A cybersecurity skills shortage is creating additional cyber risks, according to a new global report.

Fortinet’s 2025 Cybersecurity Skills Gap Report found that 70% of businesses in New Zealand and Australia believed that the skills shortage was adding to their cyber risk, and most (92%) had experienced at least one security breach in the past 12 months.

“There has long been a skills shortage in cybersecurity, and AI is accelerating the shortage because it’s moving at such an incredible pace,” says Matt Harrison, who heads the client sales team for Fortinet, New Zealand. “There are not enough graduates with cybersecurity skills, so Kiwi businesses need to invest in upskilling their existing staff and retaining them.”

The report found that data and network security skills were the most in demand, while the hardest roles to fill were AI and machine learning, digital forensics and incident response. AI security tools are helping cybersecurity teams improve their effectiveness, but the skills shortage is adding to cyber risk.

Efficient AI attacks are increasing the need for cyber skills

The expanded use of AI is increasing the frequency and efficiency of cyberattacks, which is driving a widening gap between the skills we need and the skills available.

“AI can increase the volume of attacks by automating the process, and it can also make an attack more personalised,” Harrison explains. “For example, in a phishing attack, AI can build a better email by pulling on all your social media posts and comments, to find out what areas interest you. That social engineering aspect is often quite overlooked. You might have noticed that your spam emails are no longer full of spelling mistakes.”

In addition, AI can analyse a code base to find weaknesses and make an attack more technically credible.

“There’s a growing understanding within organisations that AI as an attack vector is a real risk now,” says Harrison. “AI can potentially outpace all the cyber solutions and products available. It’s a constant game of cat and mouse.”

Despite this recognition, Fortinet’s report found that 51% of global respondents didn’t think that their board of directors was “fully aware” of the risk – a governance gap that can have real business consequences.

With our National Cyber Security Centre estimating the average cost of a data breach at $173,000, any increased risk has the potential to be costly, and it’s critical for organisations to be in alignment.

Embracing AI tools to fight AI breaches

On the other side of that cat-and-mouse game, AI security tools are rapidly learning to recognise cyber threats as they occur.

“If you usually log in from Auckland on weekdays between 10am and 4pm, AI can learn that pattern over time. It can also recognise how you use different apps at different times of the day,” Harrison says.

“Now imagine there is a sudden login from Saint Petersburg on a Friday night at 10pm. AI would see that as unusual activity – something outside your normal behaviour. By identifying these kinds of anomalies early, AI helps security teams respond faster and contain potential risks before they escalate.”

The fast-changing nature of both threats and responses makes it a challenge to keep IT professionals up to date. In New Zealand, Fortinet’s team has grown by 30% over the past 18 months as demand for training increases.

“There’s definitely a real shortage of skilled cybersecurity people,” Harrison says. “Our surveys showed that they are in hot demand, regardless of how the local economy is performing, and regardless of the region or country.”

Human error still the largest cause of breaches

Cybersecurity breaches are increasingly common, but the report highlights that the primary vulnerability remains constant: human error. Worldwide, the IT leaders surveyed by Fortinet named “lack of security awareness” as the leading cause of breaches.

‘Hygiene’ practices – like strong passwords, multi-factor authentication and frequent software updates – are still one of the strongest lines of defence against attack.

“Keep doing the basics,” Harrison adds. “AI gets all the attention, but one of the fundamental risks is people becoming complacent. It’s surprisingly common for people to have a notebook with their passwords written in, or to be using ‘Password1234’ for every site. These are some of the basic steps that everyone in your organisation needs to improve, no matter how big or small your business is.”

Look beyond traditional recruitment pathways

To find new cybersecurity talent, New Zealand businesses need to look beyond traditional recruitment pathways, the report found, by training internally and developing hiring initiatives targeted at a diverse range of workers.

Oceanian IT decision-makers told Fortinet their biggest challenge for retaining cybersecurity talent was lack of upskilling opportunities, followed by issues around flexible work, remuneration and benefits, and work/life balance.

“Organisations need to plan for both developing and adding skills,” Harrison says. “In a digital economy, the right training opportunities can help attract and retain cybersecurity staff. The current market means cybersecurity talent can jump from job to job, and it’s expensive to secure them, so if you do, it’s wise to invest in further training and enablement.”
