The State of the Cybersecurity Workforce
The cyber workforce – What is it? What does it look like? Is it even a thing? To answer that last question: yes, it is. And to the first question, we say: it’s the universe of people working in cyber-related fields around the world. The middle question is rather harder to answer, though.
There have been concerted efforts over the years to write down the structure of the cyber workforce – to use the wording above, “what it looks like”. Probably the most prominent (and certainly the most in-depth) is the NICE Framework, produced by the U.S. National Initiative for Cybersecurity Education. It breaks the cyber workforce into seven “work role categories” (for example oversight and governance, implementation and operation, and cyberspace intelligence), with these categories further divided into 52 “work roles” (systems security analysis, for instance, or incident response).
There are also 11 competency areas across which cyber professionals work – AI security, communications security and supply chain security being examples – and a somewhat daunting 2,000+ Task, Knowledge and Skill (TKS) statements. Think of the TKS statements as a catalogue of the specific tasks a cyber professional might undertake as part of their duties, paired with the knowledge and skills they need in order to carry them out.
Finding the Right Approach for You
Of course, if you’re the U.S. Government then the NICE Framework probably works for you as it stands. Most of us aren’t, so much of it will likely be overkill … but it still has the potential to help us, and we will come back to that later, after we’ve looked at some rather more empirical, real-world evidence of what the global cyber workforce looks like.
The first big aspect of the global cyber workforce is that it is half-empty. According to ISC2’s 2024 Cybersecurity Workforce Study there are 5.5 million people active in cyber worldwide, which sounds great until you read on and discover that there is a gap of 4.8 million. In other words, almost 47% of the global need for cyber staff is not being met. The really concerning part, however, is the change over time: the number of people in cyber has stayed roughly static year-on-year, with an increase of 0.1% (negligible when you consider the tolerances of survey figures) … but the gap has increased by 19%. So, if we take a bit of artistic licence and treat those numbers as exact, we’ve taken on a net 5,500 or so people, while the need has gone up by the best part of a million.
Understanding the Size of the Workforce
Let’s look at the modest increase in cyber employees. In its simplest form, the 0.1% increase is the net result of the number of people coming into cyber and the number leaving it. It is a lot harder to survey people who are no longer in the cyber industry because … well, they are no longer in the cyber industry and we have largely lost sight of them, which is why the study makes use of a variety of secondary data sources to produce a robust figure. One survey put global growth in 2022-23 at 8.7% (the narrative is slightly ambiguous, but it does use the words “new positions”). 8.7% of 5.5 million is just over 460,000 – and it is believable that we have in fact succeeded in attracting almost half a million new people into cyber, but that our efforts have been cancelled out by a similar number leaving the profession.
Why do people leave cyber? To some extent, for the same reason as anyone else: cybersecurity has been around for long enough that practitioners are hitting retirement or early retirement age. Some will be promoted into non-cyber jobs: given that executive team and board level roles tend not to include CISOs, moving up the ladder from a cyber-specific job may well land you up in a more generic IT manager/CIO/CTO role, taking you out of the cybersecurity catchment group. Some will move into non-cyber jobs at similar levels to where they sit in the organization chart today.
If some surveys are to be believed, many will move into roles that fall into the category of “anything but this”. According to a 2023 write-up that referenced a Gartner report, “Nearly half of cybersecurity leaders will change jobs by 2025 due to multiple work-related stressors”, and “of that near 50%, 25% will leave the field entirely”. Another 2023 report said that “51% are likely to leave their job in the next 12 months as a result of stress”. The figures of yet another align fairly well on the question of people leaving the field of cyber, with 24% contemplating a change of career. Of course, there is a big difference between people saying “I’m thinking of leaving cyber” and actually doing it, but with percentages this large the effect could be significant – and our 460,000 figure from earlier backs this up somewhat.
So, then, we’ve discussed the global cyber workforce, but what about our own? Most of us have modest-sized cyber teams, so we’re not about to go diving deep into the NICE Framework’s database of TKS statements. However, we can use the Framework as a checklist of the key areas our cyber function needs to cover: if there are areas (and their associated risks) we have simply never considered, we have a requirements gap, and by inference a skills gap. A great reference is NIST Special Publication 800-181, which makes the Framework comprehensible and describes the building blocks for how we could use it in our organizations.
Retention Considerations
What we just discussed is about how we might structure our cyber team, but there is a much more important factor to consider: how to hang onto the team members once we have them in place. No matter how much we insist that cyber is a specialism requiring special skills and knowledge, the fact remains that the challenge of getting your cyber team to stay with the organization is really no different from the one facing any other hiring or line manager in the company. While we’ve talked in some depth about cyber staff who fold their metaphorical hand because they are stressed or burnt out, this tends to mask the traditional reasons for leaving a company – or an industry – which are no different now from 20 years ago.
Why do people leave any job? A better offer elsewhere is a common one (though at a high level at least we’re probably staying in the industry, albeit with another employer). Seeing peers paid more than us for what we think is the same job. Seeing no route upwards, because mid-ranking cyber management jobs report into non-cyber roles we couldn’t do. Feeling unappreciated. Lack of training and personal development. Plain and simple poor management. People may be leaving cyber jobs, and perhaps the industry, for some distinctly modern reasons, but many of the reasons are not new at all.
In short, the traditional threats to any workforce apply just as much to cyber.