An industry increasingly defined by emerging technologies such as AI is still struggling to find enough workers with the right skills and competencies to match surging demand from employers.
The global cybersecurity workforce has reached record levels even as the demand for skills still far exceeds the supply of available workers, ISC2’s 2023 Cybersecurity Workforce Study has found.
This workforce gap was compounded by a shortage in practitioners with skills in areas such as cloud security, AI and machine learning, zero trust architectures, as well as the ability to problem solve and communicate.
In 2023, our research calculated that the global workforce grew to an all-time high of 5.5 million, an increase of 440,000 jobs compared to 2022, a rise of 8.7%*. For comparison, in 2019 the global workforce was estimated at 2.8 million. At the time, this was seen as an impressive figure and yet the workforce has continued to expand rapidly ever since, despite encountering obstacles such as the COVID-19 pandemic and economic challenges across the globe.
This is good news and should be celebrated, yet it remains in the shadow of unfulfilled demand. In 2022, the gap between supply and demand was estimated at 3.4 million; a year later this reached 4 million. This leaves the profession struggling with the seeming paradox that it is employing an ever-greater number of people in cybersecurity roles but at a pace that never quite catches up with the underlying need in terms of numbers or specific skills.
“While we celebrate the record number of new cybersecurity professionals entering the field, the pressing reality is that we must double this workforce to adequately protect organizations and their critical assets,” said ISC2 CEO Clar Rosso.
“Our message is that organizations must invest in their teams, both in terms of new talent and existing staff, equipping them with the essential skills to navigate the constantly evolving threat landscape.”
In 2023, the areas of highest workforce demand were Asia-Pacific (up 11.8% year-on-year to 960,000), the Middle East and Africa (up 11.7% year-on-year to 402,000), and North America (up 11.3% year-on-year to 1.5 million), with Europe (up 7.2% year-on-year to 1.3 million), and Latin America (up 4.5% year-on-year to almost 1.3 million) making up the back of the line.
Drilling down from continents to individual countries, we see a clearer economic picture emerging. The biggest single country rises were seen in Japan (up 23.8% year-on-year to 480,000), Spain (up 18.9% year-on-year to 182,000), Holland (up 17.1% year-on-year to 68,000), France (up 14.5% year-on-year to 217,000), and the U.K. (up 8.3% to 367,000) which until the combination of the pandemic and the Brexit trade deal had been consistently the largest single market for cybersecurity professionals, a role now taken by Germany.
The Middle East also saw notable increases, including the U.A.E. (up 18% year-on-year to 144,000), and Saudi Arabia (up 16.2% year-on-year to 54,000). Both countries are growing as destinations for overseas companies and new technology businesses as they seek to diversify from operating purely fossil fuel economies. Only four countries saw a decline in workforce size: Australia (down 3.4%), Germany (down 1.9%, but still the biggest cybersecurity employer in continental Europe), Mexico (down 1.2%), and Singapore (down 0.6%).
However, relating these rises to the estimated workforce gaps revealed serious shortfalls. The biggest gap was in the Asia-Pacific region, where the shortfall has now reached nearly 2.7 million, a 23.4% rise compared to the 2022 ISC2 Workforce Study. North America was another challenging geography, with a shortfall of 522,000 people equating to an increased gap of 19.7%, while Europe recorded a gap of 348,000, up 9.7%. The only areas in positive territory were Latin America where the shortfall fell 32.5% to 348,000, and the Middle East and Africa where it declined 7.1% to 112,000.
Shortfalls were especially acute in Japan where the workforce gap nearly doubled to 110,000 (up 97.6%), Canada (up 53% to 39,000), India (up 40.2% to 790,000), and the U.K. (up 29.3% to 73,000). The exceptions to this – possibly influenced by local economic conditions – were Singapore (down 34.8% to 4,000), Australia (down 29.7% to 28,000), the U.A.E. (down 29.2% to 32,000), Ireland (down 17.6% to 7,000), Saudi Arabia (down 9.8% to 14,000), and France (down a modest 2.9% to 59,000).
Calculating the gap
In creating this year’s ISC2 Cybersecurity Workforce Study, we drew on a range of external data sources (e.g., the OECD and the U.S. Bureau of Labor Statistics’ estimate of cybersecurity analysts), trends extrapolated from previous years’ studies, and, importantly, a survey of 14,865 cybersecurity practitioners across multiple geographies conducted by Forrester Research in April and May 2023.
Using the U.S. as a baseline, this numerical and survey data formed the basis for calculating the gap between the demand for cybersecurity professionals (how many workers organizations of different sizes want to hire over the 12 months from April-May 2023) compared to the supply (the estimated number of workers who will enter the field minus those who leave in the 12 months from that period).
What the survey showed
The size of the gap, and the fact it exists at all, would have been influenced by a range of factors, including the growing need for cybersecurity to protect organizations as they digitalize, the speed at which the industry can train new workers to meet this demand, and the willingness of organizations to hire them.
Our survey found macroeconomic factors to be an important influence, with 47% of respondents reporting cutbacks (layoffs, budget cuts, hiring or promotion freezes). This underlines an important aspect of the ISC2 Cybersecurity Workforce gap; it is not intended as a measure of the local jobs market, rather the underlying need for these roles even when organizations are not actively hiring them.
Overall, 21% said their organization had a significant shortage of cybersecurity staff to troubleshoot issues, with another 46% mentioning a slight shortage. When asked why this was happening, 41% believed it was due to a lack of qualified talent, 34% mentioned budgetary constraints, and 27% mentioned challenges with turnover and staff attrition.
Investment in skills
Meanwhile, organizations struggled to cope with a skills gap, with 92% believing their organization suffered from this in one or more areas. In 17% of cases, these skills gaps were rated as ‘critical’ to cybersecurity. Some of this deficit might be explained by not having enough workers but it’s also clear that many organizations suffer from a skills imbalance. As our study notes:
“Organizations may have a number of cybersecurity workers, but if those workers all lack certain critical skills, that surplus of headcount can be completely negated.”
Frustratingly, the biggest skills gaps mentioned by respondents were in areas often promoted as important cybersecurity mitigation areas such as cloud security (35%), AI/machine learning (32%), zero trust (29%) and penetration testing (27%).
What does the gap mean for members?
In most countries, the study confirmed that cybersecurity skills remain in high demand, which suggests that practitioners shouldn’t have problems either finding work or moving to a new or better position over time. However, it would be a mistake to consider the workforce gap as a positive for members. Even with the availability of jobs, it remains likely that a new employer is understaffed and underskilled in countries with high and rising workforce and skills gaps. ISC2 members can only stretch so far to cover shortages in their organizations.
Although the skills issue is not new to the technology sector as a whole, it could be argued that cybersecurity is a special case. If IT departments can’t find the skills they need, this might harm business growth; if the same is true of cybersecurity, this could put organizations at risk or, in the case of critical infrastructure, cause wider societal and economic harm.
The profession must also find a way to constantly re-skill and develop the people it already has within its ranks. Our Cybersecurity Workforce Study suggests that the field is still struggling to do this and must change its approach, for example by creating new pathways into cyber careers, attracting a wider diversity of people, while offering a clear route for practitioners to expand their qualifications and knowledge.
* 2023 estimate includes four new countries — United Arab Emirates, Saudi Arabia, Nigeria and South Africa. YoY growth is based on back-estimates for those countries for 2022.
- The full report for 2023 can be downloaded at https://www.isc2.org/research, along with the Cybersecurity Workforce Study reports from previous years for further comparison.
- A preview session on the Cybersecurity Workforce Study findings took place at ISC2 Security Congress in October 2023. This is now available for on-demand replay at https://events.isc2.org/
- Join the conversation – let us know your thoughts on the findings over in the ISC2 Community