The Changing Cybersecurity Workforce in 2026
You often hear statistics about the cybersecurity skills gap, but the analysis of the cybersecurity workforce needs to go deeper than that. What’s driving the key changes in this field? Here’s how a convergence of factors like AI, regulatory pressure, and overall complexity is evolving the cybersecurity workforce in 2026.
The Disappearance of the Training Layer
For years, cybersecurity teams followed a fairly predictable structure. Junior analysts handled triage and repetitive tasks, while more experienced practitioners moved into detection engineering, incident response, or governance. Over time, organisations built capability from the ground up.
That model is starting to change in 2026. The impact of AI on cybersecurity roles is often framed in terms of efficiency. Things like faster triage, automated workflows, and reduced manual effort all get hyped up. But that misses a more structural shift.

Many of the tasks now being automated effectively functioned as a training layer through which practitioners developed core cybersecurity skills. In larger organisations, that means junior analysts learning through alert triage and incident investigation. In SMEs, it often looks different. You might have a network engineer, systems administrator, or IT lead gradually building cybersecurity capability alongside their core role.
As those tasks are reduced or removed, so too is the environment that traditionally produced mid-level and senior capability. A recent SANS report indicates that AI is changing team size and role structures for many organisations.
The traditional pathway of learning through repetition and building intuition over time is narrowing. Historically, exposure to more routine work helped practitioners build familiarity with environments—familiarity that may be harder to develop when so much is automated.
Another point worth noting is that as companies automate routine security analysis, demand is increasing for practitioners who can:
- validate AI-driven outputs
- understand complex, multi-layered environments
- operate within governance and compliance frameworks
- secure AI systems themselves
If AI reduces manual effort, automates analysis, and filters noise, then it should help address the long-standing cybersecurity talent shortage. But the reality is more nuanced. In a sense, AI is eroding the old training layer and creating a need for aspiring practitioners to bring different skills to the table. This is less about automation replacing roles than about a structural shift in what skills matter.
Regulation Raising the Bar
Regulatory pressure is about being able to demonstrate, in a structured and auditable way, that you can:
- detect and report incidents
- manage risk formally
- operate with defined governance structures
- meet specific resilience expectations
A year ago, frameworks like NIS2 and DORA were still being interpreted. Organisations were mapping requirements, assessing scope, and delaying structural changes. That phase appears to be ending.
The aforementioned cybersecurity workforce report shows regulatory requirements increasingly impacting hiring decisions. That’s a sharp transition from uncertainty toward more concrete expectations.

Organisations are now creating entirely new specialist roles, not just expanding existing ones. These roles are tied directly to regulatory expectations:
- incident reporting coordination
- governance and accountability structures
- third-party and supply chain risk oversight
- resilience testing and documentation
Recent commentary has also highlighted increasing regulatory strain on CISOs. One article argues that in the UK—where accountability expectations are intensifying—more CISOs are stepping down from their roles. As this is primarily commentary, it is best treated as a risk signal rather than a settled, measured trend.
Regulation is doing what it is intended to do: forcing organisations to move beyond ad hoc security and formalise processes around risk, incident response, and resilience—raising the baseline of what “good” looks like. But this doesn’t come without a messy transition that can affect workforce dynamics. Compliance gaps are being felt at all levels now, from enterprises to SMEs.
Threat Complexity
Alongside shifts driven by AI and regulation, there is a third pressure that is easy to overlook. Attackers are adapting.
Over the past few years, many organisations have improved their baseline security posture (partly because of the regulatory pressures we just discussed). Basic controls like endpoint protection, email filtering, MFA, and network segmentation are more widely deployed than they were before.
Rather than relying on obvious malware or easily detectable techniques, attackers are increasingly:
- using valid credentials instead of exploits
- operating through legitimate tools and management systems
- blending into normal administrative activity
- chaining together low-level signals that only make sense in context
The result is not necessarily “more advanced” attacks in a technical sense. But it is a shift toward attacks that are harder to detect using traditional controls, more dependent on understanding the environment, and more damaging when they succeed. In these scenarios, the task is no longer to process alerts efficiently. It is to interpret behaviour in context. That has direct implications for how teams are structured and what skills are required.

The emphasis shifts toward:
- understanding how different parts of the environment interact
- recognising when otherwise legitimate activity deviates from expected patterns
- making judgement calls where there is no clear signal or predefined rule
But this circles back to the training-layer problem: AI reduces the volume of routine analysis, but in doing so it can remove many of the situations in which that contextual understanding was built.
The answer is not to step back from AI. The efficiency gains are real, and in many cases necessary. But it does mean that organisations need to be more deliberate about how capability is developed and maintained.
If experience is no longer built through volume, it has to be built through other means, such as:
- exposure to realistic scenarios, not just filtered outputs
- structured investigation workflows, rather than passive validation
- environments where practitioners can see how signals connect across systems
In other words, the shift to AI-augmented security changes the role of the practitioner, but it also places more responsibility on the organisation to ensure that underlying understanding isn’t lost. That may mean investing in training, simulation, or more structured development pathways.

Taken together, these shifts point to something more fundamental than a changing job market. Beyond how the cybersecurity workforce is evolving, the model for how capability is built and delivered is being redefined.
AI is reducing the volume of routine work while raising the baseline of what practitioners are expected to understand. Regulation is formalising security as an accountable function, requiring organisations to demonstrate structured capability. At the same time, threats are becoming more dependent on context, making interpretation and judgement more critical than ever.
Solving Shortages Without Hiring
Individually, each of these pressures is manageable. Combined, they create a challenge that many organisations—particularly SMEs—can’t solve through hiring alone. At DIESEC, our services are designed around reality and constraints, so we support organisations with expert security services centred around:
- SOC as a Service for continuous monitoring and response
- Governance, Risk and Compliance (GRC) to align security with regulatory expectations
- NIS2 consulting to operationalise directive requirements
- Phishing simulations to validate human-layer resilience
If you’d like to learn more about any of these services, contact us today.

