The cybersecurity boom hiding a growing privacy skills shortage
Why are privacy teams still stretched to breaking point?
High-profile breaches have forced privacy firmly onto the boardroom agenda. According to recent research from Nardello, more than four in ten business leaders are concerned about the reputational impact of a cyber incident.
Their concern is justified.
Public scrutiny of cybersecurity capability is intensifying, yet operational resilience is not keeping pace.
Chief Global Strategy Officer of ISACA.
Socura’s analysis of the Office for National Statistics’ Annual Population Survey shows there are now 83,700 cybersecurity professionals in the UK, up from 28,500 in 2021. That 194% increase suggests rapid progress, but headcount growth alone does not guarantee preparedness.
In fact, a report from the Department for Science, Innovation & Technology shows that in 2025, nearly half (49%) of businesses in the UK labor market had a basic skills gap.
If the right skills are not being developed at the same rate as emerging threats, or if critical functions such as privacy remain under-resourced within organizations, workforce expansion risks masking deeper structural gaps.
Failure to invest is failure to protect
Cyberattacks affecting the Foreign Office, Asahi, the NHS and Jaguar Land Rover over the last 12 months have exposed vulnerabilities across both public and private sectors.
Crucially, they show that gaps in cybersecurity and privacy capability are not limited to smaller or resource-constrained organizations; even well-established institutions are struggling to keep pace.
The strain on privacy teams is significant. More than a quarter (26%) of privacy professionals say their board is failing to adequately prioritize privacy, despite escalating threats. Nearly four in ten (39%) legal privacy teams and over half (51%) of technical privacy teams report being understaffed.
At the same time, more than half (54%) expect budgets to decrease further in 2026. More broadly, ISACA’s 2025 survey of business and IT professionals in Europe found that over half (58%) report that their organization remains understaffed.
This creates a dangerous paradox. Teams are asked to defend against an expanding threat landscape with shrinking resources. Unsurprisingly, more than a quarter (26%) of privacy professionals believe their organization is likely to experience a material privacy breach within the next year.
The consequences extend beyond data loss. Chronic understaffing and budget constraints increase burnout, undermine retention and weaken long-term resilience.
Two thirds (67%) of privacy professionals say their role is more stressful now than it was five years ago, while 34% of organizations struggle to retain qualified privacy professionals.
From privacy compliance to capability
What’s required now is a shift from reactive compliance to proactive integration. Privacy by design must be embedded across organizations, ensuring data protection is considered from the outset of every project, system and decision. A culture of minimal compliance is no longer tenable.
Many organizations are struggling to keep pace with evolving regulation. Over a fifth (22%) of privacy professionals in Europe say their organization finds it difficult to identify and understand its privacy obligations, while more than half (51%) cite the complexity of international laws as a key barrier.
This uncertainty, combined with underfunding and inadequate staffing, creates systemic vulnerability.
AI-powered privacy-enhancing tools and automated response platforms are essential. But technology alone cannot close the privacy gap. Organizations still need skilled professionals who can deploy these tools effectively, interpret risk signals, and apply controls consistently. As technology evolves, so too must expertise.
Capability can only be built by combining a holistically trained workforce with advanced technologies that together address new-generation threats.
Resilience starts with leadership
Business leaders must move beyond acknowledging privacy risk to actively strengthening the capability that manages it. Investment must prioritize people as much as platforms.
Technology can support resilience, but only well-trained, adequately resourced professionals can interpret risk, make judgement calls and respond effectively when incidents occur.
Privacy by design should be embedded into governance, product development and operational decision-making, not retrofitted after deployment. Regulatory frameworks such as GDPR set the baseline, but true resilience comes from integrating data protection into culture, controls and accountability structures.
Above all, privacy must be treated as a business continuity issue. It directly affects operational stability, reputation and long-term value creation. Expanding headcount alone will not close the gap. Without sustained funding, skills development and visible leadership commitment, organizations will continue to face preventable disruption.
Resilient organizations recognize that privacy capability is not a compliance function on the periphery - it is a strategic asset at the core of trust.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro