
The SANS 2026 Report Is Out — and the Cybersecurity Crisis Isn't a Talent Shortage. It's a Skills Collapse.

A new SANS/GIAC report surveying nearly 950 organizations finds that 60% of cybersecurity teams lack the skills to defend against current threats — and AI is making the gap worse, not better.

Nina Vasquez, April 7, 2026

For years, the cybersecurity industry has described its workforce problem in one dimension: not enough people. The 2026 SANS and GIAC Cybersecurity Workforce Research Report, unveiled at RSAC 2026 on March 31, dismantles that framing. Based on a survey of 947 global respondents, the report argues that the real crisis is not headcount but capability. Teams exist. They are staffed. They simply cannot do what the threat landscape now demands.

The Numbers

Sixty percent of organizations surveyed said their cybersecurity teams lack the skills needed to defend against current threats. That is not a recruitment statistic — it is an indictment of training, retention, and institutional knowledge transfer. More concretely, 27 percent of organizations reported experiencing breaches they directly attributed to workforce skills gaps. Not zero-day exploits. Not nation-state APTs. Skills gaps.

The regulatory dimension has exploded. In 2025, 40 percent of organizations said regulatory directives were affecting their hiring practices. In 2026, that number hit 95 percent — a 55-point surge that represents the fastest acceleration of any metric in the report's history. NIS2 leads at 30 percent, followed by CMMC at 29 percent, DORA at 26 percent, and DoD 8140 at 24 percent. Organizations are hiring to comply, but compliance hiring does not automatically produce defensive capability.

AI Is Compounding the Problem

The report identifies AI as a double-edged accelerant. On the defensive side, organizations want to deploy AI for threat detection, anomaly analysis, and automated response. But the skills required to implement, tune, and trust those systems are precisely the skills that are in shortest supply. Knowledge gaps and skills gaps are the top two barriers organizations cite when trying to operationalize AI for cyber defense.

On the workforce pipeline side, AI is reshaping the entry-level roles that historically served as the industry's training ground. Tier 1 SOC analysts, junior incident responders, and log reviewers — the positions where new practitioners once built foundational instincts — are being automated or restructured. The career ladder's bottom rungs are disappearing, and 32 percent of organizations now cite unclear career paths as a major hiring challenge, up from just 9 percent a year earlier.

What This Means for Industrial Operations

For OT and critical infrastructure operators, the skills crisis is especially acute. Industrial control systems do not fail solely because teams are understaffed. They fail when existing teams lack the specialized capabilities required to secure converged IT/OT environments, manage risk across protocol boundaries, and respond to incidents in real time on systems that cannot be rebooted without production consequences.

The PwC Global Digital Trust Insights report released earlier this year flagged the same pressure point: 47 percent of OT security leaders cite a lack of qualified personnel as their top challenge, while 39 percent point to unclear governance between IT and OT teams. The SANS data reinforces that finding with harder numbers and a starker conclusion — the gap is widening, not closing.

What Comes Next

The report's prescription is straightforward if expensive: continuous education, realistic OT lab environments, scenario-based exercises, and cross-discipline training between IT and OT teams. Organizations that invest in those programs are maturing fastest. Those that treat cybersecurity staffing as a checkbox exercise — fill the seat, meet the regulation — are the ones reporting breaches.

Only 24 percent of organizations report having well-defined cybersecurity career paths. Until that number moves, the skills crisis will keep compounding, regulation or not.


Nina Vasquez

Workforce Development Analyst at Industry 4.1. Covers labor trends, workforce analytics, and talent pipeline strategies for the industrial technology sector.
