
Cyber Means Business: Gary Brickhouse on Framing the Cybersecurity Talent Shortage as a Business Risk

By Joan Goodchild

Oct 22, 2025

In this edition of Cyber Means Business, we sit down with Gary Brickhouse, CISO of cybersecurity firm GuidePoint Security, to talk about one of the most persistent challenges facing organizations today: the cybersecurity workforce gap. Drawing on more than 20 years of experience leading security and compliance programs at The Walt Disney Co. and Publix Super Markets, Brickhouse argues the shortage of skilled cyber talent is far more than a staffing issue—it has direct implications for an enterprise’s financial stability, operational resilience, and corporate reputation.

For Gary Brickhouse, the key is helping boards and executive teams understand that hiring and retaining the right cybersecurity talent is not just an HR concern—it’s a core business risk. Addressing it requires the same rigor, investment, and strategic alignment that organizations concentrate on financial and other enterprise risks.

CISO Leadership Takeaways:

  • The cybersecurity workforce shortage is a business risk, not just an HR problem—impacting financial, operational, reputational, and compliance outcomes.
  • Talent gaps lead to staff shortages that may slow the application of critical security fixes, threat detection, and security incident response, leaving organizations vulnerable to costly ransomware and data breaches.
  • The problem is less about “entry-level” jobs than the shortage of mid-tier professionals who require less training and can contribute immediately.
  • Executive culture and investment decisions—especially around pay, remote work, and training—directly affect retention.
  • Boards should look beyond compliance metrics and use risk quantification to measure the ROI of workforce investments.


Joan Goodchild: Many leaders still view the cybersecurity talent shortage as a staffing or HR challenge. How do you frame it as a business risk?

Brickhouse: The way I look at it, workforce gaps map directly to the core categories of business risk: financial, operational, reputational, and compliance. Take financial risk—ransomware incidents today can cost an organization hundreds of millions in lost revenue in just days. On the operational side, a shortage of skilled staff means slower patching of vulnerable systems and incident response times, which gives adversaries more time to sit in your environment. And of course, privacy violations can lead to major compliance fines and reputational damage.

So when I talk to boards, I don’t use technical jargon. I connect the dots between talent and those four categories of risk. That’s when security moves from being seen as a cost center to being recognized as a strategic enabler that mitigates otherwise costly risks.

What are the direct ways talent shortages undermine a company’s resilience?

A lack of staff forces teams into firefighting mode instead of driving a proactive strategy. Patch management, third-party risk reviews, and detection and response activities all slow down. As dwell times (the period attackers remain undetected inside a network) increase, adversaries gain a stronger foothold in your environment, weakening organizational resilience. Over time, programs like vendor risk assessments often get shelved or become checkbox exercises because there simply aren’t enough people to run them.

Some argue the talent shortage is exaggerated—that the real issue is unrealistic hiring standards. Others say it’s a true skills mismatch. Yet according to ISC², there’s still a global shortfall of 4.8 million cybersecurity professionals in 2025. Where do you land?

I think it’s mostly a mismatch. We don’t have three million open entry-level jobs. What we really need are mid-tier professionals who can contribute right away. The challenge is, when you’re already behind, you don’t have the luxury of spending years training new hires.

That said, forward-looking organizations are investing in creative programs—whether that’s skill-bridge partnerships with the federal government, apprenticeships, or other pipelines that give new entrants hands-on experience.

At GuidePoint, for example, we created GPSU (GuidePoint Security University) to do exactly that. In my security organization, we recently hired an associate security engineer who had previously served as a first responder. He was able to transition into cybersecurity after completing our GPSU program. The hands-on training provided by GPSU gave him the foundation to step directly into a full-time role on our team.

These kinds of programs help address the mismatch over time, but there’s no quick fix.

Beyond hiring, what role should boards and executive leadership play in addressing the cybersecurity workforce gap?

First, they set the culture. If boards value analytics teams or finance teams for the business impact they deliver, they should view security professionals the same way. Second, they sign the checks. Investments in training, tools, and compensation are critical. And finally, they need to align security talent strategy with overall business risk appetite. It’s a partnership between the CISO, HR, finance, and the CEO—but ultimately, executives have to prioritize and fund it.

How can business leaders measure ROI from cybersecurity workforce development and retention efforts?

It’s not as simple as measuring how many widgets were produced. Much of what we do is like insurance—you only notice when it fails. But you can look at indicators: fewer audit findings, shorter dwell times, stronger incident response capabilities.

The real leap forward is with risk quantification. Using models like FAIR (factor analysis of information risk), you can put a dollar value on risk and show how security investments reduce that exposure. For example: “By investing $400,000 in training and new tools, we reduced our risk exposure by $10 million.” That’s the kind of language boards understand.
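As an added illustration of the risk quantification Brickhouse describes (not code from the interview or from GuidePoint), the following Python sketch applies a simplified FAIR decomposition, annualized loss exposure = loss event frequency (threat event frequency × vulnerability) × loss magnitude, to a constructed "ransomware via slow patching" scenario before and after a workforce investment, and expresses the result as a dollar risk reduction and return on security investment. All scenario values are constructed assumptions, and the triangular loss distribution and Poisson event count are modelling choices made here, not FAIR's full methodology.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class FairScenario:
    """Simplified FAIR inputs for one loss scenario (all values are constructed)."""
    threat_event_frequency: float  # expected attack attempts per year (TEF)
    vulnerability: float           # probability an attempt becomes a loss event
    loss_min: float                # per-event loss magnitude in dollars: min
    loss_likely: float             # most likely
    loss_max: float                # max

    def loss_event_frequency(self) -> float:
        # FAIR: LEF = TEF x Vulnerability
        return self.threat_event_frequency * self.vulnerability

    def expected_ale(self) -> float:
        # Point estimate: LEF x mean of the triangular loss distribution
        mean_loss = (self.loss_min + self.loss_likely + self.loss_max) / 3
        return self.loss_event_frequency() * mean_loss


def simulate_ale(s: FairScenario, runs: int = 20000, seed: int = 7) -> float:
    """Monte Carlo ALE: Poisson number of loss events per year, triangular loss per event."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(runs):
        # Knuth's method for a Poisson draw with mean LEF
        k, p, threshold = 0, 1.0, math.exp(-s.loss_event_frequency())
        while True:
            p *= rng.random()
            if p <= threshold:
                break
            k += 1
        total += sum(rng.triangular(s.loss_min, s.loss_max, s.loss_likely) for _ in range(k))
    return total / runs


def workforce_investment_roi(before: FairScenario, after: FairScenario, investment: float) -> dict:
    """Dollar risk reduction and return on security investment (ROSI) for a given spend."""
    reduction = before.expected_ale() - after.expected_ale()
    return {"ale_before": before.expected_ale(), "ale_after": after.expected_ale(),
            "risk_reduction": reduction, "rosi": (reduction - investment) / investment}


# Constructed scenario: faster patching and detection after hiring/training lowers both
# the chance an attempt succeeds and the size of the loss when one does.
BEFORE = FairScenario(4.0, 0.25, 2_000_000, 6_000_000, 40_000_000)
AFTER = FairScenario(4.0, 0.10, 1_000_000, 2_000_000, 12_000_000)

if __name__ == "__main__":
    print(workforce_investment_roi(BEFORE, AFTER, 400_000))
    print(round(simulate_ale(BEFORE)), round(simulate_ale(AFTER)))
```

The point estimate and the simulation should agree closely; the simulation additionally exposes the spread of annual losses, which is what lets a board see tail exposure rather than a single average.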

What’s your call to action for CISOs who want to address the talent shortage as a business risk?

Don’t frame it as just an HR problem. Position it as a core business risk, tie it to financial and operational outcomes, and push for creative workforce pipelines that bring in and develop the next wave of cyber professionals. That’s how you turn a challenge into an opportunity to strengthen resilience across the enterprise.


Written by Joan Goodchild

Joan Goodchild is a veteran journalist, editor, and writer who has been covering business technology and cybersecurity for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.