The number of unfilled cybersecurity positions across the world continues to grow, despite an overall increase in the cyber workforce, as security professionals struggle with understaffing, burnout and persistent skills gaps, according to a new report.
The annual workforce report released today by the International Information System Security Certification Consortium, known as ISC2, shows the global cybersecurity workforce has reached a record-high 5.5 million people, up 8.7% from 2022.
But roughly 4 million more cyber professionals are needed worldwide, with the gap widening by 12% from last year.
“It is great news that the number of professionals coming in is increasing,” Tara Wisniewski, executive vice president for advocacy, global markets and member engagement at ISC2, said in an interview. “But the gap is scary and getting scarier.”
The study is based on a survey of 14,865 cybersecurity professionals across the globe working in a diverse range of sectors, which are referred to as “industries” in the report. The data includes both good news and bad news for the “government” and “military/military contractor” industries.
Both of those industries had by far the fewest layoffs in cyber, per the ISC2 report, compared to hard-hit sectors like entertainment and media, construction, and software development.
But the public sector also leads the way for cyber worker shortfalls, as 78% of respondents working in government and 76% of those in the military sector faced staffing shortages, according to the ISC2 report.
Across all industries, some of the top causes for the staffing shortfalls include organizations struggling to find enough qualified talent (41%), not having enough budget (34%), failing to offer competitive wages (30%), and struggling to keep up with turnover and attrition (27%).
Organizations also face a range of skills gaps in the cybersecurity field, with the most common being cloud computing security, artificial intelligence and machine learning, and zero trust implementation, according to the report.
For federal agencies, the results in the ISC2 report underscore the need to develop innovative cyber recruiting and retention programs, while expanding the pathways into the cyber workforce.
“There really is a call for what can the federal government do to open up the talent pipeline,” Wisniewski said.
The Biden administration is attempting to do just that under a “cyber workforce and education” strategy released over the summer. It lays out a plan for the federal government to increase avenues into a cybersecurity career, including by positioning the federal government as a leader in adopting “skills-based” hiring practices, rather than just relying on college degrees.
And Congress is also pushing federal agencies to rethink their cybersecurity hiring practices. The House of Representatives earlier this month passed the Modernizing the Acquisition of Cybersecurity Experts Act, or MACE Act. It would relax educational requirements for federal cyber positions by directing agencies to focus on qualifications directly relevant to job performance, rather than college degree requirements.
‘We are beginning to see new pathways’
For proponents of alternative routes into the cyber workforce, the ISC2 report includes some good news. It shows 80% of cybersecurity professionals agree there are more pathways into the cybersecurity workforce than there were in the past.
Starting out in IT continues to be a major stepping stone as 52% of cybersecurity professionals started their careers in a non-cyber IT position. And 51% of those surveyed said they earned a cybersecurity certification.
But a full 45% said they learned about cybersecurity concepts “outside of formal training,” and just 31% said they got a bachelor’s degree in cybersecurity or a related field.
“There’s a strong belief that there needs to be more pathways, and we are beginning to see new pathways,” Wisniewski said. “We may need to kind of amp up that work in terms of what those pathways look like.”
Organizational culture may be a major challenge, as 45% of hiring managers surveyed by ISC2 say their organizations are “reluctant to hire entry-level employees with little experience.” The same percentage of hiring managers also report that their organizations rely “too heavily on education/degrees when looking for applicants.”
But those initiatives have been slow to get off the ground, while the rest of the federal government struggles to keep up with a patchwork of different hiring and retention authorities.
Wisniewski said the fierce competition for cyber talent amid a widening workforce gap only increases the need for the federal government to reform its hiring practices.
“The fact that it takes so long to move into a role is only hurting the federal government, when you’ve got an industry where the people are at such a premium,” Wisniewski said.
Diversity and skills-based hiring
The ISC2 report also finds a link between skills-based hiring and diversity efforts. For instance, organizations that use skills-based hiring have an average of 25.2% women in their workforces, compared to 22.2% for those who have not adopted those practices.
One of the major goals of the White House’s cyber workforce strategy is strengthening the cyber workforce through greater diversity and inclusion.
“Organizations that are adopting initiatives related to hiring, such as skills-based hiring and using job descriptions that refer to DEI programs/goals, can create a more diverse workforce,” the ISC2 report finds.
As younger cyber professionals find new pathways into the security field, Wisniewski said “the face of cyber” is changing.
“More women are coming into the field, more diversity in terms of race, class, and gender, and more diversity of people coming in from alternative routes other than IT,” she said.
Cybersecurity burnout and stress
While this year’s ISC2 report shows the opportunities to enter the cybersecurity field are expanding, the strain of the workforce shortage combined with recent cutbacks may be taking a toll on employees. Job satisfaction dipped slightly, with 70% of respondents saying they are “very” or “somewhat” satisfied, down 4% from last year.
The report attributes the downturn to the challenge of building an “effective culture” amid recent economic uncertainty.
“Hiring and promotion freezes, budget cuts and layoffs loom large in workers’ minds and organizations need to scramble to keep their workers from burning out,” the report states.
With understaffing rampant across cybersecurity teams, Wisniewski said most cyber professionals are overworked as cyber threats continue to evolve and make headlines.
“When there is an incident, someone has to pay the price,” she said. “And very often it’s the chief information security officer.”
Agencies are also developing new cybersecurity requirements and regulations that are likely to add to the demand for cyber professionals across industries, Wisniewski said. She pointed to the recent Securities and Exchange Commission rules requiring public companies to make certain cyber disclosures.
“If there’s going to be a move to legislate and regulate, there needs to be a lot more communication and focus on what that means and what that impact is,” she said. “We would love to see, whenever that comes out, that there is also a commitment to building the workforce. We have to do something different.”