Dynamic capabilities allow organizations to adapt to and address industry changes such as digital transformation. Learning, although broad, is crucial to any business capability model. Generated organizational knowledge presents itself in new patterns of activity that can successfully solve problems for the business. Learning helps in recognizing dysfunctional routines and preventing strategic blind spots.

As security leaders, it is our responsibility to anticipate and prepare for future changes, and to think strategically to plan and execute initiatives for business success. We understand the likelihood and impact of cybersecurity and technology risks and seek to reduce those risks to securely enable the business. It is not just about what capabilities to prioritize; it is also about what skills are needed to recruit, hire, and retain cybersecurity talent to reduce cyber risk. CISOs focus on the risk. We should prioritize hiring based on critical business risks and on what knowledge and skills are required first to secure the business. Many organizations still lack the cybersecurity basics, skipping the fundamentals, yet we have a skills gap, demand gap or talent shortage within the industry? If we were to utilize a risk-based approach to untapped cyber talent in the form of a business capability model, a CISO would then have a prioritized list of roles to recruit, hire, and retain value protectors. This leads to: we need to become better business partners, linking our next generation of cybersecurity professionals to our desired outcomes and addressing the what and how.

Disclosures and disclaimers: Everything I write here reflects my personal views alone, unless explicitly stated otherwise.
The Golden Law of Cybersecurity
The central challenge in addressing the societal impact of cybersecurity measures is the dual-use character of cyber technologies: they both provide …
Stare Decisis
What is the principle of “stare decisis” and why is it so important in the context of business? Latin always seems to make words more powerful, but it means “stand by things decided.” Precedent: an earlier event or action that is regarded as an example or guide to be considered in subsequent similar circumstances. Stare decisis = predictability and security through a binding authority. These decisions are made horizontally and vertically but are usually corroborated with shared wisdom. It is the executive’s position to overturn bad precedent and attach meaning, where stare decisis + strong reasoning = relevant business practices, decision-making, and organizational change management. However, if there is a persuasive authority through superior logic, then the ability to stand by things decided becomes influential to where we then ignore stare decisis.