Bridging the cybersecurity talent gap: BCG’s Shoaib Yousuf shares insights

Boston Consulting Group’s Shoaib Yousuf discusses why the cybersecurity talent gap is actually a workforce mismatch problem and how organisations can build resilience in the quantum era.

By Neesha Salian, October 14, 2025

At the Global Cybersecurity Forum (GCF) 2025 in Riyadh, Boston Consulting Group and GCF unveiled The Quantum Leap: Navigating the Future of Computing, a comprehensive study examining how quantum technologies are transitioning from laboratory research to commercial reality. The report reveals quantum computing is poised to unlock over $50bn in value across industries, with oil and gas alone facing potential savings of $6-30bn — while simultaneously presenting critical cybersecurity threats that could render traditional encryption obsolete.

Gulf Business editor Neesha Salian sat down with Shoaib Yousuf, MD and partner at BCG, during the forum to discuss the evolving cybersecurity landscape, the critical talent gap threatening the industry, and why organisations need to shift from viewing cybersecurity as a compliance checkbox to treating it as a competitive advantage and economic imperative.

You’ve been quite active at GCF 2025. Tell us about the sessions you were involved in.

Historically, we have been hearing about the gap in cybersecurity talent for the last 20 years, and the gap is widening. Last year, we decided to take this problem statement and understand what really is this gap, including where is the geographical split, which sectors need it most, and translate it into tangible roles. We collaborated with GCF last year to do a very detailed report, and the session this year was about raising awareness and translating this into actionable insights so we can be at the forefront of bridging that gap. It was a fantastic session.
One key insight that came out was how to link this gap to the threat landscape. As you see, the cybersecurity threat landscape is evolving and has become quite dynamic. We have the data but haven’t done the analysis yet, so these were very good takeaways for me, and hopefully in the next version of the report we’ll take that into consideration as well.

Could you share some of the key highlights from your report about how the cybersecurity sector is set to grow, especially given the evolving threat landscape?

First, we broke down the entire mega number of three million into geographical splits. Second, we linked this with sectors: which sectors have the highest job opportunities but also the gap. Financial services, energy, for example. This is super important because if I’m entering the cybersecurity space, I know which sector has more opportunities for me, and also which sector is evolving with more opportunities for upskilling and reskilling. Then we linked that gap to cybersecurity functional roles: is it incident management, compliance, architecture? This is insightful for both supply and demand to understand which functional roles in which geographical split and sector are important.

We also went further to understand the challenges across the value chain. One challenge that’s super important is retention. In cybersecurity, it has become a high-churning workforce. People are moving quite rapidly, either because of salaries, work culture, or employee benefits. Retention has become a big issue.

The second challenge is that because the cybersecurity landscape is evolving, organisations need to focus not only on increasing salaries but on the entire value proposition around learning and development. You need to make sure talent continues to stay relevant.

What should be the key approach from governments, businesses, and societies when they approach cybersecurity?
Historically, cybersecurity in some organisations was seen as a compliance checkbox — something to tick for corporate policies, the board, or regulatory requirements. But this has changed. It has become a competitive advantage. It’s not a tick box anymore; it’s for the assurance and trust of customers. Organisations have started changing their mindset.

Second, as a topic which moved from a compliance checkbox to a value differentiator, it has also become a topic for economic growth and national security. If you look at the OECD definition and the latest UN frameworks, they talk about cybersecurity as a much bigger economic imperative for national security and sovereignty. Every organisation and policymaker needs to play a role in building capacity.

Organisations need to make sure they can serve their own needs. Everyone wants talent with three to five years of experience, but nobody is solving this problem at the pipeline level. You need to have certain seats in your organisation opening roles for internships and work experience. I was in a session with people from SABIC and national entities, and I told them: your organisation needs to have at least some percentage of your employees as talent incubators. You need to play a role in building that talent pipeline.

I gave them an example of BCG. As consultants, we don’t hire consultants with eight or 10 years of experience. We go all the way from university and make them into consultants over 10 to 12 years, and then we produce the next generation of leaders in the market. We need to apply the same approach to cybersecurity.

As a regulator, they need to play a much more active role in capacity building, academies, upskilling, and reskilling. My cybersecurity skills from two years ago might not be relevant today because technology is changing, processes are changing with AI — everything is getting re-engineered. It’s the regulator’s responsibility to make sure the workforce stays competitive.
We should look at the incentives, frameworks, and initiatives to incentivise upskilling, reskilling, and talent incubation programmes.

In terms of challenges and opportunities, particularly in the GCC where governments are very proactive, what stands out? How do evolving technologies impact the future?

Historically, the GCC and many countries have seen cybersecurity more from a regulatory point of view, a very regulatory-driven environment with a lot of initiatives launched by the government with certain controls and standards. GCC, Southeast Asia, even Europe has become very heavy on regulations. That’s why you see a lot of capacity and workforce focused on compliance analysts, auditing backgrounds, and implementing controls.

However, with technology shifting, organisations need to build much more engineering capability, operational capability, threat intelligence capability, and incident management capability. If you go to the US, they’ve always been building products and engineering, so their talent is more quantitatively solid. This is one challenge: how to balance the workforce to cover the entire spectrum of the cybersecurity workforce framework — not only assurance and regulatory but also shifting toward more engineering roles and operational roles so they can build their own products and capabilities.

How can you measure cyber resilience, particularly with the potential impact of quantum technologies?

I love this question because resilience means different things to so many different people. At the basic level, resilience is not about 100 per cent protection. One of the unique things about cybersecurity is that you will always get attacked, you will always get breached. It’s a continuously evolving topic. There’s nothing like achieving 100 per cent security and moving on. You’ll always have security that you believe is great, but it will get broken with quantum or advanced technology, and then you have the next challenge.
Resilience doesn’t mean 100 per cent cybersecurity. Resilience means if something happens, how quickly can we respond and bring it to a level that’s acceptable to us. It’s okay to get sick — vaccines aren’t about never getting the flu; we get flu shots to minimise the impact. I see cybersecurity controls and capabilities like vaccine shots. We will get attacked, but we are immune and resilient to bring the damage down. If you don’t do it, it can be life-threatening. For me, resilience is about building that mindset and capability to sustain yourself. A lot of organisations have a “zero attack policy,” but that’s the wrong way to start.

What are the three things CISOs or CEOs are talking to you about now, and how has that changed since two years ago?

Cybersecurity is a topic that has always been very hard to justify in terms of investments. How much investment is good enough? With cloud, you can show savings and productivity gains. When you talk to technology leaders about business cases, it usually makes sense. But with cybersecurity, it’s always very difficult to justify what budget you should spend. This is one challenge we see from CISOs: what is the right budget I should spend and fight for?

One initiative that GCF has launched with the World Economic Forum — where BCG will be contributing — is the Center for Cyber Economics. We’re trying to create a model to bring clarity on cost avoidance or the potential impact you could have avoided if you had invested a certain amount. I’m not saying we have a perfect formula, but CISOs will continue to face this challenge. There are a lot of Gartner and Forrester reports and regulations that say you should spend a certain percentage of IT spend on cybersecurity, but there is no magic formula. It all depends on your starting point: the complexity of your architecture, the maturity of your organisation.
This is one challenge we see with CISOs: not where to spend, but justifying how much to spend and convincing management that this money is good enough to give you a good level of assurance. And good assurance doesn’t mean 100 per cent resilience. These are business problems, and this is where BCG differentiates itself — we don’t talk control language or technology language. We typically address those business challenges with our clients.