The cyberskills gap: The ongoing issue in cybersecurity

The cybersecurity industry is faced with a growing skills gap, with demand for skilled professionals far outpacing supply. As cyber threats become more sophisticated, organisations are struggling to protect their systems and data with the minimal talent available. CISOs and their peers are aiming to bridge this disconnect through building a more resilient workforce for their companies and the wider cybersecurity industry.

The ongoing security skills gap presents major challenges for both businesses and government bodies. Almost every industry is affected, with successful attacks causing major reputational and financial damage. It is a growing concern that organisations can’t afford to ignore.

The problems are multifaceted. There is a widening gap between the number of skilled professionals available and the demand for them, driven by the increasing complexity and vast volume of cyber threats. The sheer pace of digital transformation has accentuated the impact of the skills gap. As technology advances, so does the sophistication of the threat landscape organisations face, so the breadth and depth of skills needed are constantly increasing and changing.

As the threat landscape evolves, so too must the cybersecurity workforce. However, this has led to burnout among many cybersecurity professionals. Understaffed teams put pressure on existing frameworks, forcing employees to work longer hours and take on a higher workload. This can increase staff turnover, leaving critical systems unprotected and open to breaches.

Following are three potential solutions to address the cyberskills gap: upskilling, outsourcing and educating.

Upskilling

Cybersecurity as a career choice can still seem too technical or inaccessible to many, limiting the talent pool even further. However, leaders in cybersecurity have found that upskilling employees who are proficient in soft skills and have a drive for learning is one of the best ways to combat the shortage of cybersecurity talent.

Mark Bowling, Chief Risk, Security and Information Security Officer at ExtraHop said: “Upskilling existing staff could be a big part of the solution. Many companies already have capable employees who, with the right training and development, could step into cybersecurity roles. Building internal programmes that focus on professional growth and training can go a long way in addressing the talent gap. It’s not a quick fix, but it’s definitely possible if companies commit to it and provide employees with the time and resources they need.”

“For too long, the tech industry has prioritised technical qualifications and sector experience over crucial transferable skills,” said Amanda Finch, CEO at the Chartered Institute of Information Security. “Although technical skills are important, cyber professionals consistently say that the most valuable skills in their profession are communication and management, analysis, and problem solving – not technical ability. Encouraging a diverse set of skills and pulling from anywhere in the workforce will help teams keep pace. For instance, HR specialists should have many of the communication and problem-solving skills we need in our cybersecurity teams.

“The key is making people outside the tech team aware of the opportunities available to them. But it also means showing there are opportunities to re-train and join from any career stage: from school leavers who are still exploring their options, to job changers who feel in a rut, to returning workers who want new challenges and opportunities after a career break. The opportunities are out there but if teams can’t shout about them, they’ll slip under the radar.”

Haris Pylarinos, CEO at Hack The Box, an organisation that specialises in addressing the cyberskills gap through training and upskilling, said: “The continuing skills gap highlights the need for businesses to invest in both transformative recruitment strategies and ongoing upskilling, including crisis simulations. This ensures defenses remain agile and responses to cyber threats, particularly against critical infrastructure, improve.

“Practical, hands-on learning is key, with tabletop exercises fostering cross-business alignment on security and guiding crisis response. Gamified learning environments based on real-world scenarios can also enhance engagement and effectiveness, offering real-time feedback for applying knowledge to real-world challenges.

“Equally important are soft skills, such as creativity, persistence, communication, and a ‘hacker mindset’ – an interest in how systems work. All of these are vital in navigating today’s complex cybersecurity challenges. Effective communication, particularly during crises, enables professionals to relay threats and their implications clearly to security teams and senior leadership. Hiring practices should prioritise these soft skills, as they contribute to long-term success in the field.”

Outsourcing

While upskilling existing employees is an effective method to combat the cyberskills gap, many small and medium-sized businesses (SMBs) do not have the luxury of a large workforce to train and develop.

“The cyber skills gap is an issue that more intensely impacts SMBs due to their limited budgets and resources available. Many SMBs simply can’t compete with larger enterprises that can offer higher salaries within larger teams, meaning the already insufficient talent pool of skilled professionals is disproportionately affecting the SMB sector,” said Dave Atkinson, Founder and CEO of SenseOn.

“Cyber criminals are aware of this and while the financial gains may be smaller, SMBs are often viewed as easy prey, with small cyber teams – often just one or two people – unable to keep on top of the volume of threat detection alerts they must manage.

“This shortage can lead to serious issues, such as data breaches, operational disruptions and reputational damage. To mitigate these, SMBs often end up overspending on siloed security tools in the hope it keeps them secure, but this inadvertently adds complexity and creates even more security gaps.”

Because of this, SMBs are often best served by outsourcing their cybersecurity protection to specialists that have the appropriate infrastructure to monitor incoming threats.

Charlotte Web, Operations Director at Hyve Managed Hosting said: “Managed Service Providers (MSPs) play a pivotal role in addressing the cyber skills gap, particularly for SMBs that often lack the resources to have an in-house team. According to research, 65% of UK businesses already utilise MSPs. These partnerships provide SMBs with access to specialised skills they may struggle to develop internally, allowing them to navigate increasingly complex IT landscapes with confidence.

“Data breaches caused by the skills gap are common, with 20% of UK businesses having been directly impacted. A key advantage of MSPs is their ability to fill this security knowledge gap for businesses. This support is especially helpful for industries like healthcare and finance, where data security is crucial, or e-commerce where downtime can severely impact customer loyalty and brand image.”

Educating

While individual businesses are tackling the cyberskills gap, opportunities and education in the cybersecurity sector are few and far between for young people. Educating young people about the skills, benefits, importance, and opportunities that cybersecurity brings could be crucial in addressing the cyberskills shortage.

Jill Knesek, CSO at BlackLine said: “One of the main problems is the educational pipeline in cybersecurity. We are facing a significant shortage of candidates with specialised skills, particularly in cybersecurity. To address this issue, we need to start promoting cybersecurity careers at an earlier stage. It’s important to engage high school students or younger and ensure that we are discussing cybersecurity with this generation. It’s a great job with numerous benefits, but one thing people overlook is the multitude of career paths it offers.

“We need to get positive messages across and make more people consider cybersecurity as a career path or college degree. We need people to enter the industry early so that their skills, knowledge, and experience can evolve as the environment around them does.”

Additionally, Deepa Kuppuswamy, Information Security Architect at ManageEngine commented: “Closing the cybersecurity skills gap requires opening the doors to broader routes of entry. Apprenticeships and workplace training programs can make careers in cyber more accessible to people across the UK, particularly those from diverse and non-traditional backgrounds. These pathways not only address talent shortages but also enrich the sector with a wide range of perspectives – essential for innovative problem solving in a constantly shifting environment.

“Educators and professionals must stay ahead of these trends by fostering lifelong learning environments. Educational institutions should start early, embedding core digital literacy and security awareness in the curriculum, while businesses must actively support ongoing development, offering employees access to advanced certifications and hands-on training.

“By embracing alternative routes to careers in cybersecurity and prioritising continuous learning, we can build a robust talent pipeline ready to tackle both today’s and tomorrow’s challenges. Together, industry and educators can ensure that we remain robust in the face of evolving cyberthreats.”
