Why the cybersecurity skills gap is partly self-inflicted

The cybersecurity skills gap is usually framed as a hiring problem. Organizations respond by expanding recruitment pipelines, investing in certifications, and launching internal training programs. The logic seems simple: if security teams are understaffed, the solution is to add more talent.

There is some truth to that. Skilled cybersecurity professionals are indeed scarce globally. The ISC2’s 2025 Cybersecurity Workforce Study found that 59% of organizations report critical or significant skills shortages, with many struggling to find the talent they need.

Yet this diagnosis misses a harder truth. What if the shortage we talk about so often is partly a consequence of the systems we design?

Enterprise security stacks have grown dramatically more complex over the past decade. The average enterprise now operates 83 security tools from 29 different vendors, with 52% of executives citing complexity as their biggest operational challenge.

When talent is already scarce, environments that require deep ...