SANS Research: The Cybersecurity Talent Shortage Narrative Is Wrong. The Real Crisis Is Skills, and AI Just Rewrote the List.

Third annual SANS | GIAC Cybersecurity Workforce Report surveyed ~1,000 global respondents and finds 60% of organizations say their teams lack the right skills to defend against today’s threats, while AI reshapes entry-level roles, regulatory hiring surges from 40% to 95%, and 27% of organizations report breaches directly tied to capability gaps

Bethesda, MD, March 31, 2026 (GLOBE NEWSWIRE) -- The cybersecurity workforce has a bigger problem than headcount: the people already on the team don't have the skills to match today's threats. That is the tone of the central findings of the 2026 SANS | GIAC Cybersecurity Workforce Research Report, unveiled at RSAC 2026 by SANS Institute CEO James Lyne and Chief AI Officer & Chief of Research Rob T. Lee. Drawing on responses from almost 1,000 practitioners, leaders, and HR professionals across six global regions, the report reveals an industry at an inflection point: AI is automating the entry-level work that has historically trained cybersecurity’s next generation, regulatory compliance is forcing the most dramatic hiring overhaul in years, and the widening skills gap is producing real, measurable security failures.

For the first time in the report’s three-year history, skills gaps decisively overtook headcount shortages as the industry’s top workforce challenge. When asked to choose between "not having the right staff" and "not enough staff," 60% of organizations identified skills gaps as the greater problem, compared to 40% citing staffing shortages. That 20-point gap has widened sharply from just four points a year ago, signaling a fundamental shift in how the industry defines its workforce crisis.

“This is no longer a story about filling seats,” said Rob T. Lee, SANS Chief AI Officer & Chief of Research. “Organizations have people. But those people are overwhelmed, under-resourced, and unable to develop the capabilities they need because they’re too busy running today’s operations. The industry needs to stop counting open positions and start investing in the skills of the people it already has.”

AI Is Reshaping the Cybersecurity Workforce Faster Than Governance Can Keep Up

The report documents a workforce in active transformation. 74% of organizations report that AI is already impacting their cybersecurity team size and role structures. Yet governance lags far behind deployment: only 21% have a comprehensive AI security framework in place, while 7% have no AI policy at all. More than half of organizations (54%) report having AI governance policies on paper, but only 38% actually provide comprehensive AI security training to staff.

“Policy without practice is just paper,” Lee told the packed RSAC audience, pointing to recent incidents including Meta’s internal AI agent triggering a data breach on March 19 and Codeway’s chat app exposing 300 million private messages from 25 million users. “What does your policy say about agentic AI? Can people use agents in your organization? What are they connected to? These are the questions organizations should be answering right now.”

The data reveals that AI’s primary impact is on efficiency, not elimination. 49% of organizations report reduced manual analysis time, and 48% cite workflow automation gains. Only 16% report actual headcount reduction. But the structural implications run deeper: among organizations experiencing role changes, SOC and security analysts lead reductions at 32%, followed by threat intelligence analysts at 26% and incident responders at 22%. These are precisely the entry-level positions where the next generation of cybersecurity leaders has traditionally learned their craft.

At the same time, entirely new job categories are emerging. Among organizations adding roles, 34% have filled AI/ML security specialist positions, 32% added AI security engineers, and 30% employed AI governance analysts. Rob T. Lee reported finding more than 2,500 active AI/ML security engineer postings on job platforms as of March 21, a category that barely existed three years ago.

Regulatory Compliance Emerges as the Biggest Hiring Driver in Cybersecurity History

The report’s most dramatic year-over-year shift is in regulatory impact. In 2025, 40% of organizations reported that regulatory directives were affecting their hiring practices. In 2026, that number surged to 95%, a 55-point increase that represents the fastest acceleration of any metric in the report’s history.

“That is a pretty fascinating shift,” said James Lyne, CEO of SANS Institute. “This isn’t mild compliance adjustment. Organizations are building entirely new specialist positions, restructuring teams around regulatory requirements, and facing real enforcement consequences if they don’t.”

The regulatory pressure is coming from multiple directions. NIS2 leads at 30% of organizations reporting hiring impact, followed by CMMC at 29%, DORA at 26%, DoD 8140 at 24%, and SEC regulations at 21%. NIS2 is now in active enforcement mode, with approximately 19,000 companies estimated non-compliant as of March 6, 2026, and fines up to €10 million or 2% of global turnover in play. Personal liability for executives adds urgency: the U.S. Department of Justice settled seven cybersecurity fraud cases in 2025 under the False Claims Act.

The demand for new specialist roles nearly doubled, jumping from 23% to 53% year over year. Framework adoption is accelerating in parallel: 56% of organizations now use NICE or ECSF workforce frameworks to define cybersecurity roles, up from 46% in 2025.

The Skills Gap Is Producing Measurable Security Failures

The consequences of widening skills gaps are no longer theoretical. The report documents that 27% of organizations have experienced actual security breaches as a direct result of workforce capability gaps. Skills shortages also drive delayed projects (57%), increased team burnout (47%), slower incident response (47%), inability to adopt new technologies (42%), and reduced monitoring capabilities (42%).

Budget limitations (36%) and time constraints (21%) account for 57% of the primary obstacles preventing organizations from closing those gaps. Sixty percent (60%) cite lack of time due to workload as their single greatest training barrier. Teams caught in operational firefighting simply cannot pause to develop the skills they need to keep pace with evolving threats.

“The industry has been running around saying there are millions of unfilled cybersecurity jobs,” Lee said from the RSAC stage. “That narrative misses the more fundamental problem. If everyone walks away with one thing from this room, it’s this: it is more about skills now than headcount.”

Career Progression Crisis Threatens Talent Pipeline

Unclear career progression tripled as a hiring obstacle, surging from 9% to 32% year over year, making it the third-largest challenge organizations face in attracting talent. It also ranks as the third-largest retention obstacle at 31%. Yet only 24% of organizations report providing well-defined and clearly communicated cybersecurity career paths.

Organizations are rebuilding from the top down, hiring experienced professionals to meet immediate compliance and capability demands rather than investing in junior talent development. Senior executives and CISOs now control 53% of hiring decisions. Expert-level roles (15+ years of experience) are the hardest to fill at 27%, and 55% of senior hires take six months or longer. Entry-level positions, by contrast, present minimal recruitment challenges at just 4%.

“Cybersecurity practitioners who use AI are quite likely to replace those who don’t,” said Lyne. “We have to be very careful. If we signal that the lower end of cybersecurity is going to be replaced by AI, even if that’s not the truth, and we don’t end up with enough practitioners learning foundational skills, we won’t have seniors and experts later. We all end up pointing at everyone else, and we end up with a gap in the future.”

Certifications Surpass Academic Degrees as Top Hiring Signal

In a decisive shift, cybersecurity certifications now rank as the industry’s leading skill validation method at 64%, ahead of skills assessments at hiring (49%) and internal evaluations (48%). When evaluating cybersecurity staff, 58% of organizations consider certifications either very important or extremely important. Academic degrees, meanwhile, rank last among hiring priorities at just 17%.

Technical capability now leads all hiring criteria at 55%, followed by work experience at 46%, attitude at 37%, and aptitude at 34%. The question hiring managers are asking has shifted from “What credentials do you hold?” to “Can you demonstrate competency?”

Team Stress Rises as Burnout Compounds the Skills Gap

61% of organizations report increased stress within cybersecurity teams over the past two years. The top drivers mirror the report’s central findings: workload and understaffing (46%), budget constraints (40%), and threat complexity (40%). James Lyne flagged emerging research on “AI fry,” where productivity tools paradoxically increase burnout through constant context switching. “I rarely talk to teams that aren’t running some version of 100%,” he told the audience. “This suggests an enhanced risk that leaders need to pay more attention to than in prior years.”

What the Report Recommends

The 2026 report outlines nine strategic recommendations for cybersecurity leaders, including: develop an AI governance program and provide baseline AI security training for all employees; build a pipeline of entry-level talent equipped to work alongside AI tools through structured mentorships and on-the-job rotations; use workforce frameworks such as NICE, ECSF, or SCyWF to define job qualifications; create and strengthen career paths for security team members and individual contributors; validate and document team skills to meet regulatory requirements; and develop a cyber incident response plan that involves stakeholders beyond the security team.

Real-World Case Studies: Microsoft, Bayer, and CSA Singapore

The report features three in-depth case studies from organizations navigating these challenges at scale. Microsoft Federal’s Jay Bhalodia describes how the company frames AI as an accelerator for human development, not a replacement: “The real risk isn’t the AI itself. It’s using AI to automate these growth pathways instead of focusing on accelerating them.” Bayer’s Global CISO Dr. Kevin Jones details the company’s radical shift from hierarchy to a skills-based operating model across 90,000 employees. And Singapore’s Cyber Security Agency (CSA) shares its national approach to workforce development, having trained over 22,000 individuals since 2020.

About the Research

The 2026 Cybersecurity Workforce Research Report by SANS | GIAC surveyed 947 global respondents across six regions: North America (56%), Europe (16%), Latin America (14%), Asia-Pacific (7%), Africa (5%), and the Middle East (2%). Respondents represent cybersecurity/InfoSec leadership (72%), HR/talent acquisition professionals (16%), and those with both responsibilities (12%). Organizations span small businesses to enterprises with more than 100,000 employees across more than 20 industry sectors. This is the third annual edition of the report. 
 
Download the full report and register for the upcoming June 24, 2026 webcast, Inside the 2026 Cyber Workforce, where industry leaders translate the research findings into actionable insights on hiring, skill development, and workforce strategy: https://go.sans.org/OOjNhB

For interview requests with Rob T. Lee, James Lyne, or additional commentary: press@sans.org


Jenn Elston
SANS Institute
301-654-7267
press@sans.org
