By Alex Ezat Parnia, President and CEO at Florida Coastal University
The widening gap in the global cybersecurity workforce is pegged at the staggering 4.8 million unfilled roles. An 87% expansion of the cybersecurity workforce is needed to meet current demands. Universities have been turning out graduates year after year. The gap seems to be widening and not closing up.
There has been no neglectful trend in cybersecurity education. Degree programmes have boomed. Enrolments have grown. Certifications have proliferated. Yet the 2025 ISC2 Cybersecurity Workforce Study confirmed that the gap widened, with the shortage of talent increasing annually by 19%, which translates to 4.8 million unfilled positions. More graduates, bigger gap. Something down the line is not working.
The problem, according to the 2026 SANS and GIAC Cybersecurity Workforce Research Reports is substantially misidentified. As per the results from nearly 1000 cybersecurity practitioners and leaders/HR and, as such, the report presents a dominating challenge to the prevailing narrative. 52 % of cybersecurity leaders stated that the primary considerations were not the quantity of people entering the cybersecurity workforce but were more related to quality of individuals with appropriate skill sets.
Cybersecurity graduates are being produced by universities; however, they do not produce certified Cybersecurity Professionals. These are two completely different types of entities/individuals.
What the curriculum is missing
There have been visible differences in what colleges and universities teach and what employers need for many years now, but little work has been done to change these disparities by developing curriculum or creating new programs of intensity or priority.
Ninety percent of hiring managers consider only candidates that have prior IT experience. Many organisations take more than six months to fill a Cybersecurity position with qualified people, and 90% of Cybersecurity teams are telling the ISACA and ISC2 that team(s) have skills “gaps,” in excess of just staffing shortages. There are not only “positions” but also there are “candidates”; the problem is that the candidates are being turned into candidates with no job experience.
Organisations struggle to find acceptable candidates for the job (however) the specific skillset is required that most Cybersecurity Degree programs don’t have enough of. Examples of the specific skillset required are: “Cloud Security across Multi-Cloud and Hybrid technologies,” “The skill-set required for AI and Machine Learning Defense, particularly the ability to detect and mitigate AI powered cyber-attacks,” “Implementing Zero Trust Architecture,” “Digital Forensics,” and “Application Security at the Code Level and Software Supply Chain Levels.”
The existing specializations being developed by employers have actually been in the forefront for three to five years now, so there shouldn’t be any surprises there either. As noted by the ISC2 report, released in 2025, businesses are seeking employees with specific skillsets at a much faster rate than they can hire them. To be as relevant as possible, universities must focus on creating curricula based on what has occurred within the threat landscape from 2018 onward!
AI has changed what entry-level means
The 2026 SANS essay contains some issues that will continue to affect the skills gap for at least the next 10 years due to the fact that artificial intelligence is automating many of the entry-level jobs that historically have been done by junior analysts to train them to become cybersecurity professionals. Before, in order to build skills as a junior analyst, individuals possessed a range of tasks and responsibilities listed above – including responding to alerts / triaging them, analyzing logs, and determining patterns in large data sets – of which many have been taken over by AI-based security operations tools.
The net result of automating these functions is creating a structural problem that can not be addressed solely by hiring new employees. The entry-level job has, in effect, been compressed. A graduate who would have expected that his or her initial job responsibilities would include performing very basic tasks, is now walking into an environment in which all of the basics have already been automated (due, again, to the use of AI in security operations) and his or her employer expects him or her to be able to add value immediately upon being hired.
At the same time that regulatory compliance is driving the most significant hiring overhauls of the last several years, new regulatory requirements for cybersecurity are being enacted through the establishment of new rules in various countries, including those of the EU, UK, and US. New cybersecurity rules are now being imposed upon industries that, until recently, did not have any formal set of regulations governing their security functions. For example, healthcare, financial services, critical infrastructure, and cloud services are now all being required, under regulatory compulsion, to expand their security functions.
What needs to change, specifically
Graduates are trained differently, not more. The first change is practical rather than theoretical; the top three qualifications for hiring graduate employees, as reported by SANS in their 2025 Workforce Research Report (and by employers globally), are: 1) technical skills/capability, 2) certification and 3) work experience. The types of graduates produced by universities with curricula focused primarily on academic theory and academic frameworks, rather than hands-on lab work, live threat simulation and real-world incident response, are unable to practice cybersecurity; they are able only to discuss it.
The second change is timeliness, or currency of knowledge and capability. The nature of the threat environment changes more quickly than the rate of publishing academic journals. Universities’ degree program review processes generally involve a two- to three-year implementation period, which means that they will never be able to keep up with an industry where the dominant attack vector shifts every few months. Accordingly, universities must set up direct industry advisory committees that have actual authority over early degree program curriculum content rather than providing recommendations to universities through the use of consultative panels, which will be integrated into the curriculum through revisions to the modules in the future.
The third change is concerned with AI integration issues. Training in cybersecurity without including the transformative effects of AI on both the threat landscape and the security defence tools used will leave graduates underprepared for a version of the cyber-security industry that does not exist anymore. Over 80% of all cyberattacks have involved some form of AI in their implementation. A graduate who cannot identify, counteract or utilise AI in the context of security will no longer have the necessary skills to secure employment in the rapidly evolving job market.
The cost of getting this wrong
Organisations with significant security staff shortages face data breach costs that are on average $1.76 million higher than their well-staffed counterparts. Two-thirds of organisations face additional risks because of cybersecurity skills shortages. Only 15% of firms expect cyber skills availability to significantly improve by 2026.
Those numbers are not primarily a hiring problem. They are a training problem that begins in the classroom. The organisations maintaining only a 72% fill rate for cybersecurity roles globally are not failing to find people with cybersecurity degrees. They are failing to find people whose degrees prepared them for the work.
The global investment in cybersecurity education is not small. The return on that investment is not meeting the scale of the threat. Closing that gap requires universities to do something that most of them are not structurally designed to do quickly: change what they teach, not just how many students they teach it to.