The demand for AI-related cybersecurity skills has more than doubled since 2020 and is now outpacing available supply globally. Average cybersecurity job tenure has fallen from 3.3 years to just 1.8. More than half of cybersecurity professionals report frequent work-related stress.

These are signals of a workforce under serious pressure and a talent model that no longer fits its purpose. To fix this model, organizations need to understand what’s going wrong, how it’s impacting their business, and why the solution to solving the cybersecurity talent gap isn’t just about headcount. It’s about capabilities.

Cybersecurity roles have fundamentally changed

Not long ago, cybersecurity teams operated separately from most company functions and focused mainly on implementing controls, monitoring threats and responding to incidents. So long as cyber staff were well-trained on networks, firewalls, and malware, strong technical specialization was sufficient. 

However, today, cybersecurity sits at the intersection of business strategy, digital platforms, regulation and customer trust. Cyber teams are no longer a nice-to-have. They are the first line of business resilience. That shift demands something the traditional talent model was never designed to produce.

Accenture’s latest report, “Reinventing the Cyber Workforce: Solving the Talent Imbalance,” looked at more than 550,000 cybersecurity job postings and professional profiles globally and found that 59% of open cybersecurity roles now require not just technical depth, but also business acumen, strategic leadership and soft skills. However, only 40% of today’s workforce fits that profile. 

We call these hybrid professionals “Conductors,” people who can translate risk into financial terms, lead cross-functional decisions and embed security into transformation initiatives. While the labor market is producing plenty of “Operators,” or technically-skilled professionals focused on executing controls and monitoring threats, it is not producing nearly enough Conductors.

A convergence of forces widening the talent gap

The supply and demand of necessary cyber skills is growing more complex. AI-related capabilities are now among the fastest-growing requirements in job postings, yet workforce capability is not keeping pace. 

Organizations are also underinvesting in the talent they already have. Fewer than three in ten organizations fund structured upskilling programs for their employees, and with the average cybersecurity professional’s tenure sitting at a low 1.8 years, companies are burning out and losing experienced people. Fifty-seven percent of organizations cite insufficient internal investment as a direct cause of their talent shortages, showing that many organizations are doing little to replace people they lose.

Additionally, external pressures keep intensifying the cybersecurity environment. Regulatory regimes in some nations now hold cybersecurity leaders personally accountable for governance failures, with penalties ranging from fines and sanctions to criminal liability. This is increasing demand for leaders fluent in law, risk and crisis management at exactly the moment the talent pool is at its thinnest.

Three Moves to Close it

First, build internal capability and a culture to sustain it. The hybrid professionals that organizations need are emerging too slowly from the labor market. Companies must develop them internally through cross-functional pipelines. Culture matters too. Cyber expertise cannot deepen when accountability is unclear, workloads are unmanaged and wellbeing is neglected.

Second, redesign roles and career paths. The traditional cybersecurity career ladder is too narrow for a field embedded across every major business function. Career paths must broaden to give cybersecurity professionals real business experience, whether it be cybersecurity professionals stepping into roles that build commercial fluency or business leaders with clear on-ramps into cybersecurity. Cybersecurity capabilities should be embedded wherever technology decisions are made, such as product development, change management and IT operations. At these intersections, talent gains context, experience and stronger reasons to stay.

Education systems must evolve too. Many university cybersecurity programs underemphasize cyber law, risk management, enterprise architecture and executive communication, producing graduates who can configure a firewall but cannot assess business risk or brief a board.

Third, augment human capabilities with AI, connected architecture and long-term partnerships — with humans always in the lead. AI can absorb the high-volume cybersecurity tasks that drive burnout, freeing people up to focus on judgment, architecture and strategic risk decisions. However, if automation takes on foundational work before practitioners can master it, these future leaders will lack a necessary experience base.  Additionally, architecture must be connected and long-term ecosystem partners need to be treated as strategic capability extensions, not interchangeable vendors that operate on short-term rotations, erasing institutional memory.

The question every boardroom should ask

Boardrooms and CEOs need to ask themselves an important question: Are you building the cybersecurity workforce your business depends on — or are you still hiring for yesterday’s threats?

Organizations that can answer this with confidence are already ahead. Those that can’t need to rethink their cyber talent strategy before the gap between their capabilities and the threats they face becomes a crisis. Getting this right does more than improve defenses. It accelerates recovery, strengthens regulatory confidence and builds deeper customer trust.

Cybersecurity done well isn’t a cost of doing business. It’s a competitive advantage, but only for leaders who build it deliberately before the next disruption forces their hand.

The opinions expressed in Fortune.com commentary pieces are solely the views of their authors and do not necessarily reflect the opinions and beliefs of Fortune.