For the cyber security workforce, the real issue is not the number of people but a lack of the right people with the right skills, according to a study by the training body the SANS Institute, which drew on nearly 3,400 cybersecurity and HR managers. SANS suggests that businesses are no longer prioritising headcount growth. Instead, they are investing in skills development, internal training, and more strategic collaboration between cybersecurity and HR (human resources) teams. A SANS-GIAC Workforce Leadership Summit is running on the fourth and final day of the RSAC 2025 Conference in San Francisco on Thursday, May 1, where C-suite executives will discuss what’s working and what must change.
“My personal perspective is that we don’t actually have a talent shortage in cybersecurity,” said Helen Patton, former CISO and cybersecurity leader at Cisco. “The real issue lies in understanding the skill sets that are needed for the kinds of roles you have and finding the people who have those skill sets.”
This year’s data confirms that technical capability has overtaken work experience and academic degrees as the most valued hiring qualification, according to the survey. Certifications now rank second, with hiring managers placing increasing value on validated, job-ready skills rather than resumes padded with credentials.
“A couple of years ago, it was 70 per cent technical expertise and 30 per cent attitude,” said Aus Alzubaidi, CISO at MBC Group. “Today, we’re approaching 25–75, where most of the profile is based on attitude. Adaptability and eagerness to learn are now non-negotiable.”
Workplace culture and flexibility also emerged as central themes in hiring and retention. According to the study, 34 percent of those surveyed say working well within a team is the most important cultural value in a cybersecurity hire. Remote work, development, and clearly defined career paths are now recognised as competitive differentiators.
“We frame soft skills as power skills because, in cybersecurity, we’re here to build teams,” added Lynn Dohm, Executive Director of WiCyS. “Some of the best talent we’ve recruited came from accounting, education, and other unexpected places.”
The study also suggests early signs that regulations like NIS2 (the European Union’s Network and Information Security Directive), DORA (the EU’s Digital Operational Resilience law), and CMMC (the United States’ federal Cybersecurity Maturity Model Certification) are already shaping hiring practices. Nearly half of Europeans surveyed say their workforce strategies are now being influenced by privacy, compliance, and risk management mandates. Visit: https://www.sans.org/mlp/rsac-workforce-leadership-summit.





