Until recently, the IT security debate centred on the number of vacancies, treating the shortage of manpower as a major brake on growth. However, the SANS and GIAC Workforce Research 2026 report sheds a whole new light on this diagnosis. It turns out that it is not empty chairs that account for the fragility of systems, but gaps, invisible to the naked eye, in the competencies of the people who already sit in those chairs. 60% of organisations have complete teams that, despite being fully staffed, remain vulnerable to modern threats.
The dawn of regulatory engineering
The traditional division between legal departments looking after the letter of the law and technical departments looking after the bits and bytes no longer exists. The exponential increase in the importance of regulatory compliance – from 40 to 95 per cent in just one year – has forced the birth of a new caste of specialists. Directives such as NIS2 or DORA have ceased to be regarded as an onerous bureaucratic obligation, becoming the foundation of job role design. Today’s job market is no longer simply looking for a systems administrator; it covets a regulatory engineer who can translate a rigorous regulatory framework into a cloud architecture.
In March 2026, there were more than two and a half thousand active advertisements for AI and ML security engineers. This phenomenon shows that the market no longer believes in the versatility of former experts. Almost one in three companies has created dedicated positions for people operating at the intersection of artificial intelligence and data protection. This specialisation is not an aesthetic choice, but a necessity: 27 per cent of successful attacks occur precisely where new technologies meet a lack of knowledge of how to secure them.
Foundation erosion and cognitive paralysis
Automation, which was supposed to be a saviour for overloaded teams, has introduced an unexpected disruption to the HR ecosystem. Artificial intelligence has taken over entry-level tasks that for decades served as a natural testing ground for junior SOC analysts. By cutting out these career tiers, organisations have inadvertently dismantled the early training system for future experts. A generational gap is being created that cannot be bridged by ad hoc hiring, as the market lacks ready candidates to meet the exacting requirements of 2026.
At the same time, the most senior staff face a phenomenon known as ‘AI Fry’. This is a specific type of burnout resulting from constant context-switching between numerous AI-supported tools. Although these tools reduce manual analysis time, they paradoxically increase stress levels in 61 per cent of employees. The overabundance of data and the need to constantly verify the suggestions generated by the algorithms make even the most experienced professionals work at the limit of their cognitive capacity.
New currency: Proof instead of a promise
Competency verification has undergone the most radical transformation in the history of the IT sector. An academic degree, once the gold standard for recruitment, is now a priority for only 17 per cent of employers. In a world where technology becomes obsolete in quarterly cycles, a theoretical university foundation has given way to certifications and practical evidence of proficiency. For 64 per cent of leaders, it is the certificate that is the hard currency verifiable during an audit.
This shift towards pragmatism forces organisations to use structured competency frameworks such as NICE or ECSF. They make it possible to precisely map the gaps in the team, turning the intuitive search for a ‘good IT professional’ into a mathematical operation of filling in the missing links in the security chain. Investing in the development of existing staff ceases to be seen as a benefit and becomes a key element of operational risk management.
Education as a hard infrastructure component
A common management mistake is to treat learning time as a resource that can be sacrificed in the name of day-to-day operations. However, the data is unambiguous: 60 per cent of companies admit that it is sheer workload that prevents necessary training, which leads directly to project delays and weakened incident response. Teams trapped in reactive mode lose their ability to adapt, which, in the context of severe penalties for non-compliance with NIS2, becomes a real financial threat to the entire corporation.
