👤 AUDITWOLF
🗓️ 01 Dec 2025   🌍 Europe

The Cybersecurity Mirage: Why Chasing Unicorns Won’t Close the Skills Gap

Forget the talent shortage myth - true cybersecurity resilience depends on building skills from within, not just hiring more people.

Fast Facts

  • Over half of European companies report having zero dedicated cybersecurity specialists.
  • 76% of Italian firms provided no cybersecurity training in the past year.
  • 52% of organizations say the main issue is a lack of the right skills, not just staff numbers.
  • HR and cybersecurity teams often disagree on who should decide hires, leading to mismatched job descriptions.
  • Professional certifications and internal training are now seen as more valuable than external recruitment alone.

Scene: The Empty Cybersecurity Chair

Picture a boardroom where the seat marked “Cybersecurity Expert” sits empty - not because no one applied, but because the role asks for a mythical unicorn: a person with every possible skill, at every possible level. This is the reality facing businesses across Europe. They aren’t just missing people - they’re missing the right skills, and their own hiring processes may be to blame.

Beyond the Numbers: The Real Gap

For years, headlines have warned of a “cybersecurity talent shortage” numbering in the hundreds of thousands. But a closer look - like the 2025 SANS/GIAC Cybersecurity Workforce Report - reveals a more nuanced truth. The problem isn’t simply a lack of people; it’s a mismatch between the skills companies need and those candidates offer. Nearly half of surveyed organizations say they don’t have the right people, while the rest lament not having enough staff at all. Yet, in a majority of European companies, cybersecurity training is nearly nonexistent, and job descriptions are so broad or unrealistic that few dare apply.

Why Hiring Unicorns Fails

Many organizations still post job ads seeking “unicorns” - candidates who can do it all: cloud security, AI, compliance, incident response, and more. This approach ignores the reality that cybersecurity is a vast, rapidly evolving field. When HR and cybersecurity leaders don’t speak the same language or use frameworks like ENISA’s ECSF, they create roles that no one person could realistically fill. The result? Positions remain vacant, and the company stays vulnerable.

Building Skills, Not Just Filling Seats

Forward-thinking companies are flipping the script. Instead of scouring the market for elusive experts, they’re investing in internal training and upskilling. Certifications, once seen as mere checkboxes for compliance, now serve as roadmaps for developing real expertise - especially in emerging areas like cloud and AI security. According to the SANS/GIAC report, over half of organizations now prioritize training their existing staff, creating a pipeline of talent that evolves along with the threat landscape.

Culture, Clarity, and Retention

Recruiting is only part of the solution. Retaining talent depends on more than salary; factors like clear career paths, supportive culture, and ongoing learning matter even more. Long, complicated hiring processes and vague job offers drive skilled candidates to faster-moving competitors. The lesson? Organizations must define roles precisely, collaborate across departments, and offer real growth opportunities to keep their cybersecurity teams engaged and effective.

The cybersecurity skills gap isn’t a bottomless pit, but a bridge that can be built - if companies stop chasing unicorns and start developing the talent they already have. The future belongs to those who invest in people, not just headcount.

WIKICROOK

  • Cybersecurity Skills Gap: The cybersecurity skills gap is the mismatch between the security expertise organizations need and the skills available in the workforce, creating hiring challenges.
  • Upskilling: Upskilling means teaching employees new or advanced skills so they can handle more complex roles and adapt to changing workplace demands.
  • Certification: Certification is an official credential proving someone has the required skills and knowledge for a specific technical job or profession.
  • ENISA ECSF: ENISA ECSF is a framework from the EU agency ENISA that standardizes cybersecurity roles and skills, aiding job descriptions and workforce development.
  • Incident Response: Incident response is the structured process organizations use to detect, contain, and recover from cyberattacks or security breaches, minimizing damage and downtime.

AUDITWOLF
Cyber Audit Commander