Cracking Cyber’s Talent Gap Challenge

Cybersecurity leaders continue to face a familiar scenario: there aren’t enough qualified people to fill open roles. However, industry reports frequently reference large quantities of open roles within some of the leading organizations in the sector. As the threat versus talent gap widens, who is telling the truth? What is the catalyst? And is it as bad as they are claiming?
The reality is a lot more nuanced than a straightforward talent shortage. Organizations claim they can’t find talent, while candidates say they can’t find jobs. Cybersecurity’s hiring challenges do not originate from a low volume of candidates; they originate from how organizations define talent, structure roles, and invest in developing the workforce they already have.
The Talent Gap Isn’t What It Seems
Hiring strategies are frequently underpinned by outdated assumptions of what cybersecurity talent should look like and where it should be sourced from. When job descriptions demand narrow technical requirements, extensive years of experience, or highly specific credentials, organizations miss out on candidates who provide unique value due to their diverse backgrounds and viewpoints.
According to the latest SANS workforce data, organizations may be bypassing junior talent entirely in an effort to hire more experienced workers amid rapid AI adoption, as skills requirements and competencies are changing. AI isn’t simply automating existing work; it’s generating entirely new categories of expertise. As organizations create highly specialized AI security roles requiring cross-functional expertise, they risk further widening the gap between entry-level capabilities and organizational needs.
Outdated Hiring Practices
Here’s what is most often overlooked: the hardest thing to find isn’t technical skills; rather, it’s “historians” inside the organization. These are the people who know how to have a conversation with the business unit lead, who understand it’s always a negotiation, and who possess knowledge of the company’s culture, information, and relationships. Hiring practices that fail to adapt to those shifts will then exacerbate the appearance of scarce qualified candidates, even when they are present in adjacent roles or within the organization itself.
While technical skills remain important, they are not the only success indicators. Curiosity, adaptability, and willingness to learn new concepts are equally critical in a field where tools and threats evolve quickly. Hiring strategies that focus exclusively on static credentials risk overlooking candidates who could grow into the role.
SANS’ workforce data shows that about a third of organizations are creating new, AI-specific responsibilities that require different skills, workflows, and organizational structures. This includes AI/ML security specialists, AI security engineers, AI governance analysts, and others who understand how AI systems can be attacked or defended.
In addition to seeking talent with core competencies, it is critical to align experience to the type of role being filled. Expecting senior-level experience for junior roles makes positions difficult to fill, delays the development of new talent, and opens an organization to risk. Flexible approaches that prioritize foundational and soft skills along with learning potential will help organizations build stronger occupational pipelines over time.
Underutilized Internal Talent
One of the most effective ways to address these challenges is to develop talent already inside the organization. Upskilling and reskilling are strategic survival requirements for operational readiness, for both security teams and those in non-security roles. This should include talent development programs, cross-training of existing IT staff, and targeted outreach to under-resourced communities.
These employees bring institutional knowledge that is simply too hard to replace — to do so would take years and a hefty budget. Recognizing and developing these internal “historians,” people who understand how the organization operates, can strengthen your business’s operational resilience and continuity.
However, it’s equally important to understand that the skills that build a program won’t sustain it. Training must be approached intentionally as a skills development strategy instead of a talent retention tool. As threats and technologies evolve, so must the skills of the workforce. With appropriate training and investment, employees across other departments can contribute to security efforts in ways that complement technical specialists. This redefinition requires leaders to look inwards, rather than seeing talent solely as new hires.
Rethinking the Role for What’s to Come
“Solving” the cybersecurity workforce challenge requires a shift in perspective: it’s not a shortage of available professionals; rather, it requires a fundamental rethink of how hiring models, training investments, and role definitions influence outcomes.
This shift also requires acknowledging that the skills needed today differ from those needed just a few years ago. AI-centered competencies are becoming increasingly important, and teams must be prepared to understand how emerging technologies affect both defense and risk.
Building resilient security teams will depend not only on recruiting new talent but also on redefining how talent is identified, developed, and supported. The gap is not an unsolvable mystery, but addressing it requires intentional changes in how organizations think about and invest in their people.









