ISC2 Report Shows AI Excitement, Risk Worry, and Burnout

ISC2, a leading nonprofit member organization for cybersecurity professionals, today released findings from its 2025 Cybersecurity Workforce Study, which surveyed over 16,000 cybersecurity professionals. The report details how skills gaps and burnout are affecting professionals’ ability to respond to threats, and how AI might help address some of those challenges.

We spoke with ISC2 COO, Casey Marks, about the results and what they signal for 2026 trends.

Annual research shows ongoing AI adoption and education are necessary to address threats

2024’s report showed the results of a surge in layoffs, budget cuts, and hiring and promotion freezes. However, the 2025 data revealed that economic conditions affecting cybersecurity teams showed signs of levelling off, with reports of budget cuts (36%) and layoffs (24%) decreasing by one percentage point.

That slight decrease, however, isn’t a sign that security teams have fewer concerns or priority areas in 2026. It also hasn’t alleviated the ongoing changes that emerging AI technologies and AI-enabled threats are causing in the market.

Why Marks wants to see practitioners embrace the AI opportunity

Marks highlights the data throughout the report as a sign that more security practitioners will need to not only understand AI but also identify ways to leverage the technology in their own workflows.

“New technology isn’t just a threat, it’s also an opportunity, and I want to see security practitioners embrace that,” said Marks. He encourages practitioners to invest in education and awareness around AI to build skills necessary for security moving forward.

Data from the report shows respondents see AI driving new requirements for their teams:

• 73% believe AI will create more specialized cybersecurity skills
• 72% say AI will create the need for more strategic cybersecurity mindsets 
• 66% say AI will require broader skillsets across the workforce 

This year,  41% of respondents cited AI as a top skill needed, followed by cloud security (36%). Nearly half (48%) of respondents are already working to gain more generalized AI  

knowledge and skills, while others are educating themselves on AI solutions at risk to better understand vulnerabilities and exploits (35%). 

“Given an unknown wall of insurmountable threats, there is a whole lot of opportunity for people to jump into this world and be a differentiator for their teams by understanding AI,” Marks said.

Marks added that he sees an opportunity to equalize the adoption rate amongst security practitioners and threat actors, who he says often find ways to leverage emerging technologies to harm faster than the industry does to protect.

Burnout and skills gaps: the challenges facing security professionals in 2025 will continue

Even with AI-enabled efficiency, security teams still face challenges with resourcing and addressing the vast amount of work to be done. 

According to the report,

• 33% of respondents stated that their organizations do not have the resources to adequately staff their teams. 
• 29% said they cannot afford to hire staff with the skills they need to adequately secure their organizations. 
• 72% of respondents agree that reducing security personnel  significantly increases the risk of a breach in their organizations

Security professionals have also identified areas of improvement in overwhelming numbers.

95% of respondents reported having at least one skill need (a 5% increase from 2024), and 59% cited critical or significant skill needs (a 15% increase from 2024). 

The shift in mindset: why skill differentiation might matter more than number of employees now

Marks sees that skill gap data as some of the most important in the whole report. He thinks the industry is now experiencing a mindset shift of sorts, in which teams will need differentiated expertise and a variety of skill sets, rather than simply a certain number of people on staff.

The skills gap is also directly impacting how secure organizations collectively feel entering the new year.

Nearly nine in 10 respondents (88%) have experienced at least one significant cybersecurity incident in their organizations because of a skills shortage, and 69% have experienced more than one.

“A shift is happening. This year’s data makes it clear that the most pressing concern for cybersecurity teams isn’t headcount but skills,” said ISC2’s acting CEO and CFO Debra Taylor, CC, in a statement. “Skills deficits raise cybersecurity risk levels and challenge business resilience. At the same time, we are seeing emerging technologies like AI are perceived as less of a threat to the workforce than anticipated. Instead, many cybersecurity professionals view AI as an opportunity for career advancement. They are using AI tools to automate tasks, and they are investing their time to learn more and demonstrate their expertise in using and securing AI systems.”

How security practitioners and organizations can build agile teams in 2026

Marks says he hopes the research highlights the opportunities ahead for security professionals to continue to bring value and expertise to their organizations. He emphasizes the importance of shifting to a skills-diverse team structure and notes that more security professionals are entering the industry with unique educational backgrounds than ever before.

He hopes to see practitioners commit to ongoing education and build diverse teams that bring a generalist perspective to the overall task at hand: defending against a sea of threats and potential risks.

“I think the bigger challenge now is that education is not static,” Marks said. “Continuous education is important, and I think it will be critical moving forward for everyone to understand what’s happening.”