What Fortinet’s 2026 Cybersecurity Skills Gap Report Means for the US Security Hiring Landscape

The 2026 cybersecurity hiring market is being shaped by two forces moving at the same time: rising cyber risk and rapid AI adoption. Fortinet’s 2026 Cybersecurity Skills Gap Global Research Report, based on a survey of 2,750 IT and cybersecurity decision-makers across 32 locations, shows that organizations are investing heavily in AI-powered security tools while also struggling to find the people needed to manage, govern and secure them. North America represented 22% of respondents, making the report highly relevant for US employers planning their security workforce strategies. 

The headline finding is clear: AI is now central to cybersecurity. Fortinet found that 91% of respondents are either using or experimenting with AI-powered cybersecurity solutions, while 84% say AI-enhanced tools are helping IT and security teams become more effective and efficient. That matters for US hiring because AI is no longer a niche skill within security. It is becoming part of the day-to-day operating model for security teams, from threat detection and alert triage to automation, data analysis and response workflows. 

However, the report also makes clear that AI is not removing the need for cybersecurity talent. It is changing the type of talent organizations need. The more companies use AI in security, the more they require professionals who understand both cybersecurity fundamentals and AI-specific risks. These include data leakage, AI-enabled attacks, governance, oversight, model behavior and secure automation. Fortinet found that 60% of respondents say their top recruiting challenge is finding cybersecurity talent with specific experience in AI, up from 57% last year. 

For the US security hiring landscape, this creates a significant talent squeeze. Employers are not only competing for traditional security professionals, such as cloud security engineers, network security specialists, SOC analysts and threat intelligence experts. They are also competing for a newer profile: cybersecurity professionals who can work confidently with AI tools, assess AI-related security risks and help organizations adopt AI safely.

This demand is likely to intensify. According to the report, 63% of respondents expect a greater need for AI oversight and governance roles over the next three years, while 49% believe they may need to create new AI-driven roles. In addition, 57% expect existing staff to need reskilling or upskilling to work effectively with AI tools. This suggests that US employers will need to think beyond job adverts and salary benchmarking. They will need structured workforce planning, clear career pathways and internal training programs that help existing teams adapt. 

The urgency is reinforced by the scale and cost of breaches. Globally, 86% of organizations reported one or more breaches in the past 12 months, and 29% reported five or more. North America stood out in the regional data, with 87% of organizations experiencing at least one breach and an average breach cost of $2.0 million, the highest of all regions listed in the report. 

That cost pressure has direct hiring implications. When breaches are frequent and expensive, cybersecurity recruitment becomes more than an IT concern. It becomes a business resilience issue. US companies that cannot hire or retain the right security talent may face longer recovery times, higher operational disruption and increased exposure to regulatory, financial and reputational damage.

Fortinet’s findings also show that human factors remain central to cyber risk. The most commonly perceived causes of breaches were lack of cybersecurity skills and trained IT or security staff at 56%, lack of security awareness at 55%, and lack of cybersecurity products at 54%. This is important because it challenges the idea that technology alone can solve the problem. Even with AI-enabled tools, organizations still need trained professionals who can configure systems correctly, interpret alerts, educate users, respond to incidents and make sound judgement calls under pressure. 

For US hiring managers, this means the strongest candidates will be those who combine technical depth with practical security judgement. AI literacy will help, but it will not replace core skills such as incident response, cloud security, risk management, network security, identity and access management, and security operations. In fact, as AI tools become more embedded, senior-level expertise may become even more valuable because organizations need people who can decide when to trust automation, when to challenge it and how to govern it.

The report supports this point directly. Fifty-one percent of respondents say they need senior-level cybersecurity skills most of all, compared with 32% for mid-level roles and 13% for entry-level roles. That creates a difficult dynamic in the US market. Employers want experienced professionals, but the wider industry also needs to build the next generation of talent. If too many companies focus only on senior hires, the market will become even more competitive and expensive. 

Certifications remain a major part of the solution. Fortinet found that 91% of IT decision-makers prefer candidates with technology-focused certifications, while 92% would pay for an employee to get certified. In North America, 71% of respondents consider professional certifications when hiring, and 61% are very likely to invest in AI-related cybersecurity training or certification in the next 12 months. 

For US employers, certifications can help in two ways. First, they provide a practical benchmark when assessing candidates in a competitive market. Second, they can support retention by giving existing employees a visible development path. This matters because the report also highlights retention challenges, with 52% of respondents saying their organization struggles to retain cybersecurity talent and 48% saying a lack of training and upskilling opportunities can negatively affect retention. 

The message for US hiring teams is that training should not be treated as a perk. It should be part of the cybersecurity workforce strategy. Companies that invest in certifications, AI upskilling and career progression are likely to be better placed to retain security professionals in a market where demand remains high.

Another important finding is the continued need to broaden talent pools. Fortinet reports that 71% of businesses have formal targets for cybersecurity hiring from underutilized talent pools, and 75% have structured recruiting initiatives targeting women. However, the report also notes that the overall composition of IT and cybersecurity teams has not changed significantly. 

This is highly relevant in the US, where security hiring often remains too focused on narrow requirements: specific degrees, exact tool experience or years of experience in roles that are still emerging. To close the gap, employers may need to look more seriously at adjacent talent, including IT infrastructure professionals, veterans, career changers, apprentices, community college graduates and candidates with strong analytical skills who can be trained into security roles.

The Fortinet report ultimately points to a more complex US security hiring market, not a simpler one. AI is helping teams become more efficient, but it is also creating new risks, new governance needs and new skill requirements. Breach costs remain high, boards are under pressure to treat cybersecurity as a business priority, and organizations need senior expertise while also building sustainable talent pipelines.

For US employers, the practical takeaway is clear: hiring alone will not solve the cybersecurity skills gap. The winning approach will combine targeted recruitment, AI-focused upskilling, certification support, broader talent sourcing and stronger retention strategies. Companies that act now will be better positioned to secure the people they need. Those that wait may find themselves competing for the same scarce talent, at a higher cost, in a threat landscape that is only becoming more demanding.