Security leaders facing workforce shortages are turning to artificial intelligence to close the skills gaps in their organizations, according to survey results released today by a global cybersecurity company.
Some 97% of 1,850 IT and cybersecurity decision-makers across 29 countries reported using or planning to use a cybersecurity solution that leverages AI to address a growing number of security incidents, according to the 2025 Fortinet Cybersecurity Skills Gap survey conducted by Sapio Research.
The survey noted that the vast majority of its respondents (86%) had one or more security breaches in 2024, with nearly one-third (28%) reporting five or more. Those levels are notably higher than in 2021, when Fortinet conducted its first skills gap survey. Then, 80% reported a breach, and 19% reported five or more.
The impact of those security incidents is significant, the survey noted. More than half (52%) of organizations surveyed say breaches cost them more than US$1 million, which is roughly in line with last year’s 53% and up from 38% in 2021.
In response to that growing problem, the study noted that organizations are increasingly turning to AI to strengthen their capabilities and posture, even as they acknowledge AI could also be used against them as an engine for new or improved cyberattacks. Nearly half of the respondents (49%) confessed that they’re worried that the use of AI by bad actors will increase cybersecurity attacks.
Cyber Talent Investment Needed
Four out of five organizations (80%) told surveyors that AI tools are helping their IT and security teams be more effective, though almost all are aware that AI won’t solve the ongoing skills shortage alone. That shortage amounts to a global deficit of more than 4.7 million cybersecurity professionals, according to the 2024 ISC2 Cybersecurity Workforce Study.
“This year’s survey further underscores the urgent need to invest in cybersecurity talent,” Fortinet CISO Carl Windsor said in a statement. “Without closing the skills gap, organizations will continue to face rising breach rates and escalating costs.”
“The findings highlight an inflection point for both public and private sectors,” he continued. “Without bold action to build and retain cybersecurity expertise, the risks and costs will only continue to grow for our society.”
Thomas Vick, a technology hiring and consulting expert with Robert Half, a global staffing and recruiting firm, explained that without enough qualified professionals, IT teams may struggle to patch vulnerabilities, manage technical debt, and stay ahead of increasingly sophisticated threats, leaving critical systems exposed.
“As cyber risks escalate, attracting and retaining skilled cybersecurity professionals remains a business priority for safeguarding digital assets and staying ahead of threats,” he told TechNewsWorld.
“The cybersecurity skills gap continues to challenge organizations across industries, making it difficult to fill critical roles in IT departments and security operations centers,” he said. “To stay competitive, many employers are offering higher starting salaries and attractive perks for top talent.”
“From research conducted for the 2026 Salary Guide from Robert Half, more than half of U.S. employers are willing to increase starting compensation for candidates with in-demand cybersecurity skills, and 41% said they would boost compensation for cloud security skills,” he added.
Retaining quality people is more than just financial, argued Mark St. John, co-founder and COO of Neon Cyber, a provider of browser-based security tools in Fort Worth, Texas. “Job hopping is easy for skilled professionals,” he told TechNewsWorld. “You learn some tools, you experience the time in the trenches, and you are suddenly a valuable commodity.”
“I love this for the analysts. I hate it for the business,” he said. “A lot of tribal knowledge of how the business operates, the sensitivity of data across business units, the relationships — they all add up and matter over time. So I am easily convinced that turnover can lead to breaches.”
AI Adoption Collides With Skills Gap
Although most organizations are using or planning to use AI, nearly half of them (48%) acknowledged that the biggest challenge to integrating AI into cybersecurity was the lack of staff with sufficient AI expertise.
“The skills shortage creates a paradox that limits AI’s potential in cybersecurity,” asserted Tim Freestone, chief strategy officer for Kiteworks, a provider of a secure platform for exchanging private data, in San Mateo, Calif.
“Organizations lack personnel with the expertise needed to properly deploy, manage, and optimize AI-powered security tools, meaning the very solution designed to alleviate staffing pressures remains underutilized,” he told TechNewsWorld.
“This gap is particularly acute because effective AI implementation requires dual competencies — both operating AI systems and defending against AI-powered attacks — skills that are in even shorter supply than traditional cybersecurity expertise.
“Without trained professionals who can configure AI tools appropriately, interpret their outputs accurately, and integrate them effectively into security operations, organizations risk deploying AI systems that fail to reach their defensive potential or, worse, introduce new vulnerabilities through improper management,” he said.
“Fortinet’s report makes it clear that the cybersecurity skills gap has become a business risk, not just a technical one,” added Shane Barney, chief information security officer at Keeper Security, a password management and online storage company in Chicago.
“With nearly every company adopting artificial intelligence to strengthen defenses,” he told TechNewsWorld, “the absence of in-house skills to manage these tools safely is widening the gap between technology and readiness.”

Diana Kelley, CISO at Noma Security, an AI lifecycle security company in Tel Aviv, Israel, explained that AI skills can encompass a very broad spectrum. “Traditional AI skills such as data science and machine learning engineers continue to be popular,” she told TechNewsWorld.
“One of the most in-demand GenAI skills is prompt engineering, which is driving value across all teams from security operations, to marketing, to compliance, to business development,” she said. “And people who are diving in and vibe coding AI agents are also setting themselves up for future-proofed AI skills.”
“Of course,” she continued, “for every AI implementation or enterprise use case, there is a need for AI, especially agentic AI, to be secured by the CISO’s organization.”
Investment in Training Needed
The survey advocated greater investment by organizations in cybersecurity training and development. The decline in willingness to pay for certifications this year, down to 73% from 89% the previous year, is concerning, it noted. “If this turns out to be an emerging trend, organizations should review this decision as part of their risk management strategy,” it advised.
Lisa Simon, chief economist at Revelio Labs, a workforce intelligence company in New York City, explained that employers are increasingly relying on certifications as a way to verify cybersecurity skills, particularly in high-risk sectors such as government, finance, and health care.
“Certifications can provide reassurance that candidates meet a certain standard and help organizations demonstrate credibility to clients and regulators,” she told TechNewsWorld, “but the reliance on credentials also has drawbacks.
“Our studies show that only about one in five cybersecurity professionals lists holding a certification on their online profile, which contributes to slower and costlier hiring, and risks excluding strong candidates who have built their expertise through IT or systems roles without formal credentials.”
“In practice, certifications can be a valuable signal of competence,” she continued, “but they shouldn’t be the sole filter. Organizations also need to invest in internal training and diverse talent pipelines to meet the fast-growing demand for cyber talent.”
The survey advised: “Skilled and aware employees and cybersecurity professionals are crucial to overall cyber risk management in a world that [has] moved beyond the attack-and-defend cycle. Today, to protect themselves, organizations need to maintain a posture of perpetual vigilance and continuous risk awareness.”


