Cybersecurity Workforce Crisis: Skills Gaps Overtake Headcount Shortages, Reveals 2026 SANS Report
The cybersecurity sector is facing a critical challenge that extends beyond mere headcount shortages: the existing workforce lacks the necessary skills to combat today’s sophisticated threats. This alarming trend is highlighted in the 2026 SANS | GIAC Cybersecurity Workforce Research Report, presented at the RSAC 2026 conference by James Lyne, CEO of SANS Institute, and Rob T. Lee, Chief AI Officer and Chief of Research.
The Shift in Workforce Challenges
The report draws on insights from nearly 1,000 practitioners, leaders, and HR professionals across six global regions, revealing a pivotal moment for the industry. AI technologies are automating entry-level tasks that have traditionally served as training grounds for future cybersecurity professionals. Concurrently, regulatory compliance is driving a significant overhaul in hiring practices, while a widening skills gap is leading to tangible security failures.
For the first time in the report’s three-year history, skills gaps have emerged as the primary workforce challenge, surpassing headcount shortages. When asked to choose between lacking the right staff and insufficient staff numbers, 60% of organizations identified skills gaps as the more pressing issue, compared to 40% who cited staff shortages. This 20-point difference marks a significant shift from just four points a year prior, indicating a fundamental redefinition of the workforce crisis within the industry.
Rob T. Lee emphasized, “This is no longer a story about filling seats. Organisations have people. But those people are overwhelmed, under-resourced and unable to develop the capabilities they need because they’re too busy running today’s operations. The industry needs to stop counting open positions and start investing in the skills of the people it already has.”
AI’s Impact on Workforce Dynamics
The report indicates that 74% of organizations are already witnessing changes in team size and role structures due to AI. However, governance frameworks have not kept pace with this rapid deployment. Only 21% of organizations have a comprehensive AI security framework in place, while 7% lack any AI policy. Although 54% report having AI governance policies on paper, only 38% provide comprehensive AI security training to their staff.
Lee pointed out that “policy without practice is just paper,” referencing recent incidents where inadequate governance led to significant breaches, such as Meta’s internal AI agent causing a data leak and Codeway’s chat app exposing millions of private messages. He urged organizations to critically evaluate their policies regarding Agentic AI and the connections these agents have within their systems.
The data reveals that AI’s primary impact is on operational efficiency rather than workforce reduction. While 49% of organizations report decreased manual analysis time and 48% cite workflow automation improvements, only 16% have experienced actual headcount reductions. However, the structural implications are profound. Among organizations undergoing role changes, reductions are most pronounced among SOC and security analysts (32%), threat intelligence analysts (26%), and incident responders (22%), roles that have historically been pivotal for developing the next generation of cybersecurity leaders.
New job categories are emerging as well. Among organizations expanding their teams, 34% have created AI/ML security specialist positions, 32% have added AI security engineers, and 30% have employed AI governance analysts. As of March 21, Rob T. Lee noted over 2,500 active AI/ML security engineer postings, a role that barely existed three years ago.
Regulatory Compliance as a Driving Force
The report also highlights a dramatic shift in the impact of regulatory compliance on hiring practices. In 2025, only 40% of organizations reported that regulatory directives influenced their hiring. By 2026, this figure skyrocketed to 95%, marking a 55-point increase—the fastest acceleration of any metric in the report’s history.
James Lyne remarked, “This isn’t mild compliance adjustment. Organisations are building entirely new specialist positions, restructuring teams around regulatory requirements and facing real enforcement consequences if they don’t.”
The regulatory landscape is multifaceted, with NIS2 leading the charge, affecting 30% of organizations, followed by CMMC (29%), DORA (26%), DoD 8140 (24%), and SEC regulations (21%). NIS2 is now actively enforcing compliance, with an estimated 19,000 companies non-compliant as of March 6, 2026, facing fines up to €10 million or 2% of global turnover. The urgency is further heightened by personal liability for executives, as evidenced by the US Department of Justice settling seven cybersecurity fraud cases in 2025 under the False Claims Act.
The demand for new specialist roles has nearly doubled, increasing from 23% to 53% year over year. Framework adoption is also on the rise, with 56% of organizations now utilizing NICE or ECSF workforce frameworks to define cybersecurity roles, up from 46% in 2025.
Consequences of the Skills Gap
The widening skills gap is no longer a theoretical concern; it has resulted in measurable security failures. The report indicates that 27% of organizations have experienced security breaches directly attributable to workforce capability gaps. Skills shortages have also led to delayed projects (57%), increased team burnout (47%), slower incident response (47%), inability to adopt new technologies (42%), and reduced monitoring capabilities (42%).
Budget constraints (36%) and time limitations (21%) account for 57% of the primary obstacles hindering organizations from addressing these gaps. Sixty percent of respondents cite workload as their most significant barrier to training, as teams engaged in operational firefighting struggle to find time to develop the necessary skills to keep pace with evolving threats.
Lee stated, “The industry has been running around saying there are millions of unfilled cybersecurity jobs. That narrative misses the more fundamental problem. If everyone walks away with one thing from this room, it’s this: it is more about skills now than headcount.”
Career Progression and Talent Pipeline Challenges
Unclear career progression has emerged as a significant hiring obstacle, tripling from 9% to 32% year over year, making it the third-largest challenge organizations face in attracting talent. It also ranks as the third-largest retention obstacle at 31%. Despite this, only 24% of organizations report providing well-defined and clearly communicated career paths in cybersecurity.
Organizations are increasingly hiring experienced professionals to meet immediate compliance and capability demands, often at the expense of junior talent development. Senior executives and CISOs now control 53% of hiring decisions. Expert-level roles (15+ years of experience) are the hardest to fill at 27%, with 55% of senior hires taking six months or longer. In contrast, entry-level positions present minimal recruitment challenges at just 4%.
Lyne cautioned, “Cybersecurity practitioners who use AI are quite likely to replace those who don’t. We must be very careful. If we signal that the lower end of cybersecurity is going to be replaced by AI, we won’t have seniors and experts later.”
Evolving Hiring Signals
In a notable shift, cybersecurity certifications have become the leading skill validation method, ranking at 64%, surpassing skills assessments (49%) and internal evaluations (48%). When evaluating cybersecurity staff, 58% of organizations consider certifications either very important or extremely important, while academic degrees rank last among hiring priorities at just 17%.
Technical capability now leads all hiring criteria at 55%, followed by work experience (46%), attitude (37%), and aptitude (34%). The focus of hiring managers has shifted from “What credentials do you hold?” to “Can you demonstrate competency?”
Rising Team Stress and Burnout
The report also reveals that 61% of organizations have reported increased stress within cybersecurity teams over the past two years. The primary drivers of this stress mirror the report’s central findings: workload and understaffing (46%), budget constraints (40%), and threat complexity (40%). Lee highlighted emerging research on “AI fry,” where productivity tools paradoxically increase burnout through constant context switching.
He noted, “I rarely talk to teams that aren’t running some version of 100%. This suggests an enhanced risk that leaders need to pay more attention to than in prior years.”
Strategic Recommendations for Cybersecurity Leaders
The 2026 report outlines nine strategic recommendations for cybersecurity leaders, including:
- Develop an AI governance program and provide baseline AI security training for all employees.
- Build a pipeline of entry-level talent equipped to work alongside AI tools through structured mentorships and on-the-job rotations.
- Use workforce frameworks such as NICE, ECSF, or SCyWF to define job qualifications.
- Create and strengthen career paths for security team members and individual contributors.
- Validate and document team skills to meet regulatory requirements.
- Develop a cyber incident response plan that involves stakeholders beyond the security team.
Case Studies: Navigating Challenges
The report includes three in-depth case studies from organizations tackling these challenges at scale. Microsoft Federal’s Jay Bhalodia discusses how the company views AI as an accelerator for human development rather than a replacement. Bayer’s Global CISO Dr. Kevin Jones outlines the company’s shift from a hierarchical to a skills-based operating model across 90,000 employees. Singapore’s Cyber Security Agency (CSA) shares its national approach to workforce development, having trained over 22,000 individuals since 2020.
Source: www.intelligentciso.com
Keep reading for the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.
