A first look at data from the 2024 ISC2 Cybersecurity Workforce Study has revealed a marked need for organizations to increase opportunities for cybersecurity workforce growth, as well as enabling more entry-level professionals to enter the field and develop much-needed skills with support from experienced peers.

In 2024, cybersecurity professionals have faced a variety of issues that impacted roles and responsibilities across organizations of all types. Economic pressures, global geopolitical issues, supply chain disruptions, failed software updates and increasing automation and digitalization of cybersecurity tasks have brought into focus the business-critical nature of cybersecurity and allowed professionals to showcase their skills and expertise protecting organizations. However, despite both the clear need and the recognition of the value cybersecurity adds to organizations, the global active cyber workforce has stalled at 5.5 million people.

In this early look at the 2024 ISC2 Cybersecurity Workforce Study, we look in more detail at the cybersecurity skills shortages and the resulting organizational risk factors they create. We also examine how the size of the active workforce and the workforce gap are contributing to the challenge facing both employers and professionals. We will explain why the skills shortages, personnel shortages and skills supply disparity issues reported by respondents requires employers to take wide-reaching action now to reverse a potential cybersecurity capability crisis across private and public sectors.

We surveyed a record 15,852 cybersecurity practitioners and decision-makers globally, receiving responses from Africa, Asia-Pacific, Europe, Latin America, the Middle East and North America.

Key Figures from This Year’s Study

  • Size of the Active Cybersecurity Workforce: 5.5 million Globally (up 0.1% YoY)
  • Size of the Workforce Gap: 4.8 million Globally (up 19% YoY)
  • Total Workforce Needed to Satisfy Demand: 10.2 million Globally (up 8.1% YoY)

The Active Cybersecurity Workforce

Our global estimate of the active workforce indicates that job growth has been broadly flat in the last year at 5.5 million, creating a considerable pressure point in the face of growing perceived need. There was just a 0.1% increase on 2023, which itself was an 8.7% increase over the previous year. While it can be argued that this reflects overall stability within the cybersecurity workforce in the face of economic and workforce retention pressures across sectors, it also highlights a concerning shortage of entry points for new talent and a lack of opportunities to address skills and personnel shortages with new talent and on-the-job learning.

The data suggests that economic concerns and the global growth in automation have not impacted the existing cybersecurity workforce overall as they have other workforces such as those in manufacturing and hospitality. The static size of the cybersecurity workforce, accounting for regional variances, suggests that existing roles are not being lost amid cost-cutting to the same extent as in other areas, but at the very least it has cancelled out any net new job growth. It also highlights the importance of continuing to create job opportunities for the next generation of professionals to enter the workforce, alongside upskilling existing professionals with the right capabilities to meet organizational needs.

Additional data from professional social network LinkedIn supports this, showing that the number of new cybersecurity job postings year-on-year in the U.S. has declined 5.4%, Singapore by 4.9%, France by 4.5%, Canada by 3.5% and Brazil by 2.5%. Job postings in the UK are flat, with Germany and Australia reporting just 1% increases in job postings. The standout countries for job posting growth were Spain and Mexico, up 5.5% and 6.8%, showing a concerted effort to address lower actual job growth and, in the case of Mexico, a declining workforce size.

Furthermore, the LinkedIn analysis of the cybersecurity jobs market shows that alongside the overall lack of growth, job posting market share has seen a pronounced uplift in Latin American countries in the last three years (Brazil 11.2% growth in overall share of new jobs posted, Mexico 3%) alongside Germany (11%) and Poland (6.2%). Meanwhile, the U.K.’s share of job postings was flat while the U.S., India, Canada, Netherlands, Spain, Singapore, France and Italy have all seen their share of the total number of jobs posted fall over the last three years. In the case of Italy, by 10%, the largest negative shift in the LinkedIn data.

The drop off in job postings is supported by data from the ISC2 study, which shows that cybersecurity teams over the past year have seen evidence of hiring and advancement opportunities reducing. At a time when organizations can least afford the cost, disruption and reputational damage of a cybersecurity incident, the profession is under its greatest pressure to maintain safety and security with fewer resources:

  • 39% said a lack of budget was the top reason for cyber shortages, replacing a shortage of talent as the previous top reason for staff shortages
  • 25% have observed layoffs (up 3% from 2023)
  • Over a third (37%) have noted budget cuts (+7% from 2023)
  • Nearly four in every 10 respondents (38%) have experienced hiring freezes (+6% from 2023)
  • Nearly a third (32%) have seen fewer promotions (+6% from 2023)

Furthermore, alongside stalled growth in the active workforce, year-on-year comparison shows that the traditionally high level of job satisfaction found in the cybersecurity sector is down 4%. However, with 66% of participants still satisfied with their role, this is something that employers can leverage to recruit new people into the profession, if job opportunities are made available.

Together, these data points support the notion that hiring managers, cybersecurity leaders and their teams must act now to more closely align and grow professional development efforts aligned with organizational skill deficits to foster career growth and offer the new opportunities for the next generation of the workforce.

If we look at the current 5.5 million workforce by country, we see pockets of workforce growth in several major and growing economies being countered by falls in some of the largest markets for cybersecurity skills.

Breaking Down the Workforce

Country

2023 Workforce Estimate

2024 Workforce Estimate

% Change Year on Year

Australia

138,860

146,481

5.5%

Brazil

749,479

752,407

0.4%

Canada

157,318

156,064

-0.8%

France

217,190

230,338

6.1%

Germany

455,951

439,243

-3.7%

Ireland

19,476

20,610

5.8%

Japan

480,659

500,116

4.0%

Mexico

536,027

521,505

-2.7%

Netherlands

67,527

72,910

8.0%

Nigeria

25,574

25,620

0.2%

Saudi Arabia

53,907

59,766

10.9%

Singapore

76,942

77,909

1.3%

South Africa

177,802

196,780

10.7%

South Korea

263,771

272,562

3.3%

Spain

182,144

187,563

3.0%

U.A.E.

144,300

149,135

3.4%

U.K.

367,300

349,360

-4.9%

U.S.

1,338,507

1,298,804

-3.0%

Highlighted countries experienced a year-on-year decline

The largest active workforce continues to be in the U.S., representing a substantial workforce opportunity of 1.3 million in spite of a 3% year-on-year fall. Significant workforce growth was seen in the Middle East and Africa, with South Africa (10.7% increase), Saudi Arabia (10.9% increase) and U.A.E. (3.4% increase) all growing year-on-year. Europe did experience pockets of growth with Ireland (5.8% increase), the Netherlands (8% increase) and France (6.1% growth) all increasing their cybersecurity workforces, even though, in the case of France, the number of advertised cybersecurity roles according to LinkedIn fell. Overall, the table shows us that several established cybersecurity professional markets have experienced overall workforce declines, with growth in emerging markets maintaining the global status-quo and shifting more of the working skills base into different regions. 

As the two largest cyber workforces in continental Europe, Germany and the U.K. have seen a marked change in the size of their respective cyber workforces since 2019, according to previous years of the study. While this period also includes the anomalous impact of the pandemic, it still highlights a fluid situation in where cybersecurity skills are being recruited. Germany's active cybersecurity workforce rose to a high of 464,782 in 2021, before reducing slightly every year to 439,243 in 2024. Meanwhile, the U.K. stood at 300,087 in 2021 as Germany’s cybersecurity workforce overtook the U.K. for the first time in this study. The U.K. workforce then grew, rising to a high of 367,300 in 2023, before reducing by 4.9% to 349,360 in 2024.

Alongside the growth in the Middle East and Africa, there was also workforce growth across the Asia-Pacific region. Australia (5.5% increase), Japan (4% increase), South Korea (3.3% increase) and Singapore (1.3% increase) contributed to 3.3% overall growth in the active workforce in Asia-Pacific to just shy of 1 million. This cybersecurity workforce is likely benefitting from a variety of factors generating positive jobs growth for cybersecurity professionals. At least in part, these include increased geopolitical and economic disruption in the region over the last year, contributing to increased demand for skilled cybersecurity professionals as part of an overall increase in public and private sector security investment.

Region

2023 Workforce Size

2024 Workforce Size

% Change Year on Year

Asia Pacific

960,231

997,068

3.8%

Europe

1,309,588

1,300,023

-0.7%

LATAM

1,285,505

1,273,912

-0.9%

Middle East & Africa

401,582

431,302

7.4%

North America

1,495,825

1,454,868

-2.7%

Highlighted countries experienced a year-on-year decline

The two largest regions in terms of active cybersecurity workforces – North America and Europe – saw workforce numbers decline year-on-year, despite pockets of growth in Europe. Nearly a quarter of respondents in North America and Europe reported their organization had experienced layoffs in their cybersecurity teams in the last 12 months. While three quarters did not experience cybersecurity layoffs, the data indicates that economic constraints are limiting organizations’ willingness to continue investing in their cybersecurity teams despite staffing shortages.

Meanwhile, 29% of respondents from the Middle East and Africa said their organizations experienced cybersecurity layoffs in the last 12 months, but the region continued its workforce investment to generate the highest percentage of workforce growth in the study, increasing 7.2% to 431,302.

Like Europe, Latin America’s workforce size remained broadly stable, down by just 0.7%.

Understanding the Skills Shortage Impact on Organizations and Professionals

The shortage of key skills in several cybersecurity disciplines is a major contributory factor to how professionals perceive the impact of their workforce shortfall. However, we are also seeing a divergence between the skills that are being sought by organizations and their HR departments, and the skills that cybersecurity professionals believe are in demand.

Of particular note is the fact that although professionals place significant emphasis on communications skills (31%), cloud computing skills (30%), AI (23%) and GRC (19%), hiring managers don’t value these skills as highly. While hiring managers prioritize communication skills only slightly lower at 25%, cloud computing skills are just 19%, AI skills are 12% and GRC comes in at 13%.

Overall, the data revealed that 90% of organizations have skills gaps within their security teams. In particular, and despite it not being a high priority for hiring managers, over one third of respondents still cited AI as the biggest skills shortfall in the teams. This was followed by cloud computing (30%), zero trust (27%), incident response (25%), application security and penetration testing (both 24%).

Some industries have notably higher skills gaps in certain disciplines. For instance, consulting security teams have the highest AI skills gaps. Education, government and military security teams have the highest zero trust implementation skills gaps, while utilities providers – key critical infrastructure covering energy, power and water – and manufacturing security teams collectively have highest operation technology (OT) security skills gaps, a significant consideration given these two sectors arguably have some of the largest exposure to both new and legacy OT.

Looking at the situation from a different angle, namely the sectors that are struggling with cybersecurity skills shortages rather than the technology skills that need to be bolstered, we see several economically key industries that are at heightened risk from shortages.

Nearly all our respondents from education, 96% of them, reported security team skills gaps. This was followed by 94% in construction and healthcare, 93% in real estate, 92% across non-profit, aerospace, telecoms and R&D sectors, as well as the hospitality, travel and government sectors.

Manufacturing, insurance and critical infrastructure are also heavily affected, all at 91% of their respective respondents citing skills gaps.

Ultimately, the findings highlight that cybersecurity professionals need to continue developing skills by pursuing certifications and other education resources that are going to help them develop marketable skills for now and for the future. Our research shows that the disparity between perception and hiring reality is creating a skills barrier to entry, one that can only be overcome by bringing hiring managers and cybersecurity professionals back onto the same skills pathway.

Technical skills such as AI, cloud, GRC and zero trust will equip cybersecurity professionals for the future with the operational capabilities to carry out complex cybersecurity functions for their organizations. However, these skills need to align with the wider expectations and needs of hiring managers looking to supplement technical capabilities with skills that will make cybersecurity roles more effective, understood and collaborative today.

Similarly, organizations and hiring managers need to accelerate efforts to bring in entry-level professionals and develop their foundational skill set in-house as part of a broader hiring program that incorporates both entry-level and a variety of experience levels and industry certifications, mirroring the career pathway that most will follow in their professional lifetime. That means developing leadership, teamwork, communication and strategic thinking skills alongside technical capabilities. The skills disparity highlighted in the study illustrates the need for lifelong learning in cybersecurity, as well as underlining the benefits to individuals, organizations and wider society of a highly skilled, effective and proactive cybersecurity workforce that can defend and protect our economies and our digital lives.

Staffing Risks

A shortage of people and cybersecurity skills in the workplace creates risk and vulnerability within organizations. An inability to fully fill roles and secure the skills needed creates increased workloads that might leave organizations vulnerable both security-wise and financially.

Data from the 2024 annual Ponemon Institute study confirms that the average direct cost of a breach in 2024 was $4.88 million, with the average cost of an insider malicious attack even higher at $4.99 million. The average increase in ongoing costs after a breach takes place (mitigation cost of closing the gate after the horse has bolted) is around $830,000. These figures illustrate the financial risk that could be reduced or prevented through improvements in both staffing numbers and skills capability.

Over two thirds of respondents (67%) reported some form of shortage of cybersecurity professionals in their organization. In line with the flat growth of the active workforce, this figure has also not changed since 2023, reflecting the lack of new jobs growth has impacted hiring managers progress in addressing critical shortages. More than half of those surveyed (58%) stated that such a shortage of skilled staff is putting their organizations at significant risk. This is also just a 1% increase from 2023. The fact it has remained consistent year-on-year despite a high degree of concern over the threat landscape suggests that cybersecurity professionals may be adapting to staff and skills shortages. Nevertheless, this response signals a significant respondent call to organizations to make the necessary investments to deal with cybersecurity challenges and to protect users, data, systems and supply chains with adequate staffing and other resources.

Nearly one-third (31%) of participants said their security teams had no entry-level professionals on their teams and 15% said they had no junior-level (1-3 years of experience) professionals. While the presence of entry- and junior-level professionals within security teams does increase with organization size, overall this represents a high proportion of organizations that do not have a pipeline of next generation professionals coming in who can be developed to meet the organization’s specific cybersecurity needs and who can learn from their more experienced peers before they retire or transition out. This point is exacerbated by hiring managers, 62% of which currently had open roles on their teams, focusing on hiring mid- to advanced level roles rather than a broad mix of experience and abilities. However, it is encouraging that larger size organizations (those with more than 5,000 employees) are still creating more junior and mid-level openings than their smaller counterparts.

Our 2024 data also revealed that 74% of respondents said the current threat landscape is the most challenging they have seen in the last five years. That figure is commensurable to last year’s 75%, reinforcing the high degree of on-going concern and heightened state of alert among cybersecurity practitioners about the challenges and risks they face.

The threat level is supported by other data sources, with the U.S. Agency for International Development citing numbers that put the global cost of cybercrime at $8 trillion in 2023, a figure it projects to rise to $23.84 trillion by 2027.

While the active workforce is flat globally, this is not indicative of a fall in overall need for cybersecurity professionals. In fact, the need has never been higher, which we track via the cybersecurity workforce gap.

Understanding the Gap

The workforce gap measures the difference between the number of cybersecurity professionals that study participants say their organizations require to properly secure themselves and the number of cybersecurity professionals available for hire. It is not an estimate of current job openings for cybersecurity professionals.

While active workforce growth was stable, the workforce gap increased by 19% year-on-year to 4.8 million. That would equate to a theoretical workforce as large as 10.2 million if all staffing needs were fulfilled at once. If we break the gap down by individual countries, we see the surge in reported need jump considerably in some areas compared to the combined global figure.

Breaking Down the Workforce Gap

Country

2023 Workforce Gap

2024 Workforce Gap

% Change Year on Year

Australia

27,756

47,555

71.3%

Brazil

231,927

214,536

-7.5%

Canada

38,842

38,380

-1.2%

China

1,720,941

2,047,784

19.0%

France

59,117

69,139

17.0%

Germany

104,660

120,348

15.0%

India

789,793

1,073,646

35.9%

Ireland

6,990

7,634

9.2%

Japan

110,254

169,603

53.8%

Mexico

116,331

113,862

-2.1%

Netherlands

29,058

28,582

-1.6%

Nigeria

8,352

8,827

5.7%

Saudi Arabia

14,252

18,077

26.8%

Singapore

3,961

4,662

17.7%

South Africa

57,269

63,063

10.1%

South Korea

17,611

31,330

77.9%

Spain

74,498

73,268

-1.7%

U.A.E

31,928

35,011

9.7%

U.K.

73,439

93,349

27.1%

U.S.

482,985

504,307

4.4%

Highlighted countries experienced a year-on-year decline

Australia (71.3% gap increase) and South Korea (77.9% gap increase) saw two of the largest-percentage increases in perceived staffing needs. Both are large economies, with South Korea playing a pivotal role in several global supply chains centered on electronics and engineering, while Australia is a major supplier of natural resources, food and beverages, as well as cultural exports such as sport.

The other growth markets in terms of active workforce also show large gap rises, with South Africa (10.1% gap increase), Saudi Arabia (26.8% gap increase), and the U.A.E. (9.7% gap increase) all showing demand for further workforce and skills growth.

Both the U.K. (27.1% gap increase) and Germany (15% gap increase) are seeing significant increases in their workforce gaps. The need to comply with new and evolving legislation, such as the Financial Services and Markets Act 2023 in the U.K., FinmadiG in Germany and the Digital Operational Resilience Act (DORA) across Europe, contributed to the jump in perceived demand. Some 45% of respondents in Germany cited ‘keeping up with regulatory requirements’ as the second most significant challenge organizations faced over the past 12 months, slightly higher than the global average of 44%. German security professionals view regulatory requirements as an ongoing concern over the next two years as well with 48% citing it as a top challenge they will face.

A small number of countries in the study experienced a declining gap, with Canada (1.2% gap decrease), Brazil (7.5% gap decrease), Mexico (2.1% gap decrease), the Netherlands (1.6% gap decrease) and Spain (1.7% gap decrease) reporting minor falls in year-on-year gap numbers.

Region

2023 Workforce Gap

2024 Workforce Gap

% Change Year on Year

Asia-Pacific

2,670,316

3,374,580

26.4%

Europe

347,761

392,320

12.8%

Latin America

348,259

328,397

-5.7%

Middle East & Africa

111,801

124,978

11.8%

North America

521,827

542,687

4.0%

Highlighted countries experienced a year-on-year decline

Regionally, the North American gap increased overall by 4%. Europe, along with the Middle East and Africa, saw 12.8% and 11.8% gap increases respectively. Asia-Pacific, as has been the case for several years, produced the biggest gap increase, jumping 26.4% to just over 3.37 million. Only Latin America saw a fall, with a 5.7% gap decrease, driven by Brazil.

As our research has revealed, 90% of those surveyed indicate skills shortages in their organizations, with two thirds (64%) viewing these shortages as more serious than the personnel shortages they are dealing with, while the remaining third places skills and people shortages on an equal footing in terms of criticality. While the workforce must continue to grow, particularly through the hiring of entry- and junior-level staff in order to deliver the next generation of cybersecurity professionals, upskilling and multi-skilling are essential to meeting the needs of employers and their current and evolving cybersecurity roles.

Actions for Cybersecurity Employers

The workforce gap is exacerbated by skills deficits. This is why the focus on perceived skill shortages and employer-led initiatives to match people to skills shortages, or at least to paths to develop those skills, is critical to alleviating the impact of the gap. It is arguably even more important to understanding the state of the workforce than looking at the measurable workforce gap in isolation.

This year’s first look at the ISC2 Cybersecurity Workforce Study has revealed three areas of action for employers to address the global shortage of jobs growth, to encourage new individuals into the profession and to address the skills disparity in the talent pool:

  • Addressing job creation and hiring priorities: The ability to bring new people into the profession and reduce the cybersecurity workforce gap – and with it the skills gaps present in the profession – rests with employers and their hiring managers. Even in times of economic disruption, the need for a growing and responsive cybersecurity workforce has endured, as confirmed by this year’s active workforce and gap figures. Hiring a diverse mix of people, from entry-level professionals to the most experienced, not only creates opportunities to bring the next generation into the workforce, it ensures cybersecurity job opportunities keep growing. This approach enables more hires within the available budget than hiring just the most experienced professionals alone and creates a sustainable long-term pipeline for knowledge transfer from those experienced professionals to the next generation of cybersecurity professionals as they come into your organization
  • In-role professional development: Embracing a cybersecurity hiring strategy based on a diverse array of people and experience requires a commitment to on-the-job training and development, rather than relying solely on hiring pre-qualified individuals. As well as being economically more manageable, it provides employers with more options to shape training and education to fit the organization’s unique current and future needs as they arise and evolve, rather than trying to hire cybersecurity professionals that are already ‘oven-ready’
  • Realistic and clear job role expectations: Our study data has highlighted a clear disconnect between what hiring managers are looking for and what professionals believe is in demand. Clear, accurate and realistic job descriptions are essential to addressing and easing this substantial obstacle to successful cybersecurity hiring, while also determining a clear segmentation between skills people need to develop or have already themselves vs. skills they can learn as part of the role. The onus is on employers to address the disparity through better communication of needs and rationalization of expectations (not expecting professionals to already have unachievable years of experience and industry certifications in a recently relevant discipline like AI for instance)

Employers and cybersecurity hiring managers are currently in a position where they can make fundamental changes to prevent stalling job growth turning into a greater crisis. The need for cybersecurity continues to grow. Our collective security is at risk if cybersecurity becomes a cost that can be cut when budgets tighten, rather than remaining a valuable investment in safety, compliance, reputation management and risk mitigation that should be protected. Right now, organizations are still directly empowered to address these issues themselves. Without progress, the risk of regulation and legislation that takes the decision out of the hands of employers becomes higher.

2024 ISC2 Cybersecurity Workforce Study (Coming in October)

The ISC2 Cybersecurity Workforce Study provides insight into the active global cybersecurity workforce and the cybersecurity workforce gap, as well as looking at shortages in cybersecurity skills that are considered essential and in demand by hiring managers. The complete 2024 ISC Cybersecurity Workforce Study will be published in October 2024. The 2023 study is available on the ISC2 website.

About The ISC2 Cybersecurity Workforce Study

ISC2 conducts in-depth research into the challenges and opportunities facing the cybersecurity profession. The ISC2 Cybersecurity Workforce Study assesses the cybersecurity workforce to better understand the barriers facing the cybersecurity profession and to uncover solutions that enable individuals to excel in their profession, achieve their career goals and better secure their organizations’ critical assets.

Methodology

The 2024 ISC2 Cybersecurity Workforce Study is based on online survey data collected in collaboration with Forrester Research, Inc., in May 2024 from 15,852 individuals responsible for cybersecurity at workplaces throughout Africa, Asia-Pacific, Europe, Latin America, the Middle East and North America. Respondents in non-English-speaking countries completed a locally translated version of the survey. Details about the ISC2 workforce gap and workforce estimate methodologies can be found here.

About ISC2

ISC2 is the world’s leading member organization for cybersecurity professionals, driven by our vision of a safe and secure cyber world. Our nearly 675,000 members, candidates and associates around the globe are a force for good, safeguarding the way we live. Our award-winning certifications – including cybersecurity’s premier certification, the CISSP® – enable professionals to demonstrate their knowledge, skills and abilities at every stage of their careers. ISC2 strengthens the influence, diversity and vitality of the cybersecurity profession through advocacy, expertise and workforce empowerment that accelerates cyber safety and security in an interconnected world. Our charitable foundation, The Center for Cyber Safety and Education, helps create more access to cyber careers and educate those most vulnerable. Learn more and get involved at ISC2.org. Connect with us on X, Facebook and LinkedIn.