Cybersecurity Trends and the IT Skills Gap: G DATA Report

Public sector organizations are facing a critical shortage of specialized cybersecurity personnel, often relying on general IT staff who lack the specific training required to defend against sophisticated cyberattacks. According to data from the “Cybersicherheit in Zahlen” report by G DATA, Statista, and brand eins, the presence of general IT staff does not automatically equate to the presence of necessary security expertise, leaving government infrastructure vulnerable to ransomware and state-sponsored threats.

This systemic gap in expertise has pushed government agencies toward “relief” models, including the adoption of Managed Security Service Providers (MSSPs) and centralized security hubs. The pressure to modernize is further intensified by new legal mandates, such as the European Union’s NIS2 Directive, which requires a broader range of public administration entities to implement strict cybersecurity risk-management measures by October 17, 2024.

The challenge is not merely a lack of headcount but a mismatch in skill sets. While a general IT administrator can maintain a network, a cybersecurity specialist focuses on threat hunting, incident response, and vulnerability management. As attacks on public infrastructure increase in frequency and complexity, the reliance on non-specialists creates a “security illusion” where systems are operational but not necessarily defended.

Why general IT staff cannot fill the security gap

General IT professionals focus on availability and functionality—ensuring that servers run and users can access their files. Cybersecurity, however, is a specialized discipline centered on confidentiality, integrity, and availability. The “Cybersicherheit in Zahlen” report indicates that the assumption that any IT professional can handle security is a primary vulnerability in the public sector.

Why general IT staff cannot fill the security gap

Specialized security roles require expertise in areas such as Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR). According to the ISC2 Cybersecurity Workforce Study, the global cybersecurity workforce gap remains significant, with millions of professionals still needed to secure the global digital ecosystem. This shortage is most acute in the public sector, where salary caps often make it difficult to compete with private-sector tech firms.

When generalists are tasked with security, critical tasks like patch management and log analysis often take a backseat to daily operational tickets. This creates “blind spots” in the network. For example, a general IT admin might install a software update to fix a bug, but a security specialist would analyze the update for potential vulnerabilities or check if the update addresses a specific CVE (Common Vulnerabilities and Exposures) currently being exploited in the wild.

How the NIS2 Directive and national mandates force change

Regulatory pressure is now the primary driver for “Entlastung,” or relief, in public sector security. In the European Union, the NIS2 Directive expands the scope of regulated entities to include a wider array of “essential” and “important” entities, including many local and regional government bodies. These organizations must now prove they have implemented a comprehensive cybersecurity risk-management framework or face potential fines and management liability.

How the NIS2 Directive and national mandates force change

In Germany, the Federal Office for Information Security (BSI) provides the “IT-Grundschutz” framework to help agencies standardize their security. However, implementing these standards requires a level of technical precision that exceeds the capacity of most municipal IT departments. The BSI has noted the necessity of coordinated defense strategies to protect critical infrastructure (KRITIS), as the interconnected nature of government services means a breach in one small municipality can potentially provide a gateway into larger federal networks.

In the United States, a similar push for centralization is evident. The Cybersecurity and Infrastructure Security Agency (CISA) issues Binding Operational Directives (BODs) that mandate federal agencies to remediate known exploited vulnerabilities within strict timeframes. These directives force agencies to move away from ad-hoc security and toward a disciplined, audited process of vulnerability management.

The role of Managed Security Services (MSSPs) in providing relief

To bridge the talent gap, public sector entities are increasingly outsourcing their security operations to Managed Security Service Providers (MSSPs). This model allows governments to “rent” a Security Operations Center (SOC), providing 24/7 monitoring and incident response without having to hire and retain a full team of in-house specialists.

Bridging the Cybersecurity Skills Gap: A 2025 Guide

MSSPs provide several key functions that relieve the burden on internal IT staff:

  • Continuous Monitoring: Using SIEM tools to analyze traffic patterns and detect anomalies in real-time.
  • Threat Intelligence: Access to global databases of known threats that a single municipality could not track independently.
  • Incident Response: Providing a ready-made team of forensic experts to contain a breach, reducing the “dwell time” of an attacker.
  • Compliance Mapping: Helping agencies align their technical controls with legal requirements like NIS2 or GDPR.

However, the shift to MSSPs introduces the challenge of “digital sovereignty.” Governments must ensure that the providers they use adhere to strict data residency laws and do not introduce new supply-chain risks. This has led to a rise in “hybrid” models, where the government retains strategic control and oversight while the MSSP handles the tactical, high-volume monitoring tasks.

What happens next for government cyber resilience

The next phase of public sector security will likely focus on automation and the integration of AI-driven defense tools. By automating the triage of low-level alerts, agencies can reduce the noise that overwhelms general IT staff, allowing them to focus on high-priority threats. This “automation-first” approach is essential because the volume of attacks is scaling faster than the human workforce can grow.

What happens next for government cyber resilience

Another critical development is the move toward “Zero Trust” architectures. Rather than relying on a strong perimeter (the “castle-and-moat” model), Zero Trust assumes that the network is already compromised and requires continuous verification for every user and device. The U.S. government has already mandated a transition toward a Zero Trust architecture through Executive Order 14028, which aims to modernize federal defenses.

For local governments, the focus will remain on consolidation. Smaller municipalities are likely to form “security clusters,” sharing a single regional SOC to distribute the cost and the expertise. This cooperative model provides the scale necessary to attract high-tier talent and invest in the expensive tooling required for modern defense.

The next confirmed checkpoint for European entities is the October 17, 2024, deadline for the transposition of the NIS2 Directive into national law. After this date, member states must ensure that the designated public sector entities are compliant with the new security mandates.

Do you think the public sector can ever truly compete with the private sector for cybersecurity talent, or is outsourcing the only viable path? Share your thoughts in the comments below.

Leave a Comment