"Not having the right staff" was picked by 60% compared to only 40% who chose "not enough staff."
SANS/GIAC 2026 survey: skills outrank vacancies
The SANS/GIAC 2026 Cybersecurity Workforce Research Report surveyed 947 chief information security officers from companies around the globe and, for the first time, found concerns about team skills and capabilities ahead of worries about headcount and unfilled vacancies. That 60% vs. 40% split signals a shift in what CISOs identify as their principal challenge: not simply hiring bodies, but ensuring those bodies have the right skills.
Rob T. Lee: AI and quantum raise the bar for skills
Rob T. Lee, SANS chief of research, framed the skills problem as one driven by new technologies. Rapid corporate deployment of artificial intelligence means defending "a whole new technology stack, implemented across every function of the company," Lee said, and that implementation has "highlighted 'gaps in the skills of the team.'" CISOs, he added, face practical questions: "Do we need new positions? Are these additional duties [for existing staff]? How do we identify and measure success?"
Lee urged a realistic view of workforce limits: "You can't hire your way to success." He said there are not enough highly skilled cybersecurity professionals available and those who are available are often "prohibitively expensive." Given those constraints, "Most CISOs are really trying to figure out, if they can't get the budget to hire someone, can they at least get budget to increase the skills" of their current staff.
Lee acknowledged one more difficulty: "It is hard to assess through a simple survey question," and SANS is preparing more detailed follow-up questions to clarify exactly what skills are missing.
Marling Engle: frameworks, title drift, and hiring mismatches
Marling Engle, CEO of Cyberstar, said companies often demand advanced qualifications for entry-level roles because "they don't have a good match for what is in the field and what they actually need." To fix that mismatch, Engle recommended standardization: "Just pick one" of the existing cyber skills and roles frameworks, such as those produced by the National Initiative for Cybersecurity Education and organizations abroad.
The frameworks, Engle said, are "just a standardized way to talk about the information" and they help training organizations map courses to specific job qualifications. Standard language also fights what Engle described as "title drift" — the temptation for workers to call themselves a "cool role" that does not match their daily work. The result can be misleading hiring decisions: "So it turns out actually, I don't need a security architect. I need a SOC analyst." Engle used a blunt comparison to make the point: "Imagine if you did that in medicine. This guy's a heart surgeon, but it turns out he was actually a pediatrician and they just gave him the heart surgeon title."
JC Vega: operational experience can't be certified away
JC Vega, a cybersecurity consultant and retired U.S. Army colonel who runs the cyber networking group A Wee Dram, argued that technical training alone misses a central part of cyber work: operations. "I can teach anyone IT, or cyber. I can't teach you operations to get that big picture of the organization. That you have to learn by working there," he said.
Vega warned that operational judgment — understanding why systems exist and what happens if defense fails — shapes decisions and resilience in ways certifications cannot. He also expressed concern about a generational shift: "Now you have people coming up who are all cyber, and they've never done anything else. They don't have the operational experience." According to Vega, that absence can impair defenders' ability to balance technical fixes with organizational priorities.
John Felker: leadership, listening, and a dual-track idea
John Felker, a former Coast Guard member who served as deputy chief of service cyber command and later for CISA before retiring as the agency's assistant director in 2020, emphasized leadership and practical learning. He recalled the Coast Guard's traditional early assignment — the so-called SLJO, for "sh---y little jobs officer" — as a crucible for learning how to "drive the ship" and "learn leadership," including the skills of listening and integrating input from subordinates. One of the interview questions he favored: "How well do they listen to their subordinates? How well do they listen, integrate and understand what their subordinates are telling them, whether it's business or cyber?"
Felker proposed a "dual track" workforce model: "One for someone who wants to be a superstar in cyber or in AI, and stay focused on that track; and another who says, 'I'm gonna have all these AI and cyber skills in my toolkit, but I want to go over here and work in the business side of things'." He acknowledged a trade-off: operational assignments can let cyber skills atrophy if too long, but they also build leadership and context that purely technical rotations do not.
What this means for CISOs, enterprises, and training providers
- CISOs: Expect pressure to reallocate budget toward upskilling existing teams rather than hiring alone, and to define the skills required more precisely as SANS develops follow-up questions.
- Enterprises and procurement leaders: Look to standardized frameworks to match job titles to real duties and avoid costly "title drift" that produces hiring mismatches.
- Training providers and talent platforms: There is demand not just for certifications but for programs that build operational judgment and leadership, or for dual-track curricula that preserve technical depth while exposing people to business operations.
The SANS/GIAC survey reframes a long-standing workforce problem: the gap is less about empty seats than about what the people in those seats can actually do. With AI and other emergent technologies widening the skills frontier, leaders quoted in the report converge on a common next step — define the skills precisely, align titles and training to those definitions, and invest in operational experience as well as technical certificates. How organizations balance immediate detection-and-response needs against the longer grind of building operational judgment will determine whether the 60% who fret about "not having the right staff" still say so next year.
https://www.govinfosecurity.com/skills-gap-top-ciso-concern-says-new-sans-survey-a-31603