Nearly 50% of European organisations report that regulatory directives now directly influence their cyber security hiring practices, pushing the region ahead of the global pace in addressing the cyber security talent challenge, according to research from the SANS Institute.
The 2025 cybersecurity workforce research report, released at the RSA Conference, marks a watershed moment for the industry: for the first time, more organisations worldwide (52%) cite “not having the right staff” as their primary concern rather than “not having enough staff” (48%).
“My personal perspective is that we don't actually have a talent shortage in cyber security,” said Helen Patton, cyber security leader at Cisco.
“The real issue lies in understanding the skill sets needed for the kinds of roles you have and finding the people who have those skill sets.”
This paradigm shift is particularly pronounced in Europe, where regulatory frameworks like NIS II and DORA are accelerating the adoption of competency-based workforce strategies.
“In Europe, there's more directives, more regulations,” said Brian Correia, director of business development at Global Information Assurance Certification (GIAC), the certification arm of SANS.
“Europe has always been the lead on that – think of GDPR [the General Data Protection Regulation] as a perfect example that became the standard for the whole world.”
Wider talent pool
A key finding from the research is that organisations can significantly expand their recruitment pool by focusing on character traits and potential rather than technical background alone.
“We hire for traits; we can train the rest,” said Sean Mason, managing director of cyber defense at United Airlines.
When asked which traits matter most, he identified “work ethic first and foremost”, followed by aptitude and intellectual curiosity.
This focus on adaptability over technical expertise is proving effective in practice. Mason noted that United Airlines has achieved remarkable talent retention partly because it prioritises these fundamental traits and supports them with abundant training opportunities.
“Technology changes constantly, and nobody inherently knows how business works without learning it first,” he said. “If you hire someone with the right characteristics – that aptitude and work ethic – we can teach them everything else they need to know.”
This means in practice that organisations need not recruit exclusively from computer science or technical graduates. People with diverse backgrounds – from behavioural sciences to business – can excel in cyber security roles, provided they bring the right character traits.
Skills validation becomes critical
The growing importance of skills validation represents one of the most dramatic shifts in the research findings. Across Europe, 65% of organisations now require certification for client-facing purposes, while 58% use formal certifications for internal hiring and promotion decisions.
“Certifications give the confidence or set the expectation of an individual's knowledge,” said Anthony Switzer, cyber security leader at EY.
This dual validation approach transforms skills documentation from a compliance exercise into a cornerstone of organisational talent strategy.
Hans de Vries from ENISA, the European Agency for Cybersecurity, emphasised the scale of Europe's skills challenge. “We have at least 300,000 specified cyber security openings in Europe,” he said. “70% of companies are struggling to find any skilled labour workforce, and 50% want to hire more.”
To address this gap, ENISA developed the European Cybersecurity Skills Framework (ECSF), which complements the NICE framework from the US. “The ECSF is being adopted by 16 member states right now,” said de Vries. “Either as a national standard, or as public sector recruitment, several for national workforce assessment or even certificate.”
Defining the right skills
The research also reveals a fundamental change in how organisations evaluate cyber security talent. Technical capability has emerged as the number one criterion organisations look for in candidates, displacing working experience, which has traditionally led hiring priorities. Certification validation now ranks as the second most important qualification.
The findings challenge conventional recruitment approaches. “We need to focus on capability-based hiring, not just skills-based hiring, because it's not just a skill – it's the knowledge, it's all the soft skills,” said Matthew Isnor from the US Department of Defense at the SANS workforce summit.
This perspective is echoed by Aus Alzubaidi, chief information security officer (CISO) at MBC Group, who has radically shifted his hiring approach. “A couple of years ago, it was 70% technical expertise, 30% attitude and cultural fit,” he said. “Today, we're approaching 25%:75%, where 75% of the profile is always about the attitude.”
The research also highlights a critical disconnect that must be addressed for organisations to succeed in skills-based hiring: the misalignment between HR and cyber security teams.
While both groups generally agree that their teams are effective – with 65% of respondents indicating them significantly. Only 8% of cyber security managers see HR as the primary decision-maker in hiring, while 23% of HR professionals believe they hold this authority.
“10 years ago, hiring was a rigid process: IT wrote job descriptions, sent them to HR, and waited for candidates,” said Alzubaidi. “That doesn't work anymore.”
His organisation has transformed this relationship by providing cyber security training to recruiters, helping them understand modern tech stacks and security frameworks.
The most successful organisations are creating deeper integration between these functions. Joao Moita, CISO at Airbus, describes their approach. “Our HR business partner is part of the department, sitting daily with the team and attending our weekly meetings,” he said. “This isn't someone sitting in HR who we talk to occasionally – they're really part of the security team.”
This integration enables HR to gain deep insight into cyber security operations, resulting in more effective recruitment. “When I tell our HR business partner we need an architect, they know exactly what an architect does,” said Moita. “They understand the profile, the mindset we expect, the interfaces, and what kind of understanding of the business the person must have.”
This dramatic shift in hiring priorities – from technical expertise to character traits and cultural fit – represents a fundamental change in how organisations are tackling the cyber security skills gap. Rather than competing for a limited pool of technically qualified candidates, forward-thinking organisations are identifying potential in people with diverse backgrounds who demonstrate the right aptitude and mindset.
Executive ownership
Amid all this change, Karen Wetzel from NICE offers a crucial perspective on the future of cyber security workforce development. “Cyber security can no longer be treated as an afterthought or siloed department,” she said. “It must become integral to every organisation's core strategy and culture.”
European regulations are now pushing cyber security responsibility up to board level, said de Vries from ENISA. “Critical infrastructure companies must provide mandatory cyber security training for all executives, who must report on their cyber strategy in year-end reporting,” he said.
This represents a fundamental shift in accountability. “When breaches happen, it shouldn't be the IT director who faces consequences – it should be the CEO who failed to prioritise security,” said de Vries.
“When hospitals are attacked and patient data exposed, real lives are endangered,” he added. “That responsibility sits with leadership, who must understand what's truly at stake.”