If you wanted to become a basketball star, how would you get started? You wouldn’t read a book on basketball and take an online course. You’d set up a hoop in your driveway, join a local team to train, and play in real matches. So why do we expect cybersecurity professionals to learn their skills from theory and static training?The cybersecurity industry talks constantly about the “skills gap.” The recent World Economic Forum’s Global Cybersecurity Outlook report revealed skills and budgets were significant blockers to achieving cyber resilience. However, I argue that we don’t have a skills gap; we have a validation gap.The “skills gap” gets a lot of airtime in cybersecurity industry discourse, but what are we really talking about when we talk about a skills gap? It’s not about staffing; how can we have both a skills gap and a graduate unemployment problem? “AI” is the lazy explanation (is there anything anyone hates more than hearing that their job could be replaced by AI?) But if AI really is the explanation, why are we still experiencing breaches and fixating on a supposed lack of skills in the cybersecurity workforce?The reality is that we don’t yet fully trust AI with our most critical security concerns, and for good reason. Few people would dispute that there are serious production risks in relying on AI and most wouldn’t actually use it to replace an experienced security analyst. While comparatively fewer organizations have reported serious breaches of AI models or applications, many are favoring rapid-scale deployments of AI technologies over establishing robust governance structures. Data from IBM suggests that, of 600 organizations polled globally between March 2024 and February 2025, 13% reported breaches of AI models or applications. More worrisome, 8% had no idea whether or not they had been compromised, and 63% of breached organizations either lacked AI governance policies or were developing them at the time of the reported incident. Despite these risks — and the significant financial damage they can cause — only 49% of organizations planned to invest in additional security measures in 2025, compared to 63% in 2024.You can’t hire or tool your way out of the skills gap. You have to build your way out. The industry keeps asking, “How do we close the cyber skills gap?” The better question is, how do we prove readiness before the fight begins? That is the real challenge emerging in cybersecurity today.This is more challenging when we need skills and expertise that just don’t exist yet. AI poses new threats to combat, from the development of more insecure software to the exploitation of models to do things they weren’t designed for to attackers weaponizing AI for more efficient attacks. No one was preparing to respond to these threats five years ago, so these skills need to be developed in real time. Even the most advanced training programs cannot hope to match the pace and scale of the vulnerabilities posed by AI and the increasingly broad attack surface it presents to potential threat actors. Relying on outdated training modalities is practically an invitation to attackers seeking to compromise critical systems, yet many organizations fail to recognize this as the systemic vulnerability it is.Traditional upskilling is flawed and wholly impractical for the present risk environment. Organizations are shelling out tens of thousands per employee on courses, certifications, and boot camps, but certifications simply cannot keep up with the pace of technological change and the evolution of attacker tactics and techniques. Security professionals need continuous hands-on experience that represents the actual attack surfaces of their organizations. How they apply their skills in real-world scenarios is a big part of what’s missing; even the most rigorous theoretical exercises cannot replicate the experience of combatting an intrusion event in real time or identify potential weaknesses in SOC response protocols.Our industry has traditionally seen technology as the answer. More tools and more alerts feel like we’re getting somewhere, but all it really leads to is teams that are fatigued and burned out on noise. When the main source of breaches remains human failure, we’re not going to tip the scales unless we invest in the people on the front line. Dynamic cyber ranges are the difference between learning a skill in theory and learning it in context.A truly effective upskilling cyber range needs an AI Proving Ground, with a high degree of customization and fidelity, as well as in-depth post-exercise analysis, to nurture and retain effective talent with the skills and experience to combat increasingly sophisticated threats.High degree of customization. Replicate your real production environment and tech stack and introduce panic-inducing live-fire exercises. This gives employees invaluable insight into how they’ll react in a real-life scenario. Does everyone have the right context and information to make quick decisions that will protect the business? Replicating a real production environment also allows for testing integration flows between security and IT tools to validate how they work together.Post-exercise analysis. It’s not enough to run tests if you can’t analyze the outcomes to make improvements. This data is also particularly useful as execs are pushing for tech consolidation by proving the need to retain budget or secure additional resources for tools and features. Cyber ranges can also make detailed recommendations based on best practices and support and identify specific business cases for additional investment.Nurture talent. How do you take a tier 1 SOC analyst and turn them into a tier 3? While AI might be able to perform the role of a junior analyst, you need a pipeline of talent to become that high-performing individual who could be the difference between spotting an unusual indicator of compromise or allowing an attacker to gain further access into critical systems. It’s faster and more cost-effective to teach someone over time than hunt out the top performer to hire into the organization. Nurturing and investing in existing talent also becomes a significant competitive advantage over time.For overstretched teams, on-the-job training might feel onerous, but the benefits are considerable. You really can see 10X returns on your investment. Some of our customers have saved upward of $400,000 in training expenses and made their organizations significantly more resilient to novel threats. The key is to not see practical, hands-on training as an annual event or one-off investment, but to employ a continuous platform that accurately reflects the risks faced by your organization and becomes part of your operating model and broader security culture.I don’t know about you, but working in a team environment feels far more rewarding than studying in a classroom environment. Retain your top talent by validating their skills and allowing them to add to their resumes in a way that feels natural and instinctive.This article is published as part of the Foundry Expert Contributor Network.Want to join?