SANS 2026 report flags cybersecurity skills crisis, putting critical infrastructure and OT sectors at measurable breach risk - Industrial Cyber

Industrial Cyber, archived Apr 06, 2026

April 06, 2026

A new 2026 report from the SANS Institute and GIAC identified that the cybersecurity workforce problem is no longer about headcount. It is about capability. Teams are in place, but too often lack the skills needed to defend against current threats.

The data is unambiguous. About 60% of organizations say their teams lack the right skills, while regulatory pressure on hiring has surged from 40% to 95% in just a year. At the same time, 27% of organizations report breaches directly linked to these capability gaps. AI is compounding the shift, reshaping entry-level roles that once served as the industry’s training ground.

Moreover, the report reveals that the industry is at an inflection point. AI is eroding traditional pathways into cybersecurity, compliance demands are driving the most aggressive hiring overhaul in years, and the widening skills gap is no longer theoretical. It is translating into measurable security failures.

Titled ‘The Evolving Cyber Workforce: AI, Compliance, and the Battle for Talent,’ the SANS 2026 report noted that, for the first time in the report’s three-year history, skills gaps decisively overtook headcount shortages as the industry’s top workforce challenge. When asked to choose between ‘not having the right staff’ and ‘not enough staff,’ 60% of organizations identified skills gaps as the greater problem, compared to 40% citing staffing shortages. That 20-point gap has widened sharply from just four points a year ago, signaling a fundamental shift in how the industry defines its workforce crisis.

For industrial and critical infrastructure operators, this distinction is critical. These environments do not fail because teams are understaffed alone. They fail when existing teams lack the specialized capabilities required to secure complex OT systems, manage risk, and respond to incidents in real time.

“This is no longer a story about filling seats,” Rob T. Lee, SANS chief AI officer and chief of research, said in a media statement last week. “Organizations have people. But those people are overwhelmed, under-resourced, and unable to develop the capabilities they need because they’re too busy running today’s operations. The industry needs to stop counting open positions and start investing in the skills of the people it already has.”

The 2026 SANS Institute | GIAC Cybersecurity Workforce Research Report, based on 947 global respondents, captures a cybersecurity labor market undergoing structural strain. Nowhere is that strain more visible than in critical infrastructure and industrial environments, where regulatory exposure, operational risk, and legacy complexity converge. The data shows a workforce model shifting from reactive hiring to capability-driven restructuring, with consequences that are already materializing across operational resilience and security outcomes.

The scale of workforce disruption is further underscored by AI adoption. About 74% of cyber teams report that AI is actively changing team size and role structures. In industrial environments, where security teams already operate under tight constraints, this introduces both opportunity and instability. AI is reducing manual analysis time for 49% of organizations and automating workflows for 48%, but only 16% report actual workforce reduction. The implication is clear: efficiency gains are real, but they are not closing the talent gap in critical sectors. Instead, AI is reshaping the nature of work.

Entry-level roles such as SOC analysts, threat intelligence analysts, and incident responders are among the most affected, with reductions reported at 32%, 26%, and 22%, respectively. These roles have traditionally been the training ground for cybersecurity talent. In industrial environments, where institutional knowledge and system familiarity are essential, this erosion of entry-level pathways risks weakening long-term workforce sustainability.

At the same time, new roles are emerging at pace. Around 34% of organizations have introduced AI or machine learning security specialists, 32% have added AI security engineers, and 30% have created AI governance analyst roles. These positions demand hybrid expertise that blends cybersecurity, data science, and regulatory awareness. For critical infrastructure operators, this creates a dual burden: maintaining legacy OT security while simultaneously building entirely new AI-related capabilities.

Regulatory pressure is accelerating this transformation. The report finds that 68% of organizations experience moderate to extreme impact from regulations on hiring, while 95% report some level of regulatory influence overall, a sharp increase from 40% in 2025. For critical infrastructure sectors, which sit directly within the scope of frameworks like NIS2 and DORA, this pressure is not theoretical. It is actively reshaping workforce composition and forcing rapid capability validation.

“That is a pretty fascinating shift,” said James Lyne, CEO of SANS Institute. “This isn’t mild compliance adjustment. Organizations are building entirely new specialist positions, restructuring teams around regulatory requirements, and facing real enforcement consequences if they don’t.”

The regulatory push is driving a surge in specialist hiring. The proportion of organizations needing new specialist roles jumped from 23% to 53% in just one year. Unlike traditional hiring cycles, this demand is not incremental.
It reflects entirely new categories of expertise tied to compliance, resilience, and reporting obligations. In industrial environments, this often translates into roles focused on OT risk, incident coordination, and regulatory audit readiness.

Framework adoption is rising in parallel. About 56% of organizations now use structured frameworks such as NICE or ECSF to define cybersecurity roles, up from 46% the previous year. This shift toward standardized role definitions is particularly relevant in critical infrastructure, where inconsistent skill mapping can translate directly into operational risk. Frameworks are becoming less about best practice and more about compliance necessity.

Despite these structural efforts, hiring challenges are intensifying at the top end of the workforce. About 27% of organizations report expert roles as the most difficult to fill, followed by 22% for senior roles and 23% for mid-level positions. Collectively, these account for 72% of recruitment difficulty. In contrast, only 4% report difficulty hiring entry-level staff. This imbalance is especially problematic for industrial cybersecurity, which depends heavily on experienced professionals capable of navigating complex, high-risk environments.

Time-to-hire data reinforces this pressure. Around 55% of senior roles take six months or longer to fill, while 38% of expert roles remain open for over a year. For critical infrastructure operators, these delays translate directly into prolonged exposure to risk, particularly in sectors such as energy, manufacturing, and utilities, where threat actors are increasingly active.

The SANS 2026 report also highlights a growing career progression crisis. About 32% of organizations cite unclear career paths as a major hiring challenge, up from just 9% the previous year. Only 24% report having well-defined and clearly communicated cybersecurity career paths.
In industrial environments, where knowledge transfer and long-term expertise development are essential, this lack of structured progression threatens workforce continuity.

“Cybersecurity practitioners who use AI are quite likely to replace those who don’t,” said Lyne. “We have to be very careful. If we signal that the lower end of cybersecurity is going to be replaced by AI, even if that’s not the truth, and we don’t end up with enough practitioners learning foundational skills, we won’t have seniors and experts later. We all end up pointing at everyone else, and we end up with a gap in the future.”

Training constraints compound the problem. About 60% of organizations cite lack of time as the primary barrier to training, while 54% point to budget limitations. These constraints are particularly acute in critical infrastructure sectors, where teams are often stretched thin managing live operations. The result is a self-reinforcing cycle in which teams cannot develop skills because they are too busy responding to immediate threats.

The operational impact of these skills gaps is already measurable. Around 57% of organizations report delayed projects due to workforce limitations, while 47% experience increased burnout and another 47% report slower incident response. In critical infrastructure, these outcomes carry higher stakes, as delays or response failures can disrupt essential services and create cascading economic effects.

More concerning is that 42% of organizations say skills gaps prevent adoption of new technologies, and another 42% report reduced monitoring capabilities. This is particularly relevant in industrial settings, where modernization initiatives such as IIoT and smart manufacturing depend on secure deployment. Without the necessary skills, digital transformation itself becomes a risk vector.

Perhaps the most direct indicator of risk is that 27% of organizations report experiencing breaches as a consequence of workforce skills gaps.
In critical infrastructure sectors, this statistic underscores a shift in how cyber risk must be understood. The issue is no longer just technological vulnerability, but human capability gaps that directly translate into exploitable weaknesses.

The SANS 2026 report shows a clear shift in how organizations validate skills. About 64% rely on cybersecurity certifications as their primary validation method, significantly ahead of skills assessments at 49% and internal evaluations at 48%. In regulated industrial sectors, certifications are becoming a proxy for trust, offering a standardized way to demonstrate capability in environments where failure carries systemic consequences.

One of the more overlooked data points is the governance gap around AI. While 54% of organizations report having AI security policies, only 38% provide any form of comprehensive training. That disconnect matters more in industrial environments than in IT-heavy sectors. OT teams are already operating with limited visibility and specialized tooling. Introducing AI without aligned training frameworks risks creating uneven adoption, inconsistent decision-making, and untracked risk exposure across plants and operational sites.

That gap becomes more concerning when paired with another figure: 24% of organizations have no AI governance plans at all, even as 74% report AI already influencing team structure. This “deploy first, govern later” pattern is particularly dangerous in critical infrastructure, where unvalidated automation decisions can directly affect safety, uptime, and process integrity.

The data also reveals a deeper shift in workforce composition that has implications for industrial resilience. Only 5% of organizations report no measurable impact from AI, while the majority report varying levels of structural change. Yet just 20% provide AI security training to all staff, and another 18% restrict it to cybersecurity teams.
In industrial contexts, where engineering, operations, and cybersecurity must work in tandem, this siloed training approach risks widening the IT-OT divide rather than closing it.

Another critical data point is how organizations are prioritizing AI-related skills. The report identifies AI governance, risk, and compliance as the top required competencies, followed by data security for AI and securing AI systems. For industrial operators, this signals a shift from traditional perimeter defense toward governance-heavy security models. In regulated environments such as energy and manufacturing, this aligns directly with compliance-driven oversight requirements rather than purely technical controls.

The SANS 2026 report also quantifies how hiring authority is consolidating at the top. About 53% of hiring decisions are now controlled by senior leadership and CISOs. This centralization reflects the strategic importance of cybersecurity in regulated sectors, but it also slows hiring cycles and introduces bottlenecks. In industrial organizations, where operational teams often require domain-specific hires, this top-down control can delay critical staffing decisions at the plant or system level.

There is also a notable shift in how organizations define hiring priorities. Technical capability leads at 55%, ahead of experience at 46%, with attributes like attitude (37%) and aptitude (34%) gaining importance. For industrial cybersecurity, this is a subtle but important pivot. It reflects the growing need for adaptable professionals who can operate across IT, OT, and emerging AI-driven environments rather than relying solely on traditional experience pathways.

On the validation side, the report adds nuance to the certification story. While 64% of organizations use certifications as their primary validation method, 58% consider them extremely important, and only 5% dismiss them.
In regulated critical infrastructure sectors, certifications are effectively becoming compliance artifacts, not just professional credentials. They serve as auditable proof of capability in environments where regulatory scrutiny is intensifying.

Investment patterns reinforce this. About 51% of organizations reimburse certification exams, and 48% fund training platforms. Yet this investment sits in tension with the earlier constraint data, where time and budget remain the biggest barriers. The result is uneven skill development, particularly in industrial environments where operational demands leave little room for structured learning.

Another underappreciated signal is how career progression is becoming structurally constrained. Only 24% of organizations report well-defined and clearly communicated cybersecurity career paths, while 36% say paths are only partially defined. In industrial settings, where expertise often depends on years of system familiarity, this lack of clarity threatens long-term knowledge retention and succession planning.

The report also highlights retention pressures tied directly to workforce structure. About 42% cite salary as a retention challenge, but 40% point to burnout, and 31% highlight unclear career paths. In critical infrastructure environments, burnout is not just an HR issue. It directly impacts operational continuity, especially in 24/7 environments such as energy grids or manufacturing plants, where security teams cannot afford fatigue-driven errors.

A particularly telling data point is the distribution of skills gaps. About 35% of organizations report moderate gaps affecting 10–29% of required skills, while 13% report major gaps exceeding 30%. Only 19% consider their teams fully skilled. For industrial operators, this suggests that even well-staffed teams are operating with partial capability coverage, leaving specific OT, ICS, or process-level risks unaddressed.

The SANS 2026 report further shows that security clearance and talent availability are not the primary constraints. Only 17% cite lack of qualified candidates as the main challenge, compared to 36% pointing to budget limitations. This reframes the workforce issue for critical infrastructure sectors. The problem is less about market scarcity and more about internal capacity to develop and retain skills under operational pressure.

The data also reinforces that skills gaps are already translating into operational degradation. Beyond breaches (27%), organizations report reduced monitoring (42%) and inability to adopt new technologies (42%). In industrial environments, this has direct implications for digital transformation initiatives such as IIoT deployment, predictive maintenance, and smart grid modernization. Security limitations are not just a risk factor. They are actively slowing industrial innovation.

The 2026 report from the SANS Institute and GIAC moves beyond diagnosis and lays out a set of practical steps that reflect how workforce strategy is being redefined under pressure. At the core is a shift toward structure and intentionality. Organizations are urged to formalize AI governance and introduce baseline AI security training across the workforce, starting with high-exposure teams and scaling over time, rather than allowing adoption to outpace oversight.

A second priority is rebuilding the talent pipeline from the ground up. The report stresses that entry-level development cannot be abandoned, even as AI reshapes junior roles. Structured mentorships, rotational training, and hands-on learning environments remain among the highest-return investments, particularly for organizations that need to sustain long-term capability rather than rely on external hiring.

Framework-driven workforce design also emerges as a central recommendation.
Organizations are encouraged to adopt established models such as NICE or ECSF to define roles, standardize skills, and align hiring with both operational and regulatory expectations. This is paired with broader use of industry frameworks like NIST CSF and CIS Controls to anchor compliance and security practices within a consistent structure.

The SANS 2026 report also emphasizes the need to integrate cybersecurity into enterprise decision-making. Boards, C-suites, and non-technical stakeholders must be brought into regular security discussions, particularly as regulatory obligations expand beyond IT into the wider business. Building incident response plans that involve legal, HR, finance, and communications teams is no longer optional but a baseline expectation.

Equally important is the call to define and communicate clear career pathways. Organizations are advised to create structured progression models for cybersecurity professionals and validate team capabilities through certifications and documented skill assessments. Without this clarity, the report warns, retention challenges and skills gaps will continue to reinforce each other.

Taken together, the recommendations point to a broader shift. Strengthening the cybersecurity workforce is no longer about isolated hiring or training initiatives. It requires coordinated investment in governance, structured skill development, and long-term talent pipelines that can adapt to both regulatory pressure and technological change.

Anna Ribeiro, Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.