
The Rising Skills Crisis in Cybersecurity
Cybersecurity is at a crossroads. The demand for skilled professionals continues to skyrocket, yet the industry is struggling to keep pace. With attack surfaces expanding, new technologies emerging, and sophisticated threats evolving, security teams are facing an unprecedented talent shortage.
For years, organizations have relied on traditional hiring methods, prioritizing degrees and credentials over hands-on expertise. However, in 2025, this approach is proving insufficient. Companies are shifting toward skill-based hiring, while simultaneously grappling with a lack of qualified candidates in critical areas like AI security, Active Directory protection, and Industrial Control Systems (ICS) defense.
In this deep dive, we’ll explore five key cybersecurity skill gaps defining 2025, why they matter, and what organizations can do to bridge them.
Hiring for Skills Over Degrees
The shift from degree-based hiring to skill-based hiring is no longer a prediction—it's happening now. Organizations have realized that traditional educational pathways don’t necessarily produce the job-ready professionals they need. Instead, practical experience, certifications, and problem-solving abilities are taking center stage.
A report from Intelligent.com found that nearly half (45%) of the 800 U.S. companies surveyed plan to eliminate degree requirements from job listings in favor of skills-based criteria. This trend is echoed by the White House’s National Cyber Director, who has advocated for a more inclusive, skills-first approach to hiring in cybersecurity.
Furthermore, Hack The Box’s Cyber Attack Readiness Report (CARR) 2024 found that over 67% of cybersecurity teams rely on certifications and hands-on labs to assess potential hires. This underscores a major shift: employers care less about where you studied and more about what you can do.
Organizations that continue to prioritize degrees over skills risk missing out on top-tier talent, especially as the cybersecurity landscape demands more hands-on expertise.
Adapting to the New Hiring Landscape
For security leaders, this means rethinking hiring strategies. Conducting skills gap assessments, developing hands-on evaluations for candidates, and focusing on certifications like OSCP and CISSP, alongside HTB’s practical labs, can help teams identify the right talent.
Additionally, job seekers need to embrace continuous learning. Traditional education paths may not be enough—cyber professionals should actively seek out practical training opportunities, contribute to real-world projects, and build portfolios that demonstrate technical expertise.
Blue Team Professionals Need More Resources
While offensive security experts (red teamers) have long been a focus for cybersecurity development, defensive specialists (blue teamers) are facing a crisis. Organizations are finding it increasingly difficult to hire and retain skilled defensive professionals, which is concerning given the rising number of cyber threats.
As of November 2024, a staggering 35,378 vulnerabilities had been published—an increase of 39% compared to the previous year. Despite this, defensive teams often lack the resources, training, and time needed to stay ahead of emerging threats.
Eight out of ten recruiters struggle to find security professionals with strong defensive skills, according to the Center for Strategic & International Studies.
Bridging the Defensive Skills Gap
To address this shortfall, companies must prioritize blue team training and create structured learning opportunities. One proven approach is the purple teaming model, where offensive and defensive teams collaborate to simulate attacks and improve defenses.
Organizations like Easi have already implemented this by assigning compromised machines to red teams and then tasking blue teams with investigating, identifying, and mitigating the attacks. This real-world practice helps defensive professionals stay sharp and up to date on the latest threats.
The Rise of Active Directory Security Specialists
Active Directory (AD) remains a fundamental part of enterprise security, with 90% of Fortune 1000 companies relying on it. Unfortunately, many organizations lack professionals who specialize in AD security, leaving them vulnerable to sophisticated attacks.
In previous years, AD security expertise was considered a high-level skill. However, as attackers increasingly exploit AD vulnerabilities, even junior security professionals are now expected to have foundational knowledge of AD attack vectors and defense strategies.
HTB introduced the Certified Active Directory Pentesting Expert (CAPE) certification in response to the growing demand for AD security expertise.
Building AD Security Expertise
Organizations must prioritize AD security training and certifications to ensure their teams are equipped to handle threats. Investing in dedicated AD security labs, hands-on exercises, and real-world attack simulations can help professionals develop the necessary expertise.
AI-Enabled Attacks Are on the Rise
Artificial intelligence is transforming cybersecurity—both as a defense mechanism and as a tool for attackers. AI-powered applications are increasingly being exploited through vulnerabilities like prompt injection and adversarial machine learning.
According to industry reports, 60% of security professionals fear that AI will be leveraged for advanced cyberattacks. Additionally, 60% of breaches are already linked to issues such as mismanaged permissions, social engineering, and application security weaknesses.
Preparing for AI Threats
Security teams must prioritize AI security education and testing. Resources like OWASP’s Top Ten List for Gen AI & LLMs, HTB’s AI track, and web application security challenges offer a strong foundation for understanding AI vulnerabilities.
Industrial Control System (ICS) Security Is Now Critical
As IT and Operational Technology (OT) security converge, Industrial Control Systems (ICS) are becoming a prime target for cyberattacks. Approximately 38% of attacks against ICS assets originate from IT environments, highlighting the growing risk posed by interconnected systems.
In response to this trend, HTB collaborated with Dragos to develop the Alchemy Lab, a dedicated ICS security training ground. This initiative underscores the increasing demand for ICS cybersecurity expertise.
Training for ICS Security
Professionals interested in ICS security should explore foundational resources such as the Lockheed Martin Cyber Kill Chain, SANS 5 Critical ICS Controls, and specialized training courses offered by industry experts like Justin Searle.
Developing a Culture of Continuous Learning
Cybersecurity is not a static field—it requires constant adaptation and upskilling. Organizations that fail to prioritize professional development risk falling behind in an ever-evolving threat landscape.
Day-to-day responsibilities can often overshadow training efforts, but companies that integrate learning into their workflows will be better positioned for long-term success. Leaders should establish dedicated training schedules, encourage certification programs, and foster an environment where learning is a natural part of the job.
The best cybersecurity teams don’t just react to threats—they stay ahead of them through continuous learning and proactive skill development.
Taking Action
For security professionals, staying ahead means embracing lifelong learning, seeking out real-world practice opportunities, and refining their skills based on industry demands. Meanwhile, organizations must invest in structured training programs and provide access to hands-on learning environments.
The Future of Cybersecurity Careers
The cybersecurity skills gap isn’t just a hiring issue—it's a security risk. As threats become more sophisticated, the industry must adapt by prioritizing skills-based hiring, defensive training, AI security expertise, and ICS protection.
Whether you’re an employer looking to strengthen your security team or a professional seeking to future-proof your career, one thing is clear: continuous development is the key to success in cybersecurity.
The future belongs to those who are ready to learn, adapt, and evolve.