Every year, ISC2 publishes a report on the global cybersecurity workforce. They recently published their 2023 edition, which, in addition to the normal survey stats, also covers timely topics around the impact of AI and the impact of the cooling economy on workplaces.
Each year, ISC2 reports a headline stat on the size of the global cybersecurity workforce and the ‘gap.’ Lots of people take this statistic and the headline of 3.5M open jobs from Cybersecurity Ventures. ISC2’s own figure is 4M (actually 3,999,964 which, by the way, is an absurd level of precision). Of this 4M, 520K are in the US (cited as a 20% YOY increase). Interestingly, ~2.5M of the gap is in Asia, presumably driven by extrapolations based on population.
I, personally, call BS on these stats.
I run a job board that does not purport to have a universal perspective on open jobs, but I do look at data scraped from 150 applicant tracking systems on cybersecurity job openings and then curate the jobs that show up on our site. Each week, we see a couple hundred new jobs populate and a few hundred leave, with an average time to fill of about 2-3 months.
Even if you assume coverage gaps in the data (which there are), this gets nowhere near a persistent gap of 500K jobs. Searching for cyber openings on Indeed, LinkedIn, and aggregation sites such as Google Jobs yields quality results mostly in the low thousands (and many more jobs that are way wide of the mark). And since 500K is a ‘stock’ or run-rate number, you’d expect to see roughly that balance of jobs open at any given time, with a much larger number ‘flowing’ through each year (as some jobs do get filled).
My sense is that ISC2 is coming under some degree of pressure for the stats, as this year they published this disclaimer in the body of the report:
It’s important to note what this year’s workforce gap represents. The workforce gap calculates the difference between the number of cybersecurity professionals that organizations require to properly secure themselves and the number of cybersecurity professionals available for hire. The workforce gap does not aim to estimate the actual current job market for cybersecurity professionals.
In previous years, the definition of demand was: Demand is defined as the number of cybersecurity jobs organizations would like to employ over the next year minus the number of current workers.
So, what we have is an estimate of what it would take to actually adequately secure the world. This raises the obvious question of how you define ‘properly secure.’ Additionally, it seems foolish to invalidate the choices that companies are actually making about their risk tolerance. Choosing not to post security roles is, explicitly or implicitly, a business decision about accepted risk.
So, I think we can definitively say that the gap is something much less than 500K jobs.
Nevertheless, we do operate in an industry where there are significant demand and supply imbalances. One of the best thinkers on this topic is Ben Rothke, who has written several pieces on Medium unpacking the topic.
He recently posted The big lie of millions of information security jobs (gated), which does a great job unpacking the issue. Previously, he posted Is there really an information security jobs crisis? Ben’s main points, which I agree with and I think we can definitively state:
The ISC2 report does have good data on where these skill gaps are most prominent:
Clearly, 2023 has been the most challenging year for the infosec space in probably the past two decades. On the tech vendor side, as companies and their backers (most often VCs) have sought to reduce cash burn and extend runway (most are unprofitable), employees got hit hard with layoffs.
On the practitioner side, you can divide that camp into services companies and enterprise. Many cybersecurity services businesses saw declines of 5-25% YOY in 2023 and had layoffs in line with that. In enterprise, the picture was more muted, with employees more likely to feel the impact of hiring freezes, slow-rolling of new hires, and caps on technology budgets. Relatively few security teams in enterprise were directly hit by layoffs this year.
Here’s the data from ISC2:
Regardless of the size of the talent shortfall, it is clear that there are important enterprise security tasks that are simply not getting done because the people aren’t there to do them. The data above shows just how overburdened many security teams are.
The things that tend not to get done are often the ones that are most proactive in nature, such as: regularly re-assessing risks and quantifying them, documenting process and procedure, clearing out backlogs of vulnerabilities, and team training and development.
Here’s what ISC2 found about what is not getting done:
Here are other stats from the report that are particularly interesting:
You can read the full report here. I’d love to hear your takeaways!