Mind the Gaps: Worsening Talent and Skills Shortages Continue to Plague Cybersecurity Industry
Despite rising cyber risks, the global active cyber workforce has stalled at 5.5 million people, leaving a gap of 4.8 million people between the current workforce and the workforce needed, according to an annual ISC2 study.
The cyber workforce gap is nothing new—business and security professionals have been warning for years that there isn’t a sufficient pool of cybersecurity workers. But the workforce has stalled even as the need for cybersecurity experts keeps rising. ISC2 estimated that 9.5 million cybersecurity workers were needed globally in 2023, while 10.2 million are needed now, with the gap in current versus needed workers growing 19 percent year-over-year.
“While it can be argued that this reflects overall stability within the cybersecurity workforce in the face of economic and workforce retention pressures across sectors, it also highlights a concerning shortage of entry points for new talent and a lack of opportunities to address skills and personnel shortages with new talent and on-the-job learning,” ISC2 said.
LinkedIn data showed that the number of new cybersecurity job postings year-over-year has been declining in many countries, including the United States, Singapore, and France. The drop in postings was supported by data from the 2024 ISC2 Cybersecurity Workforce Study, which showed that cybersecurity teams are seeing less hiring and fewer advancement opportunities.
The report noted that 39 percent of survey respondents said a lack of budget was responsible for cyber shortages—replacing the usual reason of a shortage of talent. A quarter of teams observed layoffs (up from 3 percent in 2023), and 37 percent have had budget cuts. Nearly 40 percent of respondents experienced hiring freezes, and 32 percent have seen fewer promotions.
More than two-thirds of respondents reported some form of cybersecurity professional shortage in their organization. More than half of respondents said this shortage puts their organization at significant risk.
“At a time when organizations can least afford the cost, disruption, and reputational damage of a cybersecurity incident, the profession is under its greatest pressure to maintain safety and security with fewer resources,” ISC2 said.
These pressures also take their toll on cybersecurity professionals. The traditionally high level of job satisfaction in cybersecurity is down 4 percent, though 66 percent are still satisfied with their role. Part of this can be attributed to the ongoing and compounding stressors facing cybersecurity professionals. A survey of cyber professionals by Cobalt found that C-suite professionals in the cybersecurity industry are 34 percent more likely than average respondents to say they currently want to quit their jobs. In addition, almost half of cybersecurity professionals at all levels said they are currently experiencing burnout.
Skill gaps and misalignment also exacerbate the issue. ISC2’s research found that 90 percent of cybersecurity professionals see skills shortages—not just staffing shortages—in their organizations.
ISC2 found that while cybersecurity professionals place a significant emphasis on communication skills, cloud computing skills, artificial intelligence (AI), and governance, risk, and compliance (GRC), hiring managers prioritize those skills much less when hiring. Instead, they seek strong problem-solving skills, teamwork and collaboration, and professional curiosity, with technical skills ranking notably lower than cybersecurity professionals expect. This disconnect between the perception of what’s wanted and what hiring managers actually look for has created a skills barrier to entry, the report noted.
“Overall, the data revealed that 90 percent of organizations have skills gaps within their security teams,” ISC2 said. “In particular, and despite it not being a high priority for hiring managers, over one third of respondents still cited AI as the biggest skills shortfall in the teams. This was followed by cloud computing (30 percent), zero trust (27 percent), incident response (25 percent), application security and penetration testing (both 24 percent).”
There’s also a challenge in many organizations’ talent pipelines. More than 30 percent of survey participants said their security teams had no entry-level professionals, and 15 percent said they had no junior-level (one to three years of experience) professionals. Larger organizations are creating more junior and mid-level openings, but smaller organizations are lagging behind.
“While the workforce must continue to grow, particularly through the hiring of entry- and junior-level staff in order to deliver the next generation of cybersecurity professionals, upskilling and multi-skilling are essential to meeting the needs of employers and their current and evolving cybersecurity roles,” ISC2 said.
The full data from the 2024 ISC2 Cybersecurity Workforce Study will be released later this month.