CISOs today are stuck between a rock and a hard place. As cyberthreats grow in complexity and scale, they’re being asked to protect the enterprise while navigating a widening cybersecurity skills gap, shrinking budgets, and rising burnout. How do you build – and keep – a capable security team under those conditions? The short answer: it’s incredibly difficult.
The pressure to secure the enterprise isn’t going anywhere – but neither is the widening talent gap. CISOs will have to get creative. According to the ISC2’s latest Cybersecurity Workforce Study, an additional 10.2 million security professionals are required to meet the current global demand. In the UK, the first Skills England report highlighted that the nationwide skills gap continues to grow, with the NCSC warning of a widening gap between cyberthreats and defence capabilities due to talent shortages.
Many CISOs still rely on traditional security training methods like annual courses, in-person workshops, or outdated e-learning, but in today’s fast-evolving threat landscape, these approaches leave teams underprepared for emerging vulnerabilities and sophisticated attack vectors.
What’s often overlooked is just how advanced and accessible modern learning platforms have become. For example, gamified activities like ‘capture the flag’ challenges are now common in cybersecurity upskilling, offering real-time threat simulations that engage and educate. Live sessions with world-leading practitioners, deep technical content for IT certifications, and hands-on labs help practitioners learn faster and apply knowledge immediately, all while saving organisations time and money compared to legacy methods.
As daunting as this sounds, it also opens the door to a smarter solution. Amid headcount and salary freezes, our research discovered that over the past twelve months, more than half (53%) of UK employers have seen an uptick in requests from non-technical staff for cybersecurity reskilling opportunities. Encouragingly, four in five (81%) see digital reskilling as more cost-effective than acquiring new headcount – particularly for the 48% of employers looking to enhance skills in cybersecurity.
Upskilling existing employees is not as crazy as it might sound. Many non-technical staff (data analysts, IT-adjacent roles, even ops folks) already have transferable skills like risk awareness, systems thinking, or compliance experience. These individuals can take ownership of ensuring security practices in their departments to bolster cybersecurity across an organisation without the need for additional resources.
Despite the demand, many employees do not feel empowered to drive forward their own learning, with more than a third (34%) pointing to a lack of time as a barrier to pursuing new security-focused learning opportunities. Almost one in five (19%) employees also cited a lack of access to relevant learning materials at their point of need. Unsurprisingly, businesses must develop their internal cyber training systems, with robust methodology, training modules and even in-house certification and remuneration offers.
Indeed, while hiring new talent may seem like the fastest fix, the reality is that we cannot recruit our way out of this talent shortage. Cyber talent simply doesn’t exist in the volumes required. Instead, we should turn inwards and consider whether we are creating an environment where existing team members can grow and build the advanced capabilities we so urgently need. With the threat landscape changing daily, the ability to continuously learn through an ‘in-the-flow-of-work’ approach will be essential.
Building a continuous learning programme
Continuous learning is the key – a culture that fosters curiosity, adaptability, and ongoing skill development in employees. It’s about more than just formal training; it involves encouraging individuals to seek new challenges, share knowledge, and continuously learn to stay relevant. It’s about embedding learning into the day-to-day, not reserving it for annual workshops or reactive upskilling after incidents.
It’s easy to focus on the upfront cost of learning and development (L&D), particularly in a budget-constrained environment. What is often overlooked, however, is the cost of underinvestment. Unaddressed skills gaps can lead to increased incident response times, higher risk exposure, and ultimately, greater financial losses from breaches or compliance failures. A blanket upskilling of employees, headed by non-technical leaders, helps to mitigate some of these risks.
Alexia Pedersen, SVP International at O’Reilly
www.intelligentciso.com