What's causing the cybersecurity skills gap?

Cybersecurity is the biggest technical skills gap. And with AI, quantum, and workforce shortages, it’s only expected to get worse.

Closing the gap is vital to reducing risk, data breach costs, and other expenses. But before you can close the gap, you have to understand what’s causing it. 

In this article, we explore key causes of the cybersecurity skills shortage and chart a path forward to improve your organization’s cyber readiness.

According to Fortinet’s 2025 Cybersecurity Skills Gap report, lack of cybersecurity awareness and training is the top cause of breaches.

Organizations are already facing the consequences of the cybersecurity skills shortage. But how did we get here?

First and foremost, there simply aren’t enough security professionals. In fact, 4.8 million cybersecurity roles remain unfilled, representing a 19% year-over-year increase.

These staff shortages impact more than skills gaps. There's also a direct link between staffing shortages and higher data breach costs. According to the 2022 Cost of a Data Breach Report, organizations with insufficiently staffed security teams faced an average breach cost of $4.56 million ($550,000 higher than those with sufficient staff).

Similarly, the 2024 report revealed that the growing skills gap contributed to a $1.76 million increase in average breach costs.

In many organizations, AI and automation have replaced the need for entry-level security professionals. As a result, the talent shortage is most noticeable for mid- and senior-level roles. 

Organizations are primarily looking for practitioners who have several years of hands-on experience and/or specialized skill sets unique to their business needs. The problem, of course, is that experienced or niche professionals are harder to find and recruit.

As you look to fill your organization’s skills gaps, don’t limit your search to only senior professionals with the exact skillsets you need. Instead, consider entry-level talent with the desire to learn and grow. 

As time goes on, you can build their skills and knowledge to address your organization’s gaps. By providing career development opportunities, you’ll also build their loyalty and improve retention.

Learn why upskilling is better than hiring for tech roles.

Wider economic conditions have impacted organizations and led to widespread budget cuts, hiring freezes, and layoffs. In fact, 36% of organizations have experienced cybersecurity budget cuts in the past 12 months, and nearly a quarter have undergone layoffs.

The rising cost of cybercrime also doesn’t help: The global average cost of a data breach is $4.4 million. 

Budget cuts and layoffs can be necessary short-term solutions, but you also need to consider the long-term cost of compounding skills gaps. Layoffs and less funds for training will only make those gaps more pronounced.

Cybersecurity professionals are constantly battling threats and anticipating the next attack. Unsurprisingly, this takes a toll on their mental health. 

One-third (32%) of cybersecurity professionals are kept awake at night by job stress, and at least two-thirds (65%) have considered leaving their job because of stress. It’s not just individual practitioners, either. 52% of organizations say directors or executives have faced fines, jail time, loss of position, or loss of employment following a cyberattack.

Losing talented professionals only widens the skills gap. And the longer those roles sit open, the wider those gaps become.

Rather than ignoring the problem and hoping it goes away, give your people proper support. Talk about mental health openly, provide rewards and recognition, and promote work-life balance.

You aren’t solely responsible for your employees' mental wellbeing. But a few simple actions can improve their work environment and keep burnout to a minimum.

Uncover six ways to support your team’s mental health.

If you’re among the lucky few to have sufficient staff and resources, it still might not be enough to bridge the skills gap. 

New technology presents new cybersecurity risks, and organizations are adopting emerging tools before their employees understand the risks they pose or how to use them for defense. 

Consider AI and quantum computing. These days, threat actors can use AI to automate personalized, sophisticated social engineering attacks at scale. There’s also adaptive malware that can adapt to security measures in real-time.

That’s not to mention the looming quantum threat. Even though 69% of senior cybersecurity managers recognize the risk quantum computing poses to legacy encryption technologies, only 5% have implemented quantum-safe encryption. 

The bottom line: Tech is changing faster than employees can learn. 

Already, lack of staff with sufficient AI expertise is the biggest challenge for IT decision makers when it comes to implementing AI in cybersecurity.

Annual security training and lengthy video courses are no longer enough for non-tech professionals, much less security pros. Organizations need to level up their learning and development strategies if they want skills to keep pace with tech. That includes providing hands-on projects, personalized learning paths, and learning opportunities alongside day-to-day work.

The security skills gap won’t disappear overnight. It’s going to take sustained effort to make a long-term impact—and it all starts with your people. Investing in them and their growth is how you’ll overcome these challenges and build a resilient security culture.

Uncover strategies to boost your organization’s cybersecurity readiness. Get your copy of Cybersecurity in the AI Age: How to Go from Skills Gaps to Cyber Resilience.