Sixty percent of chief information security officers now cite the cybersecurity skills gap as their primary workforce concern, overtaking headcount shortfalls for the first time, according to the SANS/GIAC 2026 Cybersecurity Workforce Research Report, which surveyed 947 security leaders across industries globally.
- 60% of CISOs named “not having the right staff” as their top challenge; only 40% chose “not enough staff”
- AI is the primary driver: rapid enterprise AI deployment has exposed gaps in what existing teams know how to secure
- The report identifies nine strategic recommendations, led by developing formal AI governance programs and baseline AI security training
- Hiring alone will not close the gap: the market for highly skilled AI-security practitioners is too small and too expensive
SANS 2026 Report: CISOs Rank the Cybersecurity Skills Gap Above Headcount for the First Time
Rob T. Lee, SANS Institute’s chief of research, sees a direct line from AI adoption to the skills shift. Corporations have deployed AI across every business function, creating a technology stack that security teams were not hired or trained to defend. The gap that emerged is not in org-chart slots, Lee said; it is in what the people filling those slots are equipped to do.
The challenge compounds at the assessment layer. “It is hard to assess through a simple survey question,” Lee acknowledged. Marling Engle, CEO of Cyberstar, an automated cyber talent management platform, put the problem plainly: companies are posting entry-level roles that require advanced competencies “because they don’t have a good match for what is in the field and what they actually need.”
Two structural fixes are available today, both grounded in standardized skills frameworks. The National Initiative for Cybersecurity Education (NICE) framework and its international equivalents provide shared vocabulary for what a given role actually requires. Engle urges CISOs to simply pick one. The discipline prevents what he calls title drift — a phenomenon where a practitioner claims a role title that does not match their daily function, an error he compares to labeling a pediatrician as a heart surgeon.
Why AI Widens the Cybersecurity Skills Gap Faster Than Hiring Can Close It
The skills narrative in the SANS/GIAC report carries a structural argument that conventional workforce planning tends to miss. Technical training addresses what someone knows; it does not address what they can do when systems fail in ways that affect real operations. JC Vega, a cybersecurity consultant and retired U.S. Army colonel, frames the gap as operational experience, not technical certification: “I can teach anyone IT, or cyber. I cannot teach you operations.”
The same AI wave that created the cybersecurity skills gap is also accelerating the speed at which existing knowledge becomes outdated. Senior practitioners who built the profession understand organizational risk at an operational level. The current cohort of incoming professionals has grown up inside purpose-built cyber roles, without the cross-functional exposure that built that intuition. As Vega notes: “You have people coming up who are all cyber, and they have never done anything else.” That experience deficit is not a training deficiency; training can close knowledge gaps but cannot substitute for the pattern-recognition built over years of cross-functional work.
One senior security executive, speaking on condition of anonymity because their employer did not authorize media comments, put the time commitment explicitly: “At least early in your career, this is not a nine-to-five job. The pace of change across threats, technology and attack surface forces you to keep learning outside of standard hours. If you do not, you fall behind quickly.”
Three Actions CISOs Can Take This Quarter to Address the Cybersecurity Skills Gap
The SANS/GIAC report’s nine strategic recommendations translate to three immediate actions, each targeting a different layer of the gap.
Audit every open role against a standardized framework before posting. Engle’s recommendation is to map each open position to NICE or an equivalent framework before writing the job description. The exercise frequently reveals that a perceived senior-architect need is actually a SOC analyst with scripting skills — a far more available and affordable profile. Skipping this step is how organizations accumulate mismatched teams that cannot deliver on their actual operational mandate.
Build an AI security training program before the next AI tool deployment, not after. Lee’s core finding is that organizations deployed AI first and discovered skill gaps second. The report’s primary strategic recommendation treats AI security training as a prerequisite for enterprise AI rollout, not a remediation activity after an incident surfaces the gap. Baseline AI security literacy — what the models can be manipulated into doing, what the pipeline attack surface looks like — is now a floor-level expectation for any security team.
Create two visible career tracks and surface them during hiring. John Felker, a former U.S. Coast Guard officer who served as deputy chief of service cyber command and later as assistant director at the Cybersecurity and Infrastructure Security Agency (CISA), proposes a dual-track model: one for practitioners who want deep technical specialization, one for those who want operational breadth across business and security functions. Surfacing these tracks in job postings attracts candidates with the right intentions before the first interview.
For the 947 CISOs surveyed in the SANS/GIAC 2026 Cybersecurity Workforce Research Report, the 60-to-40 split on the cybersecurity skills gap is a signal that the profession’s core competency model is changing faster than the pipeline that feeds it.