The threat landscape is ballooning. Bad actors, unfettered by the constraints of legitimate enterprises, are embracing AI for faster, more effective attacks on a growing scale. At the same time, companies are tightening their budgets and adopting their own AI use cases to streamline security operations. When there are fewer resources for job creation, coupled with greater threats, hiring the right talent is critical.
The cybersecurity talent gap has been an industry talking point for years, but the solution isn’t as simple as filling open roles with bodies. Hiring requirements are rapidly shifting, and the talent pool must respond in real time. Tomorrow’s jobs may not even exist yet.
That is what CISOs are up against as they consider what tools, skills and people they need to defend their organizations — this year and going forward.
In-demand roles and skills
Today’s CISOs and other cybersecurity hiring leaders are going to be increasingly interested in people with skills that enable them to manage cross-functional responsibilities, according to Pete Luban, field CISO at AttackIQ, a security validation and exposure management company.
“We don’t need white hats; we need strong cross-functional cybersecurity experts. And there’s a vast shortage of those,” he said.
The growing adoption of continuous threat exposure management, a framework introduced by Gartner, is also breaking down the barriers between traditional skill sets. While security teams used to be made up of several individual specialists, this may be changing.
“You had a vulnerability person, you had a threat hunter, you have an engineer who’s writing automation. I think those things are no longer going to be individual cybersecurity skill sets,” Luban said. But the talent pool hasn’t quite caught up with these new expectations. “It’s difficult to hire a person like that because I don’t think they exist yet.”
Over time, as people with new skill sets emerge, there is the distinct possibility of new job roles, particularly focused on AI. Unsurprisingly, AI is at the top of the list for in-demand cybersecurity skills; 41% of the 16,029 cybersecurity practitioners who participated in the 2025 ISC2 Cybersecurity Workforce Study reported it as the most critical skills need.
“We need skill sets around understanding it, engineering it and protecting it,” said Jon France, CISO of ISC2, the nonprofit member association for cybersecurity professionals that published the study.
Debby Briggs, vice president and CISO at cybersecurity company Netscout, agreed that AI developments have added new specialized skill requirements, from prompt engineering to web app penetration testing and, soon, AI penetration testing.
Briggs also noted the need to develop a role focused on reviewing new AI tools before they are introduced inside an organization. “Right now, the person in security that can review that is me,” she said. “You don’t want your CISO being the person to do that.”
Cloud computing security came in second on the list of security team skills needs, cited by 36% of respondents to the ISC2 survey. This is also posing hiring challenges; France described cloud securitization and architecture roles as “a little trickier to fill.”
Technical skills are, naturally, a big part of what CISOs need in their hires, but hiring managers are also looking for nontechnical skills. More than half of the hiring manager respondents (54%) in ISC2’s report said that strong problem-solving skills were a top skill need. Teamwork and communication came in second and third.
These skills are particularly valuable as cybersecurity professionals’ responsibilities shift. Hiring managers want to know: Can they adapt to how quickly their environment is changing and work alongside their teammates to do so?
The gap between open roles and available talent
A casual look through your LinkedIn feed might reveal a story that seems at odds with an industry that routinely talks about needing talent. You probably won’t have to scroll very far before you find a post from a cybersecurity professional detailing a frustrating hunt for work.
“It floors me that there are really qualified people, or people who appear to be really qualified, on LinkedIn that are sending out hundreds of resumes and they’re not hearing [back] at all,” Briggs said.
If employers are looking for cyber talent and there are qualified people in the market eager to be hired, why aren’t they connecting?
Budget constraints are an obvious culprit. Last year, 36% of organizations reported cybersecurity budget cuts, 39% reported hiring freezes, and 24% reported layoffs, according to ISC2’s 2025 report.
Many organizations tend to have a sector-specific approach to hiring that could also contribute to the disconnect with job seekers. A financial institution may want to fill a cyber role with someone who has specific finance experience, France offered as an example.
And that isn’t the only way in which experience arises as an issue between cyber talent and employers. “We’re all looking for someone with four or five years’ experience. And we’re getting people with no experience or decades’ worth of experience,” Briggs said. Even entry-level positions often require two to three years of experience — which she acknowledged is not actually entry-level, by definition. “I think the industry has to get real with itself,” she said.
Talent does not develop on its own. Employers play a role in investing in and growing the skill sets they need to fill their cybersecurity needs.
“You as a CISO and you as a person manager own the responsibility to grow and retain that talent,” Luban said.
People in the cybersecurity space tend to be a curious bunch. That eagerness to learn and adopt new skills is something employers can leverage, particularly as they look for people to integrate AI knowledge and even fill new AI-focused roles.
That might mean hiring people who demonstrate more general skills, like strong problem-solving, which can be honed to fit specific, technical needs.
“Don’t go looking for a unicorn. Go and train a few horses to be unicorns,” France said.
The risk of unfilled roles
Efficiency is the remit of AI. As it makes cybersecurity professionals faster, the expectation will be to do more with less — and budgets are being adjusted accordingly.
“Belts are tightening everywhere when it comes to human resources. With the introduction of AI and all of these other things that essentially remove a lot of the arduous tasks and the monotonous things, it would naturally suggest that it’s going to take less people to do more,” Luban said.
But while AI is a powerful resource for cybersecurity teams, it is not a replacement for human talent. On the 2025 ISC2 report, 72% of respondents said that significant cyber personnel reductions increase the risk of a breach. What worries CISOs about the challenges around finding talent and today’s threat landscape?
The speed at which AI is developing and being adopted is a primary concern. “I think nefarious people are moving faster than the white hats are,” Briggs said.
Threat actor groups can behave like enterprises: They can invest in research and development, they can collaborate, they can scale. But unlike their victims, they do not have to answer to a board or regulators or investors. CISOs, conversely, have to manage budgets, vet AI tools, guide responsible implementation and continuously monitor the performance of these tools. They also must consider the risks that come with internal — and well-intended — use of AI tools.
“The potential for misuse and irresponsibility creates a cybersecurity threat that is on par with RomCom or the biggest threat actor group out there,” Luban said.
On top of all of the security demands stemming from adopting AI tools, they also need to manage the security of legacy technology while thinking about the threats just around the corner. France said he is thinking about the security implications of quantum computing in the not-too-distant future. Briggs said she is worried about API management.
CISOs need resources, both people and technology, to keep up. Operating without the right talent — and without enough of it — weakens enterprises’ business resilience.
AI is going to help CISOs mitigate risk in some ways: It will automate some security functions, it will augment human workers’ capabilities. But it will not eliminate the need to find and develop talent, at least not yet. Employers that want to keep up with today’s landscape may find that actively investing in the development of the talent they need is a worthwhile pursuit.
“Here’s the social contract: Security employees need to be curious, need to want to learn,” France said. “The employers need to give them the space and the capability to execute on that curiosity and to learn.”
Enjoyed this article? Sign up for our newsletter to receive regular insights and stay connected.