For years, enterprises and government agencies pointed to a lack of tech talent as the main reason cybersecurity jobs went unfilled… even as malicious activity such as ransomware piled up, adding risks and threatening the bottom line.
New numbers from ISC2, a cybersecurity training and certification non-profit organization, show that shrinking or stagnant security budgets are causing CISOs and other security leaders to reduce or forgo hiring talent. Layoffs and hiring freezes also play a role.
The initial release of the 2024 ISC2 Cybersecurity Workforce Study earlier this month finds that the worldwide cybersecurity workforce gap increased 19 percent year-over-year, which equals 4.8 million tech pros needed to fill these open positions.
The global cybersecurity workforce now stands at about 5.5 million, according to the ISC2 report, which includes responses from more than 15,000 practitioners and decision-makers from North America, Europe, Asia-Pacific and other regions.
For quite some time, organizations have reported that a lack of talent meant they could not hire and recruit enough tech pros for open cybersecurity positions. The 2024 ISC2 report found that 39 percent of respondents reported that budget constraints now hinder hiring. Other issues related to hiring and developing security talent included:
- Twenty-five percent of respondents reported layoffs
- Thirty-eight percent of respondents reported hiring freezes
- Thirty-two percent of respondents reported few promotions
The ISC2 numbers dovetail with a recent Wall Street Journal report that finds cybersecurity spending is set to increase 8 percent this year, compared to 6 percent in 2023. Despite those numbers, the report noted that spending growth in 2024 remains below the 17 percent increase seen in 2022.
These developments are putting additional pressure on CISOs and other security leaders at a time when tech talent is needed to counter growing threats and attacks. Experts noted that these circumstances could also deter younger professionals from pursuing a cybersecurity career.
“This shift emphasizes that budget constraints are a major hurdle, further exacerbating the shortage of skilled cybersecurity professionals,” said Patrick Tiquet, vice president of security and architecture at Keeper Security.
Concerns Over Talent, Concerns Over Attacks
As security leaders struggle to recruit and hire talent, they also have concerns over the number of threats they face. The ISC2 numbers show that 58 percent of respondents are concerned that a shortage of skills puts their organization at risk.
Experts and industry insiders noted that, with attacks and threats becoming more sophisticated (as well as costing more to recover from), talented tech and security pros are needed now more than ever.
“For organizations, now is not the time to pull back on cybersecurity investments,” Tal Mandel Bar, product manager at security firm DoControl, told Dice. “If anything, the growing sophistication of threats means we need to double down on building strong, diverse security teams. This includes creating pathways for entry-level talent and investing in ongoing training and development for existing staff.”
Reduced cybersecurity budgets are also harming the ability of organizations to hire entry-level tech talent to fill gaps in coverage and find a new generation of workers to move up the ladder. The ISC2 study found that 31 percent of respondents report their teams lack entry-level security and tech pros. Another 15 percent told researchers that they had no junior-level professionals.
To build a security team, junior and entry-level employees can be trained for an array of positions and can fill critical coverage gaps. “Organizations should focus their limited budget on investing in existing workers to make sure they have the skills to address the latest threats and bringing on lower-cost entry-level workers who have the soft skills, such as problem-solving, collaboration, and curiosity, required to quickly grow into the role,” Dena Bauckman, senior vice president of product at security firm Sectigo, told Dice. “If done correctly, this approach will help keep existing employees motivated while reducing staffing and skills shortages.”
For those tech pros looking to break into cybersecurity, Keeper Security’s Tiquet noted that there are opportunities despite the hiring challenges.
“For those entering the cybersecurity field, the current reduction in entry-level roles may present some challenges,” Tiquet told Dice. “However, this creates a valuable opportunity for newcomers to distinguish themselves through practical experience and specialized skills. A proactive approach and a focus on relevant certifications can make candidates more appealing in a competitive job market.”
What Cybersecurity Skills Are in Demand?
Whether entry- or senior-level, tech and security professionals with certain skills remain in demand for many organizations. The ISC2 report shows that nine in 10 respondents report a skills gap within their team.
Which skills are currently the most sought-after? Unsurprisingly, the survey found that more than a third of respondents still cited artificial intelligence (A.I.) as the biggest skills shortfall in their teams. Other skill shortfalls included:
- Cloud computing (30 percent)
- Zero Trust (27 percent)
- Incident Response (25 percent)
- Application Security and Pen Testing (both 24 percent)
For those interested in cybersecurity, these must-have skills are the areas to focus on and the ones that can help you stand out during the hiring process, said Piyush Pandey, CEO of Pathlock.
“With significant skills gaps in areas like A.I., cloud security, zero trust, digital forensics, identity and application security, developing expertise in these fields will make you a highly valuable candidate,” Pandey told Dice. “The most critical digital business risk today is controlling access at the transaction level within highly regulated applications. The skills to recognize and effectively manage this shift are beginning to emerge.”
Experts and insiders also note that those tech pros starting out in the workforce should seek out opportunities to learn more about these particular skills.
“The growing skills gap, especially in areas like A.I. and cloud security, highlights the need for continuous learning and development. The threat landscape is evolving rapidly, and our skills need to keep pace,” DoControl’s Mandel Bar noted. “For those looking to enter or advance in cybersecurity, my advice is to focus on developing practical skills in high-demand areas like cloud security, zero trust implementation and A.I. Look for opportunities to gain hands-on experience, even if it means taking on volunteer projects or internships. The demand is there—it's about positioning yourself to meet it.”
Still, other experts note that building a strong security culture can not only attract talent—even when budgets are tight—but can also help with talent retention and recruitment.
“Building a strong cybersecurity culture within the organization and focusing on employee retention can help mitigate the impact of this shortage,” said Chad Graham, manager of the cyber incident response team at Critical Start. “Additionally, collaboration within the cybersecurity community, including information sharing and joint threat intelligence efforts, can enhance the overall security posture and resilience of an organization.”