Cybersecurity professionals remain very satisfied despite skills and staff shortages and economic challenges in 2023.

Amid a year of unprecedented global geopolitical tensions, increased digital disruption and demand for cybersecurity expertise, this year’s ISC2 Cybersecurity Workforce Study, which was released earlier today, brought to the fore the level of operational contradiction security professionals are having to deal with, across emerging threats to tooling to workforce issues.

The study, which gathered insights from almost 15,000 professionals from across the world, highlighted how both the cybersecurity workforce and the workforce gap have grown substantially as the threat landscape has evolved, and moved up corporate and government agendas.

However, the figures also revealed that cybersecurity teams have had to struggle with cutbacks and expect more to come, even as artificial intelligence (AI) changes both the solutions they must deploy and the threats they face.

A year of exceptional growth

Polling the largest global sample of cybersecurity professionals in the history of the study, the data showed that the global security workforce grew by 8.7% year-on-year, to 5.5 million worldwide.

While this represents breakneck expansion, growth in the cybersecurity workforce gap once again outpaced growth in the active workforce. The shortfall between the active workforce and the perceived need grew 12.6% year-on-year to 4 million worldwide.

Technology’s impact on people

If dealing with the staffing gap is a challenge, so is dealing with a changing threat and technology landscape. And all those elements are intertwined. Three quarters of security professionals see the threat landscape as the most challenging it has been in the last five years, and barely half believe their organizations have the tools and people they need to deal with incidents over the coming years.

Cloud and AI Skills

The shift to the cloud is one exacerbating factor. Cloud security is the most sought-after cybersecurity skill and professional development area, according to hiring managers, and the one that is most mentioned as an area where companies have a pronounced skills gap. Zero trust is the next most pressing area.

Meanwhile, artificial intelligence (AI) and machine learning (ML) skills are now among the top five most in-demand skills for cybersecurity professionals. A year ago, they were bottom of the list, and were not even mentioned in previous iterations of the study.

People vs skills shortages

For the first time since the pandemic, many participants expect hiring in their organizations to slow. Almost half of professionals have already experienced cutbacks, whether in the form of layoffs, reduced budgets, or staffing freezes. Almost a quarter had experienced layoffs while almost a third expect additional cutbacks in the next year.

This potentially means widening gaps in knowledge, experience and risk management. Gaps which threat actors – also benefiting from AI and other tech advances – will look to exploit.

A skills gap can be a bigger challenge than a workforce gap, according to the study. Even a fully staffed cybersecurity team will be of little use if it is lacking critical capabilities within its skillset. Economic pressures can mean that while head counts do not necessarily increase, investment in personnel development can actually fall, preventing the acquisition and expansion of key skills needed to adapt to new and emerging technologies and threats such as AI, ransomware, phishing and more.

This means education and training – both pre- and mid-career – are crucial. Existing cyber professionals believe so, with 58% saying targeting key skills gaps can mitigate worker shortages. Workers who continue to invest in their skills and keep certifications up to date are better able to weather economic uncertainty, while organizations who help them do so are less likely to experience skills gaps.

Meanwhile, new workers joining the industry are coming from a more diverse pool. More are likely to have a bachelor's degree in cybersecurity before joining the industry – but they are also more likely to have previously worked in a non-IT role. There are more mid-career entrants than previous years, and gender and ethnic breakdowns are shifting.

Nonetheless, if organizations are recruiting cybersecurity professionals at a furious rate – and still can’t find enough of them – that doesn’t mean the cybersecurity industry can rest easy. Changes in the skills and technologies used to combat threats as well as instigate them are happening against a backdrop of continuing geopolitical and economic instability that are overspilling to impact unconnected organizations as well as consumers.

Happiness despite the challenges

It might not be a surprise that while 70% of cybersecurity professionals are very or somewhat satisfied with their job, this represents a drop of 4% year-on-year. It’s worth noting the number of professionals who were very dissatisfied was 4%. In 2019, that figure was 7%.

The survey findings suggest the satisfaction drop was largely down to the cutbacks and layoffs that have already occurred, which directly result in more challenging workloads for employees as well as an erosion of trust, rather than a wider malaise with the actual work.

Nevertheless, despite the challenges – or, perhaps because of them – cybersecurity professionals are amongst the most fulfilled workers around, meaning the profession continues to operate as one of the best paid and most content sectors to work in.

The full report for 2023 can be downloaded at https://www.isc2.org/research, along with the Cybersecurity Workforce Study reports from previous years for further comparison. We will be diving deeper into each section of the findings in the coming days.

Methodology

The 2023 ISC2 Cybersecurity Workforce Study is based on online survey data collected in collaboration with Forrester Research, Inc. in April and May 2023 from 14,865 cybersecurity practitioners. The respondents reside in North America, Europe, Asia, Latin America, the Middle East and Africa. Respondents in non-English speaking countries completed a locally translated version of the survey. A detailed explanation of the estimation methodology for the Cybersecurity Workforce Gap is included in the report.