The cybersecurity workforce crisis facing critical infrastructure and manufacturing has shifted from a staffing shortage to a capability deficit, according to the 2026 SANS Institute and GIAC Cybersecurity Workforce Research Report released at RSAC 2026. The report, based on responses from 947 global practitioners, leaders, and HR professionals, found that 60% of organizations say their teams lack the skills needed to defend against current threats, while 27% report security breaches directly linked to workforce capability gaps. For the first time in the report's three-year history, skills gaps decisively overtook headcount shortages as the industry's primary workforce challenge.
Background
The findings arrive as operational technology environments face intensifying threat activity. IBM X-Force data shows that OT-affecting breaches cost an average of $4.56 million per incident, while the Dragos-Marsh McLennan 2025 OT Security Financial Risk Report estimated worst-case global OT cyber risk exposure at $329.5 billion annually. Manufacturing remains the most targeted industry for cyberattacks for the fourth consecutive year, according to IBM's 2025 X-Force Threat Intelligence Index. The convergence of IT and OT networks-combined with aging ICS and SCADA infrastructure-has expanded the attack surface, making specialized defensive skills more critical than ever.
The SANS 2026 report marks a sharp acceleration from its 2025 predecessor. Last year, 52% of cybersecurity leaders identified skills deficits, not headcount, as the core issue-but the margin between the two concerns was just four percentage points. That gap has now widened considerably.
Details
The hardest roles to fill sit at the top of the experience ladder. According to the report, 27% of organizations identified expert roles as the most difficult to fill, followed by senior roles at 22% and mid-level positions at 23%-collectively representing 72% of recruitment difficulty. Only 4% of organizations reported difficulty hiring entry-level staff. Time-to-hire data underscores the problem: 55% of senior roles take six months or longer to fill, while 38% of expert positions remain open for over a year. For industrial operators managing complex OT environments, these extended vacancies translate directly into prolonged risk exposure.
Rob T. Lee, SANS chief AI officer and chief of research, stated that the industry must "stop counting open positions and start investing in the skills of the people it already has." AI is compounding the challenge. The report found that AI is automating entry-level tasks that historically served as the training pipeline for the next generation of cybersecurity professionals. Only 20% of organizations provide AI security training to all staff, while 18% restrict it to cybersecurity teams alone.
Regulatory pressure is accelerating workforce restructuring. The proportion of organizations reporting regulatory impact on hiring surged from 40% in 2025 to 95% in 2026-the fastest acceleration of any metric in the report's history. NIS2 leads at 30% of organizations reporting hiring impact, followed by the Cybersecurity Maturity Model Certification (CMMC) at 29%, DORA at 26%, DoD 8140 at 24%, and SEC regulations at 21%. Demand for new specialist roles nearly doubled year over year, jumping from 23% to 53%.
The report's nine strategic recommendations include building AI governance programs, creating structured mentorship and on-the-job rotation programs for entry-level talent, adopting workforce frameworks such as NICE and ECSF to standardize role definitions, and developing career paths-an area where only 24% of organizations currently report clearly defined cybersecurity career progression.
Outlook
Framework adoption is already accelerating, with 56% of organizations now using NICE or ECSF workforce frameworks to define cybersecurity roles, up from 46% in 2025. About 64% of organizations rely on certifications as their primary skills validation method. Whether these measures can close capability gaps fast enough to keep pace with regulatory enforcement timelines and evolving OT threat activity remains an open question for manufacturing and utility operators heading into the second half of 2026.
