Why Cybersecurity’s Talent Gap Refuses To Close

Authored By Linda Oraegbunam

 

As economies become increasingly digital, cybersecurity has evolved from a specialist technical function into a strategic necessity. Financial institutions, healthcare providers, government agencies and critical infrastructure operators all depend on cyber professionals to protect the systems that underpin modern life. In an era shaped by artificial intelligence, cloud computing and rising geopolitical tensions, the ability to build and sustain a capable cybersecurity workforce has become a matter of economic resilience as much as technological security.

Yet despite years of investment, the cybersecurity talent challenge remains stubbornly persistent. Recent workforce studies estimate the global cybersecurity gap at between 2.8 million and 4.8 million professionals, while employers across the United Kingdom continue to report difficulties recruiting and retaining talent. Governments have invested in digital skills programmes, universities have expanded cybersecurity courses, and employers have widened recruitment pathways in an effort to strengthen the pipeline of future professionals. The prevailing assumption behind these efforts is straightforward: if more people enter cybersecurity, the talent gap will eventually close. While there is no doubt that expanding access to cyber education remains essential, the persistence of the challenge suggests that the issue may be more complex than a simple shortage of skilled professionals.

Part of the difficulty lies in how cybersecurity itself is understood. Public conversations about cyber careers remain heavily focused on highly technical disciplines such as ethical hacking, penetration testing and security operations. While these functions are critical, they represent only a fraction of a much broader ecosystem. Modern cybersecurity also depends on threat intelligence analysts who identify patterns in emerging risks, governance and compliance professionals who navigate increasingly complex regulatory environments, security architects who design resilient systems, behavioural specialists who address the human factors behind cyber risk, and policy experts who help shape the rules governing digital security. These disciplines may sit under the same professional umbrella, but they require fundamentally different skills, interests and ways of thinking.

This is where a less discussed challenge begins to emerge. Through my work across cybersecurity, artificial intelligence and workforce development, I have met countless students and early-career professionals who are eager to enter the industry but possess a relatively narrow understanding of what a cyber career entails. Many assume the profession begins and ends with coding. Others focus exclusively on technical certifications because those pathways are the most visible. What is striking, however, is how often individuals discover later that their strengths lie elsewhere. Some with backgrounds in psychology become fascinated by behavioural security and cyber awareness. Those with interests in law and public policy frequently find themselves drawn towards governance, risk and compliance. Some of the strongest analytical thinkers are often better suited to threat intelligence than highly technical engineering roles. Yet many of these pathways remain largely invisible to people entering the profession.

The consequence is that workforce challenges are not always driven by a lack of people. They can also stem from how talent is identified, developed and ultimately matched to opportunity. If individuals pursue pathways that do not align with their interests, aptitudes or ways of thinking, organisations face a double challenge. Critical roles remain difficult to fill, while talented professionals become disengaged, leave the industry or never enter it at all. In that context, increasing the volume of people entering cybersecurity does not necessarily address the underlying problem. It simply increases the number of people moving through a system that may not be directing them effectively.

This question becomes even more important as the nature of cyber risk continues to evolve. For years, cybersecurity hiring focused primarily on technical capability. Today, organisations are grappling with artificial intelligence, supply-chain vulnerabilities, regulatory complexity and increasingly sophisticated threat actors. Addressing these challenges requires multidisciplinary teams that combine technical, analytical, legal, behavioural and strategic expertise. The future cybersecurity workforce is unlikely to be built solely from computer science graduates. It will increasingly depend on professionals from a much wider range of educational and professional backgrounds, many of whom may not currently recognise that their skills have a place within cybersecurity.

This is where advances in artificial intelligence may offer an opportunity that extends beyond automation and productivity. Across education and workforce development, AI-supported tools are beginning to help individuals identify pathways that align with their interests, learning preferences and problem-solving styles. While still an emerging area, these approaches have the potential to improve career guidance in ways that were previously difficult to achieve at scale. The objective is not to allow algorithms to determine careers, but to provide better information earlier in the decision-making process, helping individuals understand where they are most likely to thrive before committing significant time and resources to a particular path.

The implications extend well beyond individual career outcomes. Better alignment has the potential to improve retention, strengthen workforce resilience and enable organisations to make more effective use of the talent already available to them. For the UK, this distinction matters. The country’s ambition to remain a global leader in cybersecurity will depend not only on producing more talent, but on ensuring that talent is deployed effectively across an increasingly diverse profession. At a time when employers continue to report workforce shortages despite substantial investment in education and training, there is a strong case for rethinking how individuals are introduced to cybersecurity careers in the first place.

For years, the cybersecurity workforce debate has focused on quantity. The next challenge may be one of precision. Expanding the talent pipeline remains essential, but so too does helping people find the parts of the profession where they can create the greatest value and sustain long-term careers. If the industry is serious about closing the talent gap, it may need to broaden the conversation beyond questions of supply alone. The future of cybersecurity may depend not simply on attracting more people into the profession, but on ensuring that the right people find the right place within it.

 

linda-op-ed

 

Linda Oraegbunam is the co-founder of IdentArk, a machine learning engineer, and AI governance researcher with experience across the UK Civil Service and regulated commercial sectors. Her work combines production AI development with research into the governance and accountability structures needed for responsible AI deployment. She is the creator of a growing suite of open-source tools that form an agentic AI governance toolkit published on PyPI. Her research explores the relationship between agentic AI systems and organisational accountability, helping organisations develop practical approaches to deploying AI that are secure, transparent, and aligned with emerging governance standards.