Is There Really a Cyber Skills Shortage?
You’ve probably heard the phrase a million times: “There’s a massive cybersecurity skills shortage.” It’s in headlines, in boardrooms, and in job market reports. And on the surface, the numbers do look serious, but when you dig deeper, the picture becomes far more nuanced.
The real question isn’t just “are there enough people?” but “do the people available have the skills organisations actually need?”
And the answer isn’t as simple as yes or no.
The Numbers Tell a Story (But Only Part of It)
Let’s look at some of the big global figures first:
- On the global level, the cyber workforce gap is still huge, at around 4 to 4.8 million unfilled positions worldwide according to recent workforce studies. That means demand outstrips supply by a wide margin.
- In Europe alone, the EU cybersecurity workforce gap is estimated at nearly 350,000 professionals, and demand keeps growing.
- Across all regions, roughly 90% of organisations report skills gaps in their cyber teams, even if they technically have people in those roles.
So yes, by the numbers, there are more jobs than qualified people to fill them. But the term “skills shortage” barely scratches the surface of what’s actually happening.
Here’s why.
It’s Not Just About Headcount
One of the clearer trends that’s emerging from multiple surveys is a distinction between headcount shortage and skills mismatch:
- Many organisations report that they have staff, but not always with the skills they need.
- Leaders increasingly say that the real challenge is not numbers, but skills alignment. In other words, finding people with the right capabilities rather than just any capabilities.
- Critical technical areas like cloud security, AI/ML security, Zero Trust implementation, threat analysis, and incident response are repeatedly cited as lacking expertise.
That’s why a SOC analyst with great SIEM skills might still not be what a financial services firm needs for secure cloud architecture, even though both are “cybersecurity jobs.” The job titles don’t always map neatly to the real skill requirements.
In the DACH region, this mismatch shows up in a structural way too: cybersecurity vacancies have been growing faster than the output of specialised training programmes, creating a supply bottleneck for certain high‑demand roles.
Entry Level vs Senior Roles: Two Different Problems
Another part of the story is who is in demand:
- Around half of organisations struggle to attract truly entry‑level talent, and many teams lack any junior professionals at all.
- At the same time, mid‑level and senior roles dominate recruitment efforts, and these are the hardest to fill, partly because the skill combinations organisations are looking for are rare.
This creates a perception of “no talent available,” even when people are available; they just aren’t at the precise experience or capability level that the job requirements specify.
It’s why many teams have roles open for months, and why more organisations are now willing to rethink rigid requirements like “10+ years experience in X, Y, Z.”
A Closer Look at “Skills” vs “Experience”
From a recruitment perspective, a lot of the disconnect comes down to what employers ask for versus what candidates bring:
- Many job ads still list long checklists of specific tools and certifications, often drawn from what the team currently uses rather than what the business actually needs.
- Candidates with strong fundamental skills and problem‑solving ability are sometimes overlooked because they lack niche tool experience that could be acquired on the job.
- Training data shows that entry‑level talent is often more capable than organisations give them credit for, but hiring practices haven’t fully adapted to evaluate potential over pedigree.
This mismatch (between what hiring managers think they need and what practical, valuable capability looks like) is at the heart of many “skills shortage” debates.
What About DACH Specifically?
While global figures set the scene, the DACH region has its own flavours of the same dynamics:
- Demand in DACH has been growing steadily, but local training pipelines have not expanded at the same rate, partly because specialised cybersecurity education programmes are still maturing.
- Regulatory and compliance requirements (like KRITIS, ISO 27001, and national security checks) add extra barriers that don’t exist everywhere, meaning the bar for entry is higher in certain roles.
So while the global shortage and the skills mismatch overlap, DACH organisations often face greater structural hurdles around training, certification, and compliance expectations, not just pure headcount gaps.
So What’s Really Going On?
From our perspective:
- There is a cybersecurity workforce shortage in terms of sheer numbers.
- There’s also a skills mismatch that’s arguably more critical. Organisations struggle to find the right skills, not just any skills.
- In regions like DACH, training bottlenecks and compliance complexity make alignment even tougher.
It’s not a binary issue. It’s a stack of overlapping challenges, including workforce size, skill variety, experience depth, training quality, and how organisations write job requirements.
What Helps Close the Gap
Based on global data and recruitment experience:
- Rethink entry‑level roles. Create pathways where people can grow into roles instead of being filtered out by rigid checklists.
- Focus on transferable capability. Problem‑solving, risk thinking, and security fundamentals often matter more than tool‑specific experience.
- Invest in upskilling and internal mobility. Organisations that build skills internally see fewer vacancies and stronger retention.
- Adjust expectations regionally. In places like DACH, bridging structural training gaps can make a big difference; it’s not just about headcount.
Talking about a “cyber skills shortage” without unpacking what that really means is like describing a symptom without diagnosing the cause. Yes, the numbers are large. Yes, the demand is persistent. But the real challenge (and opportunity) isn’t just hiring more people. It’s connecting the capabilities organisations need with the capabilities people actually have or can realistically grow into.
When we look at it that way, the skills “shortage” becomes less of a doom‑loop headline and more of a strategic problem we can actually solve.