Vacant roles, cautious hiring, limited budgets and tired teams are real issues. But this narrative only covers part of the problem, according to Llewellyn Willemse, CISSP. For many, the deeper issue today isn’t just whether there are enough cybersecurity professionals. It’s whether we cybersecurity professionals have the authority, context and governance structure needed to turn our skills into resilience.

Why the Cybersecurity Workforce Has Become a Governance Issue - Llewellyn Willemse, CISSP

Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.

I’ve experienced plenty of shifts in my own career. I started as a technician and moved through infrastructure, security systems, operations, governance and risk. Early on, workforce shortages were often obvious in practical ways: too few people to patch systems, rebuild servers, review logs, or respond to incidents. Today, shortages look different. The people may be present, the tools may be deployed and the policies may exist. Yet organizations still struggle to make timely, defensible decisions when pressure arises.

This is why I see the workforce challenge as a governance issue as much as a staffing issue.

More Than a Title

One practical lesson I’ve learned is that job titles often don’t accurately reflect capability. Two people may hold similar roles yet respond differently under pressure. One person may connect a vulnerability, an operational dependency and a business consequence in one conversation. The other may be technically skilled but unable to prioritize without a checklist. Both individuals are valuable, but they can’t be seen as interchangeable.

This is important because the organizations we serve often respond to pressure by asking for more roles, tools or reports. Sometimes this request is necessary, but I’ve also been party to situations where the true shortage wasn't headcount. It was, instead, a lack of people who could translate uncertainty into decisions the business could own. This type of capability does not automatically appear when a vacancy is filled. It must be developed, protected and supported by the surrounding operational model.

The strongest teams I have worked in weren’t always the largest. They were teams where responsibility, authority and escalation paths were clear. Conversely, the weakest models often had capable people grappling with unclear accountability, waiting for decisions from leaders who did not fully grasp the risks, or being expected to compensate for organizational ambiguity with personal effort.

The Impact of Emerging Technology

We cybersecurity professionals can handle hard work. What drains us is having responsibility without the power to act.

Artificial intelligence (AI) is intensifying this pattern. Much of the conversation around AI in cybersecurity still discusses whether it will replace analysts or lower the need for people. I think this view is too narrow. In practice, AI is not eliminating the need for human judgment. It is elevating that judgment higher up the value chain and reducing the time available to make decisions.

Automation can link alerts, summarize evidence and speed up detection. It can also generate more findings, more exceptions, greater urgency and more questions from the business. But better visibility doesn’t always mean less work. Sometimes it means that our organization can finally see how much work has always been there.

This is why I would be cautious about treating AI solely as a productivity solution to the workforce shortage. Yes, AI can reduce repetitive tasks, but it can also increase pressure on those expected to validate its output. Someone must still decide whether an AI-generated finding is significant, whether the business impact is real, whether the evidence is strong enough and whether a risk should be accepted, escalated or eliminated.

Note that these are not entry-level decisions: they require experience, judgment and confidence. If we automate the lower levels of security work without intentionally developing those judgment capabilities, we may undermine the very pipeline on which we rely for future resilience.

Stress Factors

This is one reason why burnout remains a serious signal. I don’t see burnout in cybersecurity as just a personal wellness issue; it often reflects poor governance design. When every significant exception must be resolved by the same senior analyst, architect or manager, the organization does not have a hero; it has a single point of failure.

I’ve witnessed this pattern in practice – in infrastructure, security controls and operational risk decisions. A technical team identifies a weakness. The weakness is understood; the solution may be clear. Yet the decision stalls because ownership is unclear, funding is uncertain, or leadership wants the risk lowered without accepting the operational impact. The practitioner then becomes the translator, negotiator, evidence collector and risk bearer. That work is important, but when it becomes informal and constant, it becomes unsustainable.

Regulations and Standards

Regulation is bringing this issue to light. Frameworks and guidelines like the NIS2 Directive, ISO/IEC 27001, the Payment Card Industry Data Security Standard (PCI DSS) and the Cybersecurity Maturity Model Certification (CMMC) are not just technical or compliance exercises. They compel our organizations to prove control, ownership and accountability.

That is a necessary change. Cybersecurity risk should not stay hidden within the IT function. It affects operational continuity, legal exposure, financial performance and trust. However, increased executive accountability can create a new tension: leaders may now be accountable for cyber outcomes they don’t yet understand well enough to manage. When this occurs, the pressure shifts ‘downwards’ to the security team without a corresponding increase in their authority, budget, or decision support.

This is where compliance can become misleading. Passing an audit does not automatically demonstrate resilience. I’ve been in environments where:

  • Documentation looked mature, but the actual decision model was fragile
  • People understood the control requirements but did not know who could accept risk
  • Staff were familiar with the policy, but didn’t know how to respond when reality contradicted it
  • Teams had evidence for an assessor, but not always clarity for an incident

Compliance is important. I work in governance and risk, so I’m not against having a framework. My point is that compliance is the starting point, not the endpoint. A resilient organization must be able to make good decisions under imperfect conditions. That requires more than paper controls. It needs leaders who understand their roles, practitioners who can communicate risk clearly and operational models that do not punish people for bringing up uncomfortable facts.

This changes how I view the workforce issue. I no longer begin with the question “How many people do we need?” I start with different questions, like: “What decisions must be made under pressure? Who is responsible for them? What evidence do they need? What skills are necessary to support them? Where does authority actually reside?”

Rethinking How We Find and Develop Good People

Answering these questions leads to a different workforce strategy. Recruitment is still important, but it cannot be the only solution. We must also develop capabilities around risk translation, communication, incident decision-making, regulatory evidence, AI assurance and leadership judgment. We need to nurture people who can navigate between technical details and business consequences without losing credibility in either direction. This is why I also think retention needs to be viewed differently.

Many people don’t leave demanding jobs solely because the work is tough, but because they are frequently asked to absorb risks that their organization hasn’t learned to own itself. When skilled practitioners feel like they are the control, rather than part of a controlled system, fatigue is inevitable.

This development cannot be left to chance. We need to expose early-career professionals to real risk decisions, not just ticket queues and tool consoles. We need to provide mid-career professionals with pathways to enhance their judgment, influence, and governance capabilities. And senior professionals need support, not just a channel for escalation. Executives need enough understanding of cybersecurity to make decisions instead of outsourcing responsibility to the technical team.

I believe the future of the cybersecurity workforce will be defined not just by how many positions we fill. It will be defined by whether we can transform skills into accountable capabilities. The skills shortage is real, but it is no longer the complete story. AI has not decreased the need for people; it has raised the value of human judgment. Regulations have not made accountability optional; they have made it clear. Economic pressure has not reduced the need for resilience; it has made weak operational models harder to conceal.

Cybersecurity teams don’t need another slogan telling us to do more with less. We need governance structures that enable us to do the right work with the right authority. Until organizations address that, the workforce challenge will continue to show up as hiring pressure, burnout, and skills gaps, even when talented individuals are present.

Llewellyn Willemse, CISSP, has 18 years of experience in mining, critical infrastructure, enterprise security and IT. He has held specialist, management and governance roles focused on security systems, infrastructure, cyber risk and business-aligned security strategy. His cybersecurity work spans governance, risk, compliance, security operations and enterprise resilience.
