Cybersecurity is no longer a backroom function—it’s a front-line defense. But there’s a growing problem that’s making it harder for businesses to stay protected: the cybersecurity skills gap. This gap is making it incredibly difficult for companies to find and keep skilled cybersecurity professionals. Below, we’ll break down 30 of the most important stats that show just how serious this issue has become. More importantly, we’ll also walk you through what these numbers mean for your business and what you can do to stay ahead.

1. 70% of organizations report a shortage of cybersecurity skills

This stat speaks volumes. If 70% of companies are struggling to find cybersecurity talent, then you’re not alone. This is a global issue affecting every industry, from tech startups to government agencies.

The demand for cybersecurity professionals is growing much faster than the supply, and this gap is widening every year.

So, what can you do?

First, consider creating a cybersecurity talent pipeline. You can build partnerships with local colleges and universities to attract interns or fresh graduates early.

Offering real-world training, mentorship, and career development opportunities will make your company more attractive to candidates just starting out.

Second, broaden your hiring scope. Many organizations limit themselves by only hiring candidates with certain degrees or certifications.

But cybersecurity is a skill-based field. Someone with hands-on experience from a bootcamp or freelance background could be just as capable as someone with a four-year degree.

Finally, invest in training your existing IT team. You might already have the right people—they just need the right skills. Offering certification support and time to train can help close your internal skills gap and reduce dependency on new hires.

The bottom line? You don’t always have to look outside to solve a talent shortage. Start by building from within and thinking differently about where your talent comes from.

2. 57% of companies say the cybersecurity skills gap puts them at moderate to extreme risk

This stat highlights a serious consequence: not having enough skilled cybersecurity staff can leave your business vulnerable.

Over half of companies know they are more exposed to cyberattacks because they simply don’t have the right people on their security teams.

To reduce this risk, take a proactive approach. Start by conducting a risk assessment of your current cybersecurity setup. Identify where the weak points are—maybe it’s endpoint protection, phishing awareness, or cloud security.

Then, match those gaps with the skills your current team has or lacks.

If hiring isn’t immediately possible, consider short-term help. Bring in contractors or consultants for specific projects or to help train your in-house staff. They can offer fast impact while you build up a longer-term team.

Also, prioritize your highest risks. You might not have the resources to fix everything at once, and that’s okay. Focus first on critical systems or data that would cause the most damage if breached.

This stat is a warning. But it also gives you a clear signal to take action—strategically, quickly, and with a focus on the most important risks first.

3. 60% of cybersecurity jobs remain vacant for over 6 months

Six months is a long time for any role to stay open—especially one that’s supposed to protect your systems from threats every day. If most cybersecurity positions are sitting vacant this long, it’s a clear sign the hiring process is broken or too slow.

Start by reviewing your job descriptions. Are you asking for too much? Many listings demand 5+ years of experience, a long list of certifications, and niche technical knowledge—all for an entry-level role. Candidates often skip over roles that seem unrealistic.

Also, think about your interview process. A drawn-out, complex process with multiple rounds and tests can scare away candidates in a market where they’re already in high demand. Aim to streamline your hiring steps and make decisions faster.

And don’t forget about compensation. Cybersecurity professionals know they’re in demand. If your salary ranges are below market, you’re going to lose out to competitors who are willing to pay what the market demands.

If you’re struggling to fill roles, you may need to rethink not just how you hire—but what you offer.

4. The global cybersecurity workforce gap is over 3.4 million professionals

This is a staggering number. Across the world, there are 3.4 million unfilled cybersecurity jobs. That’s not just a hiring problem—it’s a crisis that affects industries, economies, and national security.

What can you do about a global issue like this? Focus on what’s in your control.

Start building a long-term talent strategy. That means investing in junior talent and giving them a clear career path. Train, mentor, and promote from within so you’re not always dependent on a shallow external talent pool.

Also, get creative with where you find talent. Consider veterans transitioning to civilian work, career switchers from adjacent fields like IT support or software development, and graduates of alternative programs like coding bootcamps or community colleges.

It’s also a good time to review how inclusive your hiring practices are. Diverse teams bring different perspectives that are critical in cybersecurity. A more open and welcoming culture can help you attract talent that others are missing.

The size of the gap can feel overwhelming, but your approach doesn’t have to be. Focus on building a talent pipeline that works for your business today—and grows with you tomorrow.

5. 45% of security leaders say they can’t find qualified candidates

When nearly half of security leaders say they just can’t find the right people, something deeper is going on. It’s not just a hiring problem—it’s a qualification mismatch.

One big issue is the overemphasis on certifications and degrees. Yes, those can be helpful—but they don’t always show practical ability. Many truly talented professionals are self-taught or come from non-traditional backgrounds.

So, shift your hiring approach to be skill-based. Use hands-on assessments or practical scenarios to test what candidates can actually do, not just what they say on paper. This gives you a clearer picture of their capabilities.

You should also consider adjusting your definition of “qualified.” Does a candidate really need to know every tool you use on day one? Or can they learn on the job with some support? Often, potential is more valuable than perfection.

Also, don’t forget internal candidates. Some of your best future security experts may already work in your company, just in a different department. Give them the opportunity to grow into the role.

When you focus more on ability and less on checkboxes, you’ll likely find more candidates who are not just qualified—but ready to hit the ground running.

6. 50% of organizations cite a limited talent pool as their biggest hiring barrier

Half of all businesses say their biggest issue is simply not enough qualified people to choose from. The reality is, most companies are fishing in the same small pond—looking for candidates with the same skills, certifications, and experience.

One way to overcome this is to look beyond the usual candidate profiles. Consider those who’ve been in other tech roles—like network engineers, developers, or IT support—who may have transferable skills and just need some upskilling.

You can also partner with training providers or online learning platforms. Sponsoring a few candidates through a certification course like CompTIA Security+ or CISSP can help you grow your own talent from the ground up.

It’s often faster and more affordable than trying to poach top-tier professionals.

Another option is remote hiring. By looking beyond your immediate geography, you open your search to a much wider group of candidates. Remote work is now widely accepted in cybersecurity, and many tasks can be done securely from anywhere.

Don’t just wait for the perfect candidate to show up. Build the talent you need by being flexible, forward-thinking, and proactive in where you look.

7. 63% of companies have unfilled cybersecurity positions

It’s not just a few open roles here and there—nearly two-thirds of companies are operating with cybersecurity jobs left empty. That means risk is climbing while defense remains understaffed.

What’s happening here is a combination of unrealistic job expectations, narrow hiring pipelines, and lack of internal training. Many companies expect to hire a security unicorn who knows every tool, every framework, and every threat vector.

But those people are rare—and already employed.

Instead of chasing perfection, shift your focus to building a balanced team. Not everyone needs to be an expert. A strong junior hire with enthusiasm and training potential can sometimes bring more value than a burned-out senior looking for a paycheck.

You should also evaluate whether your job roles are too specialized. Breaking cybersecurity down into overly narrow silos—like just cloud, just endpoint, or just SIEM—can make it harder to fill roles.

Sometimes a generalist with broad knowledge can fill a gap more effectively than waiting months for a specialist.

Keeping roles open is a risk you can’t afford. Reevaluate your hiring strategy and look for smart, trainable candidates who can grow into the job.

8. 76% of cybersecurity professionals say skills shortages are impacting their workload

This stat shows a hidden cost of the skills gap—burnout. When you don’t have enough hands on deck, the pressure lands on the people you do have. And 76% of them say it’s too much.

That’s a huge risk to your company. Overworked employees are more likely to make mistakes, miss threats, or simply quit. Replacing a burned-out team member is even harder in this tight job market.

To reduce this pressure, start by prioritizing tasks. Make sure your security team is focused on the work that truly matters—like incident response, patching, and monitoring—and not bogged down by routine tasks that could be automated or outsourced.

You can also bring in temporary help through contractors or managed security service providers. These external resources can take some of the workload off your core team while you continue hiring.

Another option is to cross-train other departments. Teach your IT or development teams basic security principles so they can handle minor issues and reduce reliance on your security team.

Your cybersecurity team is your last line of defense. If they’re running on empty, your business is more exposed than you think.

9. 59% of organizations report increased workload due to hiring delays

Hiring delays don’t just slow down your projects—they pile work onto your existing staff. Nearly 6 in 10 companies say their teams are overwhelmed because they simply can’t hire fast enough.

Speed matters in cybersecurity. When hiring takes too long, threats continue to evolve, and defenses don’t keep pace. To fix this, simplify and shorten your hiring process.

Start by cutting unnecessary steps. Do you really need five interview rounds and a panel review? Can you move faster with just two interviews and a hands-on test? Candidates won’t wait around forever—especially in cybersecurity, where good ones are snapped up quickly.

You can also prepare pre-approved job descriptions, salary ranges, and budgets in advance. That way, when a need arises, you’re not starting from scratch.

Another tip is to build a talent bench. Stay in touch with previous candidates, interns, or promising applicants you didn’t hire before. Having a pool of warm leads can speed things up significantly.

The faster you hire, the faster your team gets relief—and the safer your systems stay.

10. 53% of businesses report difficulty retaining skilled cybersecurity staff

Hiring is only half the battle. Retention is the other half—and more than half of companies are struggling with it. In cybersecurity, skilled professionals often jump ship for better pay, less stress, or more interesting work.

To keep your top talent, start by listening. Regularly check in with your team and ask what they need—whether it’s better tools, clearer goals, or more career growth. Often, small changes can make a big difference.

Next, create a real path for advancement. Cybersecurity professionals want to grow. Offer certifications, promotions, and leadership opportunities to help them see a future with your company.

Also, take burnout seriously. Long hours, constant alerts, and high pressure can push even the best people out the door. Encourage time off, rotate on-call duties, and make sure the workload is fair.

If your team feels valued, supported, and challenged, they’re far more likely to stick around. Retention isn’t just about money—it’s about culture, opportunity, and balance.

11. 44% of cybersecurity professionals consider leaving their jobs due to burnout

Nearly half of the cybersecurity workforce is thinking about walking away—and burnout is the main reason. That’s a major warning sign for businesses, especially when finding replacements is already tough.

Burnout happens when people are overworked, under-supported, and feel like they’re constantly reacting to emergencies. It wears people down over time, and once they reach a breaking point, it’s hard to bring them back.

To prevent this, start by building a more sustainable work environment. Give your team the tools and support they need to work smarter, not harder. Automate repetitive tasks, improve alert filtering, and streamline incident response playbooks so the team isn’t chasing false alarms all day.

Also, protect their time. Make sure your security staff isn’t getting pulled into unrelated IT work or asked to “wear too many hats.” Their focus needs to stay on what they do best—keeping the company secure.

And finally, recognize the work they’re doing. A simple thank you goes a long way, especially in a high-stress field. Celebrate wins, acknowledge effort, and build a culture where your team feels appreciated, not just used.

When people feel respected, supported, and empowered, they’re more likely to stay. You can’t fix the talent shortage overnight—but you can stop your own team from becoming part of the statistic.

12. Entry-level cybersecurity roles require 3+ years of experience at 61% of companies

This stat highlights one of the most common roadblocks for new talent: unrealistic expectations. If a job is labeled “entry-level” but demands years of experience, you’re automatically shrinking your talent pool.

The problem here is a mismatch between job titles and actual requirements. Many companies want someone who’s done it all—but also want to pay them as if they’re just starting out. That’s not going to work in today’s market.

To fix this, take a fresh look at your job descriptions. Ask yourself: do we really need three years of experience? Or do we need someone who can learn fast, follow instructions, and grow into the role?

If you truly need experience, then it’s not an entry-level job—be honest about that. But if it’s a junior role, consider dropping the experience requirement and instead focus on skills or aptitude.

Also, create true entry-level roles. These could be internships, apprenticeships, or junior analyst positions with strong mentorship. That’s how you build a pipeline of loyal talent who grow with your company instead of hopping around.

When you align your expectations with reality, you’ll find it much easier to fill those early-career positions—and build a stronger team in the long run.

13. 35% of organizations have delayed security projects due to lack of talent

When you don’t have the people, the work doesn’t get done. Over a third of companies are hitting the brakes on important security initiatives because they can’t staff them properly. That’s a dangerous place to be.

Delaying security upgrades, new tools, or compliance projects leaves you exposed. Threats don’t wait for your hiring process to catch up.

To keep things moving, get creative with your resources. Consider outsourcing specific projects to trusted security consultants or managed service providers. These partners can help bridge the gap while you hire and train internally.

You should also prioritize. Not every project needs to happen at once. Focus on what will make the biggest impact—whether that’s patching critical systems, rolling out MFA, or improving detection and response.

And don’t forget to revisit projects you paused before. Make a list of what’s on hold, review the risk, and build a phased plan to get back on track as new hires come in or workloads lighten.

Security is a moving target. The more you delay, the more vulnerable you become. Keep projects alive, even if it means approaching them in smaller, smarter ways.

14. 42% of companies say lack of internal training hinders cybersecurity hiring

You can’t always hire your way out of a problem—sometimes you have to grow the solution from within. But nearly half of companies say they aren’t doing enough internal training to make that happen.

That’s a missed opportunity. If you have smart, capable people in your organization, you might already be sitting on untapped cybersecurity talent. They just need the right support.

Start by identifying team members in IT, development, or operations who show interest in security. Then, offer them training paths—like online courses, certifications, or internal mentorship programs.

You don’t need to spend a fortune. Plenty of great cybersecurity training exists at low or no cost. What matters more is making it part of your culture. Give employees time to learn. Tie training to career paths. Reward those who invest in growing their skills.

Also, involve your current security team in mentoring. It helps junior staff grow, and it gives senior team members a sense of leadership and ownership that can improve morale and retention.

The more you invest in internal training, the less you’ll have to struggle with external hiring. It’s a long-term solution that pays off in loyalty, capability, and resilience.

15. Women make up only 24% of the cybersecurity workforce

Diversity isn’t just about fairness—it’s also about effectiveness. Teams with different perspectives solve problems better, spot risks others might miss, and innovate faster. But right now, cybersecurity has a big gender gap.

With women making up less than a quarter of the workforce, there’s a huge opportunity to bring more balance into the field.

Start by reviewing your job descriptions. Avoid language that feels exclusive or overly aggressive—studies show that women are less likely to apply if they don’t meet every requirement, especially if the tone feels intimidating.

Next, look at your interview panels. Are they diverse? If not, candidates might not see your workplace as inclusive or welcoming. Representation matters at every step.

You can also partner with groups and organizations focused on women in tech and cybersecurity. Sponsor events, offer scholarships, or create internship programs specifically aimed at underrepresented groups.

Finally, build a supportive culture. That means mentoring, career development, and flexibility. When women join your team, make sure they feel valued and heard—because that’s what keeps them there.

If you’re not actively working to change this stat, you’re missing out on half the talent in the market.

16. 62% of employers say job candidates lack hands-on cybersecurity experience

Theory and knowledge are great, but hands-on experience is what really counts in cybersecurity. And most employers say candidates just don’t have it.

That’s not always the candidate’s fault. Many training programs focus on concepts without giving learners the chance to apply them in real-world situations. And for new professionals, it’s hard to get experience when no one will hire them without it.

To bridge this gap, offer hands-on testing during the hiring process. Even simple challenges—like analyzing a log file or identifying vulnerabilities—can give you a better sense of a candidate’s potential than a resume alone.

Also, build an internship or apprenticeship program. These give you the chance to train someone in your tools and processes while they gain real-world experience.

If you’re hiring juniors, consider providing access to labs or sandbox environments where they can learn and grow on the job. Create a learning path that includes shadowing senior staff and gradually taking on more responsibility.

You don’t need candidates with years of hands-on experience—you need people who can learn, adapt, and grow with your team. Give them the space and support to do that.

17. 48% of cybersecurity professionals say their team is understaffed

Almost half of cybersecurity teams are trying to do more with less. That’s not sustainable. An understaffed security team can’t keep up with all the alerts, threats, and projects that demand attention. Eventually, things fall through the cracks.

If your team is stretched too thin, the first step is to figure out what can be cut or delegated. Not every task requires a senior security analyst. Some repetitive work can be automated with scripts or handed off to managed service providers.

Also, talk with your team. Ask what’s taking the most time and whether those tasks actually match their skill level. You might find that highly trained people are stuck doing routine work simply because there’s no one else to do it.

From there, build a hiring plan—but don’t aim for perfect. Focus on adding people who can reduce pressure quickly. Junior analysts, for example, can handle triage, basic monitoring, or ticket cleanup, which frees up your senior staff to focus on critical tasks.

Even a few strategic hires can make a big difference in reducing stress and improving security outcomes. Don’t wait for a crisis to admit you’re short-staffed—address it early, clearly, and with a plan.

18. 39% of organizations report a lack of cloud security expertise

As more companies move to the cloud, the demand for cloud security skills is exploding. But nearly 4 in 10 organizations say they don’t have the expertise they need to keep cloud environments secure.

This is a serious risk. Misconfigured cloud settings are one of the top causes of data breaches. And unlike traditional systems, cloud services move fast, change often, and require a different approach to security.

To close this gap, start with training. Offer cloud-specific security certifications to your team, like AWS Certified Security – Specialty, Microsoft SC-300, or Google Cloud Security Engineer. These aren’t just credentials—they teach real, hands-on skills.

If you’re hiring, prioritize candidates with experience in cloud platforms. Even if they don’t have deep security knowledge, someone who understands how cloud environments are structured will be much quicker to train than someone who’s new to both.

You can also work closely with your cloud providers. Most offer built-in security tools, best practice guides, and support services. Use them. Don’t try to reinvent cloud security from scratch when there are good resources available.

As your infrastructure evolves, your team’s skills need to evolve too. Make cloud training a core part of your security strategy—not an optional extra.

19. 41% of companies say automation can’t fully replace skilled cybersecurity staff

Automation is a powerful tool. It can handle alerts, scan for vulnerabilities, and flag suspicious behavior faster than any human. But here’s the truth: it can’t think like a person. And 41% of companies know that no matter how much automation you have, you still need real people.

Automation helps reduce the noise, but someone still has to investigate, decide, and act. You need skilled professionals to tune those tools, validate findings, and respond to complex threats. Without the right people, automation becomes just another alert generator.

So use automation wisely. Let it do the repetitive stuff—log analysis, rule-based filtering, routine compliance checks. Free up your human staff to focus on what they do best: critical thinking, decision-making, and strategy.

When hiring, look for people who are comfortable working alongside automation tools. Those who understand scripting, APIs, or platforms like SOAR (Security Orchestration, Automation and Response) will bring even more value.

And remember, automation doesn’t reduce the need for talent—it just changes the kind of talent you need. You’re not replacing people. You’re empowering them to do more with less.

20. Only 18% of cybersecurity applicants meet basic job qualifications

This stat reveals the core of the hiring crisis: most applicants simply aren’t prepared. Whether it’s lack of experience, the wrong certifications, or missing soft skills, 82% of candidates aren’t meeting the bar.

That’s frustrating—but it’s also a chance to rethink how you define your “bar.”

Instead of creating a long list of must-haves, try defining the key capabilities a person needs on day one. Can they think critically? Do they understand basic networking? Can they communicate clearly? From there, everything else can be taught.

You should also invest in candidate development. Work with local schools, community colleges, or bootcamps to help shape their curriculum around real-world needs. Offer mentorships, sponsor projects, or create entry-level labs for practice.

Inside your company, give hiring managers clear tools to evaluate candidates fairly. Use standardized assessments and scoring guides so that good potential isn’t missed just because someone doesn’t have the “right” background.

The more you help shape your own hiring pool, the more likely you are to find the right person—even if they don’t check every traditional box.

21. 54% of CISOs report hiring as their top operational challenge

For Chief Information Security Officers (CISOs), the biggest headache isn’t just defending against cyberattacks—it’s finding the people to do it. Over half say hiring is their number-one problem.

This isn’t surprising. Hiring delays lead to risk. Understaffing leads to burnout. And budget issues make it harder to offer competitive pay. When all of this lands on the CISO’s desk, it pulls their focus away from strategy and leadership.

To help fix this, CISOs need stronger partnerships with HR and leadership. Get involved early in the hiring process. Make sure job descriptions reflect the actual work, not a wishlist of impossible skills.

Push for a better candidate experience, too. The faster and smoother your hiring process, the more likely you are to land top talent.

CISOs should also advocate for long-term workforce planning. Don’t wait until you’re in crisis mode to start hiring. Build talent pipelines, fund internal training programs, and stay connected to industry groups that can feed you referrals.

Hiring is hard—but with the right strategy, it doesn’t have to be the roadblock that slows everything else down.

22. 30% of organizations hire underqualified candidates out of necessity

Sometimes, you can’t find the perfect hire. So you compromise. Three in ten companies are hiring underqualified candidates simply because they have no other choice.

That’s not necessarily a bad thing—if you have a plan to close the skills gap once the person is on board.

When hiring someone who isn’t fully qualified, be clear about the learning path. Assign a mentor. Set up weekly check-ins. Enroll them in online training or certification programs. Give them real work, but in a way that allows for mistakes and learning.

Also, manage expectations internally. Let your leadership team know this person is a grower, not a plug-and-play hire. Frame it as an investment—and track their progress to show ROI.

Over time, you may find that these candidates become some of your most loyal and capable team members. Why? Because you gave them a chance when others didn’t.

There’s nothing wrong with hiring for potential—as long as you follow through with support and development.

23. 68% of employers prioritize certifications over degrees in cybersecurity hiring

Degrees can be helpful—but in cybersecurity, what you can do often matters more than what school you went to. That’s why nearly 7 out of 10 employers now value certifications more than formal education.

Certifications like CISSP, CEH, CompTIA Security+, and OSCP show specific, verified knowledge. They prove that someone has taken the time to learn and be tested on real-world skills.

If you’re hiring, use certifications as one filter—but don’t treat them as everything. Some great candidates may be self-taught or still working toward certification. Look at the full picture.

For your internal team, make certification part of your development plan. Pay for exams, give people time to study, and celebrate when they pass. It’s a win-win—your team gets smarter, and your company becomes more secure.

Also, if you’re mentoring new talent, help them choose the right certifications for their career goals. There’s no one-size-fits-all path, and choosing wisely saves time and money.

Focusing on skills over diplomas opens the door to a broader, more capable workforce. And in today’s market, that’s a smart move.

24. 26% of cybersecurity professionals work more than 50 hours a week

Working 50+ hours a week might be manageable for a short time, but when it becomes the norm, problems start to build. Over a quarter of cybersecurity professionals are logging this kind of overtime regularly, and that’s a big red flag.

Long hours may seem like a sign of dedication, but in reality, they’re a warning signal. Constant overwork leads to fatigue, mistakes, and eventually burnout. And when security professionals are tired, they’re more likely to miss key threats or make critical errors.

To tackle this issue, first take a look at your team’s workload. Are they doing more than they should because of understaffing, inefficient tools, or outdated processes? Streamlining tasks through better automation or improved tools can ease the pressure quickly.

Also, rotate responsibilities. If the same person is always on call, running point on incidents, or handling audits, they’re going to burn out fast. Share the load fairly and give people time to recover.

Lastly, encourage healthy work boundaries. Make it clear that working excessive hours isn’t a badge of honor. If you want your team to be sharp, alert, and motivated, they need downtime—real, uninterrupted rest.

Healthy teams do better work. Protect your staff’s time, and they’ll protect your business better in return.

25. 52% of organizations offer increased compensation to attract cybersecurity talent

More than half of companies are using money to compete—and in today’s talent market, that’s not just smart, it’s necessary. Cybersecurity professionals know they’re in demand, and many are shopping around for better offers.

If you’re struggling to hire or keep talent, reviewing your compensation package is a good place to start. Look at current salary benchmarks in your region and industry. Are you paying competitively? If not, you’re likely losing candidates before they even apply.

But pay alone won’t fix everything. Combine compensation with flexibility, growth opportunities, and a supportive culture. A higher salary might attract someone, but meaningful work and career growth are what keep them.

Also consider offering bonuses for certifications, performance, or project completion. These targeted rewards can be motivating without requiring a full salary restructure.

In a competitive market, you have to be willing to invest in your team. Compensation may not solve all your hiring challenges, but it can give you the edge you need to win top talent.

26. 43% of cybersecurity job postings remain open for 90+ days

When a job stays open for three months or more, it’s a clear sign that something isn’t working. Either the role is too specialized, the requirements are too high, or the offer isn’t competitive.

Long-open roles also hurt morale. Teams waiting for backup can become frustrated and overworked. Projects stall, and risks go unaddressed. Eventually, the team starts to fray.

To fix this, start with the job description. Are you asking for more than necessary? If you’re looking for someone with 10 years of experience, five certifications, and niche technical knowledge—all for a mid-level salary—you’re going to be waiting a long time.

Next, examine your hiring process. Is it moving quickly? Are candidates being kept in the loop? Streamlining your interview steps and responding faster can help you close roles more quickly.

If the role really is hard to fill, break it into smaller roles. Maybe one part-time contractor can handle threat monitoring, while an internal junior hire focuses on compliance. Sometimes two smaller solutions are better than one big one.

Open roles create open vulnerabilities. Take action early to revise, simplify, or restructure your hiring approach before delays turn into risks.

27. 38% of security teams lack expertise in emerging technologies like AI and IoT

Cybersecurity doesn’t stand still. As new technologies like artificial intelligence (AI) and the Internet of Things (IoT) become more common, attackers are shifting their focus—and many security teams are not keeping up.

More than a third of security teams lack experience in these areas, and that leaves gaps that bad actors are quick to exploit.

To stay ahead, make emerging tech a core part of your training strategy. Offer workshops, attend conferences, or bring in guest experts to give your team hands-on exposure to the tools and threats that come with AI, IoT, and other fast-moving tech.

When hiring, look for curiosity and adaptability. A candidate who understands the basics of machine learning or smart devices—even if they aren’t an expert yet—can grow quickly with the right support.

Also, partner with other departments. Your product or R&D teams may be deploying these new technologies before your security team even sees them. Create a culture of early collaboration so security can be baked into the process—not patched in later.

The future is already here. Make sure your team is prepared to secure it.

28. 49% of companies plan to increase cybersecurity staff next year, despite hiring struggles

Even with all the challenges—long hiring times, burnout, and skills gaps—nearly half of companies still plan to grow their security teams. That’s encouraging, but it also means competition for talent will only get fiercer.

If you’re planning to grow, start preparing now. Build relationships with candidates, universities, bootcamps, and training programs. Don’t wait until you have a job opening—start the conversation early so you have people in your pipeline when you need them.

Also, invest in your brand as an employer. Talented professionals want to work where they’re supported, valued, and given room to grow. Showcase your culture, your values, and your commitment to career development.

Think beyond hiring, too. Improving your onboarding process can help new hires get up to speed faster. Developing clear career paths can help you retain them longer.

Growth is good—but only if it’s strategic. Prepare, plan, and build an environment where new cybersecurity professionals can thrive.

29. Only 29% of organizations have formal cybersecurity career pathways

Without clear career paths, cybersecurity roles can feel like dead ends. That’s a big reason people leave—and a big reason some never apply in the first place.

Yet fewer than one in three companies have formal paths for advancement. That’s a missed opportunity to keep your best people and attract more.

To fix this, map out what a career in your security team can look like. What’s the next step after junior analyst? What skills or certifications are needed to move into management? Put it on paper, make it visible, and talk about it during interviews.

Also, build a learning culture. Give your team time, tools, and encouragement to pursue growth. Pair people with mentors. Fund certification programs. Track progress and reward milestones.

When people can see a future in your organization, they’re far more likely to stay and succeed.

Clear career paths don’t just retain talent—they help build it from within.

30. 55% of cybersecurity leaders say the talent gap has worsened in the past two years

This last stat brings everything into focus. The problem isn’t getting better. In fact, more than half of cybersecurity leaders say it’s getting worse. That means the time to act is now.

You can’t wait for the talent gap to close on its own. You have to build your own solutions—by growing internal talent, being flexible in hiring, and creating a workplace where cybersecurity professionals want to stay.

Start small if you need to. Improve one job description. Launch one internship. Offer one training stipend. These steps add up.

Also, stay involved. Security isn’t just the job of your analysts—it’s a team effort. Support from HR, leadership, and IT can make a huge difference in how fast and how effectively you can grow your security team.

This gap is real. It’s serious. But it’s also solvable—if you’re willing to adapt, invest, and lead.

Wrapping it up

The cybersecurity skills gap is real, it’s growing, and it’s affecting almost every industry. But the good news? It’s not unsolvable. Every challenge highlighted in this article is also a call to action.

Whether it’s long hiring cycles, unrealistic job expectations, or retention issues, each one presents a chance to rethink how we approach cybersecurity talent.