New SANS Report Finds Cyber Talent Crisis Isn’t About Headcount. It’s About Skills.

The 2025 Cybersecurity Workforce Research Report upends traditional assumptions and sets the tone for the SANS | GIAC Workforce Leadership Summit, where industry and government leaders will tackle what’s next

A new global study from SANS and GIAC finds that the cybersecurity workforce crisis may be more misunderstood than ever. In a sharp break from headlines focused on unfilled roles, the 2025 Cybersecurity Workforce Research Report reveals that 52 percent of cybersecurity leaders say the real issue is not the number of people but a lack of the right people with the right skills.

The study, based on insights from nearly 3,400 cybersecurity and HR managers, shows a clear shift in mindset. Organizations are no longer prioritizing headcount growth. Instead, they are investing in skills development, internal training, and more strategic collaboration between cybersecurity and HR teams.

This data will anchor the SANS | GIAC Workforce Leadership Summit at the RSAC™ 2025 Conference on Thursday, May 1, 2025, where C-suite executives, hiring leaders, and policymakers will come together for a candid conversation about what’s working and what must change.

“My personal perspective is that we don’t actually have a talent shortage in cybersecurity,” said Helen Patton, former CISO and cybersecurity leader at Cisco. “The real issue lies in understanding the skill sets that are needed for the kinds of roles you have and finding the people who have those skill sets.”

The shift is not just philosophical. This year’s data confirms that technical capability has overtaken work experience and academic degrees as the most valued hiring qualification. Certifications now rank second, with hiring managers placing increasing value on validated, job-ready skills rather than resumes padded with credentials.

“A couple of years ago, it was 70 percent technical expertise and 30 percent attitude,” said Aus Alzubaidi, CISO at MBC Group. “Today, we’re approaching 25–75, where most of the profile is based on attitude. Adaptability and eagerness to learn are now non-negotiable.”

Workplace culture and flexibility also emerged as central themes in both hiring and retention. According to the study, 34 percent of organizations say working well within a team is the most important cultural value in a cybersecurity hire. Remote work, development programs, and clearly defined career paths are now being recognized as competitive differentiators.

“We frame soft skills as power skills because, in cybersecurity, we’re here to build teams,” added Lynn Dohm, Executive Director of WiCyS. “Some of the best talent we’ve recruited came from accounting, education, and other unexpected places.”

The study also shows early signs that regulations like NIS2, DORA, and CMMC are already shaping hiring practices. Nearly half of European organizations say their workforce strategies are now being influenced by privacy, compliance, and risk management mandates.

The SANS | GIAC Workforce Leadership Summit will offer press and industry leaders exclusive access to the individuals shaping the future of cyber workforce strategy. Attendees will leave with data-backed insights and practical frameworks they can bring back to their teams.

Access the full 2025 Cybersecurity Workforce Research Report when it launches and request a seat at the Workforce Leadership Summit: https://www.sans.org/mlp/rsac-workforce-leadership-summit