-(1).png?sfvrsn=de4c1196_2)
The cybersecurity skills shortage is real. But the data suggests organizations are looking for the wrong things and missing the talent that will make a true impact.
The 2026 IANS and Artico Search Cybersecurity Talent Report, based on responses from 515 security professionals, paints a clear picture: the shape of cybersecurity work is changing faster than job descriptions, hiring criteria, and certification requirements are keeping up. Here is what the numbers show.
Security Roles are Getting Broader
The report suggests organizations increasingly value professionals who can operate across multiple security domains. Most functional security staff now support multiple domains, not just one.
According to the report:
- 75% of security architects support multiple security functions
- 69% of security analysts support multiple security functions
- 65% of security engineers support multiple security functions
"As automation and AI allow security workers to gain efficiencies, we are seeing more companies opting for the broad skill sets rather than the significant depth in one specific functional area,” said Matt Comyns, Artico’s co-founder and president, in the report.
Job descriptions built around a single functional domain may no longer match what the role actually requires.
Certifications are Nearly Universal, But Most Aren't Moving Careers
Nearly 80% of cybersecurity professionals hold at least one industry certification. Yet 44% report that certifications have had minimal or no impact on their career. That is a significant gap between how common credentialing is and what it delivers for candidates.
When respondents identified which certifications have made a difference, the list narrows sharply:
- CISSP: 62%
- CISM: 19%
- Security+: 17%
- ISC2: 15%
- CISA: 12%
- CompTIA: 10%
CISSP is in a category of its own. Everything else is a distant second. The data does not argue that certifications are worthless, but it does suggest that most function as baseline table stakes, not career differentiators.
"The industry continues to value soft skills and ability to drive programs and daily work through good communication and partnership far more than certifications,” said Steve Martano, IANS Faculty member and partner in Artico’s cyber practice, in the report.
"If security professional is technically competent and can explain what they're doing to their colleagues, it goes further than having letters or certifications at the end of one’s name.”
For hiring managers relying heavily on certification lists to filter candidates, this is worth reconsidering. Stacking requirements around credentials that professionals themselves say have minimal career impact may be screening out strong candidates while not reliably identifying the right ones.
The Skills Organizations Actually Want
The report suggests some of the most valuable cybersecurity capabilities are not found on any certification list.
The report’s role data and expert commentary point toward increasing value being placed on professionals who can work across business functions, explain technical risk to non-technical stakeholders, and advance work through informal stakeholder relationships. These are the capabilities CISOs and leadership teams increasingly seek. A security engineer who can get a business unit on board is doing something a purely technical hire cannot.
The compensation data shows that experience and education continue to matter. Advanced degrees carry a 10% to 13% pay premium across role levels, and eight or more years of experience adds another 4% to 15%, depending on seniority. Yet the report's expert commentary suggests credentials and tenure alone do not explain who rises fastest. Business fluency appears to be an increasingly important differentiator, and at this time, it cannot be credentialed.
Organizations still writing job descriptions that prioritize technical depth and certification accumulation could be hiring for a version of the role that no longer reflects how the work gets done.
The Fix Starts With How You Hire
Consider what the certification data is actually showing: 79% of cybersecurity professionals hold at least one credential, yet 44% say those credentials have had minimal or no career impact.
Many organizations continue to emphasize certifications in hiring, even though 44% of professionals report that those credentials had minimal or no impact on their careers. Meanwhile, the capabilities highlighted throughout the report (operating across functions and communicating with the business) have no credentials attached to them at all. More candidates will not solve a shortage that starts with outdated hiring criteria. Until job descriptions reflect how security work actually gets done today, the gap will persist.
Download the full 2026 Cybersecurity Talent Report for complete data on role responsibilities, education profiles, and compensation benchmarks by role and seniority.