According to the “SANS 2026 Cybersecurity Workforce Research Report” (download for data), “The cybersecurity workforce is undergoing a fundamental transformation. Companies are rebuilding their teams top-down as artificial intelligence displaces traditional entry points. At the same time, regulatory compliance requirements are creating new frameworks for validating skills. This convergence is leading to a widening skills gap that companies are struggling to close, even as they increasingly recognize that the right skills are more important than simply increasing headcount.”
It continues: “The need for specialists in new roles has almost doubled year-on-year, while additional recruitment of staff with existing skills has increased significantly.”
This is giving CISOs increasing concerns: 60 percent of security leaders identify this skills gap as their biggest workforce challenge for 2026 (up from 52 percent last year). 40 percent said that a lack of staff was their main problem.
Beth Miller, global field CISO at software maker Mimecast, says it’s not just a security skills gap that’s troubling CISOs. The gap exists in the required security skills across the entire company. “You can have a highly skilled security team, but if you don’t also have security skills across the entire operation, there’s still a gap,” she says. Closing this gap requires “investing in the human element across the organization,” she adds.
Cochran of the SANS Institute made similar observations, explaining that CISOs need to build a culture of continuous learning and development.
Gaps in securing AI
CISOs lag behind in securing AI implementations for several reasons.
First of all, says Mimecast’s Miller, “the AI space is evolving faster than CISOs are prepared for it. The pattern we see in our company and others is that senior leadership announces an initiative to adopt AI – it’s top-down and often tied to competitive pressures or board expectations. Then, within weeks, business units develop AI tools, connect them to data and integrate AI into existing systems, while CISOs only learn about these (initiatives) during or after implementation.”
There are also AI deployments that happen from the bottom up, often without any involvement or knowledge from senior management. “Shadow AI is happening across the industry,” says Model N’s Shah. While the security or IT department may discover these implementations after the fact, it doesn’t eliminate the vulnerability on its own.
Experts also point to two additional challenges: First, developing the right security controls for AI as the technology evolves. Second, all stakeholders must be persuaded to accept and comply with these controls and governance frameworks as they evolve with the technology. This dynamic inevitably creates a gap between what is needed to secure AI and the controls actually implemented. “It’s a governance gap masquerading as an IT issue,” adds Miller.
The SANS report found that only 54 percent of companies surveyed had AI security policies in place and only a fifth (20 percent) had comprehensive governance frameworks. Meanwhile, around 75 percent are either implementing governance structures or were still in the process of establishing them.
SANS concluded that “AI security governance is still in its infancy.” Other experts confirmed this and explained that CISOs focus on
- Observability-Tools,
- the ability to influence management,
- AI-related security awareness and training,
- new best practices for AI security as well
- new AI governance frameworks
need to be supported in order to close the gaping gap that appears to exist in many companies.
The legacy gap
According to Jason Lish, Global CISO at Cisco, many business leaders have a “set-it-and-forget-it mentality” when it comes to technology. They resist IT modernization measures as long as the systems work and do not offer any competitive advantages.
This poses challenges not only for CIOs trying to integrate AI and other new technologies into legacy systems, but also for CISOs looking to implement modern security practices and technologies, Lish explains. This is becoming an increasingly pressing security issue as attackers become more adept at using AI to exploit legacy and unsupported systems where modern security controls cannot be implemented.
A 2026 study by the National Association of State CIOs and Deloitte & Touche found that CISOs cited legacy infrastructure as one of the top three barriers to addressing cybersecurity challenges. They also cited increasingly sophisticated attacks and insufficient funding for cybersecurity.
“CISOs should think about a risk-based approach here,” says Lish, “reaching out to the board or senior leadership and saying, ‘These are the most critical pieces of legacy equipment that we need to replace,’ and helping them understand the risk of not doing that. The CISO needs to be the one to do that prioritization.” (sb)
