‘We’re not investing as much as we should in their skills and development’: Skills shortages remain a key factor in security breaches — and things could get worse with AI in the equation

Skills capabilities remain a key factor in security breaches, according to a new study

A leading cause of security breaches lies in a lack of employee skills and awareness, according to new research from Fortinet, and it’s an issue that’s plagued the industry for years.

In Fortinet’s 2026 Global Cybersecurity Skills Gap Report, more than half (56%) of security and IT leaders cited a lack of employee security awareness as a top cause of security breaches.

A similar number (54%) highlighted a lack of trained IT or security staff as a leading contributing factor on this front.

Speaking to ITPro, Melonia da Gama, director of training and learning programs at Fortinet, noted that this marks the third consecutive year in which poor skills capabilities were the top cause of security incidents.

Indeed, it’s an issue that enterprises are failing to address despite obvious signs that threat actors are capitalizing on the problem by actively targeting staff.

“For the third year in a row, human skills, whether it be the IT or security teams, or the general security awareness of all your employees, has been the top concern for threats,” she said.

“And if you look at the top four attacks listed, they’re all targeted at the end-user, at the employees.”

According to Fortinet’s findings, the top four attacks reported by organizations over the last year included:

These attack methods align consistently with previous iterations of the report, da Gama noted, and show that despite an increasingly sophisticated threat landscape, cyber criminals are still sticking with traditional techniques.

“Some of these simple attacks they have are still working on humans, because we’re not investing as much as we should in their skills and development,” she told ITPro.

The situation for enterprises is further exacerbated by the fact that many simply can’t find workers with relevant skills. Worse still, nearly half (49%) said they struggle to even get approval to bring on additional cybersecurity talent.

This flies in the face of what executives have told Fortinet repeatedly over the last few years - namely the fact that cybersecurity is now a mission-critical area.

More than three-quarters (73%) said cybersecurity is now a key priority for their organization, for example. Many, however, aren’t putting their money where their mouth is, with Fortinet finding that only 59% prioritize spending in this domain.

According to da Gama, Fortinet found that there’s a growing gap when it comes to business priorities and financial priorities. Put simply, boards are aware of the scale of threats, but they’re not quite willing to invest at the levels required.

The potential impact of this underinvestment is significant, Fortinet found. More than half (52%) of organizations reported that breaches now cost more than $1 million on average.

High stakes with AI in the equation

Poor skills capabilities come at a critical time for many organizations, particularly given many are ramping up AI adoption and deploying new tools and technologies.

AI brings with it an array of new considerations for IT and security leaders. It’s an enabler for employees, but it’s also widening attack surfaces and is even being leveraged by threat actors to supercharge attacks.

“Last year in our report, we said [AI] was an opportunity, obviously, to shore up our defenses really quickly,” da Gama told ITPro. “It’s a challenge, because we’re seeing even this year, the biggest challenge they have is how do we implement this within our organization – and it’s a threat.”

“The number one worry they have is AI,” she added. “Attacks that are leveraging AI, because we don't know what they're going to look like. They're getting better and better every day.”

Da Gama explained that many organizations are falling into the trap of “hanging our hats on technology and AI” while “forgetting about the people”.

Finding cyber talent was already a challenge, but when it comes to AI-related skills the situation is even more dire, according to Fortinet. Nearly two-thirds (60%) of respondents said their top recruitment challenge was finding cybersecurity professionals with experience in AI.

Meanwhile, 63% said they expect a great need for AI oversight and governance roles in cybersecurity teams over the next three years.

Efforts are being made to improve on these fronts, Fortinet found. The overwhelming majority (92%) of respondents said they plan to invest in AI-related security training or certifications over the next 12 months.

The same number said they’re willing to pay for employees to achieve certifications in a bid to boost their skills capabilities.

Attempts to source talent from traditionally underrepresented groups and through alternative talent pipelines are also accelerating, Fortinet found.

92% of respondents now use internships, apprenticeships, partnerships, or skills programs to attract talent from a range of demographics. Three-quarters also have dedicated recruitment initiatives targeting women, marking a positive increase compared to last year.

Ross Kelly
News and Analysis Editor
