Editor’s Note: The 2025 ISC2 Cybersecurity Workforce Study marks a fundamental turning point in how we understand organizational risk. For years, the conversation has been dominated by the global shortage of workers. However, as this article details, the narrative has shifted: we now face a shortage of specific, high-value capabilities—particularly in AI and cloud security—that headcount alone cannot solve.

For professionals in information governance and eDiscovery, this distinction is vital. As legal workflows integrate generative AI and complex data sets, the “skills gap” becomes a defensibility gap. A team that lacks the technical nuance to explain its tools poses a direct risk to the litigation process. This article highlights not only the scope of the problem but also offers practical frameworks—from skills mapping to protected learning time—that leaders can consider to bridge the gap between their roster and their readiness.

Industry News – Cybersecurity Beat

Beyond Headcount: Why the Cybersecurity Skills Gap Now Defines Risk and Readiness

ComplexDiscovery Staff

The most expensive asset in a security operations center is no longer the technology stack, nor is it the headcount budget that leaders fight for every fiscal quarter. It is the widening chasm between what professionals are hired to do and what the modern threat landscape actually demands.

For years, the cybersecurity industry has defined its talent crisis by a single, blunt metric: the number of unfilled jobs. But the narrative is shifting. The 2025 ISC2 Cybersecurity Workforce Study, recently released and drawing on data from over 16,000 professionals globally, reveals that the primary constraint on organizational readiness is no longer capacity, but capability. Organizations are finding that they can fill seats, but they cannot easily find the specific, high-level expertise needed to defend against AI-driven attacks, secure complex cloud environments, or navigate the legal intricacies of data governance.

The Capability Cliff

This shift from a “people gap” to a “skills gap” is reshaping risk profiles across the industry. According to the ISC2 findings, 59% of respondents now report critical or significant skills gaps on their teams—a figure that has climbed sharply from 44% the previous year. The distinction is vital. A team may be fully staffed on paper, yet lack the specialized knowledge to deploy zero-trust architectures or audit machine learning models effectively.

As Debra Taylor, acting CEO of ISC2, explains: “This year’s data makes it clear that the most pressing concern for cybersecurity teams isn’t headcount but skills. Skills deficits raise cybersecurity risk levels and challenge business resilience.”

The practical consequences are immediate and damaging. Almost nine out of ten professionals surveyed admitted their organization has suffered at least one negative security outcome, such as a breach or delayed incident response, directly tied to a deficiency in skills.

For security leaders, the message is clear: the era of hiring for general aptitude and training on the job is colliding with a reality where threats move too fast for traditional learning curves. One approach worth considering is altering governance structures to address this challenge. Instead of treating training as an annual compliance checkbox, security leaders might consider pairing every major project charter—whether an AI pilot or a cloud migration—with a mandatory skills map. This ensures that before a new tool is deployed, the specific human capabilities required to manage it are identified, funded, and locked into the schedule.

AI: The Accelerant of Risk and Opportunity

Artificial intelligence sits at the epicenter of this workforce transformation. In the 2025 study, AI ranks as the single most pressing skill needed, cited by 41% of respondents, outpacing cloud security at 36%. The dual nature of AI—as both a weapon for attackers and a force multiplier for defenders—has created a scramble for fluency.

Notably, the study reveals that cybersecurity professionals increasingly view AI as an opportunity rather than a threat. According to Taylor, “We are seeing emerging technologies like AI are perceived as less of a threat to the workforce than anticipated. Instead, many cybersecurity professionals view AI as an opportunity for career advancement. They are using AI tools to automate tasks, and they are investing their time to learn more and demonstrate their expertise in using and securing AI systems.”

For information governance and eDiscovery professionals, the AI skills gap is not a theoretical problem. As legal hold processes and technology-assisted review workflows increasingly rely on opaque AI models, the inability to understand or explain these tools becomes a legal risk. If a team cannot test a generative AI model for hallucinations or bias, they will struggle to defend its output in court.

One potential solution for organizations lies in structured, hands-on exposure. Rather than relying solely on external certifications, teams might consider embedding short, focused “labs” into their regular rhythms. These might take the form of monthly brown-bag sessions where analysts and legal ops professionals practice red-teaming an internal AI tool or auditing a dataset for classification errors. This cross-pollination helps legal teams understand the technical limits of their tools while teaching security analysts the importance of defensibility.

The Burnout Cycle

The pressure to upskill rapidly is exacting a heavy human toll. The study highlights that nearly half (48%) of all cybersecurity professionals feel exhausted from trying to stay current on the latest cybersecurity threats and emerging technologies, while 47% feel overwhelmed by workload. This burnout creates a vicious cycle: overwhelmed professionals have less mental bandwidth to learn, which causes their skills to atrophy relative to the market, leading to even greater stress and workload.

Economic factors complicate the picture. While 2025 has seen some stabilization compared to the volatility of previous years—with reports of budget cuts (36%) and layoffs (24%) each decreasing by one percentage point from 2024—budgets remain tight. Over a third of organizations report budget reductions, and many cannot fund the positions they know are necessary. This leaves existing staff to stretch across an expanding surface area of responsibilities.

Leaders may find that protecting their teams’ time as aggressively as they protect their networks can help address this challenge. Tangible practices—such as establishing “no-meeting” blocks dedicated to deep work or rotating the ownership of topic briefings—may reduce cognitive load. By making learning a protected part of the workday rather than an after-hours burden, organizations can retain their most experienced talent and work to break the burnout cycle.

A Future Built on Competence

Despite the strain, the workforce remains optimistic about its long-term value. A vast majority of professionals—87%—believe there will always be a need for cybersecurity roles, and 81% are confident the profession will remain strong. But they also recognize that those roles are changing. The demand is moving toward professionals who blend technical acumen with the ability to communicate risk to the boardroom.

For eDiscovery and governance leaders, this is an opportunity to redefine career paths. By rewarding AI literacy and cross-functional collaboration, they can build teams that are resilient enough to handle the next wave of technological disruption. The question facing every organization is no longer just about headcount. It is about competence.

As AI continues to rewrite the rules of engagement, how confident are you that your team possesses the specific skills to answer the alarm when it rings?

Assisted by GAI and LLM Technologies

Source: ComplexDiscovery OÜ

The post Beyond Headcount: Why the Cybersecurity Skills Gap Now Defines Risk and Readiness appeared first on ComplexDiscovery.

Alan N. Sutin is Chair of the firm’s Technology, Media & Telecommunications Practice and Senior Chair of the Global Intellectual Property & Technology Practice. An experienced business lawyer with a principal focus on commercial transactions with intellectual property and technology issues and privacy and cybersecurity matters, he advises clients in connection with transactions involving the development, acquisition, disposition and commercial exploitation of intellectual property with an emphasis on technology-related products and services, and counsels companies on a wide range of issues relating to privacy and cybersecurity. Alan holds the CIPP/US certification from the International Association of Privacy Professionals.

Alan also represents a wide variety of companies in connection with IT and business process outsourcing arrangements, strategic alliance agreements, commercial joint ventures and licensing matters. He has particular experience in Internet and electronic commerce issues and has been involved in many of the major policy issues surrounding the commercial development of the Internet. Alan has advised foreign governments and multinational corporations in connection with these issues and is a frequent speaker at major industry conferences and events around the world.