RESEARCH REPORT
Transform cyber talent models to build resilience from within
10-MINUTE READ
June 2, 2026
Cybersecurity has evolved from a specialist IT function to a core driver of enterprise resilience. But the workforce model supporting it hasn't kept up. Nearly half of all cybersecurity roles globally remain unfilled, and the issue isn't just the number of available professionals. It's whether they have the right mix of technical depth and business acumen to operate at the enterprise level.
Accenture's analysis of more than 550,000 cybersecurity job postings and professional profiles reveals a structural mismatch between what modern cybersecurity demands and what labor markets can supply.
We’ve identified two distinct cybersecurity talent profiles that define this gap:
| | Conductors | Operators |
|---|---|---|
| Definition | Combines technical depth with business acumen, strategic leadership and soft skills | Primarily executes technical security tasks and controls |
| Enterprise role | Translates risk into decisions; embeds security into transformation; executes cross-functional collaboration | Implements controls, monitors threats, operates systems |
Organizations today need more Conductors, but the labor market continues to produce more Operators. The result is a workforce optimized to operate tools, but not to guide enterprise resilience. Hiring more Operators will not close this gap.
Cybersecurity roles have evolved, and demand has expanded across three key dimensions: Deep technical cybersecurity expertise, strategic leadership and soft skills to operate at the enterprise level, and specialized technology skills—especially tied to emerging tech like AI.
Labor market data shows that the workforce profile does not mirror this demand pattern. For the role of Cybersecurity Engineer, for example, worker profiles show lower concentrations of deep technical cybersecurity expertise and leadership capabilities than job postings require.
AI-related cybersecurity skills add to the challenge ahead. Demand for these skills has more than doubled (2.5x) since 2020, yet workforce capability is not growing at the same pace. As AI scales, organizations will need to proactively build these skills internally.
There’s also a visibility issue: Cybersecurity represents just 3.5% of all IT job postings and gets limited branding, promotion or public narrative. Competition is steep for a small share of talent.
Hiring isn’t the answer when organizations still struggle to develop and retain talent. High operational pressure, underdeveloped career mobility and limited learning paths push many cyber professionals out before expertise can mature.
1.8 is the average tenure for today’s cybersecurity professionals, down from 3.3 years (2005–2015).
< 30% of organizations fund structured upskilling programs. [1]
49% of organizations believe talent shortages significantly impact their cybersecurity function. [2]
Higher education systems have also struggled to keep up with evolving skills demand. Our review of 100 university cybersecurity programs across 24 countries shows persistent gaps in areas such as cyber law, risk management, enterprise architecture and executive communication—capabilities now central to employer demand.
Today’s threat actors evolve in weeks. Competency requirements are growing faster than talent pipelines can adapt. Meanwhile, the cybersecurity function is becoming more accountable for the cyber-savvy of the entire workforce, yet human risk remains organizationally undermanaged. Regulatory accountability is shifting to individual cyber leaders, raising the bar for legal fluency, and the stakes for stepping into such roles.
87% of leaders cite AI-related vulnerabilities as the fastest-growing cyber risk. [3]
94% of leaders expect AI to be the most significant driver of change in cybersecurity in the year ahead. [4]
Only 18% of organizations deliver role-specific cyber awareness programs. [5]
For years, organizations have responded to rising threats by adding tools, controls and specialists. They assume the labor market can supply missing skills. This model does not work, and post-incident response patterns show why.
When a cyber incident strikes, organizations’ responses are predictable: Restructuring teams, expanding budgets, appointing new leaders and investing in new tools can stabilize the organization in the short term. But very few organizations fundamentally redesign how cybersecurity talent is recruited, onboarded, developed, deployed and embedded across the business.
Without redesigning roles, skills and operating models, post-incident responses optimize technology instead of people, leaving tomorrow's talent gaps to keep widening.
Closing the gap requires a structural reset in how capability is built, how work is organized and how human expertise is scaled. Three moves, taken together, enable organizations to build sustainable cyber capability despite persistent market shortages.
The kind of hybrid professionals organizations need aren't emerging fast enough from external markets. Leaders must develop Conductor-level talent from within, and build a culture that lets expertise deepen rather than churn.
Cybersecurity has become a horizontal enterprise capability, yet its job architecture remains a narrow vertical ladder. When professionals hit their ceiling, they leave, taking their experience with them. Conductor-level capabilities must be developed through role design, career progression and enterprise exposure.
Even a redesigned workforce cannot match the volume and speed of modern threats alone. The goal is intelligent augmentation: scaling human judgment, not replacing it.
Organizations that activate each of these moves stop competing for scarce cyber talent and start building it. The result is a cybersecurity function that defends the enterprise today and grows stronger through every disruption ahead.
1. ISACA, State of Cybersecurity 2025, September 29, 2025.
2. Accenture, State of Cyber Resilience 2025, June 25, 2025.
3. World Economic Forum, Global Cybersecurity Outlook 2026, January 12, 2026.
4. Ibid.
5. Accenture, State of Cyber Resilience 2025, June 25, 2025.