Main image of article From Perk to Prerequisite: Cybersecurity Training Is Now an Operational Requirement

A recent report from research firm Gartner predicts that worldwide spending on artificial intelligence (AI) could top a staggering $2.5 trillion this year, creating significant challenges for IT and cybersecurity teams tasked with understanding how these rapidly evolving AI tools operate while ensuring their safe and secure use.

The adoption of AI requires a well-trained and well-educated workforce as more of these technologies move from testing into production environments. At the same time, the growing use of AI increases the risks enterprises and other organizations face, especially when it comes to securing corporate and sensitive personal data used to train large language models (LLMs) that underpin these platforms.

ISC2, a nonprofit cybersecurity training organization, finds that with the influx of AI technologies, large and small organizations are investing more in training to keep up, particularly in cybersecurity.

An analysis published in June – 2026 Security Training Trends – shows that about half of security leaders surveyed – 47 percent – report that AI is the most pressing skill their organization is addressing or planning to address through cybersecurity training. The ISC2 survey results are based on interviews with 995 security leaders responsible for cybersecurity training within their organization.

While cybersecurity recruitment and skill sets remain important factors in the industry, the ISC2 report also found that 73 percent of CISOs and security leaders report that their internal training budget increased over the past 12 months. As a result, 94 percent of respondents believe they are keeping up with or ahead of the curve when it comes to adapting training to emerging technologies and shifting security requirements.

“The need for cybersecurity training isn’t new. What’s changed is that the business case is easier to make,” Diana Kelley, CISO at Noma Security, told Dice. “Security teams are being asked to protect the systems and data the business depends on across cloud, SaaS, AI-enabled workflows and distributed supply chains. That makes training less of a professional development benefit and more of a resilience requirement.”

While budgets are increasing, security leaders and their cybersecurity teams still struggle to find time to ensure they receive the training they need, with 53 percent of respondents reporting that time constraints on training are a major concern.

Cybersecurity experts note that enterprises and organizations must continue to view cyber incidents as major business concerns that affect the bottom line and that proper training can mitigate these risks.

“To overcome training-time challenges, organizations should treat learning as a business requirement with protected time and measurable goals. For those entering the field, the news is encouraging: employers are investing more in training, but candidates still need foundational IT, cloud, networking and AI skills to get hired and take advantage of those opportunities,” Ram Varadarajan, CEO of cybersecurity firm Acalvio, told Dice.

Looking Beyond AI for Cyber Development

While AI continues to command most of the attention, the ISC2 survey finds that organizations need cybersecurity professionals who are knowledgeable in several areas and that any in-house training must focus on these critical topics.

These pressing skills among security leaders and CISOs include:

  • AI (47 percent)
  • Cloud computing security (44 percent)
  • Security analysis (44 percent)
  • Risk assessment, analysis and management (40 percent)
  • Security administration (40 percent)
  • Network monitoring (38 percent)
  • Security engineering (36 percent)
  • Application security (34 percent)
  • Threat intelligence analysis (34 percent)
  • Operations technology security (32 percent)

While AI gets outsized attention, security teams still have to monitor networks, investigate anomalous activity, assess application risk, administer operational controls, support identity and access decisions and translate technical findings into business decisions. This is why security leaders remain focused on developing these skills across their teams, Kelley added.

“A strong cybersecurity practitioner needs both technical depth and systems thinking,” Kelley noted. “For example, AI security isn’t just about understanding models. It requires understanding how agent workflows operate, how data is protected, who has access, what runtime controls are in place, what gets logged, and how the organization would respond if something goes wrong. Risk management isn’t just a compliance exercise. It helps practitioners decide what matters most, where controls are needed and how to communicate tradeoffs to the business.”

Over the past several years, CISOs and other cybersecurity leaders have tried to close the so-called skills gaps through additional hiring and more staff. Now, these same executives are seeing greater benefits by training the staff they have and developing skills in-house, said Dr. Margaret Cunningham, vice president of security and AI strategy at Darktrace.

“Organizations have stopped pretending they can hire their way out of the skills gap. They cannot. The pace of change, especially with AI, forced a shift toward building capability internally. Training now sits much closer to core operations, not on the sidelines,” Cunningham told Dice.

That AI ranks as the top skill, while organizations still need cybersecurity professionals skilled in cloud, networking and risk assessment, shows how these roles have changed in just a few short years.

“These priorities reflect how security work has changed. Practitioners do less pure execution and far more interpretation,” Cunningham added. “They work across complex systems and make decisions under uncertainty. That puts pressure on judgment, not just technical skill, and it raises the bar for validating AI-assisted output.”

With rising threats from cybercriminals, the ongoing need for cloud adoption, regulatory pressures and AI growth have all made workforce development a strategic priority. CISOs need to keep pace with AI because budgets are growing, training resources are more accessible, and organizations recognize AI is becoming integral to security operations, Varadarajan added.

“The continued focus on AI, cloud, networking, risk management, administration and analysis highlights the need for cybersecurity professionals to combine technical, operational and business skills. Increasingly, they also need to understand emerging concepts such as AI-driven, game-theoretic cyber defense, which uses intelligent deception and adaptive strategies to shape attacker behavior,” Varadarajan said.

Cyber Training Is Essential in a Complex World

While it’s good news to see training budgets increase, Trey Ford, chief strategy and trust officer at Bugcrowd, believes that many organizations, and even some security leaders, have been slow to recognize how rapidly the threat landscape has evolved and are only now working to address a growing range of cyber risks.

While five years ago CISOs could reasonably assume their team's baseline skills would depreciate slowly, in today's AI-accelerated vulnerability research and exploitation environment, that half-life is measured in months, not years, Ford noted.

“The budget investments aren't generosity; they're a calculated response to watching adversaries gain capabilities faster than human learning curves can match,” Ford told Dice. “The industry has always valued training in principle. What's different now is that boards are seeing the cost of not training show up in incident response budgets and breach disclosures.”

In more cases, Ford said that cybersecurity training should be treated like disaster recovery planning.

“Security leaders need to stop positioning training as professional development and start framing it as operational readiness. That means scheduled downtime, rotation planning and accepting temporary risk while people are offline, the same way you'd handle system maintenance windows,” Ford added. “The organizations solving this are the ones measuring training effectiveness by reduction in time-to-detect or improvement in incident response capability, not by course completion rates. When training shows up in operational metrics, it stops being optional.”