America's Cybersecurity Skills Gap Now Costs More Than $1 Million Per Breach

Kasun Illankoon

By: Kasun Illankoon

Thursday, June 11, 2026

Jun 11, 2026

8 min read

A new Fortinet report finds that 86 percent of organizations suffered at least one breach in the past year, and the bill has never been higher. But buried inside the same data is a more encouraging story about how enterprises are choosing to fight back.

by Kasun Illankoon, Editor in Chief at Tech Revolt

[For more news, click here]

Fifty-two percent of organizations say their most recent security breach cost them more than $1 million. In 2021 that figure was 38 percent. In four years, the share of companies absorbing million-dollar losses from cyber incidents has grown by more than a third, and the survey, drawn from over 2,750 IT and cybersecurity decision-makers across 32 countries, shows no sign the trend is reversing.

The report lands at a moment when the American enterprise is trying to make sense of two forces pulling in opposite directions. On one side: an AI-driven threat environment that is getting faster, more automated, and harder to anticipate. On the other: an AI-powered security toolset that, for the first time, is giving defenders genuine capability parity with the attackers. Understanding where those forces intersect is quickly becoming the most important question in enterprise technology.

The Cost of Getting It Wrong

Start with the damage. Eighty-six percent of organizations in the survey reported at least one breach in the past 12 months. That near-universal figure is not new; breach rates have hovered at similarly high levels for several years. What has changed is the price. Breaches cost most in North America, where the average is now $2 million per incident, and the overall share of organizations absorbing seven-figure losses has climbed steadily since the survey began tracking it.

The cause, for the third consecutive year, is not a mystery. Fifty-six percent of IT leaders cited a lack of cybersecurity skills as a top driver of security breaches. Not the sophistication of the attacks. Not insufficient technology budgets. The absence of people who know what to do. Fifty-one percent say senior-level cybersecurity skills are what they need most, and 49 percent struggle to get approval from their own organizations to hire them. That last figure is the kind of finding that should prompt a difficult conversation in every boardroom in the country, particularly given that 50 percent of respondents say executives and board members have already faced personal penalties in the aftermath of a cyberattack.

The framing from Carl Windsor, CISO at Fortinet, is precise about what that resistance to investment actually represents. "Cybersecurity is not simply a technical issue but a strategic business risk. This year's survey suggests that while boards generally recognize the importance of cybersecurity, more investment is needed to address key issues, such as emerging AI risks and the ongoing cybersecurity skills shortage. Addressing these issues is critical to business resilience in an increasingly complex threat landscape."

For context, Windsor is describing organizations where the person accountable for the security outcome has already been penalized for a breach, yet the organization is still not approving headcount. That is not a technology problem. It is a governance problem.

AI Cuts Both Ways, and Boards Still Don't Understand It

The most urgent new dimension in this year's findings is the role of AI, both as a threat multiplier and as the tool enterprises are reaching for to close the talent gap. Only half of leaders believe their board members are fully aware of the risks posed by employee use of AI. That gap between adoption and awareness is not theoretical. Every enterprise AI deployment expands the attack surface, creates new pathways for data exfiltration, and introduces model-level risks that most security teams were not trained to evaluate.

Sixty-three percent of respondents expect more need for AI oversight and governance roles on cybersecurity teams over the next three years. That is a significant projection, and it reflects a maturation in how the industry is thinking about the problem. The first wave of concern about AI in security was largely about the offensive side: what happens when threat actors use large language models to write better phishing emails or automate vulnerability scanning at scale. The second wave, the one this report is beginning to document, is about governance of the AI your own organization is deploying.

Forty-four percent of respondents cited defending against AI-powered cyberattacks as a top concern. That figure is significant because it positions AI-driven threats not as a future scenario but as a present operational reality that security teams are managing today. Cybercriminals and cyber defenders are now equipped with the same technology, and the determining factor is not which side has access to it but which side has the talent to deploy it more effectively.

The Tool Adoption Story Is Genuinely Positive

And here is where the report's findings become more encouraging. Despite the grim breach figures and the persistent skills shortage, AI-powered security tool adoption is widespread and, by most accounts, working. Ninety-one percent of respondents say they are using or experimenting with AI-powered cybersecurity solutions. Skepticism or uncertainty about AI for cybersecurity has dropped from 43 percent last year to 38 percent this year. Eighty-four percent report that AI-enhanced security tools are helping their IT and security teams be more effective and efficient.

Those numbers describe an industry that has moved through the evaluation phase and into deployment. The question is no longer whether AI belongs in enterprise security operations. It is whether organizations have the talent to govern and optimize the AI they have already installed. Sixty percent of respondents say finding cybersecurity talent with specific AI experience is their top recruiting challenge. The skills gap has not disappeared under AI adoption; it has shifted. The new premium is not on people who can configure firewalls. It is on people who can oversee AI models, build security automation, and govern the AI systems that are now embedded in critical infrastructure.

The specific skills in demand reflect that evolution. Organizations say they need people who can develop AI models (55 percent), oversee AI tools (54 percent), and build security automation (52 percent). These are not entry-level responsibilities, which is why 51 percent are specifically looking for senior-level talent and why the hiring gap is so consequential.

Investment Is Finally Catching Up

The more optimistic signal in Fortinet's data comes from the investment side. Ninety-two percent of respondents say they would pay for an employee to earn a cybersecurity certification, up from 73 percent in last year's report. That 19-point jump in a single year is substantial, and it suggests that the combination of rising breach costs, board-level accountability, and AI-driven complexity is finally producing the budget realignment that security leaders have been asking for.

Ninety-two percent also say they are likely to invest in AI-related cybersecurity training or certifications in the next 12 months. Fifty-nine percent are developing internal training or reskilling programs to support AI adoption, while 52 percent are procuring external training from industry vendors. The picture that emerges is of an industry that has accepted, somewhat belatedly, that buying technology without building the human capital to operate it is not a security strategy.

Talent pipeline efforts are also expanding beyond conventional recruiting. Ninety-two percent of organizations report using internships, apprenticeships, partnerships, and targeted programs to draw from underrepresented groups. Seventy-one percent have formal hiring targets for underutilized talent pools. The cybersecurity workforce shortage is severe enough that organizations are making structural commitments to widen the funnel rather than simply compete harder for the same candidates.

Fortinet's own contribution to this effort is concrete. Through the Fortinet Training Institute, the company is on track to train one million people in cybersecurity worldwide this year, a commitment it made in 2022 and has expanded steadily since. The Institute's Security Awareness Training service gives organizations a mechanism to build cyber literacy at scale across the workforce, not just within the security team, which is increasingly relevant as employee AI use creates organizational risk that is not confined to the IT department.

What American Enterprises Should Do With This Data

The Fortinet report is a survey, not a prescriptive framework, but the data it produces points clearly enough toward several decisions that American enterprise technology leaders should be making right now. The breach costs are not declining, the threat environment is accelerating, and the only durable response is building institutional capability rather than hoping that deploying another layer of technology compensates for the absence of people who understand it.

The AI governance dimension is particularly worth attending to. The finding that only half of boards feel fully informed about AI-related risks is not a small gap. It is a structural vulnerability in the organizations responsible for capital allocation, risk tolerance, and long-term resilience. Boards that cannot evaluate the risks posed by their own employees' use of AI are making strategic decisions in the dark, and the $2 million average breach cost in North America is at least partly a consequence of exactly that.

The encouraging news is that the tools to close that gap exist, the investment appetite is improving, and the organizations that are moving fastest on AI-powered security are reporting measurably better outcomes. The gap between those organizations and the ones still waiting for board approval to expand their security teams is, in the starkest terms, about $2 million per incident and growing.