Has the Cybersecurity Workforce Peaked?

When training and credential provider ISC2s released its latest workforce analysis recently, the report's continued focus on a gap between the number of "needed" cybersecurity professionals and the estimate of the current workforce touched off a backlash.

Following discussions with dozens of unemployed cybersecurity professionals, field CISO Ira Winkler of CYE Security wrote an open letter to ISC2, criticizing ISC2's continued focus on the gap as a measure of true demand. Ben Rothke, a senior information security manager at Experian, also took issue with the data, as well as the marketing that fuels get-rich-in-cybersecurity training programs.

Rather than a healthy market for cybersecurity labor, workforce estimates have plateaued — both in North America and worldwide — suppressed by a lack of budget to pay for cybersecurity hires. It's something even the ISC2 even flagged in its report. Essentially, no matter how much businesses may want to hire additional cybersecurity professionals — and 59% of professionals surveyed by ISC2 claim to need skilled workers — budgets are tight and being spent elsewhere, resulting in stagnating demand for cybersecurity workers.

It's high time to sit down prospective cybersecurity professionals for a real-world talk, Winkler says.

"My gut reaction was, hey, whatever the number of openings is, that should not be [ISC2's] concern — they should be worried about the members who are long-term unemployed, of which there are many," he says. "Many of these people are really frustrated hearing that there's all these openings, and they can't get one."

For years now, reports from a number of organizations estimating the cybersecurity workforce size (and its potential size) have focused on the "cybersecurity workforce gap" between the number of workers that security managers claim they need and the estimate of actual workers they have in place. The perceived gap has attracted potential students to train — or increasingly, retrain — for a job in cybersecurity. In late October, when the ISC2 released its aforementioned "2024 Cybersecurity Workforce Study" report, the organization estimated the gap had grown 4% to 543,000 for cybersecurity workers needed in North America, while its estimate of the existing workforce shrank by 2.7% to 1.45 million.

Overall, the cybersecurity jobs market continues to struggle with factors including overestimates of demand, a lack of well defined career paths, and subpar training, industry watchers say.

Skills Gaps & Job Postings

The ISC2's survey of more than 15,8000 practitioners and decision-makers is a good-faith attempt at determining how much cybersecurity expertise is needed by businesses worldwide. But even with the majority of those surveyed claiming a need to hire more help, when paired with other data — such as job openings and government data — the ISC2 noted that "the cybersecurity workforce growth is slowing" worldwide, essentially plateauing with a 0.1% growth rate.

Still, using the same data, the shortfall in cybersecurity workers is estimated to be 4.8 million globally.

"For clarity, that doesn't mean there is 4.8 million jobs out there," acknowledges Jon France, CISO for ISC2. "It means the profession — by asking nearly 16,000 people and using secondary data sources — reckons that to become secure as we need to be, 4.8 million people need to come into the market."

The cybersecurity workforce peaked in North America in 2023 and has plateaued globally, while the overall "needed" workforce continues to grow globally. Source: Author, using data from ISC2's Cybersecurity Workforce Studies 2021-2024

Cyberseek — a collaboration between certificate group CompTIA, workforce analysis firm Lightcast, and the US National Institute of Standards and Technology (NIST) — estimates that there are 457,000 cybersecurity-related job openings in the United States and a total workforce of 1.25 million, according to its website. The analysis counts any worker with significant cybersecurity responsibilities as related to cybersecurity, and it focuses on counting actual job postings with an emphasis on deduplicating, says Will Markow, formerly with Lightcast but now senior vice president of Workforce Solutions for Cyberwarrior, a training and consulting services firm.

"That's gives us a view into how many jobs there actually are, not how many jobs companies would like there to be," he says. "You can think of the estimates as two ends of the spectrum: They both still show a gap, but the data from Cyberseek is going to show a smaller gap, because it's looking at how many jobs are companies actively recruiting for and trying to fill, as opposed to how many in an ideal world security leaders would be hiring for if they had as much budget as they could possibly want."

"Ghost Jobs" & Reverse Pyramids

Jobseekers are likely also running afoul of the trend in ghost-job posting. Nearly half of hiring managers have admitted to keeping job postings open, even when they are not looking to fill a specific position. That's being used as a way to keep employees motivated, give the impression the company is growing, or to placate overworked employees, according to a survey conducted by Clarify Capital.

These ghost jobs are a significant problem for cybersecurity job seekers in particular, with one resume site estimating that 46% of listings for a cybersecurity analyst in the United Kingdom were positions that would never be filled--compared with about a third for all roles.

Budgets are getting tighter as well, with nearly half of security teams (49%) facing cutbacks in the past year, up from 48% in 2023, according to ISC2. Cutbacks include hiring freezes experienced by 38% of companies, budget cuts faced by 37% of teams, freezes on promotions (32%), and layoffs (25%).

Those economic pressures are another reason that purported jobs are not materializing, says Jon Brandt, director of professional practices and innovation at ISACA, an information-technology certification organization.

"People can respond to any survey and say, hey, we have a need for 20 more people," he says. "But at the end of the day, unless an organization is taking active steps to hire, then that's not a data point we should be looking at right now."

For entry-level workers without significant experience, the picture is especially grim. Cyberseek's career pathway data shows that demand for workers resembles a reverse pyramid. Entry-level jobs are more rare, with about 20,000 jobs available, while there are 34,000 midlevel positions and 73,000 advanced positions.

Entry-level cybersecurity professionals are not in high demand because most security positions require and automation and AI is exacerbating the issues, says Experian's Rothke.

"To a degree, entry-level security is a misnomer," he says. "Security roles really aren't entry level to begin with, because hiring managers want you to have this technical level of IT. So spend a few years to get work experience, and then you're going to get into security."

Job seekers with significant technical experience are still in demand, while those fresh out of a degree program are finding the job search more difficult.

False Hopes & Expectations: "It's Criminal"

While there remains a lot of potential in the industry for technical people, especially as the profession expands in the future, job seekers are not currently being well served, cybersecurity recruiter Jeff Combs said recently during a streamed discussion with ISACA's Brandt.

"I think one of the disservices that is being done to many people who are entering the field," Combs said, "is the promise of this new exciting field where, if you finish your degree or you go through this bootcamp or you get this specific certification, you're guaranteed an entry point into a $100,000 per year career path. Honestly, I think it is criminal."

In the end, between economic pressures on security budgets, a pipeline that does not adequately account for training, and training that struggles to provide the right mix of skills, the workforce trials of cybersecurity professionals will likely continue, says Cyberwarrior's Markow.

"I like to think of it right now as a tale of two job markets, because on the one hand, you do see strong evidence of a gap overall within cyber, but there are two different camps of workers who have very different job-hunting experiences," he says.

He adds: "Many companies are still asking for heightened experience requirements, heightened degree requirements, and heightened certification requirements that effectively constrain the talent pipeline into cyber security, and that means that we actually see very different dynamics across different corners of the workforce."