The Cyber Security Skills Gap Is Getting Worse. Here's What Security Leaders Are Doing About It

Conversations with CISOs, CTOs, and Heads of InfoSec across Europe reveal an uncomfortable truth: the security workforce shortage is no longer a future problem.

Author: Andy Mura
Date: 29.4.2026
Updated on: 29.4.2026
The cyber security skills gap is one of the most consistent themes in my conversations with customers and prospects at Kertos. Over the past few months, I have spoken regularly with CISOs, CTOs, and Heads of InfoSec, and barely a conversation has passed without this topic surfacing. Not as an abstract industry concern. As a lived, daily reality.

The stories I hear are not about companies that failed to hire the right people. They are about teams doing extraordinary work under impossible conditions, stretched across too many responsibilities, fighting threats that multiply faster than budgets allow. And in most cases, the leaders telling me these stories are not at large enterprises with deep pockets. They are at mid-sized companies, fast-growing startups, and SMBs trying to meet the same compliance requirements as organizations ten times their size.

One Goalkeeper Facing Twelve Opposing Teams

The cyber security skills gap is, at its core, a structural mismatch between the demand for expertise and the supply of people qualified to provide it. Nowhere is this felt more sharply than in European SMBs.

The most memorable description I received came from a CISO at a German technology company. He compared his team to a goalkeeper in football. Their job is to block every shot, from every angle, every time. In a well-structured team, defenders reduce the pressure and help manage the field. But his team had been operating without enough defenders for years. "Imagine one goalkeeper," he told me, "not just against eleven players. Against multiple teams at once. That is what our week looks like."

According to the ISC2 2024 Cybersecurity Workforce Study, the global cybersecurity workforce gap now stands at approximately 4.8 million professionals, up 19% year-on-year, against a total workforce needed of 10.2 million. Europe is not spared: the continent's cybersecurity workforce actually contracted by 0.7% in 2024, even as demand continued to climb. Perhaps most striking, 64% of respondents in the study said they believe skills gaps carry a more significant negative impact than outright staffing shortages.

What has changed most dramatically in recent years is who this problem affects. Information security and compliance used to be primarily the domain of large regulated entities: banks, healthcare systems, defense contractors. A wave of European regulation has shifted that completely. NIS2, which came into force in October 2024, extended mandatory security obligations to tens of thousands of additional entities across critical sectors. Smaller companies that previously operated without a formal information security program now face binding requirements around risk management, incident reporting, and supply chain security.

The goalkeeper is now expected to compete in a professional league, with an amateur team, and no time to prepare.

Why the Cybersecurity Workforce Shortage Keeps Growing

The security talent gap is driven by forces on both sides of the equation moving in the wrong direction at the same time.

On the demand side, the pressure is regulatory and commercial. NIS2 requirements are forcing organizations to build security functions they never previously needed. ISO 27001 certification is increasingly expected by enterprise customers and procurement teams before contracts can be signed. GDPR enforcement is becoming more assertive. Each of these creates a new class of organizations actively searching for qualified security professionals who simply are not available in sufficient numbers.

On the supply side, the talent pool is not growing fast enough. Cybersecurity requires a combination of technical depth, regulatory literacy, and judgment that takes years to develop. The pipeline from university to job-ready professional is slow by design. And once qualified professionals enter the workforce, they tend to stay where they are: large corporations attract the most experienced candidates with compensation packages, career development structures, and brand recognition that most SMBs cannot match. Low job mobility compounds the problem. When a skilled professional lands at a large enterprise with interesting problems and solid progression, there is very little incentive to move to a smaller organization where they would likely face more stress with fewer resources.

This creates a structural problem with an uneven distribution of consequences. According to Eurostat, SMBs account for over 99% of all businesses in the EU and employ roughly two-thirds of the private sector workforce. They are the backbone of the European economy. But they are also the organizations least equipped to compete for the security talent they now legally need.

Countries like Germany face particularly acute pressure. The BSI's annual state of IT security report consistently identifies the lack of qualified security personnel as one of the top structural vulnerabilities for German companies. And yet, in 2024, for the first time in the ISC2 study's history, respondents cited "lack of budget" rather than "lack of qualified talent" as the top cause of staffing shortages, suggesting that even when companies know what they need, they cannot afford to get there.

What the Skills Gap Looks Like in Day-to-Day Operations

When I ask CISOs how the cybersecurity workforce shortage actually shows up in their work, the answers follow a remarkably consistent pattern. Teams are not just short-staffed. They are overwhelmed in ways that compound over time.

The most immediate effect is on response time. When a critical vulnerability is discovered, a properly staffed team can triage, assess, and begin remediation quickly. When that same team is stretched thin, the same process can take nearly twice as long. In cybersecurity, response time is not an abstract performance metric. It directly determines exposure and potential damage.

Context-switching is the other invisible cost. Security professionals in understaffed teams regularly juggle responsibilities across multiple domains: vulnerability management, compliance evidence collection, access reviews, incident response, and vendor risk assessments, sometimes all in the same week. ENISA's 2024 Report on the State of Cybersecurity in the Union highlights that NIS2 compliance and talent shortages are deepening simultaneously, with investments shifting from people to technology out of necessity. The human cost of this shift is real: constant context-switching between strategic projects and routine operations leads to incomplete strategic plans and operational blind spots.

This is not a people problem. The security leaders I speak with are among the most dedicated professionals I encounter. It is a structural problem, and structural problems require structural solutions.

How CISOs Can Narrow the Gap Without Waiting on Hiring

Hiring alone is not a realistic short-term answer for most organizations. The talent is scarce, the competition is fierce, and onboarding a new hire takes time even after a successful search. The more productive question is: how do you operate more effectively with the team you already have?

The security leaders who are managing this best share a common approach. They identify which tasks require genuine human judgment and which are pure workflow, then apply technology to the workflow tasks and protect their best people's time for the judgment work. As one Head of InfoSec told me: "Every minute a senior security engineer spends manually pulling data from an AWS console is a minute not spent on threat modeling or incident response planning." That is not a complaint. It is a design flaw that can be fixed.

Evidence collection, control mapping, audit preparation, access log reviews: these are time-intensive activities that follow predictable patterns. They can be automated. Compliance automation platforms like Kertos continuously collect evidence across integrated systems, map controls to relevant frameworks, and flag gaps before they become audit findings. A task that previously required days of manual coordination happens continuously, in the background, without pulling a security engineer away from higher-value work. The productivity gain for a small team is significant, and the compliance posture is actually stronger because monitoring never stops.

Beyond automation, several CISOs I have spoken with are deliberately growing security awareness internally, partnering with DevOps and IT teams to build interest in security topics and providing structured training. Security champions programs and clear development paths convert team members from adjacent disciplines into capable contributors over time. It requires patience, but it builds something more durable than a single external hire. University partnerships and internship programs are the longer-term play, giving students hands-on exposure to real security work while creating a genuine talent pipeline over a two-to-three year horizon.

The table below compares the most common approaches organizations are using to address the security talent gap, along with their practical trade-offs:

| Approach | Time to Impact | Cost | Control Retained | Scalability |
| --- | --- | --- | --- | --- |
| External hiring | 6–12 months | High | Full | Low |
| Managed security services (MSSP) | 1–3 months | High | Partial | Medium |
| Compliance automation platform | Days to weeks | Low to medium | Full | High |
| Internal training and upskilling | 12–24 months | Medium | Full | Medium |
| University partnerships and internships | 18–36 months | Low | Full | Low to medium |

The Biggest Mistake: Outsourcing Instead of Automating

There is one pattern I observe repeatedly, and it concerns me most in the DACH market specifically. When organizations recognize they have a cybersecurity workforce shortage, the instinctive response is to fill the gap with people. And when they cannot hire fast enough, many turn to managed service providers or external consultancies to compensate.

Outsourcing feels safe. It puts qualified professionals nominally in the loop. It distributes perceived responsibility. But in practice, it often creates more problems than it resolves. External partners require briefing. They need context about your infrastructure, your risk priorities, and your specific regulatory situation, and that briefing takes time from your internal team, the very team that is already stretched. Communication gaps between internal stakeholders and external partners introduce latency into processes where speed matters most. When something goes wrong, accountability becomes murky. And the total cost, both financially and in management overhead, consistently exceeds what organizations initially anticipate.

The deeper issue is visibility. When core security processes live outside your organization, you often do not know what you do not know. And responsibility for data protection and incident response cannot be fully delegated: your organization remains liable under NIS2 obligations, regardless of which external partner was nominally in charge.

This is not an argument against all external support. Specialized expertise for bounded engagements (penetration testing, red teaming, specific audits) can absolutely make sense. But using outsourcing as the default structural response to a staffing problem is expensive, creates control gaps, and rarely closes the cyber security skills gap in any meaningful way.

The better answer is to reduce the operational burden on your team through automation, freeing your people to focus on work that genuinely requires their expertise. Kertos handles continuous evidence collection, control monitoring, and compliance reporting across multiple frameworks simultaneously. That is not a replacement for a security team. It is what makes a lean security team effective. Good leaders can distinguish topics that truly require human judgment from activities that are purely workflow-driven and are better served by automation than by a third-party inbox.

The companies navigating the cyber security skills gap best are not the ones with the largest security departments. They are the ones that have made the clearest decisions about where human expertise is irreplaceable and where a well-configured platform should carry the load.

Frequently Asked Questions About the Cyber Security Skills Gap

How large is the cybersecurity workforce shortage in Europe?
The ISC2 2024 Cybersecurity Workforce Study estimates a global shortage of approximately 4.8 million professionals, with Europe's cybersecurity workforce actually contracting by 0.7% in 2024. The study found that 64% of security professionals believe skills gaps carry a more significant negative impact than outright staffing shortages, and the trend is worsening year over year.

How does NIS2 worsen the security skills gap for SMBs?
NIS2 extended mandatory security requirements to a significantly broader range of organizations across Europe, many of which had no formal information security function previously. This dramatically increases demand for qualified security professionals in precisely the organizations least equipped to compete for them.

What is the most effective way to address the gap without hiring?
The most effective approach is to automate routine, process-driven security activities so that existing team members can focus their time on high-judgment work. This includes compliance automation tools that handle evidence collection, control mapping, and audit preparation continuously, allowing small teams to maintain a compliance posture that would otherwise require significantly more headcount.

What is Kertos and how does it address the security talent gap?
Kertos is a European compliance automation platform that helps information security teams maintain continuous compliance across frameworks like ISO 27001, NIS2, GDPR, SOC 2, and TISAX. By automating the manual work that typically consumes a disproportionate share of security team time, Kertos allows lean teams to operate at a level that would otherwise demand far greater staffing. If you want to see how it works in practice, book a demo.

The cyber security skills gap is not going to close on its own in the near term. The structural forces driving it (regulatory expansion, talent scarcity, enterprise retention) are not reversing quickly. But organizations are not helpless. The security leaders I admire most are the ones who stopped waiting for the hiring market to improve and started redesigning how their teams work. They invest in automation, grow talent from within, protect their best people's time for genuinely complex problems, and treat compliance as an ongoing discipline rather than a periodic fire drill. That is not a workaround. That is strategy.

Dr. Kilian Schmidt

CEO & Co-Founder, Kertos GmbH

Dr. Kilian Schmidt developed a strong interest in legal processes early on. After studying law, he began his career as Senior Legal Counsel and Data Protection Officer at the Home24 Group. After working at Freshfields Bruckhaus Deringer, he moved to TIER Mobility, where, as General Counsel, he was significantly involved in expanding the legal and public policy department, and grew the company from one to 65 cities and from 50 to 800 employees. Motivated by limited technological advances in the legal sector and inspired by his consulting work at Gorillas Technologies, he co-founded Kertos to develop the next generation of European data protection technology.

About Kertos

Kertos is the modern backbone of the data protection and compliance activities of scaling companies. We enable our customers to implement integrated data protection and information security processes in accordance with GDPR, ISO 27001, TISAX®, SOC2 and many other standards quickly and cheaply through automation.
