
Europe leads shift from cyber security ‘headcount gap’ to skills-based hiring
Research from Sans Institute reveals European organisations are leading a global shift in hiring priorities, driven by regional regulatory frameworks
Nearly 50% of European organisations report that regulatory directives now directly influence their cyber security hiring practices, pushing the region ahead of the global pace in addressing the cyber security talent challenge, according to research from the Sans Institute.
The 2025 cybersecurity workforce research report, released at the RSA Conference, marks a watershed moment for the industry: for the first time, more organisations worldwide (52%) cite “not having the right staff” as their primary concern rather than “not having enough staff” (48%).
“My personal perspective is that we don’t actually have a talent shortage in cyber security,” said Helen Patton, cyber security leader at Cisco.
“The real issue lies in understanding the skill sets needed for the kinds of roles you have and finding the people who have those skill sets.”
This paradigm shift is particularly pronounced in Europe, where regulatory frameworks like NIS II and Dora are accelerating the adoption of competency-based workforce strategies.
“In Europe, there’s more directives, more regulations,” said Brian Correia, director of business development at Global Information Assurance Certification (Giac), the certification arm of Sans.
“Europe has always been the lead on that – think of GDPR [the General Data Protection Regulation] as a perfect example that became the standard for the whole world.”
Wider talent pool
A key finding from the research is that organisations can significantly expand their recruitment pool by focusing on character traits and potential rather than technical background alone.
“We hire for traits; we can train the rest,” said Sean Mason, managing director of cyber defence at United Airlines.
When asked which traits matter most, he identified “work ethic first and foremost”, followed by aptitude and intellectual curiosity.
This focus on adaptability over technical expertise is proving effective in practice. Mason noted that United Airlines has achieved remarkable talent retention partly because it prioritises these fundamental traits and supports them with abundant training opportunities.
“Technology changes constantly, and nobody inherently knows how business works without learning it first,” he said. “If you hire someone with the right characteristics – that aptitude and work ethic – we can teach them everything else they need to know.”
This means in practice that organisations need not recruit exclusively from computer science or technical graduates. People with diverse backgrounds – from behavioural sciences to business – can excel in cyber security roles, provided they bring the right character traits.
Skills validation becomes critical
The growing importance of skills validation represents one of the most dramatic shifts in the research findings. Across Europe, 65% of organisations now require certification for client-facing purposes, while 58% use formal certifications for internal hiring and promotion decisions.
“Certifications give the confidence or set the expectation of an individual’s knowledge,” said Anthony Switzer, cyber security leader at EY.
This dual validation approach transforms skills documentation from a compliance exercise into a cornerstone of organisational talent strategy.
Hans De Vries from Enisa, the European Agency for Cybersecurity, emphasised the scale of Europe’s skills challenge. “We have at least 300,000 specified cyber security openings in Europe,” he said. “70% of companies are struggling to find any skilled labour workforce, and 50% want to hire more.”
To address this gap, Enisa developed the European Cybersecurity Skills Framework (ECSF), which complements the Nice framework from the US. “The ECSF is being adopted by 16 member states right now,” said De Vries. “Either as a national standard, or as public sector recruitment, several for national workforce assessment or even certification.”
Defining the right skills
The research also reveals a fundamental change in how organisations evaluate cyber security talent. Technical capability has emerged as the number one criterion organisations look for in candidates, displacing work experience, which has traditionally dominated hiring priorities. Certification validation now ranks as the second most important qualification.
These findings challenge conventional recruitment approaches. “We need to focus on capability-based hiring, not just skills-based hiring, because it’s not just a skill – it’s the knowledge, it’s all the soft skills,” said Matthew Isnor from the US Department of Defense at the Sans Workforce Summit.
This perspective is echoed by Aus Alzubaidi, chief information security officer (CISO) at MBC Group, who has radically shifted his hiring approach. “A couple of years ago, it was 70% technical expertise, 30% attitude and cultural fit,” he said. “Today, we’re approaching 25%:75%, where 75% of the profile is always about the attitude.”
The research also highlights a critical disconnect that must be addressed for organisations to succeed in skills-based hiring: the misalignment between HR and cyber security teams.
While both groups generally agree that their teams are effective – with 65% of respondents indicating they are meeting or exceeding goals – their perspectives on hiring authority and qualifications differ significantly. Only 8% of cyber security managers see HR as the primary decision-maker in hiring, while 23% of HR professionals believe they hold this authority.
“10 years ago, hiring was a rigid process: IT wrote job descriptions, sent them to HR, and waited for candidates,” said Alzubaidi. “That doesn’t work anymore.”
His organisation has transformed this relationship by providing cyber security training to recruiters, helping them understand modern tech stacks and security frameworks.
The most successful organisations are creating deeper integration between these functions. Joao Moita, CISO at Airbus, describes their approach. “Our HR business partner is part of the department, sitting daily with the team and attending our weekly meetings,” he said. “This isn’t someone sitting in HR who we talk to occasionally – they’re really part of the security team.”
This integration enables HR to gain deep insight into cyber security operations, resulting in more effective recruitment. “When I tell our HR business partner we need an architect, they know exactly what an architect does,” said Moita. “They understand the profile, the mindset we expect, the interfaces, and what kind of understanding of the business the person must have.”
This dramatic shift in hiring priorities – from technical expertise to character traits and cultural fit – represents a fundamental change in how organisations are tackling the cyber security skills challenge. Rather than competing for a limited pool of technically qualified candidates, forward-thinking organisations are identifying potential in people with diverse backgrounds who demonstrate the right aptitude and mindset.
Executive ownership
Amid all this change, Karen Wetzel from Nice offers a crucial perspective on the future of cyber security workforce development. “Cyber security can no longer be treated as an afterthought or siloed department,” she said. “It must become integral to every organisation’s core strategy and culture.”
European regulations are now pushing cyber security responsibility up to board level, said De Vries from Enisa. “Critical infrastructure companies must now provide mandatory cyber security training for all executives, who must report on their cyber strategy in year-end reporting,” he said.
This represents a fundamental shift in accountability. “When breaches happen, it shouldn’t be the IT director who faces consequences – it should be the CEO who failed to prioritise security,” said De Vries.
“When hospitals are attacked and patient data exposed, real lives are endangered,” he added. “That responsibility sits with leadership, who must understand what’s truly at stake.”