Cyber Workforce Risk Management: Addressing Our Greatest Vulnerability in 2025

Author: Deidre Diamond

The last few years have left us grappling with significant cybersecurity challenges that extend beyond the headlines about CVEs, SEC breach reporting, and ransomware attacks. Widespread budget cuts, an increase in outsourced talent, layoffs, and full-time roles placed on hold have disrupted operational progress. At the same time, contracting positions have increased, the job-matching system remains broken, and severe burnout continues to take its toll on the cyber workforce. As we enter 2025, it’s clear these hurdles demand resilience, innovative solutions, and a fresh look at how we simultaneously support the business, cyber operational and strategic progression, and the cybersecurity profession.

Many of you have asked about the current cybersecurity talent landscape and the role of CyberSN’s Cybersecurity Workforce Risk Management Program in addressing these issues; this blog is intended to answer that question. One of our long-time clients, Rob Suarez, an enterprise CISO, shared his feedback after a year with this program: “The work CyberSN is doing is the stepping stone to operational efficiencies that everyone is struggling to achieve.”

Lowering Risk with a Cybersecurity Workforce Risk Management Program

Workforce risk management has been a cornerstone of my professional career, beginning when I entered the industry shortly after college. My mentor, whom I worked alongside for 21 years across three different organizations, often said, “Our assets go up and down the elevator every day; our job is to care for them.”

“Caring for them” started with knowing what we expected of people and clearly defining measurable agreements on tasks and projects, with daily, weekly, and monthly reporting for each of my direct reports, all while I was also an individual contributor. This was the foundation of operational success and high-achieving teams. Is this easy to do? No. Absolutely not. Is it harder in this day and age? Yes, absolutely. Hard is just hard, not impossible; we all do hard things all the time. We can manage our teams’ focus at this level of detail today; I promise, and I have proof.

Consider these findings as further evidence of the problem: “83% of IT security professionals admit that they or someone in their department has made errors due to burnout, resulting in a security breach—39% having witnessed this more than once” (Source: Devo and Wakefield Research, Sept 2023). Additionally, “59% of security professionals are suffering from burnout, ultimately impacting job performance and weakening cyber defenses during a skills shortage” (Source: CyberArk, Nov 2023).

Cybersecurity Workforce Challenges Are Increasing Organizational Risk

  1. Constant Change of Job Roles: Cybersecurity professionals’ job responsibilities change frequently—often every 90 days in the enterprise. As a result, cybersecurity job descriptions and titles rarely reflect how an organization is actually utilizing an individual. Yet organizations rely on these outdated and vague job descriptions to shape their security strategies and capabilities, define goals and timelines, manage workloads, and assess performance, income, and promotions. These shifts in responsibility, driven by changing cyber project priorities, team turnover, or budget adjustments, create a disconnect between documented cyber roles and actual responsibilities. This, in turn, hinders your ability to accurately identify your organization’s cybersecurity capability gaps, to retain talent, and to avoid talent burnout.
  2. Mismatched Workloads and Cybersecurity Burnout: Looking deeper, individuals are being tasked with work they are not motivated to do or not best skilled to perform, because of these gaps in organizational capabilities. This creates low professional efficacy and talent misalignment that escalates into severe cyber burnout, mistakes, resignations, and security breaches.
  3. The Need to Justify Cybersecurity Headcount: Cybersecurity leaders are under constant pressure to justify their headcount and cybersecurity budgets. Without a clear understanding and visualization of how every employee is currently being utilized, along with a visualization of the organization’s cyber capabilities, it’s impossible to defend cyber talent needs effectively. We have seen this struggle for over ten years, and it’s only getting worse.
  4. Misalignment to Cyber Strategies: When we don’t clearly understand, and aren’t able to visualize, the gaps between the activities of the cybersecurity team and the strategic objectives set by leadership, we don’t hit our strategic goals and we can’t get to automation or repeatability. This misalignment results in conflicting priorities, lost time, lack of focus, and a lack of feeling accomplished, leading to burnout, talent retention issues, and high organizational risk.

Any one of the above challenges increases the overall risk of an organization to significant levels. So, let's do something about it!

Solving Workload Management, Reaching Operational Efficiency and Professional Efficacy

The foundation starts with a common language for cybersecurity roles and responsibilities. CyberSN created a cybersecurity job taxonomy 8 years ago, and this taxonomy is at the core of our solution to cyber workforce risk. The link between workload management and security is clear: mistakes are being made by cybersecurity professionals through no fault of their own. They are overworked, wearing too many hats, undervalued, misunderstood, and viewed as a cost. This, coupled with the relentless fight against adversaries and an ever-growing attack surface, has led to widespread cybersecurity burnout, little advancement in the repeatability and automation of mindless tasks, and rising organizational risk.

The CyberSN Platform and Service address these challenges in three ways:

1. Talent Utilization: Documentation, Visualization, and Updating: We document and visualize how each employee is being utilized. Using the CyberSN Platform, managers can keep their employees’ job descriptions continuously updated to reflect how the organization is currently using their time. This clarity gives cybersecurity leaders a real-time view of workload distribution, enabling better workload management and aligning job descriptions with cyber capabilities. With this transparency and visualization, roles can be updated, cyber department capabilities tracked, and objectives aligned.

2. Organizational Capability Mapping and Visualization: By mapping individual roles to a structured organizational capabilities framework, cybersecurity leaders gain the insights needed to identify gaps, evaluate strengths, and align cyber talent with their overall security strategy. This approach serves as a foundation for developing strategic roadmaps, refining priorities, addressing critical capability gaps, and ensuring efficient program execution. It empowers cybersecurity leaders to foster team growth while driving measurable progress toward current and future security objectives.

3. Aligning Career Aspirations with Workload Management: By documenting tasks and projects directly with each employee and discussing how much they enjoy what they are doing daily, we are able to have career discussions that can be taken into account for organizational planning while also giving career planning support to employees. This information, captured in the CyberSN Platform, enables managers to create a culture of professional efficacy with their employees while enhancing productivity and cybersecurity talent retention and reducing organizational risk.

Empowering Cyber Leaders with Insights and Visualization of Cyber Capabilities

In closing, I need to say that the well-being of the cybersecurity community is our greatest risk, and we can no longer ignore it or assume that leaving our organizations will make things better—it won’t. As managers (anyone can be a leader, but being a manager means taking responsibility for a team’s workload) and as the leaders of our teams, we must implement programs that are both visible and effective. When we do, we can communicate effectively, truly lower our organizational risk, and provide professional efficacy to our talent.

Without a cybersecurity workforce risk management program, these very serious challenges will persist. At CyberSN, we’re addressing these challenges by equipping cybersecurity leaders with the insights and tools needed to manage workloads and cybersecurity talent effectively. Spreadsheets alone can’t capture the value of your talent or justify the cybersecurity budget you need. With the right tools and data-driven insights, you can build and retain a cybersecurity workforce that enhances both performance and security while securing executive buy-in.

Expansion into IT Workforce Risk Management

To further enhance workforce efficiencies, we have officially expanded our taxonomy in 2025 to include IT, recognizing the vital interplay between cybersecurity and IT teams. Both teams rely on each other to operate effectively, and this expanded taxonomy will provide IT leaders with the same insights and solutions across critical IT categories, including:

  • Infrastructure and Operations
  • Help Desk/Service Desk
  • Enterprise Architecture and IT Strategy
  • Cloud Computing
  • Emerging Technology and Innovation
  • IT Service Management
  • Solution Engineering and Automation
  • IT Compliance
  • Telecommunications
  • Specialized Roles (ERP, CRM, ATS, etc.)

We can reduce our biggest vulnerability. Reach out anytime; we are here to support the community. To learn more about our cybersecurity and IT workforce risk management programs, get in touch here.