity, leadership pipelines, and scalable governance models. Doing so strengthens both leadership continuity and organizational security posture, regardless of market fluctuations in CISO availability.
Main highlights
- Reevaluate the CISO role before recruiting more leaders: The perceived CISO shortage often stems from overloaded job expectations and poor role design. Leaders should streamline responsibilities and support structures before assuming a talent gap.
- Recognize that hiring challenges are uneven across industries: Not every organization faces cybersecurity leadership shortages. Executives should tailor hiring strategies to company size, market, and industry context rather than following broad trends.
- Redefine CISO qualifications to emphasize leadership over credentials: Expansive job requirements narrow candidate pools and increase turnover. Leaders should focus on decision-making ability, communication, and resilience while developing internal leadership pipelines.
- Consider integrated leadership structures where practical: Combining CIO and CISO responsibilities can improve alignment and efficiency in midsize organizations. Executives should make this a conscious design choice, ensuring focus and accountability remain balanced.
- Adopt hybrid security models to extend internal capability: Leveraging MSSPs and vCISOs allows organizations to scale security operations without losing strategic control. Leaders should maintain clear oversight and internal ownership of key security decisions.
- Reframe the “CISO shortage” as an organizational design challenge: The issue is structural, not purely about headcount. Executives should strengthen internal succession planning, clarify cybersecurity ownership, and design roles that promote sustainability over unrealistic performance.