A new global study by cybersecurity training provider SANS Institute and certification body GIAC finds that the cybersecurity workforce crisis may be more misunderstood than ever.
In a sharp break from headlines focused on unfilled roles, the 2025 Cybersecurity Workforce Research Report reveals that 52 percent of cybersecurity leaders say the real issue is not the number of people but a lack of the right people with the right skills.
The study, based on insights from nearly 3,400 cybersecurity and HR managers, shows a clear shift in mindset. Organisations are no longer prioritising headcount growth. Instead, they are investing in skills development, internal training, and more strategic collaboration between cybersecurity and HR teams.
“My personal perspective is that we don’t actually have a talent shortage in cybersecurity,” said Helen Patton, former CISO and cybersecurity leader at Cisco. “The real issue lies in understanding the skill sets that are needed for the kinds of roles you have and finding the people who have those skill sets.”
The shift is not just philosophical. This year’s data confirms that technical capability has overtaken work experience and academic degrees as the most valued hiring qualification. Certifications now rank second, with hiring managers placing increasing value on validated, job-ready skills rather than resumes padded with credentials.
“A couple of years ago, it was 70 percent technical expertise and 30 percent attitude,” said Aus Alzubaidi, CISO at MBC Group. “Today, we’re approaching 25–75, where most of the profile is based on attitude. Adaptability and eagerness to learn are now non-negotiable.”
Workplace culture and flexibility also emerged as central themes in both hiring and retention. According to the study, 34 percent of organisations say working well within a team is the most important cultural value in a cybersecurity hire. Remote work, development programmes, and clearly defined career paths are now being recognised as competitive differentiators.
“We frame soft skills as power skills because, in cybersecurity, we’re here to build teams,” added Lynn Dohm, Executive Director of Women in Cyber Security (WiCyS). “Some of the best talent we’ve recruited came from accounting, education, and other unexpected places.”
The study also shows early signs that regulations like NIS2 and DORA are already shaping hiring practices. Nearly half of European organisations say their workforce strategies are now being influenced by privacy, compliance, and risk management mandates.
This comprehensive report, based on global survey responses from HR and cybersecurity managers, offers valuable insights on how these two roles can collaborate effectively to build, develop, and retain high-performing cybersecurity teams.
The full report, available for download, delves deeper into insights around:
- How the cybersecurity skills gap is evolving and what it means for your organisation
- The critical role of cybersecurity training and certifications in team development and retention
- Effective collaboration strategies for HR and Cybersecurity Managers in the hiring process
- Adapting to changing workplace values and how they impact hiring and retention
- 8+ case studies from industry leaders like United Airlines, Cisco, IBM, Airbus, Middle East Broadcast Corporation, and more