Budget limitations( 36 %) and time constraints( 21 %) account for 57 % of the primary obstacles preventing organisations from closing those gaps. Sixty percent cite lack of time due to workload as their single greatest training barrier. Teams caught in operational firefighting simply cannot pause to develop the skills they need to keep pace with evolving threats.
“ The industry has been running around saying there are millions of unfilled cybersecurity jobs,” Lee said from the RSAC stage.“ That narrative misses the more fundamental problem. If everyone walks away with one thing from this room, it’ s this: it is more about skills now than headcount.”
Career progression crisis threatens talent pipeline
Unclear career progression tripled as a hiring obstacle, surging from 9 % to 32 % year over year, making it the third-largest challenge organisations face in attracting talent. It also ranks as the thirdlargest retention obstacle at 31 %. Yet only 24 % of organisations report providing well-defined and clearly communicated cybersecurity career paths.
Organisations are rebuilding from the top down, hiring experienced professionals to meet immediate compliance and capability demands rather than investing in junior talent development. Senior executives and CISOs now control 53 % of hiring decisions. Expert-level roles( 15 + years of experience) are the hardest to fill at 27 % and 55 % of senior hires take six months or longer. Entry-level positions, by contrast, present minimal recruitment challenges at just 4 %.
“ Cybersecurity practitioners who use AI are quite likely to replace those who don’ t,” said Lyne.“ We must be very careful. If we signal that the lower end of cybersecurity is going to be replaced by AI, even if that’ s not the truth and we don’ t end up with enough practitioners learning foundational skills, we won’ t have seniors and experts later. We all end up pointing at everyone else and we end up with a gap in the future.”
Certifications surpass academic degrees as top hiring signal
In a decisive shift, cybersecurity certifications now rank as the industry’ s leading skill validation method at 64 %, ahead of skills assessments at hiring( 49 %) and internal evaluations( 48 %). When evaluating cybersecurity staff, 58 % of organisations consider certifications either very important or extremely
Teams caught in operational firefighting simply cannot pause to develop the skills they need to keep pace with evolving threats.
important. Academic degrees, meanwhile, rank last among hiring priorities at just 17 %.
Technical capability now leads all hiring criteria at 55 %, followed by work experience at 46 %, attitude at 37 % and aptitude at 34 %. The question hiring managers are asking has shifted from‘ What credentials do you hold?’ to‘ Can you demonstrate competency?’
Team stress rises as burnout compounds the skills gap
Sixty-one percent of organisations report increased stress within cybersecurity teams over the past two years. The top drivers mirror the report’ s central findings: workload and understaffing( 46 %), budget constraints( 40 %) and threat complexity( 40 %). Lyne flagged emerging research on‘ AI fry’, where productivity tools paradoxically increase burnout through constant context switching.“ I rarely talk to teams that aren’ t running some version of 100 %,” he told the audience.“ This suggests an enhanced risk that leaders need to pay more attention to than in prior years.”
What the report recommends
The 2026 report outlines nine strategic recommendations for cybersecurity leaders, including:
• Develop an AI governance programme and provide baseline AI security training for all employees
• Build a pipeline of entry-level talent equipped to work alongside AI tools through structured mentorships and on-the-job rotations
• Use workforce frameworks such as NICE, ECSF or SCyWF to define job qualifications
• Create and strengthen career paths for security team members and individual contributors
• Validate and document team skills to meet regulatory requirements
• Develop a cyberincident response plan that involves stakeholders beyond the security team.
WWW. INTELLIGENTCISO. COM 27