The Cyber Skills Gap Has Moved: Why Non-Security Teams Are Driving the Next Wave of Upskilling

By Alyssa Pratt, Senior Content Strategist, Coursera

What if your biggest cybersecurity capability gap isn't on your security team at all?

Security teams have spent twenty years training employees to spot phishing emails and use stronger passwords. AI is introducing a different kind of risk that goes beyond users clicking suspicious links. It's engineers building AI agents with broad system access, analysts feeding models with regulated data, and product teams turning on copilots before anyone runs a threat model. These are security decisions made by people who don’t even realize they’re making them.

Coursera's Industry Skills Brief 2026 shows the workforce starting to catch up. The fastest-growing security skills aren't concentrated inside security teams. They're climbing through general IT, data, and developer tracks in every industry the report analyzed.

This reframes the L&D question from “how do we deepen our security team” to “how do we extend security capability across the workforce.”

A new pattern in the data

The Industry Skills Brief 2026 draws on enrollment data from six million enterprise learners across nearly 7,000 organizations. Across all six industries analyzed, security skills rank among the fastest-growing in general IT, data, and developer learning paths—not just in specialist security training:

• Technology / IT: Cybersecurity is the number one IT skill, with Authentications second and Network Protocols fifth. These learners are mostly developers and platform engineers.

• Energy: Identity and Access Management ranks first among IT skills, followed by Data Security and Network Security. The workforce is largely operational, yet identity and infrastructure security are priorities.

• Financial Services: In a track dominated by data scientists, analysts, and product teams, Information Privacy is the number one GenAI skill.

• Professional Services: Data Security ranks second in IT skills, alongside Cloud Computing.

• Retail and Consumer: Malware Protection ranks second in IT skills, in a sector where most learners work in store operations, e-commerce, and supply chain roles.

• Healthcare and Pharmaceutical: Identity and Access Management and Continuous Monitoring both appear in the top five IT skills, alongside Data Integration and Automation.

No single sector tells the full story, but read together they tell a strong one: Security skills are becoming an expectation for the broad technical workforce.

Why this is happening now

The widespread adoption of security skills reflects the adoption of AI tools. Organizations are quickly deploying agentic workflows, AI-assisted development pipelines, and autonomous systems that act on behalf of users. Each of these expands the attack surface in ways traditional perimeter controls were never designed for.

The security community is reframing the risk to match. “The biggest change I've seen is that security is moving closer to the engineers building AI-enabled applications,” shares Caroline Wong, Chief Strategy Officer at Axari. “The latest OWASP Top 10 for LLMs reflects a shift from concerns about chatbots and prompt injection to concerns about autonomous agents, tool use, supply chain compromise, data poisoning, and AI systems that can take action in the real world. As AI becomes more capable, engineers are increasingly expected to understand not just how to build these systems, but how to build them safely.”

Building safely is becoming a shared responsibility, not the security team's alone. The upskilling data shows the workforce is already responding.

3 tiers for a cross-functional security skills framework

A modern security curriculum has three layers. Most organizations have built the third, and many have some version of the first. The middle layer is role-specific security depth for non-security technical staff. That's where the gap tends to sit.

Tier 1: Baseline security literacy

Everyone who builds, operates, or oversees AI systems should understand:

• Identity and access fundamentals

• How to recognize and escalate potential risks

• The basics of secure data handling

The goal is practical awareness. Employees should know what looks suspicious and what to do about it.

Recommended starting points: Introduction to Cybersecurity Essentials from IBM and Cybersecurity Awareness for Everyone from Kennesaw State.

Tier 2: Role-specific security depth

Developers and software engineers: In the Tech sector, Cybersecurity ranks first among IT skills, with Authentications second and Network Protocols fifth. That pattern includes developers. Secure-by-design competencies belong in the standard developer learning path: authentication, secure coding practices, threat modeling, and code-level handling of sensitive data. Developers building AI-enabled applications also need familiarity with the risks specific to LLMs and agentic systems.

Data professionals: Information Privacy ranking as the number one GenAI skill in Financial Services reflects a pattern: data teams now sit at the intersection of model behavior and regulated information. Priority areas include applying data privacy regulations to AI workflows, governance-aware data handling, and recognizing where training data introduces risk.

IT and platform teams: As Identity and Access Management climbs the rankings in Energy and Healthcare, with Authentications surging in Tech, access control is becoming a daily concern for platform engineers and IT operations. Priority areas include IAM, network security, and the controls needed to support agentic systems that act on behalf of users.

Recommended starting points: Responsible AI for Developers: Privacy and Safety from Google Cloud, Privacy Law and Data Protection from University of Pennsylvania, and Introduction to Security Principles in Cloud Computing from Google Cloud.

Tier 3: Security specialists

Your security team still needs deep specialist training, especially around what's specific to AI: red teaming AI systems, threat modeling for agentic workflows, and adversarial testing of LLM applications.

Recommended starting point: Securing AI and Advanced Topics from Johns Hopkins.

What success looks like

When evaluating the impact of a cross-functional security L&D program, look beyond completion rates. Indicators that better illustrate business impact include:

• Security-related defects caught earlier in development cycles

• Fewer access misconfigurations and identity-related incidents

• Engineering teams raising security questions in design reviews, not after deployment

• Faster response when new AI security guidance is published

• Reduced dependence on the security team to gate routine technical work

The clearest indicator: How often do security questions come up in the first conversation about a new AI tool? If your teams are asking these questions early, your training is on the right track.

Where this leaves security leaders

For CISOs, the workforce data points to a question worth consideration: How much of your security capability depends on headcount inside your own team, and how much can be extended by raising the floor across adjacent functions?

“I stopped thinking about security as a function that owns outcomes and started thinking about it as a function that sets guardrails,” explains Jerich Beason, CISO at WM. “When adjacent teams understand the why, they become an extension of your capability without you ever having to hire for it. My job is to make every engineer, analyst, and system owner a force multiplier for the security team.”

Hiring the right security professionals and deepening their expertise still matters, but L&D investment now has outsized impact beyond the security team.

Build security capability before your next AI deployment

Security has joined the small set of skills the AI era now demands across every technical role. The pattern is already visible in your workforce's learning behavior. Is your training program built to meet it?