The skills problem, in numbers
Fortinet's 2026 Cybersecurity Skills Gap Report moves the talent conversation out of HR and into the incident-response post-mortem. Among Canadian IT leaders surveyed:
- 47% said a lack of cybersecurity skills was a leading cause of security breaches at their organization.
- 53% said they most needed senior-level cybersecurity skills — the analysts, architects, and incident responders who run the actual day-to-day.
- 40% struggled to get budget approval for additional cybersecurity hires, even after recognizing the gap.
- 49% said they struggle to recruit cybersecurity staff with AI-specific experience.
Combined with the threat data from Fortinet's parallel 2026 Global Threat Landscape Report — 374 Canadian ransomware victims, 17 billion attacks against Canadian targets — the picture is straightforward: the workload is growing faster than the workforce.
AI is making the talent gap worse, not better
There's a common assumption that AI tools will narrow the gap by automating away the boring work. The data is more nuanced. Yes, 91% of Canadian respondents are using or experimenting with AI-based security tools, and 85% report measurable productivity gains. But the same survey shows half of organizations cannot find people who know how to operate those tools.
The threat side has the same dynamic: global exploitation attempts rose 25.49% last year, fueled in part by attackers' own AI tooling. So defenders are simultaneously trying to (a) hire scarce talent, (b) deploy new AI defenses, and (c) keep up with attackers who don't have any of those staffing constraints.
How organizations are responding
Three patterns stand out from the report:
1. Internal upskilling is replacing pure external hiring
58% of organizations are developing internal training or reskilling programmes to bring existing staff up the AI-security curve. Another 49% are buying training or reskilling services from industry vendors. Boards are starting to see upskilling current employees as a faster path than competing for the same senior candidate.
2. AI training is the top investment for the next year
49% of organizations say they're likely to invest in AI-related cybersecurity training or certifications in the next 12 months. Expect AI-security skills to be the most-requested category on the certification market through 2026.
3. Operating models are shifting to managed and augmented services
For organizations that can't realistically build a 24/7 SOC or run an in-house red team, the math now favors blended models: a small in-house security team partnering with a managed service or staff-augmentation provider for specialist work. This is the same conclusion CCCS has been reaching for two years: most Canadian SMBs can't run a full-stack security team alone.
A defensive playbook for stretched teams
If you're running security with fewer people than the threat justifies, four moves give you the most coverage per dollar:
- Buy 24/7 monitoring you can't build. Managed SIEM/SOAR/XDR closes the after-hours window where most ransomware deploys.
- Augment specialist roles — don't try to hire them. Cleared penetration testers, IR responders, and cloud-security architects are easier to engage on retainer than to recruit full-time.
- Standardize on playbooks before tools. A documented runbook for the top 10 incident types is worth more than any single product purchase.
- Treat AI tools as force-multipliers, not replacements. The vendors who say AI eliminates the need for analysts are selling something. The realistic gain is 30–50% productivity on tier-1 triage.
How CyberSafe helps
Our Staff Augmentation practice places senior cybersecurity professionals into Canadian organizations on flexible terms — the kind of senior skills 53% of respondents said they need most. For organizations that prefer to outsource the operating layer, Managed Security gives you a 24/7 SOC plus documented detection and response without the headcount line item. And Consulting can help build the internal upskilling plan that 58% of your peers are putting in place this year.