But many companies are not taking these threats seriously, according to Clar Rosso, CEO of ISC2—one of the largest certification organizations as well as member associations for cybersecurity professionals.

The organization’s annual cybersecurity workforce study, which was released on Oct. 31 and surveyed nearly 15,000 cyber professionals, found that the industry’s skills gap has hit a record high. Globally, roughly 4 million professionals are needed to adequately safeguard the digital world—an increase of about 13% compared to last year. This means the industry as a whole needs to basically double in size to meet growing demand.

Realistically, Rosso says, the gap should be higher because every company—no matter the size—needs people with cybersecurity expertise.

“There’s so many organizations that just don’t have any cybersecurity professionals at all,” she says. “So it’s not really representative of what in the nation or around the globe, we actually need. It’s just for those organizations that are clever enough to understand that they need cyber professionals.”

ISC2’s certifications are among the most popular and sought after in the industry, especially its Certified Information Systems Security Professional (CISSP) certification. Rosso says the CISSP is to cybersecurity as a CPA is to accounting—essential. The organization not only works to help create a skilled and qualified workforce as well as ensure ISC2 members have latest information and resources especially with a growing threat landscape fueled in part by next technology like AI.

Growing threat landscape

According to the report, 3 out of 4 cybersecurity professionals believe the current threat landscape is the most challenging it has been in the past half decade, and less than half think their organization has resources and personnel to respond to threats over the next two to three years.

So with this threat concern as well as a large skills gap, it would be assumed that most companies would be trying to beef up their cyber teams. Not necessarily.

Nearly half—47%—of cybersecurity professionals have experienced layoffs, budget cuts, or freezes on their teams, and almost a third expect additional cutbacks next year. Not only do these cuts affect productivity and morale, but it also affects cyber awareness and training. 

Rosso says the findings are shocking and concerning because with AI looming on the horizon, threats will be even more fast and furious. 

“I think what it does is it just shows that organizations are more driven by their revenue than they are or their profitability than concerns over their cyber risks, even though their cyber risks can damage them. financially and certainly reputationally,” she says.

IBM’s Cost of a Data Breach report had similar findings. Despite data breaches increasing in cost, many companies are unwilling to increase their cyber defense expenditures—sometimes even after a breach.

Small businesses are especially at risk, Rosso adds, because 95% of organizations that have 100 or fewer employees have no cybersecurity professionals at all. 

“Small businesses having no cyber professionals is a huge risk because it’s not if a breach happens in your organization, it’s all about when a breach will happen in your organization, because it’s misguided for anyone to think that they are too small for cyber criminals to bother with them,” Rosso says.

Overall, cybersecurity is a national defense and national economic security issue, she says. Last week, a leader at the Cybersecurity Infrastructure and Security Agency (CISA) echoed this to Fortune—adding that there needs to be increased awareness of the cybersecurity skills gap.

Educating—and certifying—professionals

Rosso says it is great that there has been a proliferation of cybersecurity programs at universities across the country, but oftentimes the degrees do not necessarily align with what the market and employers want. (Fortune does have a ranking of the best master’s degrees in cybersecurity.)

“Employers prefer to hire based on certification. The certification—it’s a demonstration of knowledge, skills, ability and experience, so they know if I hire a CISSP, I know as CISSP knows, and can do,” she adds.

Some universities have also integrated certifications into their degree programs to provide students with the best preparation for their careers. And, many companies in the cybersecurity arena, such as Cisco, Google, and ReliaQuest have been working to address the cyber gap with their own skills-first, hands-on learning opportunities that often involve certifications.

To encourage people to consider careers in cyber, ISC2 is providing free access to entry-level Certified in Cybersecurity courses and exams to 1 million people. After a year, Rosso says 345,000 people have enrolled and 36,000 have been certified.

She says it is important to realize that students do not necessarily need a tech background to get started in cybersecurity. Simply having effective communication, project management, or critical thinking skills can help individuals get ahead.

Plus, she says the industry is far away from being replaced.

“As much as automation is going to be introduced to help the profession, we are a long way from not needing more people in the profession,” she says. “So that’s what I think makes it so exciting. They’re going to be at the center of augmented intelligence, which is the intersection of the human intelligence and the artificial intelligence. There’s really no hotter topic around the globe as far as I think job roles go right now.”