We Predict The CISO Talent Dilemma If You Don't Become Better At Managing Talent Development
You're out of time.
Ross Young posted recently on LinkedIn about "The Three Kinds of CISOs." It's a compact but targeted post. In his view, CISOs are one of three types: reactive, proactive, or predictive. Let's review.
The first type, the reactive CISO, is a short-timer; why it exists at all is a mystery.
The second type, the proactive one, sounds great...two years ago. And sure, being proactive is good as an employee and a professional. While it's good, it's not good enough. Because you're out of time. And because, yes, here we go, AI is not proactive -- it's active.
That leaves Ross telling us about the third CISO type, those who are predictive:
"The CISOs who will matter in five years aren't running better audit programs. They're running AI agents that never sleep, never miss a commit, and never need to be asked."
We completely agree that being predictive is right -- definitely better than being proactive, for example, and don't even start about being reactive.
Let's extend this discussion beyond Ross' LinkedIn post.
How do you become predictive? Well, Brendan has been posting about internal candidates, yin and yang, buying and building. In each case there is a tactical talent decision requiring an answer relative to the AI arms race. Brendan's posts provide excellent fodder for considerations that must be met here and now.
Critical tactical decisions need to be managed to address the strategic question of how you convert your proactive talent and then maintain its high capacity for a predictive workforce. Let's say it another way: your better hires now who are naturally proactive need to be intentionally managed to become your predictive cadre later.
Rock: you need CISOs & staff who are at the cutting edge of predictive cybersecurity.
Hard place: so does everyone else and what's working now won't work later.
Here's more about that "later" part. Investors are insistent about this expectation of future and ongoing value creation. Creating value through talent doesn't happen in a vacuum or because you claim to have hired "the best of the best."
[Let's be blunt: have you ever, and I mean at any time, heard of -- even second-hand -- an organization that boasted about hiring 'the best of the best' also deploying the best talent management program to build and maintain the same acumen of that 'best of the best'? No, you have not.]
Creating value through talent requires that you continuously, directly, and thoughtfully manage the development of your employees. Hiring for talent is the correct first step; then you need to manage the talent you bought so that it returns dividends. There are exactly three dividends: (a) cybersecurity; (b) increased performance capacity; (c) growth of organizational value.
I did a presentation at a professional conference in New Orleans on 1 May 2026. This conference is for world-wide leaders in the development and application of organizational behavioral science. My presentation, Climbers vs. performers: Disentangling executive confidence from competence, centered on the science behind employees who aspire to leadership (HiPos) and those who are effective as leaders. The science says this about managing talent development:
- You can do something for free that is remarkably effective: newcomer socialization. A meta-analysis of 83 field experiments by Liu et al. (2024, Psychological Bulletin) found that structured socialization programs raise newcomer retention by an odds ratio of 1.46. Yep math nerds, that's a 46% gain. That's a real number with real causal weight from real field experiments and not lab simulations. The effect is strongest when programs identify effective task behaviors, encourage proactivity, and facilitate social integration, delivered in person and across multiple sessions rather than dumped in a single onboarding day. The cost is the time of the people already in your organization. The return on investment shows up as people who stay, perform, and start contributing to your predictive capacity instead of churning out before they ever got there.
- People who emerge as leader candidates do this: get noticed. People who perform well as leaders do this: deliver outcomes. Those lists do not overlap. You need to measure and monitor both lists. Badura et al.'s (2022, Journal of Applied Psychology) integrative review of 270 primary studies treats leadership emergence as its own construct, with its own predictor structure, separable from leadership effectiveness. Galvin et al. (2024, Journal of Applied Psychology) push it further by naming the failure modes: over-emergence (the person who climbs without performing), under-emergence (the person who performs without climbing), and congruent emergence (the alignment your HiPo program is actually trying to achieve). Be careful, for the predictors shift as people move up: Lewis' (2023) eight-year longitudinal study at the executive level found that the competencies correlated with actualized potential at the emerging-leader level -- delivering results, taking on challenges, collaborating -- were not significant at the advanced-leader level, where strategic thinking, global acumen, inspirational leadership, and talent strategy were what mattered. A single generic CISO HiPo model applied across the pipeline guarantees you'll mistake climbers for performers and miss the under-emerging performers entirely, while wasting money and time.
- People are not their talent profiles. You need to manage the person's development intentionally so that they leverage their talents to perform. That happens through three things, in this order: diagnose, design, deliver. Diagnose means assessment that's future-focused, placing the person in a simulated role two to three levels above their current one and watching how they handle challenges they have never faced (Lewis, 2023). The question isn't "Has this person succeeded here?" It's "Can this person perform there?" Design means matching the developmental coaching intervention to the gap, with a specific behavioral target, not generic coaching engagements that produce generic conversation. Deliver means the conditions Liu et al.'s (2024) meta-analysis surfaced for any structured intervention: in-person beats remote, staggered beats one-shot, and tied to a live objective beats abstract. Strip those conditions out and the effect attenuates.
Back to Ross. The predictive CISO he describes, the one running AI agents that never miss a commit, doesn't materialize because you wrote "predictive" in the job description. That CISO exists because someone, somewhere upstream built the talent system that turned a proactive technical hire into a strategic predictive operator with the range to lead in an environment that didn't exist when they were trained. The rock and the hard place don't go anywhere. The only move is to build the system.
You don't get a predictive CISO cadre by hoping for one; you get it by building the diagnostic-to-development pipeline that turns a proactive hire into a person who can think two moves ahead of an adversary that never sleeps.
Time's up for mediocrity in managing talent development. If you're not doing it intentionally, you're doing it wrong.
Ask us how you must improve your talent development game -- and how that leads to you winning.
(image credit: Metropolitan Museum of Art, CC0, via Wikimedia Commons)
