

The most dangerous gap in cybersecurity today isn’t technical capabilities – it has a lot to do with the mental side.
That was my first thought when I reviewed ISACA’s 2025 State of Cybersecurity report. I don’t know about many of you, but this is the first time I’ve seen “Adaptability” ranked as the #1 qualification factor for hiring cybersecurity professionals. Think about it: back in the day, many of us couldn’t step foot into the cyber field because we didn’t have the experience required. Now adaptability surpasses even hands-on experience.
I’ve been in the industry for over 20 years, starting in the US Marine Corps where the slogan “Improvise, overcome, and adapt” reflects the mindset that EVERY Marine needs to have to accomplish their mission. I can confidently say, this is one for the history books.
I’m not talking about sloganware or punchline change. I’m talking about something so foundational that it redefines what it means to be “qualified” in cybersecurity. I’m not talking about your “paper” security professionals; I mean at the bleeding edge. And I do mean bleeding – human blood. Because that’s what it’s costing us: burnout, mental stress, and the emotional toll of defending a broken system. And it all starts with adaptability.
Cyber leaders aren’t just asking, “Can this candidate secure our systems?” anymore. We’re asking, “Can they keep pace when everything changes mid-sprint?”
This isn’t about checking another box anymore; it’s about rethinking what readiness actually means. It’s not enough to acknowledge the change required. Now you have to move on it, build for it, lead into it. In the age of AI, the greatest risk isn’t unpatched code pipelines – it’s an unadaptable mindset wearing a badge that says “qualified.”
When looking at the pressures crushing today’s security leaders, consider that, according to ISACA’s State of Cybersecurity data:
- 66% say their roles are more stressful than five years ago
- 55% report understaffed teams
- 65% have unfilled cybersecurity roles
Additionally, 44% of current cybersecurity professionals started in the field. That means around half of the workforce adapted their way in – just as I did, from pulling cable and setting up telecom switchboards in the Marine Corps to setting up my first firewall at a former healthcare solutions provider, to eventually becoming a cybersecurity leader for a Fortune 100 company. “I improvised, I overcame, and I ADAPTED.”
Meanwhile, cybercriminals don’t have to go through upskilling to get the role. They’re quick, nimble and amazingly creative – they have no bounds. They’re relentless.
If we’re going to keep pace, we can’t just hunt for “qualified” candidates. We must build and lead adaptable teams. Threats aren’t the only element of change in cybersecurity; we also face shifting compliance requirements, supply chain concerns, vendor risk and now AI governance frameworks.
Ask any CISO who’s gone through a breach, and we’ll tell you – what saved us wasn’t the playbook we paid a vendor a pretty penny for in order to check the box. It was the pivot our team displayed during the most critical moments. (In my case, it was during multiple breaches occurring at once. Thank you, “Small but Mighty” Security Team.)
I’ve worked with small, mid-size and large enterprises, and I’ve seen this firsthand. In a leadership workshop, a security leader shared that his top cybersecurity hire last year wasn’t a traditional engineer. It just so happened to be a former EMT. Why? “Because in high-stress moments, he stayed calm, quickly adapted and communicated clearly across teams.”
This isn’t just feel-good fluff – I call it strategic intelligence.
ISACA’s State of Cybersecurity report shows that adaptability now leads hands-on experience as the top qualifier for a cybersecurity role and nearly half of those currently in the field transitioned from other roles. This is not a coincidence. It’s a signal.
Harvard Business Review’s analysis of crisis teams across industries backs this up: the teams that thrived and executed the best weren’t led by the most seasoned or the most certified – they were led by those with psychological adaptability: the ability to absorb new information, adjust in real time and take decisive action when the pressure spikes.
It wasn’t how long they’d been in the role, it was how quickly they could shift gears without losing their head that made the difference.
ISACA’s report also highlights that 59% of organizations list soft skills as the top skills gap. When you break that down, you see critical thinking, communication, and problem-solving outpacing hard skills like threat detection and endpoint security.
But still, you see very few organizations setting aside funding to close those gaps – and even fewer are measuring them during hiring.
This is the clear misalignment on what preparation looks like, with only 27% of employers believing that university graduates are well-prepared to enter the cybersecurity workforce.
The old model trained for stability, and a new reality demands agility
If we keep relying only on certifications and, now, AI-generated and polished static resumes as our litmus test for readiness, we severely risk building a world of ego-driven, brittle teams that are unprepared for modern-day chaos.
That chaos is real. Researchers are warning, and real-world examples confirm: cybercriminals aren’t waiting around. They’re weaponizing AI – leveraging polymorphic malware, synthetic identities and autonomous tooling to outpace our traditional defenses.
AI-powered cybercrime is evolving fast. And if our hiring models, approaches to training and detection systems don’t evolve with it, we won’t be ready – and we become the risk.
So, what’s next? Because once you see it, you can’t unsee it.
1. Measure for Adaptability in Hiring
Replace “years of experience” as your filter. Instead, assess traits like flexibility, curiosity and decision-making under uncertainty. Tools like Korn Ferry and Predictive Index offer psychometric assessments that help surface the adaptability profile of potential candidates.
Keep in mind, these tools won’t eliminate technical vetting, but they’ll help prevent hiring brilliant people who crack under pressure.
2. Integrate Soft Skills into Postmortems and Promotions
Turn every incident response into a growth opportunity. Don’t just review technical missteps – assess communication clarity, collaboration and how the team adapted under pressure.
Next, build a Cyber Upskill Program and integrate soft skills into your promotion track. Gartner wrote that organizations tying adaptability to leadership progression retain higher-quality talent.
3. Redesign Onboarding for Agility – Not Just Laptop Access
If your onboarding only teaches what to click and where to report, you’re wasting mission-critical moments.
Use onboarding to give examples of how your team handles uncertainty, shifts gears and communicates while under stress. Run live scenarios. Invite other departments in. Throw in something that breaks the flow.
We either train them to adapt early or watch them freeze when it matters. MIT Sloan reports that employees trained for adaptability outperform their peers in unexpected situations.
4. Create Role Mobility Across Functions
Stop treating cybersecurity like it lives in a silo. News flash: it doesn’t.
If your security team doesn’t understand how legal thinks, how products are built, or how procurement chooses vendors, you’re not building defenders, you’re building gatekeepers.
Let your people rotate, shadow other teams and sit in on business reviews. This is not to check a box, but to build muscle memory for a security mindset and systemic thinking – the kind of thinking that recognizes how a single decision in marketing or ops could open the door to a breach.
5. Fund Mental Health as a Strategic Risk Mitigation Tool
High stress isn’t just driving people to silently quit – it’s compromising your security posture.
Let’s stop pretending this is an HR problem. When your best and brightest people are burned out, checked out or quietly quitting behind their keyboards, your security controls are already compromised.
Companies like Palo Alto Networks and Mastercard are funding resilience through therapy, coaching and mental health stipends. Why? Because if your team breaks, your firewall might as well.
6. So, What Happens If We Don’t?
- Higher turnover → More fatigue and longer unfilled roles (word spreads fast about a business’s culture)
- Increased breach exposure → Brittle teams don’t bend, they break
- Lost innovation → Rigid teams struggle to adapt to new threat models, AI tooling and compliance changes
If we stay on this path, we’ll lose the trust of the next generation of cyber talent – talent that’s looking for environments agile enough to match their pace.
In a world of AI-based attacks, disinformation campaigns, and constantly shifting mandates, adaptability is the new baseline for survival.
Don’t get me wrong, experience still matters – but only if it can flex. Certifications are still useful – but only if they evolve. And leadership must start valuing what can’t be quantified: agility, clarity under chaos and the courage to pivot (traits the “Small but Mighty” security team at my last organization had in spades).
As leaders, we’re not just defending digital perimeters – we’re shaping how teams think, move and adapt.
Let’s build them wisely.