
The job cuts and budget tightening at U.S. technology firms and other large enterprise sectors are also influencing cybersecurity spending and hiring, with fresh data showing security budgets will grow only 4 percent this year compared with 8 percent in 2024.
These spending reductions are also impacting hiring and staffing.
The study, produced by IANS Research and executive search firm Artico Search, found that staffing growth slowed to 7 percent – the lowest level in four years. At the same time, nearly 9 in 10 CIOs interviewed for the report noted that their teams are either stretched thin or understaffed, leading to serious discussions about cyber risks at a time of expanded security requirements.
The reasons for these cyber budget and spending reductions are numerous and include concerns over global market volatility – driven by geopolitical tensions – along with uncertain tariff policies in the U.S. and elsewhere, and fluctuating inflation and interest rates.
The research, which is based on responses from 587 CISOs, noted that cybersecurity – after years of growth and attention as threats became more prominent and impactful on the bottom line – is now treated like any other business unit and is increasingly affected by various macroeconomic trends.
"Security is being treated like any other business unit – its budget is largely a reflection of the macro environment and organizational goals," Nick Kakolowski, research director at IANS, noted in the report. "This is challenging as security's scope is rapidly increasing, putting pressure on CISOs to prioritize strategically and build organizational consensus around risk tolerances relative to budget availability."
CISOs and other cybersecurity leaders and executives, who face the daily pressure of preventing attacks and reducing risk, are also feeling the pinch of budget cuts and reduced staff as many enterprises seek to improve bottom-line numbers.
“Cyberattacks are getting riskier and more frequent every day, putting CISOs squarely in the hot seat to keep organizations safe,” Devin Ertel, CISO at Menlo Security, told Dice. “And it’s no longer simply about technology. CISOs are expected to be risk managers, business strategists, budget balancers, and boardroom communicators, all rolled into one.”
While executives are feeling pressure to keep their security teams functioning, cyber professionals are also affected by reduced budgets and slimmer workforces. The lack of open positions means many pros will need to rethink and revamp their skill sets as competition for jobs and promotions has intensified.
“With security budgets growing at their slowest pace in five years, hiring managers are more selective than ever,” Tracy Dale-Baker, chief human resources officer at Keeper Security, told Dice. “In a competitive job market, candidates stand out when they pair core technical expertise with business-aligned skills in areas like privacy compliance, offensive testing, incident containment and secure cloud architecture – skills that directly help organizations defend against today’s most critical threats.”
What Cybersecurity Skills Matter Now?
In a budget-constrained hiring environment, cybersecurity professionals who stand out need a blend of skills, including cloud security expertise, threat intelligence acumen, risk management fluency, and – unsurprisingly – a strong grasp of the benefits and risks of artificial intelligence (AI), said Bruce Jenkins, CISO at Black Duck.
“As AI-based technologies become as accepted and understood as cloud services are today, they will also become a foundational skill. Given the pace of AI adoption, AI fluency is a skill differentiator for cyber candidates, enabling their ability to embrace AI at scale with confidence,” Jenkins told Dice.
While AI is dominating the tech industry’s attention, Jenkins noted that cloud security remains foundational within cybersecurity, and the ability to secure hybrid and multi-cloud environments, regardless of budget, is a core capability that supports the alignment of cyber practices with business needs.
At the same time, threat intelligence enables proactive defense, helping cyber teams anticipate and take steps to mitigate attacks before they materialize. Risk management fluency – such as understanding how cyber threats translate into business risk – brings needed insight to executive leadership and boards allocating budget and providing directional business guidance.
“This ability to translate technical risks into business terms is often undervalued, but the benefit is undeniable, as cybersecurity is frequently a board-level concern,” Jenkins added.
While technical skills remain critical for landing a cybersecurity role, Chad Cragle, CISO at Deepwatch, noted that candidates who receive offers bring an array of so-called soft skills to organizations that extend beyond core security competencies.
“Security budgets are moving slowly, but they’ve never truly been funded; meanwhile, the threat landscape is accelerating rapidly. CISOs now have to focus on impact rather than headcount, and every new hire must prove their value from day one,” Cragle told Dice. “The skills that stand out aren’t solely technical – they tie security to business outcomes. If you can frame risk in terms of revenue, compliance, and customer trust, you’re ahead of most candidates. This mindset starts at the top, with the CISO acting as a business enabler and passing those objectives downward.”
Can a Cybersecurity Certification Make a Difference?
When opportunities in the security job market become tight, the question of whether a cybersecurity certification is beneficial often comes up. Jenkins notes that, in his years of experience as a hiring manager, having a cert is “more than a nice-to-have.”
“When considering multiple high-talent candidates for a position, and all else about the candidates being equal, having role-relevant certifications puts a candidate over the top,” Jenkins said. “Certs are not a substitute for outright experience, but hiring managers seek clear signals of readiness and specialization. Certs such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and cloud- and AI-specific credentials provide that assurance. They validate technical proficiency and signal to hiring managers a strong commitment to continuous learning, a must-have trait when I am involved in the hiring process.”
Heath Renfrow, CISO and co-founder at security firm Fenix24, broke down the types of certifications cybersecurity professionals need into three categories:
- Entry-level: CompTIA Security+, Google Cybersecurity Certificate, or ISC2 Certified in Cybersecurity
- Mid-career: CISSP (for governance, risk and compliance and leadership roles), GIAC (for hands-on specialties like digital forensics and incident response or security operations center), AWS Certified Security Specialty (for cloud roles)
- Specialist: OffSec Certified Professional (for red team), Certified Red Team Professional or Certified Azure Red Team Professional (for Microsoft Active Directory and privilege escalation), or GIAC Cloud Penetration Tester (for network defense in the cloud)
“Align certification study with current job needs or near-term career goals. Also, consider employer-sponsored programs or training budgets to offset cost,” Renfrow said.
Developing Cyber Skills While Looking
For those cybersecurity pros looking for work in this time of budget cuts and staffing trims, Renfrow noted that there are other ways to gain the skills that can boost hiring prospects without seeking out certifications. These include:
- Building a homelab or lab environment: Pros can experiment with SIEMs, firewalls, scripting or offensive tools like Kali Linux. Candidates should document and share their findings on GitHub or LinkedIn.
- Volunteering for local nonprofits or schools that need security support: These experiences can demonstrate initiative and community impact.
- Participating in Capture the Flag (CTF) events or bug bounty platforms like Hack The Box or TryHackMe: These gamified environments build muscle memory and show employers hands-on ability.
- Showcasing threat intelligence or vulnerability knowledge: Pros can use write-ups in a blog, LinkedIn post, or portfolio to display technical understanding and communication skills.
“Certifications can help, but they’re not the golden ticket. A cert might look good on paper, but real-world experience is what truly counts,” Deepwatch’s Cragle noted. “In resource-constrained environments, I prefer a curious, execution-driven, positive-attitude teammate over someone who is officially certified but siloed and limited.”