Individuals with strong cybersecurity skills are in high demand. That’s no secret. What’s most important is the fact that the shortage is preventing many enterprises from building sustainable cybersecurity talent pipelines.
According to World Economic Forum statistics, only 14% of organizations are confident they have the people and skills required to meet their cybersecurity objectives.
Here’s a quick rundown of seven factors that are impacting security leaders’ abilities to ensure they have the cybersecurity skills their organizations need.
1. Restricted budgets, increased burnout
Budget cuts often drive a security team shortage, says Sameer Ansari, global CISO solutions leader at enterprise consulting firm Protiviti. “CISOs are being asked to do more with less,” he states.
Ansari also notes a growing burnout trend, one that sees existing cybersecurity talent increasingly searching for other opportunities due to the high stress and always-on mentality needed by competent cyber professionals. “Increasing threat complexity is also a challenge CISOs face when trying to source new talent,” he adds.
Given the fact that the expert shortage isn’t likely to abate soon, many CISOs are now turning to managed services, Ansari says. “We’re hearing from a number of clients that there are certain operational services they’re looking to outsource so they don’t have to worry about dealing with attrition or sourcing talent.”
Ansari reports that he’s also encountering a growing number of CISOs who are looking internally to fill security roles, seeing if they can retrain software engineers, for example, to gain additional cybersecurity skills to fill in talent gaps.
2. Emerging technologies
New technologies, particularly AI, are contributing to a cyber landscape that’s evolving so quickly it’s hard for even highly skilled cybersecurity professionals to keep pace, says Dan Lohrmann, CISO at enterprise strategy and consulting firm Presidio.
AI-driven threats keep moving the target, allowing cybercriminals to attack with unprecedented levels of speed and agility, Lohrmann says. “New AI defense tools also require fresh skillsets, forcing cybersecurity professionals to either learn how to operate and work alongside a new system or be left behind.” He adds that the cybersecurity skills gap is especially pronounced in the public sector, due to hiring freezes, budget cuts, and various cyber grants drying up.
Lohrmann notes that CISOs often fail to frame the skills gap as a business risk. “They neglect to properly communicate its consequences to the board and executive leadership.” Other big mistakes, he notes, are neglecting to take care of the skilled cyber workers they already have and setting unrealistic job requirements.
3. Conflicting expectations
Employers and potential security team candidates often aren’t on the same page, and that mismatch in expectations is the driving force behind the perceived skills gap, says Brandyn Fisher, security services director at Centric Consulting.
“Organizations often rigidly pursue candidates with a ‘picture perfect’ profile, expecting senior expertise at compensation levels that don’t match the needed experience,” he states. “On the flip side, some candidates expect high salaries and specialized work immediately after graduation.”
Remarkably, despite over a decade of talk about a cyber skills gap, organizations still manage to fill roles. “This suggests that the real challenge is misaligned expectations, not a lack of capable professionals,” Fisher says. He believes that employers need to be realistic about what they are requesting and what they are offering. “Candidates, likewise, should understand the value they bring and the experience they still need to build,” Fisher advises. “Resetting expectations on both sides will help close this gap.”
4. Outdated thinking, strategies, or operations
CISOs play a strategic role in managing cyber risk, but narrowing the skills gap requires a multi-disciplinary approach, says Adi Karisik, vice president and CTO of intelligence and cyber at systems engineering and technical services firm Amentum.
Many organizations resist change, often adhering to outdated processes developed decades ago, Karisik states. “For instance, decision-making may hinge on legacy systems designed by individuals who have long since retired, leaving critical operations vulnerable and slow to adapt.”
Organizations must embrace cultural change and modernization, Karisik advises. “Cyber threats will not wait for industries to catch up,” he warns. “To stay ahead, businesses must invest in cultivating a workforce that’s not only skilled, but also capable of responding dynamically to the ever-changing demands of cybersecurity.”
5. Skills and training mismatches
The single biggest skills gap driver is the mismatch between how cybersecurity talent is traditionally trained and the abilities CISOs actually need, says Ron Delfine, executive director of the career center at Carnegie Mellon University’s Heinz College.
The most effective CISOs focus on building skills internally, Delfine says. “From a career development perspective, this means investing in interdisciplinary education that blends cybersecurity, management, and policy, as well as developing internal talent through structured upskilling and leadership pathways, not just external hiring and creating teams with complementary skill sets.”
Failing to build and maintain a strong cybersecurity team can lead to relying on a small number of senior leaders, Delfine says. It can also increase staff burnout. “All of these factors can lead to slower incident response and recovery due to poor cross-functional coordination as well as difficulty justifying security investments to executives and boards,” he says.
6. Systemic cyber strategy disconnects
The cybersecurity skills gap has moved beyond being a hiring challenge to become a direct operational risk, warns Yash Patel, a senior security engineer at Microsoft. “While organizations continue to invest in advanced security tools, many lack the human capability required to operate, interpret, and adapt those tools effectively,” he explains. “The result is a widening disconnect between security intent and security outcomes.”
Successful CISOs focus on building capability, not just headcount, Patel states. This means hiring based on curiosity and problem-solving ability, investing in hands-on learning, and creating environments in which teams can practice investigations and threat analysis. “Embedding security knowledge across IT and engineering functions also helps reduce dependency on a small group of specialists,” he says.
Operationally, the cyber skills gap creates weak and fragile defenses. “Tools may be deployed correctly, but detections are poorly tuned, incidents are addressed superficially, and root causes remain unresolved,” Patel warns. “Many breaches occur not because controls were missing, but because teams lacked the expertise to act on early warning signs.”
7. Failing to simplify and scale
Top CISOs accept two facts up front: that teams will always be somewhat understaffed and that the threat landscape is moving at lightning speed, says Aman Sirohi, CISO at data security firm Cyberhaven.
The most effective CISOs don’t try to hire their way out, Sirohi says. “Instead, they narrow the gap by scaling the team through automation, simplifying security operations, improving signal-to-noise, and leveraging AI,” he states. “The fastest path forward is simplifying the environment, engineering repeatable security outcomes, and using technology to turn people into force multipliers.”