Addressing the Cybersecurity Skills Gap: a technical and engineering perspective

In today’s increasingly digital world, cybersecurity has become one of the most critical challenges for organizations, governments, and individuals. As cyber threats continue to evolve in complexity and scale, the demand for skilled cybersecurity professionals has growndramatically. However, the global shortage of qualified experts — commonly referred to as the “cybersecurity skills gap” — has created serious risks for modern infrastructures and digital
systems. From an engineering and technical perspective, addressing this gap requires not only educational reform, but also the development of practical skills, interdisciplinary collaboration, and continuous technological adaptation.

One of the main reasons for the cybersecurity skills gap is the rapid pace of technological advancement. Emerging technologies such as cloud computing, artificial intelligence, theInternet of Things (IoT), and blockchain have expanded the digital attack surface. As systems become more interconnected, engineers and security specialists must understand increasingly complex architectures, dependencies, and threat models. Traditional academic programmes often struggle to keep pace with these developments, leaving graduates with strong theoretical knowledge but limited experience in applying cybersecurity concepts to realistic operational environments.

From a technical standpoint, cybersecurity is no longer limited to antivirus software or basic network protection. Modern cybersecurity engineering involves secure software development, penetration testing, digital forensics, cryptography, risk assessment, security orchestration, and incident response. Engineers must be capable of designing systems according to “security by design” principles, ensuring that protection mechanisms are integrated into every stage of development rather than added as an afterthought. This requires a combination of programming expertise, systems engineering knowledge, analytical problem-solving skills, and the ability to understand how security decisions affect real organisational processes.

A key dimension of the skills gap is the persistent distance between theoretical knowledge and practical capability. Many learners may understand cybersecurity concepts, standards, or common vulnerabilities in theory, but still lack the hands-on experience required to configure tools, analyse incidents, operate security platforms, or respond effectively under realistic constraints. This gap is particularly visible in high-demand areas such as cloud security, AI/ML security, incident response, and security operations, where professionals are expected to combine technical knowledge with familiarity with modern tools and workflows.

For this reason, cybersecurity education should move beyond isolated theoretical modules and adopt structured learning paths that combine awareness, role-based foundations, and hands-on application. Educational institutions and companies should invest in cyber labs, simulation
platforms, capture-the-flag exercises, DevSecOps scenarios, and incident-response simulations that allow learners to practise both offensive and defensive strategies in controlled environments. Certifications such as CISSP, CEH, and CompTIA Security+ can also help validate competencies, but they should complement — rather than replace — practical, scenario-based learning.

Collaboration between academia, industry, and government is equally important. Universities should work closely with technology companies, cybersecurity agencies, and public organisations to develop updated curricula aligned with current threats, regulatory requirements, and engineering practices. Internship programmes, apprenticeships, applied projects, and research partnerships can provide students with direct exposure to professional cybersecurity operations. At the same time, governments should support workforce development initiatives and promote cybersecurity awareness at all educational levels.

In this context, European initiatives such as the CYCERONE project contribute to addressing the cybersecurity skills gap by developing structured training pathways for professionals in SMEs and public administrations. By combining awareness-oriented content, role-based foundational courses, and hands-on activities such as labs, simulations, and practical exercises, CYCERONE reflects the need for cybersecurity education to move beyond theory and support the development of applied, job-relevant competences. Such initiatives can help learners not only understand cybersecurity concepts, but also practise how to use tools, respond to incidents, and communicate risks within real organisational environments.

Another important aspect is the need for transversal skills. Cybersecurity professionals are increasingly expected not only to solve technical problems, but also to communicate risks, document incidents, collaborate across teams, and translate technical findings into language that managers and decision-makers can understand. This is particularly important for SMEs and public administrations, where cybersecurity responsibilities are often distributed across several roles rather than assigned to a dedicated specialist. As a result, training should also support communication, teamwork, problem-solving, and understanding of the business or public-sector context.

Automation and artificial intelligence may also help reduce the impact of the skills shortage. AI- driven security tools can detect anomalies, automate threat analysis, support triage, and improve incident response times. However, these technologies cannot fully replace human expertise. Skilled engineers are still needed to interpret results, validate alerts, manage complex infrastructures, and make strategic security decisions. Therefore, technical education must emphasise both human analytical capabilities and the effective, responsible use of automated security systems.

In conclusion, the cybersecurity skills gap is not simply a matter of producing more graduates or offering more certifications. It requires a more integrated training approach that links technical knowledge with practical application, transversal skills, and real organisational needs. By combining awareness-building, role-based learning, hands-on exercises, and continuous professional development, education providers and organisations can better prepare professionals to design secure systems, operate modern security tools, communicate cyber risks, and respond effectively to digital incidents. Investing in cybersecurity talent today is essential for building a safer and more resilient technological future.