The skills gap cybersecurity leaders are facing right now

Cybersecurity leadership is in the midst of a fundamental shift, and the hiring market is responding.
“This is the hottest CISO hiring market that I’ve been a part of in 10 years of doing this,” says Sean Cleary, partner at executive search firm Riviera Partners and head of the firm’s cybersecurity practice.
Driving that surge is a sharp rise in both requirements and compensation. The most sought-after CISOs — particularly those with expanded mandates — are now being compensated on par with the most senior product and engineering leaders, says Cleary. “Cyber price tags are rising across the board.”
What was once a technical and defensive function is now a core driver of business strategy, and the pressure on leaders is piling up. The result is a widening gap between average and elite cybersecurity leaders, and a surge in demand for those who can operate at the highest level.
Few people have a clearer view of this transition than Cleary. Having placed CISOs across startups and global enterprises, Cleary is seeing a new archetype emerge, as well as a growing disconnect between what companies need and what the market can supply.
Here, he shares what he believes is driving the shift and what separates the best from the rest.
The cybersecurity leadership skills gap is widening
Demand for modern cybersecurity leaders is outpacing available talent in both volume and skill set.
“There’s a really significant delta between a CISO and the folks that report into them,” says Cleary. “It’s just not a really developed candidate pool.”
The challenge is structural. The most sought-after leaders combine deep technical expertise — typically in engineering — and executive-level experience. But that pairing can be hard to come by.
“That’s the most popular flavor of security leader right now…and [security] historically is not necessarily a field that great, innovative engineers want to move into,” he says.
At the same time, the role itself is evolving faster than the talent pipeline can adapt. As AI reshapes both the threat landscape and how software is built, companies need leaders who can operate in both domains, and few candidates can.
As a result, corporate demand and market supply are drifting apart.
CISOs are taking on broader, business-critical mandates
The scope of the cybersecurity leader is expanding beyond traditional boundaries. “We’re seeing really top-tier security leaders take on these expanded scopes.”
Once a solely protective role, cybersecurity is now deeply embedded in how businesses operate and grow. Under pressure to move faster in the AI era, boards increasingly expect CISOs to weigh in on both risk mitigation and where risk can enable growth.
“They’re looking for a level of business acumen from CISOs that will enable them to advise the corporation on what risks [they] take,” says Cleary.
“I truly wonder if we’re going to be calling CISOs ‘CISO’ as much as we are now in three years.”
In practice, this means top security leaders are stepping into responsibilities that look much more like general management, spanning product, engineering, and broader strategic decision-making.
“The CISO role is evolving very quickly into…much more of a comprehensive leader at the executive level,” says Cleary. “I think there’s a world where they become really much more of an ingrained business leader in the executive ranks.”
What sets elite cybersecurity leaders apart
When technical competence is a given, becoming a top cybersecurity leader comes down to business impact.
“Good cybersecurity leaders are very technical,” says Cleary. “Elite cybersecurity leaders combine that with providing value to the business so that it is unquestioned how important they are.”
The best leaders can translate complex technical risks into clear strategic decisions — particularly in fast-moving areas like AI — and embed security directly into products and systems.
“When we hear from folks that have worked with great CISOs…it’s often about a business impact.”
“Companies are [looking for] someone who’s got the technical acumen to understand a quickly evolving field,” explains Cleary. For example, “How do you think about governance as a security leader? And how can you break that down into simple terms for non-technical or non-security leaders?”
This also means operating differently, focusing on efficiency and system design to deliver stronger outcomes with fewer resources, says Cleary. “It’s not about, ‘How large can you scale your team?’ It’s about, ‘How efficient [are you]? How much automation are you using?’”
The security leaders of the future look more like enterprise leaders who happen to specialize in security.
Advice for aspiring cybersecurity leaders
For those looking to step into the next generation of leadership roles, that path is becoming clearer, if more demanding.
Cleary’s advice is to deliberately move beyond functional silos. “If you’re a VP or director…go make friends with some of your peers and other business functions,” he says. “The people who are on the quickest trajectory into security leadership roles at the C-level…have great relationship-building and collaboration skills across all functions.”
This means:
- Building fluency in how the business functions
- Developing relationships outside security
- Getting exposure to product, engineering, and commercial decision-making
Just as importantly, aspiring leaders need to rethink how they add value. It’s not by building the biggest team or deploying the most tools: Having real influence at the highest levels of the organization comes from designing systems and driving tangible business results.
“The days of just picking a bunch of tools off the shelves in some of these innovative companies is long over,” Cleary says. “You need someone who really can build.”
De-risking the security leader
A new, hybrid cybersecurity leader is emerging. They blend technical depth, business leadership, defensive thinking, and strategic impact. As the talent gap widens, the difference between good and elite will only become more pronounced.
From Cleary’s perspective, cybersecurity has gone from a back-office function to a core driver of how modern enterprises move, build, and compete.
In the AI era, the most risky thing a security leader can be is just a security leader.
*Note: Insight Partners has invested in Riviera Partners.








