Despite a significant increase in the number of people entering the cyber field in 2023, demand is still far outpacing that supply.
The size of the global cybersecurity workforce has reached a new peak of 5.5 million people, a 9% increase from 2022. But despite that rise, demand for cyber workers is still outpacing supply, according to a new workforce study released Tuesday.
The gap between the number of cybersecurity professionals needed and the supply of qualified personnel grew by nearly 13%, and 4 million new workers would be needed to close it, according to the annual workforce study by ISC2, a nonprofit member organization and provider of cyber training and certifications.
“The good news is more people are coming in,” Tara Wisniewski, executive vice president for advocacy, global markets and member engagement at ISC2, told Nextgov/FCW. “The bad news is we can't keep up with the pace.”
The Biden administration released a strategy focused on cybersecurity workforce issues in the United States over the summer, but as the latest report notes, a “perfect storm” of challenges has set a high-stakes backdrop.
Of the nearly 15,000 cyber professionals surveyed in the spring, 75% reported that they are seeing the most challenging threat landscape of the last five years. ISC2 used that data, along with third-party and trending estimates, to gauge workforce numbers and gaps.
“Economic uncertainty, rapidly emerging technologies, fragmented regulations and ever-widening workforce and skills gaps” are “creating huge uncertainty for a profession whose role it is to protect global infrastructure and systems from attack,” the report says.
Nearly half reported staff cutbacks through layoffs, hiring or promotion freezes, or budget cuts, although governments were among the industries with the fewest cyber layoffs reported by respondents.
Respondents also reported insider threats and keeping pace with a changing regulatory environment around artificial intelligence, breach disclosure rules and more as big challenges over the last year. In the report, ISC2 asked policymakers, regulators and lawmakers to harmonize regulations.
Surveyed cybersecurity professionals also reported skills gaps around artificial intelligence — which nearly half of respondents admitted to having no or minimal knowledge about — along with cloud computing security and zero trust implementation.
With a growing need for more cyber workers, the report also included some insights on who is making it into the profession and how organizations are hiring. The field has historically been largely white and male.
There’s been a significant increase in people entering cybersecurity later in their careers, and new entrants into the field are older than they were in previous years. Nearly half of the newest cyber workers were 39 or older, and only 21% were under 30.
Cybersecurity workers with less than a year of experience are more likely to have a bachelor’s degree in cybersecurity and less likely to have gotten their start in IT, according to the report.
Despite the rise of cybersecurity degrees, a majority of respondents — 70% — said that they valued entry-level experience over having a degree when asked what qualifications add up to an ideal candidate for the field.
Still, only 37% reported actually de-emphasizing technical degrees and certifications for new hires as a way to address workforce shortages. Doing so would align with a push to skills-based hiring included in the White House strategy, where employers vet for certain skills and aptitudes instead of checking for experience or educational attainment.
“There’s a lot of inconsistency on hiring practices,” said Wisniewski of the discrepancies, although she noted that “the conversation about, ‘Do you really need a degree to do that?’ is picking up some steam.”
As for the impact, “the escalating challenges facing cybersecurity professionals underscore the urgency of our message: organizations must invest in their teams, both in terms of new talent and existing staff, equipping them with the essential skills to navigate the constantly evolving threat landscape,” said ISC2 CEO Clar Rosso in a statement. “It is the only way to ensure a resilient profession that can strengthen our collective security.”