SANS 2026 Report Exposes Cybersecurity Skills Crisis, Endangering Critical Infrastructure and OT Sectors

A recent report from the SANS Institute and GIAC has revealed a significant shift in the cybersecurity workforce landscape, emphasizing that the core issue is no longer merely headcount but rather the capabilities of existing teams. The report indicates that while organizations have personnel in place, many lack the essential skills required to effectively combat current threats. Approximately 60% of organizations report that their teams do not possess the necessary skills, and the share of organizations reporting regulatory influence on hiring has surged from 40% to 95% within just one year. Alarmingly, 27% of organizations have experienced breaches directly linked to these capability gaps, highlighting a critical vulnerability in the cybersecurity framework.

The Evolving Cyber Workforce

Titled “The Evolving Cyber Workforce: AI, Compliance, and the Battle for Talent,” the SANS 2026 report marks a pivotal moment in its three-year history by identifying skills gaps as the foremost challenge facing the industry, surpassing headcount shortages. When asked to differentiate between “not having the right staff” and “not enough staff,” a striking 60% of organizations pointed to skills gaps as the more pressing issue, compared to only 40% who cited staffing shortages. This 20-point disparity has widened sharply from just four points a year ago, indicating a fundamental shift in how the industry perceives its workforce crisis.

For operators in industrial and critical infrastructure sectors, this distinction is crucial. Failures in these environments are not solely due to understaffing; they often occur when teams lack the specialized skills necessary to secure complex operational technology (OT) systems, manage risks, and respond to incidents in real time.

Rob T. Lee, Chief AI Officer and Chief of Research at SANS, articulated this concern, stating, “This is no longer a story about filling seats. Organizations have people. But those people are overwhelmed, under-resourced, and unable to develop the capabilities they need because they’re too busy running today’s operations. The industry needs to stop counting open positions and start investing in the skills of the people it already has.”

Structural Strain in the Cybersecurity Labor Market

The SANS 2026 report, based on responses from 947 global participants, captures a cybersecurity labor market undergoing significant structural strain. This strain is particularly evident in critical infrastructure and industrial environments, where regulatory exposure, operational risk, and legacy complexities converge. The data indicates a shift from reactive hiring to capability-driven restructuring, with tangible consequences already manifesting in operational resilience and security outcomes.

AI adoption is further complicating this landscape. Approximately 74% of cybersecurity teams report that AI is actively altering team sizes and role structures. In industrial settings, where security teams operate under tight constraints, this introduces both opportunities and instability. While AI has reduced manual analysis time for 49% of organizations and automated workflows for 48%, only 16% report actual workforce reductions. This suggests that while efficiency gains are being realized, they are not sufficient to close the talent gap in critical sectors.

The Impact of AI on Workforce Dynamics

AI is fundamentally reshaping the nature of work within cybersecurity. Entry-level roles, such as Security Operations Center (SOC) analysts, threat intelligence analysts, and incident responders, have experienced reductions of 32%, 26%, and 22%, respectively. These positions have traditionally served as the training ground for cybersecurity talent. In industrial environments, where institutional knowledge and system familiarity are paramount, the erosion of entry-level pathways poses a risk to long-term workforce sustainability.

Conversely, new roles are emerging rapidly. Approximately 34% of organizations have introduced AI or machine learning security specialists, 32% have added AI security engineers, and 30% have created AI governance analyst positions. These roles require a hybrid skill set that combines cybersecurity expertise, data science, and regulatory knowledge. For critical infrastructure operators, this creates a dual challenge: maintaining legacy OT security while simultaneously developing new AI-related capabilities.

Regulatory Pressures and Specialist Hiring

The report highlights that regulatory pressures are accelerating this transformation. About 68% of organizations report experiencing moderate to extreme impacts from regulations on hiring, with 95% acknowledging some level of regulatory influence overall, a significant increase from 40% in 2025. For sectors directly affected by frameworks like NIS2 and DORA, this pressure is not merely theoretical; it is actively reshaping workforce composition and necessitating rapid capability validation.

James Lyne, CEO of SANS Institute, noted, “This isn’t mild compliance adjustment. Organizations are building entirely new specialist positions, restructuring teams around regulatory requirements, and facing real enforcement consequences if they don’t.”

The regulatory push has led to a surge in the need for specialist roles, with the proportion of organizations requiring new specialists jumping from 23% to 53% in just one year. This demand reflects entirely new categories of expertise tied to compliance, resilience, and reporting obligations, often translating into roles focused on OT risk, incident coordination, and regulatory audit readiness.

Challenges in Hiring and Career Progression

Despite these structural efforts, hiring challenges are intensifying, particularly for expert roles. About 27% of organizations report that expert positions are the most difficult to fill, followed by 22% for senior roles and 23% for mid-level positions. Collectively, these account for 72% of recruitment difficulties, while only 4% report challenges in hiring entry-level staff. This imbalance is especially concerning for industrial cybersecurity, which relies heavily on experienced professionals capable of navigating complex, high-risk environments.

Time-to-hire data further underscores this pressure, revealing that 55% of senior roles take six months or longer to fill, while 38% of expert roles remain vacant for over a year. For critical infrastructure operators, these delays translate into prolonged exposure to risk, particularly in sectors such as energy, manufacturing, and utilities, where threat actors are increasingly active.

The report also highlights a growing crisis in career progression. Approximately 32% of organizations cite unclear career paths as a major hiring challenge, a significant increase from just 9% the previous year. Only 24% report having well-defined and clearly communicated cybersecurity career paths. In industrial environments, where knowledge transfer and long-term expertise development are essential, this lack of structured progression threatens workforce continuity.

Training Constraints and Operational Impact

Training constraints exacerbate the skills gap issue. About 60% of organizations cite a lack of time as the primary barrier to training, while 54% point to budget limitations. These constraints are particularly acute in critical infrastructure sectors, where teams are often stretched thin managing live operations. Consequently, teams are unable to develop skills because they are preoccupied with immediate threats.

The operational impact of these skills gaps is already measurable. Around 57% of organizations report delayed projects due to workforce limitations, while 47% experience increased burnout and another 47% report slower incident response. In critical infrastructure, these outcomes carry higher stakes, as delays or failures in response can disrupt essential services and create cascading economic effects.

More concerning is that 42% of organizations state that skills gaps hinder the adoption of new technologies, and another 42% report reduced monitoring capabilities. This is particularly relevant in industrial settings, where modernization initiatives such as IIoT and smart manufacturing depend on secure deployment. Without the necessary skills, digital transformation itself becomes a risk vector.

Breaches and Skills Gaps

A direct indicator of risk is that 27% of organizations report experiencing breaches as a result of workforce skills gaps. This statistic underscores a shift in how cyber risk must be understood, moving beyond mere technological vulnerabilities to encompass human capability gaps that can be exploited.

The SANS 2026 report reveals a clear trend in how organizations validate skills. Approximately 64% rely on cybersecurity certifications as their primary validation method, significantly ahead of skills assessments at 49% and internal evaluations at 48%. In regulated industrial sectors, certifications are becoming a proxy for trust, providing a standardized way to demonstrate capability in environments where failure can have systemic consequences.

Governance Gaps and AI Adoption

One overlooked aspect is the governance gap surrounding AI. While 54% of organizations report having AI security policies, only 38% provide any form of comprehensive training. This disconnect is particularly concerning in industrial environments, where operational technology teams already operate with limited visibility and specialized tools. Introducing AI without aligned training frameworks risks creating uneven adoption, inconsistent decision-making, and untracked risk exposure across operational sites.

This gap is further highlighted by the fact that 24% of organizations have no AI governance plans, even as 74% report that AI is influencing team structures. This “deploy first, govern later” approach is especially dangerous in critical infrastructure, where unvalidated automation decisions can directly impact safety, uptime, and process integrity.

Conclusion

The SANS 2026 report outlines a clear need for organizations to formalize AI governance and introduce baseline AI security training across the workforce. This should begin with high-exposure teams and scale over time, rather than allowing adoption to outpace oversight. Additionally, rebuilding the talent pipeline from the ground up is essential, as entry-level development cannot be neglected even as AI reshapes junior roles.

Organizations are encouraged to adopt established frameworks like NICE or ECSF to define roles, standardize skills, and align hiring with operational and regulatory expectations. Integrating cybersecurity into enterprise decision-making is also vital, as boards and non-technical stakeholders must be included in regular security discussions.

Finally, defining and communicating clear career pathways is crucial. Organizations should create structured progression models for cybersecurity professionals and validate team capabilities through certifications and documented skill assessments. Without this clarity, retention challenges and skills gaps will continue to reinforce one another.

Source: industrialcyber.co
