These findings come at a time when nearly two-thirds of study respondents say the current cyber threat landscape is the most challenging they have seen in the last five years. ISC2 tracks the global cyber workforce gap, meaning the difference between the number of cybersecurity professionals organizations need and the number of professionals available to be hired. This year, the cyber workforce gap was 4.8 million. That’s a 19 percent year-over-year increase, outstripping the 12.6 percent increase in 2023.
Meanwhile, the number of cybersecurity professionals currently employed worldwide stayed essentially flat, rising just 0.1 percent year-over-year. That contrasts with 2023, when the workforce grew 8.7 percent.
Workforce gaps are less dramatic in the U.S., where the gap rose 4.4 percent year-over-year, compared to 17.6 percent in 2023. And in contrast to global trends, the size of the U.S. active cyber workforce actually shrank, declining by 3 percent. Additionally, the number of new U.S. cybersecurity job postings listed on LinkedIn dropped 5.4 percent.
Worldwide, financial strain became a bigger barrier to meeting cybersecurity needs. The study found that 39 percent of global respondents listed budget as a reason for their staff shortages. This marked the first time ISC2 respondents said insufficient budget was the top driver for understaffing since the study began capturing such information in 2018; in all the prior study years, the top reason was “lack of qualified talent.”
What cyber staff organizations did have on hand often could not provide all the skills organizations wanted, study respondents said. Among global respondents, 90 percent reported skill shortages. And 64 percent said skills gaps are a bigger issue than staffing gaps.
Critical infrastructure and government respondents were slightly more likely than average to report skill gaps, with 91 percent of critical infrastructure citing this issue and 92 percent of government respondents doing the same. Governments were especially likely to have gaps in zero-trust implementation skills.
Some organizations may need to change strategies to address these gaps. The study found some mismatches between skills applicants think are in demand versus the skills sought by hiring managers. For example, 23 percent of applicants captured in the study believe AI and machine learning (ML) skills are in demand, but only 12 percent of hiring managers said they look for such skills. Meanwhile, 34 percent of organizations highlighted AI/ML as a skill gap on their security teams.
The study also found a notable proportion of organizations’ cyber teams had no pipelines for onboarding early-stage professionals and growing their talent. Thirty-one percent of global respondents lacked entry-level professionals and 15 percent lacked junior professionals with 1-3 years of experience. Study authors advised that organizations are likely to find hiring more difficult and expensive if they try to fill only mid- and high-level roles, rather than also onboarding and training up people earlier in their careers. The latter approach may also be more sustainable.
Starting to offer such career paths requires first determining which skills are must-haves for new hires, and which can be taught on the job. That kind of effort should go hand in hand with revising open job descriptions, to clarify what’s expected from applicants — helping resolve the confusion between the skills applicants believe are in demand and those the hiring managers are looking for, study authors suggested.
The full study is slated for release in October.