Cyber breaches are increasing in number, complexity and variety at the same time as the workforce needed to counter them is failing to keep pace. Fortinet’s 2025 Cybersecurity Skills Gap report captures that tension starkly. 86 per cent of organisations reported experiencing at least one breach in the past year. More than half blame a lack of training for successful incidents.
According to a 2024 ISC study, the global shortfall of qualified professionals now stands at 4.7 million. For Richard Woolfrey, regional vice-president for UK and Ireland at Fortinet, addressing the rise in attacks is inseparable from the challenge of tackling the shortage of talent needed to contain them. The problem, he argues, is not simply a more hostile environment but a broader, faster and more varied one. “It isn’t just coming from one place,” he says. “The threat landscape is getting broader and more sophisticated.” Many organisations, he notes, are suffering not only isolated incidents but repeated breaches through different attack vectors and avoidable mistakes.
A significant proportion of those mistakes come from inside organisations rather than through malicious actors. Fortinet’s research suggests that around 77 per cent of organisations have experienced some form of insider-related data loss. Woolfrey stresses that this is often down to simple error. “It can be a misdirected email, insecure file sharing, unauthorised use of an app in the cloud,” he says. “There isn’t necessarily malicious intent. It can just be human error.” That expansion of everyday digital risk means the attack surface widens whether or not an organisation is directly targeted – and that the pressure on cyber functions grows accordingly.
Much of that pressure stems from a mismatch between rising demand and the number of people trained to meet it. “The issues are outstripping the skills gap,” Woolfrey says. “The demand is getting larger all the time.”
The expansion in scale means cyber competence must not rest solely with the security team. As digital infrastructure spreads across every workflow and department, so too does the exposure to risk. Woolfrey does not think of the skills gap as a narrow technical shortage but as a broader organisational one. “These mistakes can happen in any department, anywhere,” he says. “Every company needs cybersecurity skills, not just tech companies.”
The industry’s difficulty in attracting and retaining talent is made worse by the narrow recruitment routes many employers continue to rely on. Job descriptions often demand specific degrees or certifications, even for roles that could be learned through training. Woolfrey believes some of these shortcomings are self-inflicted. “The barrier of entry into this industry is possibly higher than it needs to be,” he says.
Such recognition has seen Fortinet expand its internship programmes, build new graduate routes and launch a Sales Academy in the UK to help early-career candidates move into the sector. “Within our teams today, we have people who started out as teachers, others who worked in public services, and some who came from manufacturing,” Woolfrey explains. “At some point, they decided to pivot into cybersecurity, and now they’re thriving in completely new careers. It’s amazing to see such a variety of profiles finding success in this field, even though none of them originally imagined this would be their path.”
Yet training remains crucial. Woolfrey notes that certifications are still valued by employers and can help people change careers. What matters, he argues, is widening the pool of candidates who get the opportunity to pursue them.
This year’s report also highlights the accelerating influence of AI. Nearly all organisations surveyed either use AI-enabled tools or plan to do so soon, yet many admit they lack the expertise to deploy them effectively.
Woolfrey is clear that AI cuts both ways. “It’s a double-edged sword,” he says. It can automate detection, triage and response, but it can also be weaponised for deepfakes, phishing campaigns and malware creation.
On whether AI can meaningfully close the skills gap, he is cautious. “AI can assist,” Woolfrey says, “but it doesn’t take away what people do.” He expects roles to evolve rather than disappear. The report reflects this, with only 2 per cent of respondents believing their job in cybersecurity will become defunct because of AI.
Boards, meanwhile, are far more alert to cyber risk than they were even a few years ago. High-profile breaches have forced senior executives to treat cybersecurity as a core business issue rather than an operational one. Woolfrey thinks this shift is real. “The consequences of cyberattacks in recent years have showcased how critical cybersecurity is to companies,” he says. “Ultimately, the board has the responsibility to look after the brand.” But increased attention must translate into sustained investment and better cultures. “These can be high-pressure jobs,” he notes. “It’s how we make it sustainable so people will continue to stay in the industry.”
AI certainly has a potential role to play here. Woolfrey stresses that automation can relieve teams of the “alert fatigue” that has become a defining feature of the job, reducing manual triage and repetitive workflows so analysts can focus on the judgements only humans can make. The 2025 Cybersecurity Skills Gap report describes AI as potentially acting as a “junior analyst” in this respect. Executed successfully, this should help create a path to retaining staff in a high-pressure field by stripping out the grind that pushes many to burnout.
On the picture in Ireland and the UK, where there has been a recent cluster of sector-specific attacks targeting retail, Woolfrey sees largely the same pressures that the global findings expose. London and Dublin act as major digital hubs, but the nature of cyber risk means physical location is only lightly relevant. “Cyber isn’t necessarily by geography – it can be anywhere,” he says. What matters more is how organisations build talent pipelines and support early-career development in their own markets.
Asked for his headline takeaway from this year’s findings, Woolfrey returns to the same point: technology alone will not compensate for a lack of human capability. “Businesses and vendors can only go so far,” he says. “There’s a collective responsibility. You secure your home, you secure your car – you need to secure your IT.”
As attacks multiply and diversify, that responsibility becomes harder to shoulder. The numbers in the report testify to scale. Woolfrey’s reflections testify to urgency. The threat landscape is growing and changing faster than organisations can hire. Closing the gap will require more than new tools. It demands broader recruitment, accessible entry routes, sustained training and cultures that retain people rather than exhaust them. In cybersecurity, the human factor has always mattered. This year’s findings suggest it might matter now more than ever.
Related
