
The cybersecurity workforce narrative for the past decade has been built around a number: the global talent shortage, variously estimated at between 3 and 4 million unfilled cybersecurity positions. The story was about headcount — not enough people choosing cybersecurity careers, not enough people graduating with the right qualifications, not enough people entering the profession to meet demand.

The SANS 2026 Cybersecurity Workforce Research Report, released at RSAC 2026 and drawing on responses from nearly 1,000 practitioners, leaders, and HR professionals across six global regions, challenges that narrative. For the first time in the report’s three-year history, skills gaps have decisively overtaken headcount shortages as the industry’s top workforce challenge. And — the number that turns this from a workforce management concern into a security risk — 27% of organizations report breaches directly linked to these capability gaps.

The shortage of bodies was always a proxy metric. The 2026 data suggests it was measuring the wrong thing.


What the Report Actually Found

The headline finding is a shift in how organizations describe their workforce problem. Previous years’ editions of the SANS workforce report identified headcount — insufficient numbers of security staff — as the primary challenge. In 2026, that position has been taken by skills gaps: organizations have people in security roles, but those people lack the capabilities their environments require.

Approximately 60% of organizations report that their teams lack the right skills, up from lower levels in prior years. The gap is not primarily in foundational security knowledge — it is in the emerging capability areas that modern security environments require: AI security, cloud security architecture, operational technology security, and threat intelligence analysis.

The regulatory pressure dimension is significant. According to the report, the share of organizations facing regulatory compliance requirements around hiring and demonstrating security capability surged from 40% to 95% in just one year. Organizations are now being asked, in regulatory and compliance frameworks, to demonstrate not just that they have security staff but that those staff have specific, documentable capabilities. This has forced a confrontation with capability gaps that organizations previously could obscure behind headcount numbers.

The 27% figure — the proportion of organizations reporting breaches directly linked to skills gaps — is the finding that converts this from a workforce planning concern into a security operations concern. These are not hypothetical future risks. They are documented security failures in which the specific factor contributing to the breach was a gap in what the security team could do.


Why OT and Smart Building Security Is Particularly Exposed

The skills gap problem hits hardest in the domains where specialized knowledge is scarcest and where the consequences of capability gaps are most severe. Operational technology security and smart building security are near the top of that list.

OT security is a genuinely distinct discipline from enterprise IT security. The skills that make someone effective at securing Windows domain environments, cloud infrastructure, or enterprise web applications do not directly transfer to securing SCADA systems, PLCs, building automation controllers, or industrial network protocols. The underlying technologies are different, the threat models are different, the operational constraints are different, and the relevant regulatory frameworks are different.

The OT security talent pool was already small before the current skills gap became the dominant workforce concern. The Purdue Model and ICS-specific security frameworks require knowledge that most enterprise security practitioners have not been trained in. The handful of certifications that cover OT security — GICSP, ICS-CERT training programs, vendor-specific training — have limited capacity and produce a fraction of the qualified practitioners that the expanding OT security market requires.

Smart building security compounds this by requiring expertise that spans IT security, OT security, physical security, and building systems knowledge. The person qualified to assess the security of a building management system that uses the BACnet protocol over IP, integrates with Active Directory for access control, and feeds data to a cloud analytics platform is a genuinely rare individual. Facilities management teams know how the building systems work but typically lack cybersecurity expertise. IT security teams understand network and endpoint security but typically lack knowledge of building automation protocols, physical access control architecture, or the operational constraints that govern patching and downtime in building systems.

The result is a structural capability gap that the 2026 SANS data confirms is producing measurable security failures.


The AI Problem: Eliminating the Training Pipeline

The SANS report identifies a specific mechanism by which the skills gap is worsening at the same time that it is becoming more consequential: AI is automating the entry-level work that has historically trained cybersecurity practitioners.

This is a point that deserves careful consideration because it runs against the common framing of AI as a solution to the talent shortage.

The conventional argument is that AI tools will allow smaller security teams to do more — automating alert triage, accelerating threat hunting, generating detection rules, and generally amplifying the productivity of available security staff. That argument has merit for some use cases. But it ignores what entry-level security work has always done beyond its immediate output: it has trained people.

Junior analysts who spent years triaging security alerts developed the pattern recognition that allows senior analysts to identify complex attack chains. Junior practitioners who handled routine vulnerability assessments learned the network and system knowledge that makes senior assessments meaningful. Entry-level SOC work was, in significant part, a training mechanism for building the experienced practitioners that organizations need at higher levels.

If AI automates the work that entry-level practitioners did, the career pathway that produced experienced practitioners compresses or disappears. Organizations may see near-term productivity gains from AI-assisted security operations while simultaneously degrading the pipeline that produces the experienced professionals they need for the capabilities AI cannot replicate.

For OT and smart building security, where the knowledge base is already narrow and the training pathway was already constrained, this risk is particularly acute. There is no large pool of entry-level OT security practitioners whose work can be automated away without consequence — the pool is already too small. The automation of adjacent IT security work may reduce the pool of practitioners who develop enough adjacent knowledge to eventually transition into OT security roles.


The Regulatory Pressure Amplifier

The surge in regulatory compliance requirements around demonstrating security capability — from 40% to 95% of organizations in a single year, according to the SANS data — reflects regulatory frameworks that are increasingly prescriptive about what security teams must be able to do, not just what policies they must have in place.

NIS2, which took effect across EU member states in 2024, requires organizations in critical sectors (which include smart building operators, facility managers, and industrial operators meeting certain thresholds) to demonstrate that their security teams have specific capabilities and that those capabilities are maintained through ongoing training. The requirement is not just to employ security staff; it is to demonstrate that those staff can perform specific security functions.

DORA, the Digital Operational Resilience Act governing financial sector entities in the EU, similarly prescribes detailed requirements around ICT risk management capabilities that must be present in security teams. The Cyber Resilience Act, applying to manufacturers of connected products — including IoT devices — establishes capability requirements for the teams responsible for product security.

US frameworks are moving in the same direction. The SEC’s cybersecurity disclosure rules require public companies to describe their security governance and the expertise of board members and executives responsible for cybersecurity oversight. The National Cybersecurity Strategy implementation includes workforce capability requirements tied to federal contracting and critical infrastructure protection.

Organizations that have papered over capability gaps with headcount are discovering that regulators and frameworks are asking specifically about what their teams can do. The 27% of organizations in the SANS data that experienced breaches linked to capability gaps include organizations that had the headcount the job descriptions called for, but not the specific knowledge those roles required.


What Organizations with Smart Office Infrastructure Should Do

The practical implications of the 2026 SANS findings for organizations running smart office and OT infrastructure cluster around a few specific areas.

Audit capability, not headcount. The relevant question is not “do we have enough security staff?” It is “can our security staff actually perform the specific functions our environment requires?” For a smart office environment, those functions include: assessing and monitoring IoT device security, understanding building automation protocols and their security properties, identifying OT/IT network boundary risks, and responding to incidents that involve non-standard devices and protocols. Do the people responsible for those functions have those capabilities?

Separate OT and smart building security from IT security organizationally. Not permanently or with hard walls, but in terms of defined responsibilities and required capabilities. IT security generalists will not develop OT security expertise by accident. Defining which security functions require OT-specific knowledge, and ensuring that the people responsible for those functions have or are developing that knowledge, is a prerequisite for closing the gap.

Build training pathways before you need them. The GICSP (Global Industrial Cyber Security Professional) certification, SANS ICS curriculum, and vendor-specific training from Siemens, Honeywell, Schneider Electric, and others provide structured pathways for developing OT security capability. Waiting until a gap produces a breach to invest in those pathways means the breach is the first evidence of the gap.

Document capability gaps honestly. The regulatory pressure driving the headcount-to-skills-gap shift in the SANS data is not going away. Frameworks that require demonstrating security capability will ask harder questions over time, not easier ones. Organizations that document their capability gaps honestly and build plans to close them are in a better position than organizations that maintain the fiction that job titles imply capabilities they do not.

Evaluate AI tooling critically. AI security tools can genuinely improve the effectiveness of understaffed security teams in specific, well-defined use cases: alert triage, log analysis, vulnerability prioritization. They do not substitute for domain expertise in OT security or smart building security, and they do not close capability gaps in the areas where those gaps are most consequential. Buy AI tools that amplify what your team can do; do not use them as a rationale for avoiding the investment in specific expertise that your environment requires.

The SANS 2026 finding that 27% of organizations experienced breaches linked to capability gaps is a confirmation of something that security practitioners in OT and building security have observed for years: the gap between what modern connected environments require and what security teams are equipped to provide is producing real security failures. The path to closing it runs through honest capability assessment, targeted training investment, and organizational structures that give OT and smart building security the specialized attention those disciplines require.


This article is provided for informational purposes only and does not constitute legal advice.