27% of Breaches Are Caused by Skills Gaps: Why Hiring Isn't Fixing Your Cybersecurity Problems

The Cybersecurity Workforce Crisis Has Shifted

For years, the cybersecurity industry narrative has been consistent: we can't fill open positions fast enough. The "skills gap" was a headcount problem. Hire more people, and the problem goes away.​‌‌​​​‌‌‍​‌‌‌‌​​‌‍​‌‌​​​‌​‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​‌‌​​​‌‌‍​‌‌‌​‌​‌‍​‌‌‌​​‌​‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​‌​‌‌‍​‌‌​‌​​‌‍​‌‌​‌‌​​‍​‌‌​‌‌​​‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌‌​​‌​‍​‌‌​‌​​‌‍​‌‌‌​​‌‌‍​‌‌​‌​​‌‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​​​​‌‍​‌‌​‌‌‌​‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​‌‌​‌‍​‌‌​​​‌​‍​​‌​‌‌​‌‍​‌‌​​‌‌‌‍​‌‌‌​‌​‌‍​‌‌​‌​​‌‍​‌‌​​‌​​‍​‌‌​​‌​‌

The SANS 2026 Cybersecurity Workforce Research Report, based on 947 global respondents, reveals that narrative

is now wrong [1]. The problem has fundamentally changed.

For the first time in the report's three-year history, skills gaps decisively overtook headcount shortages as the industry's top workforce challenge. When asked to choose between "not having the right staff" and "not enough staff," 60% of organizations identified skills gaps as the greater problem, compared to 40% citing staffing shortages [1].​‌‌​​​‌‌‍​‌‌‌‌​​‌‍​‌‌​​​‌​‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​‌‌‌​​‌‌‍​‌‌​​‌​‌‍​‌‌​​​‌‌‍​‌‌‌​‌​‌‍​‌‌‌​​‌​‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌‌‌​​‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​‌​‌‌‍​‌‌​‌​​‌‍​‌‌​‌‌​​‍​‌‌​‌‌​​‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌‌​​‌​‍​‌‌​‌​​‌‍​‌‌‌​​‌‌‍​‌‌​‌​​‌‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​​​​‌‍​‌‌​‌‌‌​‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​‍​​‌​‌‌​‌‍​‌‌‌​​‌‌‍​‌‌​‌‌​‌‍​‌‌​​​‌​‍​​‌​‌‌​‌‍​‌‌​​‌‌‌‍​‌‌‌​‌​‌‍​‌‌​‌​​‌‍​‌‌​​‌​​‍​‌‌​​‌​‌

That 20-point gap has widened sharply from just four points a year ago. This isn't gradual evolution—it's a structural shift in how cybersecurity risk manifests in organizations of all sizes.

For small and medium businesses, this distinction is critical. Your cybersecurity problem isn't that you need another security analyst. Your problem is that your existing team may lack the specialized capabilities required to secure your specific environment, manage your risk profile, and respond to incidents effectively.

Why Skills Gaps Are Becoming Breaches

The SANS report contains perhaps its most alarming statistic: 27% of organizations report experiencing breaches as a consequence of workforce skills gaps [1].

Let that number sink in. More than one in four organizations that suffered a breach in the past year can trace that breach directly to not having the right capabilities on their team—not not having enough people, but not having the right skills.

This is a measurable security failure with direct business impact. According to IBM's Cost of a Data Breach Report 2025, the average breach costs $4.88 million globally [2]. When skills gaps are the root cause, that $4.88 million isn't a technology problem—it's a workforce development problem that could have been prevented.

The Capability Gap in Critical Infrastructure

The problem is most acute in critical infrastructure and industrial environments. These sectors don't fail because teams are understaffed alone. They fail when existing teams lack the specialized capabilities required to secure complex OT (Operational Technology) systems, manage industrial risk, and respond to incidents in real time [1].

For SMBs in manufacturing, healthcare, energy, or any sector with operational technology dependencies, this is the difference between a minor security event and a business-disrupting incident. When your security team understands IT security but not OT security, you have a skills gap that attackers can exploit.

The AI Complication

Artificial intelligence is compounding the shift in ways the industry is still processing. The SANS report found that 74% of cyber teams report AI is actively changing team size and role structures [1].

Entry-level roles—SOC analysts, threat intelligence analysts, incident responders—are among the most affected, with reductions reported at 32%, 26%, and 22% respectively [1]. These roles have traditionally been the training ground for cybersecurity talent. They're where juniors learn the fundamentals before advancing to senior and expert positions.

When AI reduces these roles, it doesn't just save money—it erodes the pipeline that produces tomorrow's experts. James Lyne, CEO of SANS Institute, warns: "If we signal that the lower end of cybersecurity is going to be replaced by AI, even if that's not the truth, and we don't end up with enough practitioners learning foundational skills, we won't have seniors and experts later" [1].

For SMBs, this creates a future risk: today's experts are expensive because they're scarce. If the pipeline that produces new experts is disrupted, expertise will become even scarcer and more expensive. The cost of fractional cybersecurity services will rise as supply tightens.

The Regulatory Pressure Cooker

Regulatory pressure on cybersecurity hiring has surged from 40% to 95% in just one year [1]. That's not incremental change—that's a complete transformation of the hiring landscape.

For critical infrastructure sectors, which sit directly within the scope of frameworks like NIS2 (EU), DORA (EU financial sector), and APRA (Australia), this pressure is not theoretical. It's actively reshaping workforce composition and forcing rapid capability validation.

The SANS report finds that 68% of organizations experience moderate to extreme impact from regulations on hiring [1]. Frameworks like NICE (US) and ECSF (EU) are becoming less about best practice and more about compliance necessity. 56% of organizations now use structured frameworks to define cybersecurity roles, up from 46% the previous year [1].

For SMBs in regulated industries, this creates a dual burden: you must maintain cybersecurity with limited budget while facing the same regulatory requirements as enterprises. Compliance is becoming a capability gate—if you can't demonstrate that your team has the right skills, you can't operate in your market.

The Hiring Paradox: More Openings, Harder to Fill

Despite the shift from headcount to skills, hiring challenges are intensifying at the expert and senior levels. The SANS report found [1]:

• 27% of organizations report expert roles as the most difficult to fill
• 22% cite senior roles, and 23% mid-level positions
• Collectively, these account for 72% of recruitment difficulty
• Only 4% report difficulty hiring entry-level staff

Time-to-hire data reinforces this pressure:

• 55% of senior roles take six months or longer to fill
• 38% of expert roles remain open for over a year [1]

For SMBs, these delays translate directly into prolonged exposure to risk. You can't wait 12 months to fill a critical security role while threats evolve daily. The gap between current capability and required capability is where breaches happen.

Why Traditional Hiring Isn't the Solution

If the problem is skills gaps, why not just hire more skilled people? The SANS report reveals several structural barriers:

1. Expertise Is Concentrated and Expensive

The report found that only 5% of organizations report no measurable impact from AI on their workforce [1]. That means 95% are scrambling to adapt to AI-driven changes while simultaneously trying to hire experts who understand AI security. Those experts are in brutally short supply, and their salaries reflect it.

For an SMB with a $50,000-$150,000 annual cybersecurity budget, hiring a $200,000/year AI security expert isn't just difficult—it's impossible. The economics don't work.

2. Training Constraints Are Self-Reinforcing

About 60% of organizations cite lack of time as the primary barrier to training, while 54% point to budget limitations [1]. This creates a self-reinforcing cycle: your team is too busy fighting fires to develop the skills that would prevent fires, so you keep fighting fires.

Rob T. Lee, SANS chief AI officer and chief of research, puts it bluntly: "Organizations have people. But those people are overwhelmed, under-resourced, and unable to develop the capabilities they need because they're too busy running today's operations" [1].

3. Career Path Uncertainty Deters Talent

About 32% of organizations cite unclear career paths as a major hiring challenge, up from just 9% the previous year [1]. Only 24% report having well-defined and clearly communicated cybersecurity career paths [1].

For SMBs, this is a recruitment killer. Top talent won't join your team if they can't see a growth trajectory. But you can't define that trajectory if you don't have cybersecurity expertise in-house to design it. Another self-reinforcing cycle.

What SMBs Can Actually Do About It

If hiring experts isn't feasible and internal training is constrained by time and budget, what's the path forward? The SANS data points to several strategies that align with SMB constraints:

1. Shift from Hiring to Building Capability

Instead of competing for scarce expert talent, focus on upskilling your existing team. The SANS report notes that 64% of organizations rely on cybersecurity certifications as their primary validation method [1].

For SMBs, this is actionable:

• Sponsor key team members for certifications (CISSP, Security+, CC, cloud-specific certs)
• Use certification study as structured capability building, not just test prep
• Map certifications to your specific risk profile (healthcare → HIPAA-focused, retail → PCI-DSS-focused)

The goal isn't to turn your IT generalist into a cybersecurity expert. It's to build enough specialized capability to manage your specific risk profile effectively.

2. Use Fractional Expertise Strategically

You can't afford a full-time CISO or security architect. But you might afford 10 hours per month of fractional CISO services, or a quarterly security architecture review.

This is where managed security service providers (MSSPs) and cybersecurity consultants fit. Use them for:

• Strategy and governance: Design your security posture, not just monitor it
• Capability assessment: Identify your actual skills gaps, not perceived ones
• Incident response preparation: Build playbooks before you need them
• Compliance mapping: Translate regulatory requirements into actionable controls

The key is using fractional expertise to build internal capability, not replace it. Every engagement should include knowledge transfer so your team becomes more capable over time.

3. Prioritize AI Governance Skills

The SANS report identifies AI governance, risk, and compliance as the top required competencies, followed by data security for AI and securing AI systems [1].

For SMBs, this is a leveraged skill investment. AI governance skills cover multiple risk vectors:

• Data protection (Privacy Act, HIPAA, GDPR)
• Third-party risk (AI vendor management)
• Compliance readiness (EU AI Act preparation)
• Incident response (AI-specific threats)

One person developing AI governance capability can de-risk multiple aspects of your security posture simultaneously.

4. Address the Training Barrier Structurally

If 60% of organizations can't train because of time constraints [1], the solution isn't "make more time"—it's embed training into operations.

• Lunch-and-learn sessions: 45-minute focused briefings on specific threats
• Simulation-based training: Use attack simulation tools to learn by doing
• Peer learning: Have team members present on security topics they've researched
• Micro-credentials: Break large certification paths into smaller, achievable milestones

The goal is to shift training from "something we do when we have time" to "how we operate every day."

5. Leverage Frameworks for Efficiency

With 56% of organizations now using structured frameworks like NICE or ECSF to define roles [1], SMBs can stand on the shoulders of giants rather than building from scratch.

Use existing frameworks to:

• Define role requirements: NICE and ECSF have already mapped cybersecurity roles to required skills
• Identify gaps: Compare your team's capabilities against framework-defined standards
• Validate compliance: Framework alignment makes audits simpler and faster
• Guide hiring: Framework-defined roles reduce ambiguity in job postings and candidate evaluation

For an SMB without a dedicated HR team, frameworks provide scaffolding that would otherwise require expensive consultants to build.

The Bottom Line

The cybersecurity workforce crisis has evolved. The problem isn't that you need more people—it's that your people may lack the right skills for the threat landscape you're facing.

When 27% of breaches are directly caused by skills gaps [1], and the average breach costs $4.88 million [2], the economics are clear: investing in capability development is cheaper than learning from breaches.

For SMBs, the path forward isn't trying to compete with enterprises for scarce expert talent. It's building capability strategically: upskilling existing team members, using fractional expertise for specialized needs, leveraging frameworks for efficiency, and embedding continuous learning into operations.

The most important shift is recognizing that cybersecurity isn't a headcount problem you can hire your way out of. It's a capability problem you have to build your way through. The organizations that close their skills gaps won't be the ones that hired the most people—they'll be the ones that developed the right capabilities.

Related: AI Outpacing Human Defenders: Why Your Security Strategy Is Now Obsolete

FAQ

References

[1] SANS Institute | GIAC, "The Evolving Cyber Workforce: AI, Compliance, and the Battle for Talent," SANS 2026 Cybersecurity Workforce Research Report, 2026. [Online]. Available: https://www.sans.org/mlp/2026-evolving-cybersecurity-workforce-ai-compliance-talent

[2] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[3] Anthropic, "Disrupting the first reported AI-orchestrated cyber espionage campaign," Anthropic, November 2025. [Online]. Available: https://www.anthropic.com/news/disrupting-AI-espionage

[4] Purple Book Community, "State of AI Risk Management 2026," The Purple Book Club, 2026. [Online]. Available: https://thepurplebook.club/state-of-ai-risk-management-2026

[5] National Institute of Standards and Technology (NIST), "NICE Cybersecurity Workforce Framework," NIST, 2024. [Online]. Available: https://www.nist.gov/itl/applied-cybersecurity/nice

[6] European Union Agency for Cybersecurity (ENISA), "European Cybersecurity Skills Framework (ECSF)," ENISA, 2022. [Online]. Available: https://www.enisa.europa.eu/topics/national-cybersecurity-strategies/nis-cooperation/ecsf

[7] Consortium for Information & Software Quality, "2025 CISQ Report on Software Quality in the US," CISQ, 2025. [Online]. Available: https://www.it-cisq.org/cisq-reports

[8] CyberSeek, "Demand for Cybersecurity Talent," CyberSeek, 2026. [Online]. Available: https://www.cyberseek.org

---

Experiencing cybersecurity challenges that might be skills-related? lilMONSTER can assess your team's capabilities against your risk profile and build a strategic roadmap to close the gaps. Book a consultation at https://consult.lil.business?utm_source=blog&utm_medium=post&utm_campaign=skills-crisis to strengthen your defenses before a breach exposes the gap.