T he cybersecurity workforce has a bigger problem than headcount: the people already on the team don’ t have the skills to match today’ s threats. That is the tone of the central findings of the 2026 SANS | GIAC Cybersecurity Workforce Research Report, unveiled at RSAC 2026 by SANS Institute CEO, James Lyne, and Chief AI Officer and Chief of Research, Rob T. Lee.
Drawing on responses from almost 1,000 practitioners, leaders and HR professionals across six global regions, the report reveals an industry at an inflection point: AI is automating the entry-level work that has historically trained cybersecurity’ s next generation, regulatory compliance is forcing the most dramatic hiring overhaul in years and the widening skills gap is producing real, measurable security failures.
Organisations have people. But those people are overwhelmed, under-resourced and unable to develop the capabilities they need.
For the first time in the report’ s three-year history, skills gaps decisively overtook headcount shortages as the industry’ s top workforce challenge. When asked to choose between‘ not having the right staff’ and‘ not enough staff’, 60 % of organisations identified skills gaps as the greater problem, compared to 40 % citing staff shortages. That 20-point gap has widened sharply from just four points a year ago, signalling a fundamental shift in how the industry defines its workforce crisis.
New research highlights a growing cybersecurity skills crisis, as organisations struggle to equip existing teams to tackle increasingly complex threats in an AI-driven landscape. SANS Institute CEO, James Lyne, and Chief AI Officer and Chief of Research, Rob T. Lee, reveal how workforce gaps, regulatory pressure and automation are reshaping the future of cybersecurity talent.
“ This is no longer a story about filling seats,” said Rob T. Lee, SANS Chief AI Officer and Chief of Research.“ Organisations have people. But those people are overwhelmed, under-resourced and unable to develop the capabilities they need because they’ re too busy running today’ s operations. The industry needs to stop counting open positions and start investing in the skills of the people it already has.”
AI is reshaping the cybersecurity workforce faster than governance can keep up
The report documents the workforce in active transformation. Seventy-four percent of organisations report that AI is already impacting their cybersecurity team size and role structures. Yet governance lags far behind deployment: only 21 % have a comprehensive AI security framework in place, while 7 % have no AI policy at all. More
WWW. INTELLIGENTCISO. COM 25