In a deeper examination of the findings from the most recent ISC2 Cybersecurity Workforce Study, we take a closer look at the challenges highlighted by respondents, particularly hiring managers, around finding the candidates and the skills their organizations need.
The rapid rise of new technologies, in particular artificial intelligence (AI), has brought with it a profound demand for new and additional skills across organizations. Cybersecurity teams have experienced a pressing need for new and progressive skills in areas such as AI, cloud computing, risk assessment, application security, as well as governance, risk management and compliance (GRC).
A significant finding from the most recent ISC2 Cybersecurity Workforce Study was that the inability to access the skills needed within organizations is not automatically due to a shortage of people. This is reinforced with the finding that 34% of respondents agree that their organizations have the right number of people working in cybersecurity roles, with a further 44% noting only a slight shortage of the number of people needed. Rather, the issue is whether the people already working in the field can keep pace with rapidly evolving technology, regulatory and operational demands, all of which are requiring them to develop new and expanded skills sets.
This substantial need for continuous learning and education has manifested as a skills shortage. The degree to which organizations are experiencing a lack of skills in key areas was highlighted by 95% of respondents, who reported that their organizations have at least one cybersecurity skills need, with 59% of respondents claiming that the skills deficiency they are experiencing is critical or significant. Only 5% believe they are fully resourced in terms of the skills needed.
Filling the Skills Need
In the 2025 study, one theme was notable for its r recurrence across skills-related questions:
“We can’t find people to hire with the skills we need”
This statement is not a claim of a shortage of available, qualified people in the talent pool. Rather, it indicates several potential contributing factors:
- Education and Training Lagging Behind Technology: Cybersecurity certifications and training courses have expanded, but curricula may not be keeping pace with real-world demands. The pace of academic change, or the clarity about how a qualification maps to a given technology skills need, does not always match the pace of technology evolution and business needs.
- Traditional Programs Focus on Foundational Skills: Training around areas such as networking, cryptography, risk management is valuable, but many courses do not yet teach applied competencies across all the new and emerging areas recruiters now seek such as AI, cloud security and more.
- AI Demands Interdisciplinary Talent: Combining cybersecurity expertise with skills in areas such as AI, machine learning and data science creates a rare professional profile. Individuals with one skill set typically do not necessarily possess the other. Those who do are often siphoned off into higher-paying AI product, analytics and software engineering roles outside of cybersecurity.
About one in three (30%) respondents that said their organizations have skills needs reported difficulty finding people to hire who have the in-demand skills needed. In addition, 21% of respondents said that IT often introduces new technology without the expertise to secure it, therefore adding to the skills shortages within their organizations. Alongside this, 15% said that AI technologies are causing uncertainty around what skills will be needed.
Taken together, recruitment challenges and rapid technology adoption can complicate hiring strategies. Hiring managers risk exacerbating these challenges by committing resources to trying to find so-called “unicorns”, an unrealistic and arguably impossible-to-find profile of individual who are not just strong in cybersecurity fundamentals but also capable of configuring, training and interpreting advanced AI systems and other emerging technologies.
This approach can come at the expense of more sustainable or alternative approaches, such as investing in skills development for existing staff or adopting clearer recruitment strategies focused on specific roles rather than attempting to fill multiple gaps with a single hire.
Competition for Skills Is Intense
Even in times of lower hiring and cutbacks, every industry still needs cybersecurity expertise and specific skills to cover their unique needs. However, competition for these is exacerbated by supply and demand challenges.
Hiring managers and cybersecurity professionals are not aligned: The study found that there was a disconnect in the skills being sought by employers compared to the skills perceived as valuable by individual cybersecurity professionals. Hiring managers and cybersecurity professionals were first asked to rank technical and non-technical skills separately, then given a list of both technical and non-technical skills combined to rank.
While hiring managers are looking for non-technical skills such as problem solving (29%), collaboration (24%), communication (22%), curiosity (20%) and strategic thinking (16%) ahead of their top technical skills needs of AI and cloud security (both 15%), cybersecurity professionals have put greater emphasis on their technical skills.
While there is alignment that AI and cloud security are the most needed technical skills, there is far greater fragmentation, with professionals putting emphasis on things like GRC skills (15%) and risk assessment (13%) than hiring managers. The result is that while both hiring managers and professionals share the same view on the top five non-technical skills, professionals are not seeing them as in demand as they might in fact be, with less emphasis on developing those skills the likely outcome.
Coupled with this is a competitive hiring landscape. Consider the broader market competition for AI-savvy professionals (e.g., AI research, autonomous systems, analytics). Cybersecurity teams are directly competing with non-security employers - often offering higher salaries and the prospect of more glamorous work. Those with in-demand skills can command good salaries and terms of employment. Nearly a quarter (23%) of cybersecurity professionals say their team struggles to keep people with high demand skills, and often due to their organizations not offering competitive salaries and growth opportunities – things that could be remedied.
Where Are We Looking?
The study asked a question, from both the perspective of hiring managers and cybersecurity professionals, to understand where the most success was occurring in terms of finding people to hire and finding cybersecurity jobs to pursue.
Across both sides of the equation, employee referrals continue to be the most popular method used to find both people and roles. It illustrates the importance of maintaining your network of industry peers.
While hiring managers and cybersecurity professionals turn to the same top three resources for finding talent or jobs (respectively), we see differences in the emphasis the two respondent groups place on them. After referrals, cybersecurity professional respondents next turn to LinkedIn (49%, compared to 40% of hiring managers). Their third option is recruiters, which is where we see a shift in focus. While only 34% of cybersecurity professionals target recruiters as a source, 40% of hiring managers opt for dedicated recruiters to find people. The use of more general job boards is broadly the same across both sides (32% of cybersecurity professionals, compared to 28% of hiring managers).
From here we see further instances of divergence:
- Cybersecurity Professionals: Generally, much more positive about general and specialist job boards, including LinkedIn, along with certification organizations. Less so about social media and internships.
- Hiring Managers: More positive about early career pathways like internships and education institutions, with much more of a spread of successful outcomes across the platforms.
Building a Skills Base Requires Development and Strategy, Not Just Hiring
The cybersecurity skills challenge, especially in the era of AI, isn’t going away. The emphasis on finding fully trained candidates in volume ready to operate complex AI-based and other modern cybersecurity tools is unrealistic given the pace of change and the unique needs of an organization.
The future belongs to organizations that invest in people, embrace talent development and understand that cybersecurity expertise, particularly where emerging and rapidly evolving technologies like AI is concerned, is developed and invested in over time, not always hired fully formed.
Respondents indicated a variety of actions that organizations are taking to invest in people and organically develop skills within teams. These include facilitating professional development during regular working hours (28%), promoting free training and educational content being offered by the organization’s security vendors, investing in more and new technologies, as well as integrating AI technologies to automate tasks (all 25%), as well as allocating dedicated budget for internal training (24%).
By reimagining hiring as the first step in a broader skills growth strategy, organizations can build resilient, capable cybersecurity teams that are equipped for today’s threats as well as having the competence and understanding needed to develop skills for tomorrow’s hardware, software and service innovations.
Actions For Finding Your Workforce and Building Skills
As the study responses have illustrated, while hiring managers are encountering challenges securing the skillsets their organizations need, the workforce is there to provide them. But more clarity and alignment of needs and professional development efforts is needed from both sides. So too is organization investment in continually developing the people they have, in order to secure the skills they need, rather than in pursuit of finding and hiring the illusive “unicorn” employees with an unrealistic ready-to-go skillset.
- Leverage Your Network: Professional networks are key, not just for cybersecurity professionals, but for those who are hiring managers. Networks are the most consistent way to find a job opportunity and to fill one.
- Showcase Your Nontechnical Skills: Hiring managers indicted a clear need for nontechnical skills alongside technical ones. Cybersecurity professionals that have these power skills don’t always appreciate their importance. Demonstrating nontechnical aspects like your communication, problem-solving and curiosity to learn will be important aspects that stand you out from those with just technical competency.
- Keep Informed About Organization Needs: Cybersecurity professionals taking ownership of their own skills development is a valuable investment in themselves, but it's most valuable when it is effectively aligned with what hiring managers are recruiting for. Consider what job descriptions are calling for when developing your own skills development intentions to ensure the time and effort investment pays off.
- AI is Reshaping Skills Needs: Respondents were clear that AI is having a fundamental impact on cybersecurity roles, driving the need for new and expended skills to support changing roles and rapidly evolving technologies. Organizations need to invest in their existing staff and build on their existing skills to keep pace with technology and maintain operational agility in a fast-changing cybersecurity environment.
Ultimately, hiring managers need to ensure that their job roles and skills requirements are realistic and achievable, rather than a tick-box exercise or a wish list. Meanwhile, cybersecurity professionals need to keep developing themselves – leveraging organization resources and investment, as well as growing their skills independently – to keep pace with the cybersecurity needs of organizations.
