In this Help Net Security interview, Jon France, CISO at ISC2, discusses cybersecurity workforce growth. He outlines organizations’ challenges, such as budget constraints and limited entry-level opportunities. France also points to the urgent need to upskill current employees and adopt inclusive hiring practices to tackle the growing skills gap in the industry.
The ISC2 report indicates that the growth of the cybersecurity workforce could be more stable. What are the main reasons behind this slowdown, and how significant is its impact on organizations?
A first look at the 2024 ISC2 Cybersecurity Workforce Study indicates a slowdown in the growth of the cybersecurity workforce, largely driven by economic uncertainty. This has led to a shortage of entry points for new talent and limited opportunities to address existing skills gaps. As a result, we estimate the global active cyber workforce has grown by just 0.1% over the past year, remaining relatively flat at around 5.5 million professionals. This marks a sharp contrast to the 8.7% growth reported in 2023.
While existing cybersecurity roles have been preserved to a greater extent compared to other sectors amid economic cost-cutting, the limited workforce growth has effectively halted the creation of new job opportunities. Regionally, this trend varies, but the overall picture is clear: the demand for cybersecurity professionals far exceeds the current supply.
This slow workforce expansion is having a significant impact on organizations. Our research reveals that 90% are facing cybersecurity skills shortages, with 67% reporting a lack of cybersecurity professionals. This gap has reached a new high in 2024, with an estimated 4.8 million additional professionals needed globally—a 19% increase compared to the previous year.
The shortage of talent is placing considerable strain on cybersecurity teams, leaving them under-resourced at a time when organizations are highly vulnerable to costly cyber incidents. With fewer professionals available to maintain security, the risks of disruption, financial loss, and reputational damage have escalated. This year, 74% of professionals report that the current threat landscape is the most challenging it has been in the last five years. As the pressure on the profession intensifies, it’s essential for organizations to prioritize creating more entry-level opportunities for new talent and investing in upskilling their current workforce to address evolving security challenges.
What are the primary challenges companies face when recruiting cybersecurity talent? Are there specific barriers, such as compensation expectations, lack of experienced candidates, or competition from other sectors?
One of the key challenges companies face when recruiting cybersecurity talent is budget constraints. For the first time, “lack of budget” has overtaken “lack of qualified talent” as the top cause of staffing shortages. Economic pressures are limiting organizations’ ability to invest in cybersecurity teams, despite the growing demand for skilled professionals. As a result, 38% of organizations have experienced hiring freezes (+6% from 2023). This reflects a broader trend where economic factors are impacting workforce development across the industry; layoffs, budget cuts, and stalled promotions are all impacting existing cybersecurity professionals.
In Europe, three major causes of skills shortages have been identified: difficulty finding candidates with the right skills (33%), limited budgets (29%), and IT departments introducing new technology without the expertise to secure it (29%). While this indicates a shortage of skilled candidates, there’s also a disconnect between what hiring managers are looking for and what professionals believe is in demand. For example, professionals rank AI and cloud computing skills highly, but hiring managers prioritize them much lower.
To overcome this mismatch, organizations need to create clear and realistic job descriptions, specifying the skills candidates need versus those that can be developed on the job. Better communication between hiring managers and cybersecurity professionals is crucial to aligning expectations and reducing barriers to entry, particularly around requirements for excessive years of experience or specific industry certifications.
How important is upskilling and reskilling the current workforce in addressing the cybersecurity skills gap? What initiatives or programs are proving effective in this area?
Upskilling and reskilling the current workforce is essential to closing the skills gap and ensuring organizations remain secure in an evolving threat landscape. When organizations cannot fill critical cybersecurity roles, workloads increase, leaving them vulnerable to incidents and financial risks. Developing talent within the existing workforce not only helps fill these gaps but also mitigates the impact of unfilled roles, such as additional strain on teams and burnout.
More than half of cybersecurity professionals globally (58%) believe that skills shortages put their organizations at significant risk, with 64% stating that skills gaps pose a greater challenge than staffing shortages. The most critical gaps identified include skills in AI (34%), cloud security (30%), zero trust (27%), digital forensics (25%), and application security (24%). Organizations must focus on these areas by upskilling and reskilling current employees to match these in-demand skill sets, which is key to addressing the broader skills gap.
Continuous professional development through certifications and education programs is vital for cybersecurity practitioners to remain competitive and relevant. By prioritizing upskilling initiatives, organizations can address immediate security concerns as well as future-proof their teams in an increasingly complex digital environment.
How can organizations effectively attract and retain a more diverse workforce in cybersecurity? What are some successful examples you’ve seen?
To attract and retain a diverse cybersecurity workforce, organizations need to focus on inclusive hiring practices and invest in skills development. One key strategy is shifting from requiring pre-qualified candidates to offering on-the-job training, especially for entry-level positions. This approach not only helps small-to-medium businesses with budget constraints but also enables companies to tailor training to their unique needs. Programs like ISC2’s One Million Certified in Cybersecurity aim to broaden the talent pool by providing free training and certification for entry-level professionals, allowing people from diverse backgrounds to enter the field.
Successful organizations also address the gap between what hiring managers expect and what candidates believe is required. Clear, realistic job descriptions help attract a wider range of candidates by focusing on skills that can be developed in the role rather than requiring extensive prior technical experience. This makes it easier for businesses to tap into a broader talent pool, including underrepresented groups, by emphasizing potential over existing experience and qualifications.
In addition, fostering an inclusive work culture is critical. Companies that succeed in recruiting and retaining diverse talent invest in diversity, equity, and inclusion (DEI) initiatives, set measurable diversity goals, and expand recruitment efforts beyond traditional job portals. Mentorship programs and leadership commitment to DEI help ensure underrepresented groups feel valued, promoting retention and long-term career growth in cybersecurity.
Considering the current trends and initiatives, where do you see the cybersecurity skills gap heading over the next 5-10 years?
After two years of reduced investment in hiring and professional development, organizations are now grappling with significant skills shortages and understaffed cybersecurity teams—a challenge that is amplifying risk and putting added strain on existing personnel.
Looking ahead, I’m cautiously optimistic. Over the next 5-10 years, I expect the skills gap to begin closing as more organizations recognize the critical need for sustained investment in workforce development. Cybersecurity is no longer a “nice to have”—it’s a business necessity. With the growing complexity of threats, driven by global instability and emerging technologies like AI, organizations will need to prioritize cybersecurity as a core part of their strategy.
Organizations must also focus on expanding entry-level opportunities, upskilling current employees, and building more diverse pipelines of talent to bridge the widening skills gap. As more businesses commit to developing cybersecurity talent and cross-sector collaboration drives the promotion of cybersecurity careers, a more diverse talent pool is likely to emerge. Investment in the next generation of cyber professionals will enable the workforce to meet evolving challenges and keep our critical assets secure.
Fill out the form to get your free eBook: