Skills are always a key problem in the cyber security arena.
The problem isn't the lack of skills, it's the distribution. Far, far too many firms keep security as a tiny corner of the IT department, where someone like me (dear reader), equipped with a soul corroded by 20 years of disinterested, vendor-blinded management failure, arrogant developers and idiot ops persons, toils away getting absolutely nothing of any value done -- because that's what they want us to do, because they don't know the first thing about security. Any suggestion that perhaps an inventory would be useful or that risk assessments might be interesting would get you laughed out of the room and then excluded from subsequent activity in case you accidentally manage to fix some fail. My current berth's a perfect example. It handles gigantic sums of money and any halfway competent pentester would go through them like a knife through butter. Patching? They've heard of it. They've spunked a ton of cash on garbage commercial snake oil, because the relatively small number of clueful techies are never asked for input -- let alone us peons in security. I won't go into details for obvious reasons, but the state of security here is as bad as any I've come across in my career. It's 90s level stuff like admin passwords being called out across the office, no access to logs, almost complete lack of policies, and an ISMS? "Why do you hate America?"
I could fix it all myself in 18 months with a bit of clueful headcount and management backing (so for instance devs who put plaintext passwords into a database on the LAN get fired, rather than being able to tell us to fuck off and stop being so paranoid...) but of course I'm a bit of a nerd rather than a schmoozer and I didn't go to the right sort of school, so... fergedd abaad it. Nothing ever changes. Management blunder on, happy with the delusion that spending money means they don't need to worry about security any more. And one day they'll discover they've been pwned from top to bottom, probably shortly after wondering why all those millions of dollars of transfers were just made to bank accounts in unfriendly or regulation-light jurisdictions. I would say "I hope so!" but of course I'd be a prime suspect in that scenario, and I'm allergic to anglepoise lamps. I suspect a lifetime toiling in the mackerel-gutting sheds of Scarborough would have been less soul-crushingly awful.