The Cybersecurity Skillcycle Is Getting Faster. How Are You Adapting To It?

Brendan created a recent post entitled "The Buck Stops At Cybersecurity." Here is a part that caught my wandering eye:
I am complaining about a lack of focus on the end result because this lack of focus makes your support team a drag to deal with, but it makes your cybersecurity team ineffective. Cybersecurity is about results. You don't get credit for having a firewall, you get credit for having a properly configured firewall whose effectiveness you can confirm on an on-going basis.
I'm sure you thought it: I will never lack for work if I can create a "properly configured firewall whose effectiveness you can confirm on an on-going basis."
As a cybersecurity leader I'm sure you're thinking: "Cybersecurity is about focusing on the end result."
As you toil away in 2025 these thoughts are valid and accurate and profitable. Keep thinking them!
It turns out that the skills you need to be effective in cybersecurity keep changing. You can continue to sun yourself in the glowing fireball of your company's need for cybersecurity. But let's be real: the speed of change, both technology-oriented change and business-oriented change, is increasing.
You need to more than keep up. You need to anticipate and adapt to thrive. Guess what the alternative to thriving is.
Let's talk about the skills needed in the cybersecurity skillcycle.
Leader:
You as a cybersecurity leader (CISO, CIO, CTO) have a role that goes beyond technical leadership. We write a lot about team leadership as being critical to cybersecurity success. Our friend Gordy Curphy, the Doyen of Team Leadership Talent, had this to say recently about leading a team. It is so pithy that it needs to live here:
Clarifying organizational purpose is important: clarifying team purpose even more so. Helping members understand how the team fits into the bigger picture and their roles in making it happen is critical. Far too many leaders erroneously assume that this is obvious when it’s often not the case. With all the context changes facing organizations and teams these days these occasional reminders and discussions are key enablers of team success.
It all boils down to how Gordy puts it here when you think about your next performance review.
In terms of managing your career: you need to anticipate skill needs -- both business skills and technologist skills and, sure, political skills -- and create an action plan. And then prepare to execute the plan. And then execute it.
From a cybersecurity leadership skillcycle perspective you should anticipate that by 2027:
1. your knowledge of AI-based cybersecurity platforms, probably incorporating no- or low-code environments, will need to be improved, along with how these shifts will change how your team coordinates with other organizational functions
2. you need to become a more charismatic leader with executive presence through acquiring "costly signals" to deal with a Board that may be reluctant to pay up for your new AI-based cybersecurity platform
3. you will need coaching
Individual contributor:
You were the most amazing technologist on Day 0 of your job, which was the day you got hired. You were just as good on Day 1, the day you started. And from there your skills degraded. Subtly, sure, but your cybersecurity skill set is exactly like a new car: worth more when you bought it than when you drove it off the lot.
In terms of managing your career: you need to anticipate technologist skill needs to be successful now and in 5 years, and then create an action plan. And then prepare to execute the plan. And then execute it.
Why 5 years?
I came across this fascinating piece by Scott Reida entitled "Applying the Rule of 72 to Workforce Skill Obsolescence and Productivity Degradation." In brief, he applies a financial model called "the rule of 72" which is used to estimate how long it takes an investment to double: divide 72 by an annual growth rate, and you’ll get the number of years it takes to double your money. His example is: at a 6% return (about the rate of the US stock market), your investment would double in 12 years (72 ÷ 6 = 12). Then he applies it to technologist skills.
He created two metrics for this analysis (quoting at length, with a minor tweak):
Current Adoption: the % of people in the role who have the skill today, and 3-Year Compound Annual Growth Rate (CAGR): the projected compound annual growth rate of that skill over the next three years. Note that a 3-year CAGR represents the steady annual growth rate at which a value would have increased over a three-year period if it had grown at the same rate each year, when compounding annually.
He uses a flipped 'rule of 72' approach (again at length):
Ask when your current skillset will be overwritten.
72 ÷ weighted average 3-Year CAGR = years to obsolescence
To calculate that weighted average, multiply each skill’s adoption % by its 3-Year CAGR, sum it, and divide by the total adoption %. If a role’s resulting CAGR is 9%, then:
72 ÷ 9 = 8 years to being outdated, if no upskilling or reskilling occurs. That is also to suggest that they decline by 100 / 8 = 12.5% each year (on a straight line).
In case you're wondering, the CAGR for Customer Service and Support is 10.6. In Reida's model, that means that this skill has 72 / 10.6 = 6.8 years until it is outdated. The CAGR for IT Infrastructure is 16.8 (outdated in 4.3 years) and the CAGR for Cloud Engineering -- the highest value in Reida's model -- is 28.9 (outdated in 2.5 years). Interpretation: customer service skills don't change rapidly, while cloud engineering skills change every 2.5 years.
That's where we get 5 years.
His overall take-away is this:
When it comes to role design, this perspective prompts a shift in mindset: talent is a dynamic portfolio. It needs regular rebalancing to match the evolution of the skills that define success in a given job. Static roles built on static competencies will always underperform in fast-moving markets. Similarly, hiring priorities should shift toward candidates already building strength in high-growth skills, particularly those residing in the top-right or top-left of the scatterplot. These individuals are either aligned with the current trajectory of the role or they’re ahead of the curve and positioned to lead transformation.
One key takeaway for individuals: learning is always good, but targeted learning is essential. Not all skills are created equal in terms of strategic value or shelf life. You don’t need to chase every shiny tool or trend. Instead, prioritize skill-building in areas that are core to your current role or directly aligned with the role you aspire to hold. That’s where your learning will compound, not just accumulate.
From a cybersecurity individual contributor skillcycle perspective you should anticipate that by 2027:
1. your knowledge of AI-based cybersecurity platforms, probably incorporating no- or low-code environments and cloud engineering and how that will shift your role, needs to be your top priority.
2. you must be vigilant about which of your skills are current, which should be discarded, and which you should acquire. This is an active and, yes, time-consuming and expensive process. Your alternative is losing your livelihood.
3. you're the boss of your career, and you need a team to help you grow it.
Ask us how you can anticipate, adapt, and thrive as a cybersecurity practitioner and leader.