No new headcount? Build the skills you need anyway

January 30, 2026

Build the expertise your team needs without adding headcount.

The powers that be have sent a clear message. They want your team to shepherd AI adoption, strengthen the company’s security posture, and modernize its aging infrastructure. The problem: Nobody’s approving more headcount to help you handle all these spinning plates.

As you know, you can’t just pile these major initiatives onto your existing workloads. Each of these projects calls for expertise your team may not have yet. Expecting people to figure everything out on the fly while also keeping the lights on is a recipe for burnout at best, failure at worst.

According to the Spiceworks 2025 State of IT Report, IT labor and skill shortages rank among the top concerns for IT leaders, right alongside rising product costs. Teams, very likely including yours, are simultaneously being asked to do more with less. So how do you square the circle?

Well, you can’t simply say you’re going to do everything and hope for the best. That just sets everybody up to fail. But you can get deliberate about which skills you’re building internally, which ones you’re outsourcing, and how you’re carving out time to actually learn.

Which IT skills actually matter right now

If you spread your learning bandwidth too thin, you’re virtually guaranteeing surface-level learning across the board—and that won’t get you where you need to be. To get maximum return on your learning investment, zero in on the IT skills that matter most. If you’re not sure where to begin, here are three areas that are worth prioritizing right now:

AI and automation

These skills moved from the “nice to have” column to the “expected” column faster than most IT teams anticipated. (The silver lining is that tech pros with AI skills are getting paid generously.)

Organizations increasingly want IT to support AI initiatives, but smaller teams rarely have dedicated AI roles to handle the work. You now need to evaluate AI tools, know when they’re appropriate for a given problem, and manage the security risks they introduce—whether anyone formally updated the job description or not. 

You don’t need a machine learning engineer on staff, but someone should understand how your AI tools actually work. That way, you won’t be completely dependent on vendors to tell you what’s possible.

Security

You will always need security chops. They’re just as critical as they’ve been for years, even if the industry conversation has shifted toward AI. Cybersecurity is still the number one driver of IT budget increases, yet small businesses are far less likely than enterprises to have dedicated security staff. That means IT generalists need to go beyond checkbox compliance awareness to develop real fluency with threat landscapes and incident response.

Cloud

Cloud proficiency is especially relevant if you’re managing workloads across multiple environments. If your company is running production systems across Azure, AWS, and a legacy on-prem environment, someone needs to understand how all the pieces fit together. That someone is probably you, and you just need the time and support to develop the necessary expertise.

When to build skills vs. outsource them

Some IT skills simply aren’t worth developing internally if you’ll only use them once in a blue moon. So, consider which capabilities your team truly needs to have on hand versus which ones can be outsourced.

You probably want to build skills in-house when the capability directly supports core business operations, requires institutional knowledge, or demands immediate response times. Security awareness training, for example, benefits from someone who knows your environment and organizational culture. The same goes for managing business-critical applications that are tightly integrated with your operations.

Outsourcing works better when you need specialized expertise you’ll only use occasionally, 24/7 coverage you can’t provide yourself, or capabilities that require continuous investment to stay current. Threat monitoring and security operations centers fall into this category for most small IT shops, so engaging an MSP for these functions often makes more sense than trying to develop the expertise internally.

However you proceed, you’ll want clear boundaries and ownership responsibilities established before something goes sideways. When an incident crosses the line between what you’re handling and what your MSP is responsible for, everyone should already know who does what.

Strategically leveraging vendor training 

Vendor certifications get a bad rap as marketing exercises, and sometimes that reputation is deserved. At the same time, they can be genuinely useful if you’re thoughtful about how you approach them.

Certification programs pay off when they’re tied to real projects. Getting AWS certified makes sense if you’re migrating to AWS, but it’s résumé padding if you’re a Microsoft shop with no plans to change. The same logic applies to security certifications, where choosing the right one means understanding what problems you’re actually trying to solve rather than just accumulating credentials.

Watch for vendor lock-in, of course. Some training paths are basically designed to deepen your dependence on a specific platform. Where possible, prioritize skills that transfer well across vendors. A solid understanding of cloud architecture principles serves you better long-term than memorizing one vendor’s console layout, even if the vendor-specific cert is what gets you in the door.

Vendors often include training credits or discounts as part of larger deals, so you might want to ask for them, especially during renewals when you have some leverage. While you’re at it, don’t overlook free tiers. Microsoft Learn, AWS Skill Builder, and Google Skills offer substantial content that goes well beyond product marketing.

Carving out learning time when you’re already stretched

You know you need new skills. You just don’t have time to develop them because tickets keep coming and the next urgent project is always right around the corner. If you’ve been in IT for any length of time, you’ve probably watched training budgets go unspent and learning initiatives quietly fade because nobody could find the hours.

Dedicated learning time only works if it’s actually protected. Even two hours a week adds up over months, but only if those hours genuinely stay on the calendar. If learning time is the first thing sacrificed when something urgent hits, it’s aspirational time, which is another way of saying it doesn’t exist.

Tying learning to real work can sidestep this problem. Implementing a new security tool? That’s the training. Document what you learn as you go, and you end up with both a new capability and a knowledge base you can reference later (or hand off if you ever get that headcount). It’s slower than bringing in an expert, but you end up with expertise you own rather than expertise you rented.

If you’re lucky enough to have even a small team, rotating who handles interruptions can free up focused time for everyone else. If you’re a one-person shop, that’s trickier. You might need to negotiate with leadership for protected project time, or accept that learning happens in smaller chunks squeezed between the daily chaos. Either way, you can pay this cost now, on your own terms, or pay more later when you’re bringing in consultants at emergency rates because you never had time to learn how the system works.

Build IT skills that pay off over the long term

The gap between what IT is expected to do and what it’s actually staffed to do isn’t closing anytime soon. You can bridge it somewhat with upskilling, but only if you’re deliberate about where you focus.

You can’t cover every skill gap, and some capabilities really do belong with an MSP. But the skills you do build become yours. They compound over time, they make the next project easier, and they give you options you didn’t have before. Carve out the time, protect it like it matters, and a year from now you’ll be working with a better toolkit than the one you’ve got today.

Rose de Fremery

Writer, lowercase d

Former IT Director turned tech writer, Rose de Fremery built an IT department from scratch; she led it through years of head-spinning digital transformation at an international human rights organization. Rose creates content for major tech brands and is delighted to return to the Spiceworks community that once supported her own IT career.