nnAn industry increasingly defined by emerging technologies such as AI isnstill struggling to find enough workers with the right skills andncompetencies to match surging demand from employers.nn
nThe global cybersecurity workforce has reached record levels, ISC2’s 2023 Cybersecurity Workforce Study has found.
nnThis workforce gap was compounded by a shortage in practitioners with skillsnin areas such as cloud security, AI and machine learning, zero trustnarchitectures, as well as the ability to problem solve and communicate.n
nnIn 2023, our research calculated that the global workforce grew to annall-time high of 5.5 million, an increase of 440,000 jobs compared to 2022,na rise of 8.7*%. For comparison, in 2019 the global workforce wasnestimated at 2.8 million. At the time, this was seen as an impressive figurenand yet the workforce has continued to expand rapidly ever since, despitenencountering obstacles such as the COVID-19 pandemic and economic challengesnacross the globe.n
nnThis is good news and should be celebrated, yet it remains in the shadow ofnunfulfilled demand. In 2022, the gap between supply and demand was estimatednat 3.4 million; a year later this reached 4 million. This leaves thenprofession struggling with the seeming paradox that it is employing annever-greater number of people in cybersecurity roles but at a pace thatnnever quite catches up with the underlying need in terms of numbers ornspecific skills.n
nn”While we celebrate the record number of new cybersecurity professionalsnentering the field, the pressing reality is that we must double thisnworkforce to adequately protect organizations and their critical assets,”nsaid ISC2 CEO Clar Rosso.n
nn“Our message is that organizations must invest in their teams, both in termsnof new talent and existing staff, equipping them with the essential skillsnto navigate the constantly evolving threat landscape.”n
nn
nWorkforce expansion
nn
nnIn 2023, the areas of highest workforce demand were Asia-Pacific (up 11.8%nyear-on-year to 960,000), the Middle East and Africa (up 11.7% year-on-yearnto 402,000), and North America (up 11.3% year-on-year to 1.5 million), withnEurope (up 7.2% year-on-year to 1.3 million), and Latin America (up 4.5%nyear-on-year to almost 1.3 million) making up the back of the line.
n nnDrilling down from continents to individual countries, we see a clearerneconomic picture emerging. The biggest single country rises were seen innJapan (up 23.8% year-on-year to 480,000), Spain (up 18.9% year-on-year ton182,000), Holland (up 17.1% year-on-year to 68,000), France (up 14.5%nyear-on-year to 217,000), and the U.K. (up 8.3% to 367,000) which until thencombination of the pandemic and the Brexit trade deal had been consistentlynthe largest single market for cybersecurity professionals, a role now takennby Germany.n
nnThe Middle East also saw notable increases, including the U.A.E. (up 18%nyear-on-year to 144,000), and Saudi Arabia (up 16.2% year-on-year ton54,000). Both countries are growing as destinations for overseas companiesnand new technology businesses as they seek to diversify from operatingnpurely fossil fuel economies. Only four countries saw a decline in workforcensize, Australia (down 3.4%), Germany (down 1.9%, but still the biggestncybersecurity employer in continental Europe), Mexico (down 1.2%), andnSingapore (down 0.6%).n
nn
nGlobal shortfalls
nn
nnHowever, relating these rises to the estimated workforce gaps revealednserious shortfalls. The biggest gap was in the Asia-Pacific region, wherenthe shortfall has now reached nearly 2.7 million, a 23.4% rise compared tonthenn2022 ISC2 Workforce Studynn. North America was another challenging geography, with a shortfall ofn522,000 people equating to an increased gap of 19.7%, while Europe recordedna gap of 348,000, up 9.7%. The only areas in positive territory were LatinnAmerica where the shortfall fell 32.5% to 348,000, and the Middle East andnAfrica where it declined 7.1% to 112,000.n
n nShortfalls were especially acute in Japan where the workforce gap nearlyndoubled to 110,000 (up 97.6%), Canada (up 53% to 39,000), India (up 40.2% ton790,000), and the U.K. (up 29.3% to 73,000). The exceptions to this –npossibly influenced by local economic conditions – were Singapore (downn34.8% to 4,000), Australia (down 29.7% to 28,000), the U.A.E (down 29.2% ton32,000), Ireland (down 17.6% to 7,000), Saudi Arabia (down 9.8% to 14,000),nand France (down a modest 2.9% to 59,000).n
nn
nCalculating the gap
nn
nnIn creating this year’s ISC2 Cybersecurity Workforce Study, we drew on anrange of external data sources (e.g., the OECD and the U.S. Bureau of LabornStatistics’ estimate of cybersecurity analysts), trends extrapolated fromnprevious years’ studies, and, importantly, a survey of 14,865 cybersecuritynpractitioners across multiple geographies conducted by Forrester Research innApril and May 2023.n
nnUsing the U.S. as a baseline, this numerical and survey data formed thenbasis for calculating the gap between the demand for cybersecuritynprofessionals (how many workers organizations of different sizes want tonhire over the 12 months from April-May 2023) compared to the supply (thenestimated number of workers who will enter the field minus those who leavenin the 12 months from that period).n
nn
nWhat the survey showed
nn
nnThe size of the gap, and the fact it exists at all, would have beenninfluenced by a range of factors, including the growing need forncybersecurity to protect organizations as they digitalize, the speed atnwhich the industry can train new workers to meet this demand, and thenwillingness of organizations to hire them.n
nnOur survey found macroeconomic factors to be an important influence, withn47% of respondents reporting cutbacks (layoffs, budget cuts, hiring ornpromotion freezes). This underlines an important aspect of the ISC2nCybersecurity Workforce gap; it is not intended as a measure of the localnjobs market, rather the underlying need for these roles even whennorganizations are not actively hiring them.n
nnOverall, 21% said their organization had a significant shortage ofncybersecurity staff to troubleshoot issues, with another 46% mentioning anslight shortage. When asked why this was happening, 41% believed it was duento a lack of qualified talent, 34% mentioned budgetary constraints, and 27%nmentioned challenges with turnover and staff attrition.n
nn
nInvestment in skills
nn
nnMeanwhile, organizations struggled to cope with a skills gap, with 92%nbelieving their organization suffered from this in one or more areas. In 17%nof cases, these skills gaps were rated as ‘critical’ to cybersecurity. Somenof this deficit might be explained by not having enough workers but it’snalso clear that many organizations suffer from a skills imbalance. As ournstudy notes:n
nn“Organizations may have a number of cybersecurity workers, but if thosenworkers all lack certain critical skills, that surplus of headcount can bencompletely negated.”n
nnFrustratingly, the biggest skills gaps mentioned by respondents were innareas often promoted as important cybersecurity mitigation areas such asncloud security (35%), AI/machine learning (32%), zero trust (29%) andnpenetration testing (27%).n
nn
nWhat does the gap mean for members?
nn
nnIn most countries, the study confirmed that cybersecurity skills remain innhigh demand, which suggests that practitioners shouldn’t have problemsneither finding work or moving to a new or better position over time.nHowever, it would be a mistake to consider the workforce gap as a positivenfor members. Even with the availability of jobs, the chances that a newnemployer is understaffed and under skilled remains likely in countries withnhigh and rising workforce and skills gaps. ISC2 members can only stretch sonfar to cover shortages in their organizations.
n nnAlthough the skills issue is not new to the technology sector as a whole, itncould be argued that cybersecurity is a special case. If IT departmentsncan’t find the skills they need, this might harm business growth; if thensame is true of cybersecurity, this could put organizations at risk or, innthe case of critical infrastructure, cause wider societal and economic harm.n
nnThe profession must also find a way to constantly re-skill and develop thenpeople it already has within its ranks. Our Cybersecurity Workforce Studynsuggests that the field is still struggling to do this and must change itsnapproach, for example by creating new pathways into cyber careers,nattracting a wider diversity of people, while offering a clear route fornpractitioners to expand their qualifications and knowledge.n
nn* 2023 estimate includes four new countries — United ArabnEmirates, Saudi Arabia, Nigeria and South Africa. YoY growth is based onnback-estimates for those countries for 2022.
n- n
- The full report for 2023 can be downloaded atn n https://www.isc2.org/researchn n , along with the Cybersecurity Workforce Study reports from previousn years for further comparison. n
- A preview session on the Cybersecurity Workforce Study findings tookn place at ISC2 Security Congress in October 2023. This is now availablen for on-demand replay atn n https://events.isc2.org/ n
- Join the conversation – let us know your thoughts on the findings overn in then n ISC2 Community n