AI and the cybersecurity skills gap: A double-edged sword for national security

The cybersecurity industry faces a paradox that threatens national security: Artificial intelligence promises to bridge a critical workforce shortage, but it might simultaneously deepen the very crisis it has the potential to solve.

The cybersecurity skills gap has reached alarming proportions. According to Boston Consulting Group (BCG) research, approximately 2.8 million cybersecurity positions remain unfilled globally, with organizations maintaining only a 72% fill rate for cybersecurity roles. In the United States alone, Business Executives for National Security (BENS) estimates suggest a deficit ranging as high as 522,000 unfilled positions.

Recent research reveals the gap is expanding rather than contracting. The World Economic Forum's Global Cybersecurity Outlook 2025 reports that the cyber skills gap has increased by 8% since 2024, with two out of three organizations reporting moderate-to-critical skills gaps. More troubling still, ISC2's 2024 Cybersecurity Workforce Study found that the global cybersecurity workforce grew by only 0.1% from 2023 to 2024, a dramatic slowdown from the previous year's 8.7% growth.

Every unfilled cybersecurity position represents a potential vulnerability in the nation's digital defense infrastructure. Modern economies rely on interconnected private-sector infrastructure, where an attack on a private energy company can leave millions without power, or a breach at a financial services firm can trigger market instability.

The connection between workforce shortages and security incidents is quantifiable. A projection in the BCG report reveals that if the talent shortage continues unchecked, it could account for more than half of all significant cybersecurity incidents worldwide. According to ISC2, organizations with critical or significant skills gaps are almost twice as likely to experience a material breach compared to organizations with no skills gaps.

National security experts emphasize that no sector is immune. As BENS research highlights, digital attacks have drastically lowered the cost threshold for malicious actors to operate, expanding the attack surface across every single industry, from traditional defense contractors to content delivery networks and social platforms that contribute to national resilience. When adversaries target critical infrastructure, supply chains or industries holding vast amounts of citizen data, the consequences extend far beyond individual organizations to affect economic stability and national interests.

Artificial intelligence offers compelling solutions to the workforce crisis. Organizations are rapidly adopting AI tools to amplify their security teams' capabilities. ISC2 research shows that 82% of cybersecurity professionals agree that AI will improve their job efficiency, with predictions that AI will play a meaningful role in allowing professionals to focus on more complex, high-value and critical tasks.

The efficiency gains are substantial. BCG found that organizations using generative AI effectively could see up to a 30% increase in operational efficiency. The technology also accelerates talent development. For new team members, AI can act as an intelligent apprentice or personalized mentor, guiding them through complex tasks and organizational specifics that once took months or even years to fully comprehend. For experienced professionals, AI synthesizes global threat intelligence in real time and helps veterans apply their expertise across an expanding digital attack surface.

Practical applications already demonstrate value. According to research by Cisco, AI-powered capabilities enable security teams to run at machine speed and correlate data at scale across email, web, process and network domains to detect attacks with greater accuracy. Cisco reports that 75% of cybersecurity professionals say AI can help them by automating repetitive tasks.

Despite its promise, AI introduces complications that may actually exacerbate the skills shortage. The technology creates a paradox where it simultaneously helps manage workload while generating entirely new security domains that require human oversight.

Organizations adopting AI across departments often create additional work for stretched security teams. According to ISC2, 45% of cybersecurity teams have implemented generative AI into their tools. But 64% of organizations have implemented generative AI in other departments, causing more work for cyber professionals. This organizational adoption brings immediate consequences: Over half of organizations have already faced data privacy and security concerns due to organizational adoption of generative AI.

The skills required for cybersecurity work are shifting in unpredictable ways. ISC2 research shows that 59% of hiring managers don't know enough about generative AI to determine which skills professionals will need to succeed in an AI-driven world, while 51% believe generative AI will result in certain cybersecurity skills becoming obsolete. This uncertainty makes workforce planning extraordinarily difficult.

To effectively leverage AI while mitigating risks, organizations must adopt a comprehensive, multi-faceted approach.

Nearly half of organizations lack clear direction. ISC2 reports that approximately 45% of participants say their organizations currently lack a clear generative AI strategy, with this concern most pronounced among directors and non-managerial staff. Organizations must develop well-defined strategies that guide AI integration while addressing associated risks.

Focus hiring and training on capabilities that will remain valuable as AI evolves. According to ISC2, hiring managers increasingly prioritize non-technical skills like problem-solving, teamwork, collaboration, curiosity and communication over technical skills like cloud computing security or risk analysis. These skills provide flexibility as the technological landscape shifts.

Workforce development cannot be treated as a luxury. BCG research recommends that organizations should offer current workforce opportunities for upskilling and continuous learning, including sponsoring certifications and providing internal and external training. BCG found that 60% of organizations view continuous training as essential to maintaining effective cybersecurity teams, with learning initiatives correlating strongly with higher workforce satisfaction.

While IT continues as the most popular pathway into cybersecurity (70%), ISC2 found that more new entrants come from different backgrounds, with 18% previously working in non-IT positions. Organizations should embrace this diversity. BCG emphasizes that attracting new talent to the industry requires targeted, strategic outreach.

While ISC2 reports that almost 90% of professionals say their organization has a generative AI use policy, 65% indicate their organization needs to implement more regulations on the safe use of generative AI. Effective governance requires cybersecurity team involvement from the outset. Currently, only 60% of respondents report that their cybersecurity team is involved with creating regulations and guidelines for generative AI, dropping to just 50% in large organizations.

Organizations should provide clearer career paths and cultivate supportive work environments to engage and retain workers. According to ISC2, economic pressures have resulted in 25% of respondents reporting layoffs in their cybersecurity departments and 37% facing budget cuts, making demonstrated commitment to professional development even more critical.

Deploy AI as an augmentation tool rather than a replacement. According to Cisco research, AI-driven platforms can learn continuously from how analysts interact with the environment and deploy playbooks that automate workflow pieces, recommend response actions based on analysis of disparate information and provide context-based assistance so analysts can see issues through completion regardless of experience level.

Addressing the cybersecurity workforce shortage directly strengthens national defense. Understaffed security operations centers miss warning signs of intrusions, and by the time breaches are discovered, attackers have often established persistent access and exfiltrated sensitive data.

A robust cybersecurity workforce provides multiple layers of protection. Adequate staffing enables timely threat detection, proper implementation of defense architectures, rapid incident response and strategic long-term improvements rather than merely addressing urgent issues. Each of these capabilities reduces the window of opportunity for adversaries and limits the potential damage from successful attacks.

The interconnected nature of modern infrastructure means that strengthening private sector cybersecurity defenses bolsters overall national security. As BENS research demonstrates, a breach at a single supplier can compromise entire industries, with attackers gaining potential access to dozens or hundreds of downstream organizations, including government agencies and defense contractors.

The cybersecurity skills gap represents one of the most significant national security vulnerabilities of the digital age. Artificial intelligence offers powerful tools to address this crisis, amplifying the capabilities of existing teams and accelerating the development of new talent. However, AI simultaneously introduces new attack vectors, expands the scope of security responsibilities and creates uncertainty about future skill requirements.

The path forward requires organizations to embrace AI strategically while maintaining focus on human expertise. For all its analytical power, AI cannot replicate the uniquely human attributes essential for security leadership: the judgment, accountability, strategic thinking and ability to navigate nuanced trade-of