Registration for Nomios Next is now live! Sign up for the cybersecurity event of 2026. More info

Contact us
Placeholder for Aerial view ship portAerial view ship port
Talent shortage & continuity

The cybersecurity talent shortage is structural. The risk it creates is real.

There are not enough skilled security professionals to go around — and that gap is widening. For organisations that depend on in-house teams to manage their security posture, this is not an HR problem. It is a continuity risk.

The global cybersecurity workforce gap now exceeds four million unfilled positions, according to ISC2's annual workforce study. In Europe, the picture is particularly acute — demand for security professionals is growing faster than educational pipelines and career transitions can fill it. Organisations across every sector are competing for a finite pool of people with the right combination of technical depth, operational experience, and current knowledge.

Most security leaders are aware of this in the abstract. Fewer have fully reckoned with what it means for the resilience of their own security operations — not just today, but over the next three to five years.

The problem goes deeper than recruitment

The visible symptom of the talent shortage is the difficulty of hiring. Roles go unfilled for months. Salary expectations have risen sharply. Candidates with real operational experience — the kind that comes from years of incident response, threat hunting, or SOC work — command premiums that many organisations cannot match.

But the less visible problem is retention and continuity. Security teams that do manage to build capability are not immune to attrition. Burnout rates in security operations are high — the combination of alert fatigue, shift work, and the constant pressure of defending against an asymmetric threat takes a measurable toll. Senior analysts move on. Institutional knowledge walks out the door. Teams that took years to build can be destabilised by the departure of two or three key people.

For organisations with small security teams — which is the majority — a single departure can create a meaningful gap in coverage. A team of four loses a quarter of its capacity when one person leaves. If that person held specialist knowledge of a critical system or managed a key vendor relationship, the impact is disproportionate to the headcount change.

"Most organisations have a business continuity plan for their IT systems. Very few have a meaningful continuity plan for their security capability. Those two things need to be treated with the same seriousness."

The knowledge concentration risk

Related to retention is a risk that is rarely named explicitly: knowledge concentration. In many organisations, critical security knowledge — how the SIEM is tuned, which rules matter, how to handle a particular class of incident, what the legacy environment's quirks are — resides in the heads of one or two individuals. That knowledge is not documented. It is not transferable on short notice. And when those individuals leave, it leaves with them.

This is a governance risk as much as an operational one. Boards and senior leadership that are serious about cyber resilience need to ask not just "do we have a security team?" but "how dependent are we on specific individuals, and what happens if they are unavailable?" The answer is often uncomfortable.

What continuity actually requires

Addressing talent-related continuity risk requires thinking across several dimensions simultaneously.

Strategic leadership continuity

The CISO or head of security is often the single point of failure for security strategy and board-level communication. When that role is vacant — through departure, illness, or extended leave — organisations frequently find themselves without anyone who can credibly represent security risk to leadership or make strategic decisions under pressure.

A virtual CISO (vCISO) arrangement provides a structured solution to this. Rather than depending entirely on a single individual, the organisation has access to senior security leadership that can provide continuity through transitions, cover gaps, and bring external perspective to strategic decisions. For organisations that have never had a dedicated CISO, it also provides that capability without the cost and commitment of a full-time executive hire.

Operational coverage

Day-to-day security operations — monitoring, detection, response — are particularly vulnerable to staffing gaps. A SOC that runs on a small in-house team has limited redundancy. Illness, holiday, and turnover create coverage gaps that are difficult to manage without either overstaffing or accepting periods of reduced vigilance.

Managed security services address this by distributing operational responsibility across a larger team with built-in redundancy. The analysts monitoring your environment are not a single person who might be unavailable on a given night — they are part of a structured operation with depth, shift coverage, and escalation paths. For many organisations, this represents a material improvement in operational resilience that would be difficult to replicate in-house at equivalent cost.

Specialist depth on demand

Beyond day-to-day operations, many security programmes require specialist expertise that is impractical to maintain in-house full-time. Penetration testing, PKI architecture, incident response forensics, compliance advisory — these are areas where the required depth of knowledge is significant, the demand is periodic rather than constant, and the cost of employing a full-time specialist is hard to justify.

Access to specialist professional services on a project basis effectively extends the capability of in-house teams without the overhead of permanent headcount. It also means the organisation is not dependent on a single individual for a critical specialisation — the knowledge is held by a team, not a person.

An honest conversation

The talent shortage is not going to resolve itself on a timescale that helps most organisations plan around it. The pipeline of new security professionals is growing, but not fast enough to close a four-million-person gap in any near-term horizon. Organisations that are waiting for the hiring market to improve are likely to be waiting for a long time.

The more productive question is how to build a security programme that is resilient despite the talent constraints — one that does not depend on always being able to hire the right people at the right time, and that can absorb the inevitable disruption of turnover without losing operational effectiveness. That is a question worth asking now, before a departure or a gap in coverage makes it urgent.

Get in touch

How resilient is your security capability to talent disruption?

We help organisations build security programmes that do not depend on always having the perfect team in place. Let's talk about what that looks like for you.


Placeholder for Portrait of ethnic male smiling dotted shirtPortrait of ethnic male smiling dotted shirt
Updates

Latest news and blog posts

Placeholder for Quantum Safe NetworkingQuantum Safe Networking
Nokia

Quantum Security Network security

Why quantum-safe networking needs to be on your 2026 agenda

Find out why quantum-safe networking should be on every IT leader's 2026 agenda and what practical steps to take now on encryption, key governance, and post-quantum cryptography readiness.

Vincent de Knegt
Placeholder for Vincent de KnegtVincent de Knegt

Vincent de Knegt

4 min. read
Placeholder for Accelerate25 blog heroAccelerate25 blog hero
Fortinet

SASE

FortiOS 8.0: Secure Networking in the AI Era

At Fortinet Accelerate 2026 in Las Vegas, Fortinet introduced FortiOS 8.0, the latest release of the operating system powering the Fortinet Security Fabric.

Michel Adelaar
Placeholder for Michel AdelaarMichel Adelaar

Michel Adelaar

2 min. read
Placeholder for HPE Juniper SRX400HPE Juniper SRX400
HPE

NGFW

Security from Core to Edge: HPE Juniper Networks Introduces the SRX400 Series

One of the most concrete announcements is the HPE Juniper Networking SRX400 series: a compact next-generation firewall that brings carrier-grade security to the edge of the network.

Richard Landman
Placeholder for Richard landman 1024x1024Richard landman 1024x1024

Richard Landman

3 min. read
 See all updates