Cybersecurity Skills Gap Is Now the Top CISO Concern, SANS 2026 Report
https://www.cybersecurity-insiders.com/cybersecurity-skills-gap-ciso-concern-sans-2026-report/
Publish Date: 2026-05-31 15:28:00
Source Domain: www.cybersecurity-insiders.com
Sixty percent of chief information security officers now cite the cybersecurity skills gap as their primary workforce concern, overtaking headcount shortfalls for the first time, according to the SANS/GIAC 2026 Cybersecurity Workforce Research Report, which surveyed 947 security leaders across industries globally.
- 60% of CISOs named “not having the right staff” as their top challenge; only 40% chose “not enough staff”
- AI is the primary driver: rapid enterprise AI deployment has exposed gaps in what existing teams know how to secure
- The report identifies nine strategic recommendations, led by developing formal AI governance programs and baseline AI security training
- Hiring alone will not close the gap: the market for highly skilled AI-security practitioners is too small and too expensive
SANS 2026 Report: CISOs Rank the Cybersecurity Skills Gap Above Headcount for the First Time
Rob T. Lee, SANS Institute’s chief of research, sees a direct line from AI adoption to the skills shift. Corporations have deployed AI across every business function, creating a technology stack that security teams were not hired or trained to defend. The gap that emerged is not in org-chart slots, Lee said; it is in what the people filling those slots are equipped to do.
The challenge compounds at the assessment layer. “It is hard to assess through a simple survey question,” Lee acknowledged. Marling Engle, CEO of Cyberstar, an automated cyber talent management platform, put the problem plainly: companies are posting entry-level roles that require advanced competencies “because they don’t have a good match for what is in the field and what they actually need.”
Two structural fixes are available today, both grounded in standardized skills frameworks. The National Initiative for Cybersecurity Education (NICE) framework and its international equivalents provide shared vocabulary for what a given role actually requires. Engle urges CISOs to…