• United States



UK Editor

Cybersecurity workforce shortage reaches 4 million despite significant recruitment drive

Oct 31, 20235 mins
CareersCSO and CISO

A new study suggests cybersecurity skills gaps can be worse than total workforce shortages.

Manager women working at hiring application discussing curriculum vitae with remote recruiter during online videocall meeting conference in startup office. Teleconference call on computer screen
Credit: DC Studio / Shutterstock

The cybersecurity workforce shortage has risen to a record high of just under 4 million despite the cybersecurity workforce growing by almost 10% in the last year. That's according to the latest Cybersecurity Workforce Study from ISC2, the nonprofit member organization for cybersecurity professionals. The gap between the number of workers needed and the number available has risen 12.6% year over year, with cutbacks, economic uncertainty, artificial intelligence (AI), and a challenging threat landscape as key driving forces, the research found. The current global workforce gap is estimated to be 3,999,964 while the workforce itself is estimated to be 5,452,732, according to ISC2. Meanwhile, organizations are investing in strategies to prevent or mitigate the staffing issues they face.

Two-thirds of organizations lack staff needed to prevent, troubleshoot security issues

Two-thirds (67%) of the 14,865 cybersecurity professionals surveyed reported that their organization has a shortage of cybersecurity staff needed to prevent and troubleshoot security issues. Cost-saving cutbacks such as budget cuts, layoffs, and hiring/promotions freezes are playing a fundamental role, the report found.

Overall, 47% of cybersecurity workers have experienced cybersecurity-related cutbacks, with 22% of this group having been impacted by layoffs within cybersecurity. An additional 28% have had layoffs elsewhere in their organizations, which can significantly affect the cybersecurity workforce. Nearly half of respondents stated that cutbacks have affected their security team disproportionately in comparison to the rest of their organization, with 71% having experienced a negative impact on their workload and 57% seeing their ability to respond to cybersecurity threats impacted as a result.

The entertainment (33%), construction (31%), and automotive (29%) sectors have been hit particularly hard by layoffs in cybersecurity. The military/military contractor (8%), government (9%), and education (13%) sectors have been the least affected. Geographically, Latin America (Brazil and Mexico) has seen the greatest layoffs, followed by Nigeria and United Arab Emirates. Countries with the fewest layoffs are Hong Kong, the US, and Saudi Arabia.

Cybersecurity skills gaps just as challenging as shortages

Staffing shortages aren't the only way that organizations are lacking in their cybersecurity workforce, with a clear and critical need to fill skills gaps in the cybersecurity profession also problematic, ISC2 found. A skills gap is an area in which cybersecurity teams lack workers with proficiency or expertise in particular skills that are necessary to function effectively.

More than half (59%) of cybersecurity workers said that skills gaps can be worse than total worker shortages, while 92% reported skills gaps at their organization, the most common being cloud computing security, AI/ML, and zero-trust implementation. Almost half (43%) cited one or more significant or critical skills gap within their company. An inability to find people with the right skills (44%), struggling to keep people with in-demand skills (42%), and lacking the budget to hire people (41%) are the biggest causes for these skills gaps, according to the report.

What's more, layoffs seem to have a greater effect on skills gaps than they do on total staffing shortages. Most organizations that have had cybersecurity layoffs (51%) have been impacted by one or more significant skills gaps compared to just 39% of organizations that have not had layoffs, according to ISC2. Interestingly, 58% of respondents stated that the negative impact of worker shortages can be mitigated by filling key skills gaps.

Business investing to tackle cybersecurity staff, skills shortages

Organizations are focusing on strategies for tackling the cybersecurity staff and skills shortages they face, the report found. Investing in training (72%), providing more flexible working conditions (69%), investing in diversity, equity, and inclusion (DEI) initiatives, recruiting, hiring, and onboarding of new staff (67%), and using technology to automate aspects of the security job (65%) were all cited as being high on the agenda.

Despite significant turmoil, cybersecurity workers appear fairly content with their roles,ISC2 noted. Almost three-quarters (70%) reported being somewhat or very satisfied in their jobs - a 4% dip compared to last year - while 82% said they work well with security team members. The data also showed that the makeup of the cybersecurity workforce is changing both in gender and race/ethnicity. The biggest change was in non-white men by age; within the US, Canada, Ireland, and the UK, 70% of cybersecurity professionals 60 or older are white men. In those same countries, just 37% of those under 30 are white men. Two-thirds (66%) of security workers who entered the profession in the US, Canada, Ireland, and the UK in the past 12 months were non-white.

Cybersecurity professionals clearly value a diverse workforce, with 69% stating that an inclusive environment is essential for their team to succeed and 65% stating that it is important that their security team is diverse. Over half of respondents (57%) said that DEI will continue to become more important for their cybersecurity team over the next five years.

Cybersecurity workforce must double to tackle threats

"While we celebrate the record number of new cybersecurity professionals entering the field, the pressing reality is that we must double this workforce to adequately protect organizations and their critical assets," said ISC2 CEO Clar Rosso. "Amid the current threat landscape, which is the most complex and sophisticated it has ever been, the escalating challenges facing cybersecurity professionals underscore the urgency of our message: organizations must invest in their teams, both in terms of new talent and existing staff, equipping them with the essential skills to navigate the constantly evolving threat landscape."