The Cybersecurity Skills Gap Is Real. But We're Measuring the Wrong Thing.
Companies keep buying courses and certifications. Breaches keep happening anyway. The problem is not a shortage of trained people. It is a shortage of people who have actually practised under fire.

Key points
- The World Economic Forum's 2025 Global Cybersecurity Outlook report named skills shortages and budget constraints as the top barriers to cyber resilience.
- IBM data collected from 600 organisations between March 2024 and February 2025 found that 13% reported a breach of an AI model or application.
- In that same IBM survey, 63% of breached organisations had no AI governance policy in place, or were still drafting one when the breach happened.
- Only 49% of organisations planned to increase security spending in 2025, down from 63% the year before.
- Some organisations using hands-on simulation platforms report saving more than $400,000 in training costs, according to figures cited by CSO Online.
The cybersecurity industry has spent years talking about a "skills gap," the idea that there are not enough trained security professionals to go around. The argument makes less sense once you notice that many security graduates cannot find work. The positions go unfilled not because the people do not exist, but because employers cannot tell who is actually ready.
Call it a validation gap instead.
Why do breaches keep happening if we keep training people?
Because most training does not resemble real work. A certification exam tests memory. A live breach tests judgment under pressure, in your specific environment, with your specific tools misbehaving in ways no textbook anticipated. Those are different skills.
AI makes this harder. Criminals now use AI tools to write more convincing phishing emails (fake messages designed to trick staff into handing over passwords), find weaknesses in software faster, and automate attacks that previously required a skilled human operator. Nobody was building defences against those techniques five years ago. The certifications sold today were written before the threat existed.
IBM's survey data makes the governance problem concrete. Thirteen percent of the 600 organisations polled had already suffered a breach of an AI model or application. Eight percent did not know whether they had been breached at all. Those are not training failures in the traditional sense. They are readiness failures.
Spending more on courses does not fix that. Neither does buying more security software. More tools produce more alerts. More alerts exhaust the analysts reading them. Exhausted analysts miss things. The breach happens anyway.
The approach gaining ground is the cyber range: a simulated version of a company's real systems where security staff can practise responding to attacks without touching live data. Think of it as a flight simulator for incident response. Pilots do not learn to handle engine failures by reading about engine failures. They practise in a simulator until the response is instinctive.
A well-built range replicates the actual software stack the organisation runs, runs realistic attack scenarios against it, and then produces a detailed report on what the team did well and where they froze. That report is also useful when a security manager needs to argue for budget: concrete evidence of a gap is more persuasive than a vendor's brochure.
For ordinary employees outside the security team, the lesson is familiar. Phishing simulations, where staff receive fake scam emails as a test, work precisely because they create a low-stakes version of the real thing. Muscle memory built in practice carries over to the real event.
Security teams need the same thing, just at a much higher level of complexity. Annual training days do not provide it. Continuous, realistic practice does.



