
Skills Gap Emerges as Primary Concern for CISOs, According to Recent SANS Survey


Security Leaders Confront Skills Gaps Within Their Teams

In a pivotal turn, chief information security officers (CISOs) now express greater concern over the skills and capabilities of their teams than about headcount and unfilled vacancies, according to findings from a recent survey. This marks a significant shift in priorities, shedding light on the challenges faced by security leaders amidst evolving technology landscapes, notably the rise of artificial intelligence and quantum computing.

The survey, part of the SANS/GIAC 2026 Cybersecurity Workforce Research Report, involved 947 CISOs from various global sectors and revealed an alarming statistic: 60% of respondents identified “not having the right staff” as their primary concern, 20% higher than those who cited “not enough staff.” This stark finding illustrates the urgent need for organizations to focus not merely on hiring but on enhancing the skills of their current personnel.

Rob T. Lee, the Chief of Research at SANS, emphasized the pressing challenges stemming from rapid AI deployment. Companies are integrating new technological stacks across all operational facets, which in turn creates significant skill disconnects among their existing workforce. CISOs increasingly grapple with the crucial questions of whether to create new positions or augment the duties of current staff to meet these mounting demands. He articulated the dilemma succinctly: “Do we need new positions? Are these additional duties for existing staff? How do we identify and measure success?”

The broader market presents a conundrum for CISOs. The reality is that hiring additional skilled cybersecurity professionals proves problematic due to shortages and exorbitant costs. “You can’t hire your way to success,” Lee stated. His remarks underscore the vital necessity for organizations to pivot their focus towards budget allocations for skill enhancement rather than solely recruitment.

Yet Lee acknowledged the ambiguity surrounding the exact nature of the skills gap, noting that simple survey questions often fail to capture the complexities involved. Future surveys will delve deeper into this issue, seeking to construct a more nuanced understanding.

Marling Engle, CEO of Cyberstar—an organization specializing in automated cyber talent management—echoed this sentiment, stating that the discrepancy between market needs and available skill sets is alarming. He illustrated how companies often seek overly advanced qualifications for entry-level positions, exacerbating hiring difficulties. He advocated for the adoption of standardized cyber skill frameworks, such as those developed by the National Initiative for Cybersecurity Education in the United States. These frameworks provide a structured language to articulate skills and roles, creating clearer pathways for training and development.

Engle’s insights also touched on the frequent occurrence of “title drift” within the cybersecurity field. This phenomenon, where job titles fail to reflect actual responsibilities, complicates both recruitment and team dynamics. The analogy to the medical profession—where a person is given the title of heart surgeon without the requisite qualifications—underscores the potential risks of this issue.

Despite the structured frameworks, Engle proposed that possessing technical skills alone does not sufficiently prepare individuals for success in cybersecurity roles. The critical nature of these positions requires practitioners to understand the operational aspects of their organizations. JC Vega, a cybersecurity consultant and former U.S. Army colonel, emphasized that this knowledge is often acquired through practical experience rather than formal training.

Vega voiced concern about the impending retirement of seasoned cybersecurity professionals. The next generation, primarily composed of individuals who have specialized exclusively in cybersecurity, may lack the operational insight that comes from diverse professional experiences. “Now you have people coming up who are all cyber, and they’ve never done anything else. They don’t have the operational experience,” he warned.

John Felker, a former Coast Guard official, added another layer to the discussion by pointing out the importance of leadership skills in cybersecurity roles. Drawing from his experiences, Felker emphasized that first assignments for Coast Guard graduates used to include foundational roles that imparted essential leadership skills. However, current graduates from the Coast Guard Academy’s new cybersecurity program might not receive that same breadth of experience, raising concerns about their preparedness for future challenges.

Felker proposed a dual-track approach within organizations: one for individuals focused solely on advancing their cybersecurity and AI capabilities, and another for those interested in broader business functions. This strategy could help individuals develop a well-rounded skill set that draws from both technical proficiency and operational understanding.

Lastly, an anonymous executive from a large corporation provided insight into the broader implications of these skills gaps. The executive noted that the demands of the cybersecurity profession often extend beyond a traditional workweek, necessitating continuous learning and adaptation. This reality underscores a cultural issue where curiosity and proactive engagement become critical differentiators among professionals.

The growing emphasis on coordination rather than deep technical expertise within organizations highlights a disturbing trend: gaps in skills can lead to missed detections, slower response times, and underexplored risks. As the cybersecurity landscape continues to evolve, this misalignment will increasingly manifest in operational vulnerabilities that organizations cannot afford to overlook.

In conclusion, the pressing imperative for CISOs is to bridge the skills gap within their teams, focusing on both recruitment and ongoing professional development. As technology evolves, so too must the skill sets required to protect organizations from emerging threats. The intersection of operational acumen and technical expertise will be paramount in cultivating a robust cybersecurity workforce prepared for future challenges.
