ISC2 Cybersecurity Workforce Study 2023
ISC2 Cybersecurity Workforce Study 2023
Executive Summary 3
Key Findings 5
Workforce Gap & Estimate 9
Cybersecurity professionals are facing greater pressures than ever that diminish their
ability to defend institutions and organizations around the world from ever-increasing
threats.
Dealing with emerging challenges with grave consequences is not a new phenomenon for
cybersecurity professionals. However, our study shows that a perfect storm of economic
uncertainty, rapidly emerging technologies, fragmented regulations and ever-widening
workforce and skills gaps is creating huge uncertainty for a profession whose role it is to
protect global infrastructure and systems from attack. The cybersecurity workforce needs
more support and investment from leaders across the public and private sectors.
This piles on top of nearly three years of rapidly evolving business and threat
environments that started with cybersecurity professionals securely transitioning their
organizations through accelerated work-from-home and cloud services deployments
in response to the COVID-19 pandemic. And critical vulnerabilities across entrenched
platforms continue to be exploited throughout the IT services and software supply chains.
When war broke out in Eastern Europe, the conflict in Ukraine ushered in a new era of
cyber warfare.
Today, cybersecurity professionals continue to contend with challenges that have built
since the outbreak of COVID, while also facing the consequences of greater economic
pressure across the globe. Cybersecurity leaders and professionals at all levels are
adjusting to staff layoffs and budget cutbacks. For the first time since the beginning of the
2020 pandemic, many study participants expect cybersecurity hiring to decrease in their
organizations over the next year. The pressure on the workforce is real, with our study
finding a modest decrease in job satisfaction for the first time. Many professionals remain
concerned that leadership in their organizations does not listen to their guidance, which
creates additional risk. They also say the threat landscape is the worst it’s been in the last
five years, with reports of malicious insiders increasing.
Meanwhile, the disruptive arrival of the latest generation of artificial intelligence brings
additional uncertainty. Will AI advance how we identify and respond to threats? Will
AI force us to rethink security roles and responsibilities that may eliminate jobs or
create new ones? Does AI herald a new era of rapidly evolving threats? Will AI foster
a combination of all three scenarios, as well as others we have not yet imagined?
Cybersecurity professionals remain both optimistic and cautious about AI.
Our study also reveals how the ongoing workforce gap and pressures from budget
cutbacks and layoffs are creating critical workforce skills gaps. Study participants
expressed concern that skills gaps leave their organizations more vulnerable than the
lack of qualified team members. This is highlighted
even more as rapidly evolving technologies like AI
expose gaps in knowledge and experience, as well
as in risk management processes. Organizations and
75%
policymakers need strategies to address both, and
our study reveals solutions to help mitigate these risks
despite the global workforce and skills deficits.
said the current threat
Our review of career pathways, shifting demographics
landscape is the most for new entrants into the field, adoption of new hiring
challenging it has been practices and investment in developing and retaining
in the past five years. existing staff reveal how organizations are mitigating
risk, keeping staff engaged and offsetting the impacts
of budget cutbacks.
THE CYBERSECURITY WORKFORCE AND GAP HAVE BOTH GROWN. In the past
year, the cybersecurity workforce has grown by 8.7%. In addition, the gap between
the number of workers needed and the number available has also continued to
grow, with a 12.6% increase year over year.
ISC2 estimates the global cybersecurity workforce at 5.5 million, representing an 8.7%
increase year over year and nearly 440,000 new jobs. All regions saw growth this year,
but these gains are particularly high in our two new Middle East countries, Asia-Pacific
and North America. Japan in particular is growing at a rapid rate — 24% year over year.
Latin America, after years of substantial growth, is starting to balance out, with Brazil
decreasing from an 18.3% growth rate in 2022 to 8.9% this year, and Mexico dropping
slightly year over year (see figures 1-A and 1-B).
REGIONS
EUROPE
NORTH
AMERICA 1,309,588
+8.2%
+7.2%
1,495,825
+11.3%
+11.3%
ASIA-PACIFIC
MIDDLE EAST 960,231
& AFRICA +11.8%
LATIN +11.8%
AMERICA 401,582
+11.7%
+8.2%
1,285,505
+4.5%
+4.5%
*2023 estimate includes four new countries — United Arab Emirates, Saudi Arabia, Nigeria and South Africa. YoY growth is based on back-estimates for those
countries for 2022.
EUROPE AFRICA
UK FRANCE GERMANY IRELAND SPAIN NETHERLANDS NIGERIA SOUTH AFRICA
*2023 estimate includes four new countries — United Arab Emirates, Saudi Arabia, Nigeria and South Africa. YoY growth is based on back-estimates for those
countries for 2022.
It’s important to note what this year’s workforce gap represents. The workforce gap
calculates the difference between the number of cybersecurity professionals that
organizations require to properly secure themselves and the number of cybersecurity
professionals available for hire. The workforce gap does not aim to estimate the actual
current job market for cybersecurity professionals. During times of economic uncertainty,
many organizations have made cutbacks involving hiring freezes and layoffs, which
we discuss in more detail throughout this paper. This, however, does not affect the
workforce gap because organizations’ need for cybersecurity workers remains the same
regardless of whether or not those organizations currently have the funds to actually hire
and employ sufficient staff.
REGIONS
EUROPE
NORTH
AMERICA 347,761
+8.2%
+9.7%
521,827
+11.3%
+19.7%
ASIA-PACIFIC
MIDDLE EAST
& AFRICA 2,670,316
+11.8%
+23.4%
LATIN 111,801
AMERICA
-7.1%
+8.2%
348,259
-32.5%
-32.5%
*2023 gap includes 4 new countries – United Arab Emirates, Saudi Arabia, Nigeria and South Africa. YoY growth are based on back estimates for those
countries for 2022
EUROPE AFRICA
UK FRANCE GERMANY IRELAND SPAIN NETHERLANDS NIGERIA SOUTH AFRICA
*2023 estimate includes four new countries — United Arab Emirates, Saudi Arabia, Nigeria and South Africa. YoY growth is based on back-estimates for those
countries for 2022.
The current macroeconomic environment has normalized higher costs, lower revenue and
worker shortages. As a result, many organizations are choosing to implement cost-saving
cutbacks (e.g., budget cuts, layoffs, hiring freezes and promotion freezes) to support their
balance sheet. However, these organizational cutbacks — especially within cybersecurity
teams — have implications that extend beyond just cost.
Cybersecurity professionals are critical protectors against risk and vulnerability, but cutbacks
throttle their productivity, satisfaction and skill development. In this study, cybersecurity
professionals share how cutbacks and related challenges like staffing shortages and skills
gaps truly impact their day-to-day work, so organizations can discover opportunities for
improvement.
Has your organization experienced the following cutbacks in the past 12 months?
FIGURE 3
Yes, in cybersecurity Yes, but not in cybersecurity No, we have not experienced this
Hiring freeze
32% 26% 42%
Budget cuts
30% 32% 38%
Freeze on promotions/raises
26% 22% 52%
Layoffs
22% 28% 50%
INDUSTRIES WITH FEWEST LAYOFFS IN CYBER INDUSTRIES WITH MOST LAYOFFS IN CYBER
COUNTRIES WITH FEWEST LAYOFFS IN CYBER COUNTRIES WITH MOST LAYOFFS IN CYBER
of cutbacks?
IMPACT OF CUTBACKS ON CYBERSECURITY ORGANIZATION
53%
There have been
40%
The security team
35%
The organization
delays in purchasing/ was restructured has changed
implementing or moved within its strategic
technology the organization direction
35%
Cybersecurity training
29%
Cybersecurity
24%
Cybersecurity
programs have been certifications/education software licenses
cut (e.g., professional reimbursements have have not been
development) been cut renewed
Base: 9,822 global cybersecurity professionals whose organizations had cutbacks over the past 12 months
Note: “Don’t know/does not apply” responses were removed from the sample base.
71%
Increase in
63%
Cybersecurity
62%
Productivity
62%
Ability to prepare
workload team morale for future threats
61%
Skills gaps
57%
Ability to
52%
Increase
on the respond to in insider
cybersecurity cybersecurity risk-related
team threats incidents
Base: 8,598-8,907 global cybersecurity professionals
Note: “Don’t know/does not apply” responses were removed from the sample base.
Did you know anybody personally who was laid off in the past 12 months in any
FIGURE 7
64%
29% Non-cybersecurity personnel at other organizations
32%
12%
Base: 9,676 global cybersecurity professionals who do not know a cybersecurity worker from their organization who was laid off in the last 12 months
Note: “Don’t know” responses were removed from the sample base.
Staffing Shortages Are Expected to Get Worse but Are Also Perceived Differently
Based on Seniority
Though the need for cybersecurity staff is as great as it’s ever been, layoffs and
cutbacks — among other factors — have caused significant staffing shortages and skills
gaps within cybersecurity. We found that there’s a shortage of staff to prevent and
troubleshoot security issues — and a lack of budget is a common cause.
Which of the following best describes how you feel about the number
FIGURE 9
Education
Percentage
with staffing
shortages
78%
Government (non-military) 78%
My organization has a slight shortage of cybersecurity Non-profit 76%
staff to prevent and troubleshoot cybersecurity issues Military/military contractor 76%
Aerospace 75%
46% Healthcare
Automotive
74%
71%
Energy/power/utilities 70%
Insurance 69%
Food/beverage/hospitality/travel 68%
Transportation 68%
My organization has the right amount of cybersecurity
Entertainment/media 67%
staff to prevent and troubleshoot cybersecurity issues Manufacturing 67%
Non-security software/
30%
67%
hardware development
Retail/wholesale 63%
Agriculture 62%
Construction 62%
Financial services 62%
Telecommunications 62%
My organization has a surplus of cybersecurity staff
Engineering 61%
to prevent and troubleshoot cybersecurity issues Security software/
60%
hardware development
2% Hosted/cloud services
Consulting
55%
54%
staff. What do you think is the biggest cause for this shortage?
23% 20%
My organization doesn’t My organization
put enough resources into doesn’t prioritize
training non-security IT staff security
to become security staff
17% 15%
My organization My organization
doesn’t have plans in doesn’t sufficiently
place to backfill roles train staff
Skills Gaps Are Common but Can Be More Challenging Than Staffing Shortages
To what extent does your organization’s security team have one or more
FIGURE 11
skills gaps?
92%
We have one or more significant skills gaps
26%
skills gaps?
Have had layoffs in cybersecurity Have not had layoffs
23%
We have one or more critical skills gaps
15%
29%
We have one or more significant skills gaps
24%
26%
We have one or more moderate skills gaps
33%
16%
We have one or more slight skills gaps
19%
59% 58%
“
“ “
of respondents agree/strongly agree that of respondents agree/strongly agree that
Skills gaps can be worse than
total worker shortage gaps.
We can help mitigate worker
shortages if we have efficient
“
distribution of skills across the team.
• Recruiting issues and lack of strategic budgeting also drive skills gaps. The two
most common reasons for skills gaps cited by respondents were the inability to find
the people with the skills they need and the struggle to keep people with in-demand
skills due to low wages, lack of promotion opportunities, etc. (see figure 14). Offering
sufficient compensation plays a big role here: 58% of cybersecurity workers at
organizations that do not offer a competitive salary say their organization has skills
gaps because they struggle to keep people with in-demand skills. In comparison, only
38% of those at organizations that pay competitive wages see skills gaps. And overall,
48% of organizations that don’t offer competitive salaries have significant skills gaps,
compared with 31% of those organizations that do offer competitive compensation.
48%
of respondents at organizations that
don’t offer competitive salaries have
significant skills gaps, compared with
31%
of those organizations that do offer
competitive compensation.
44% 42%
My organization can’t find In general, we struggle to keep
people to hire with the people with in-demand skills
skills we need (e.g., due to low wages, lack of
promotion opportunities, etc.)
41% 36%
My organization doesn’t Leadership misaligns staff
have the budget to hire resources (i.e., too much staff
enough people in some areas and not enough
in others)
33% 32%
My organization doesn’t put enough People with these skills
resources into training non-security recently quit, and we
IT staff to become security staff haven’t replaced them
31% 25%
My organization doesn’t People with these skills
sufficiently train staff recently were laid off, and
we haven’t replaced them
Base: 12,011 global cybersecurity professionals
Note: “Don’t know/does not apply” responses were removed from the sample base.
To what extent do you agree or disagree with the following statements about
FIGURE 15
• Skills gaps are most common in critical areas. We found that the most
common skills gaps tend to be in areas that are gaining importance in the
cybersecurity world. Cloud computing security, artificial intelligence and machine
learning security and Zero Trust implementation are the current top three most
common skills gaps (see figure 16).
26%
Digital forensics and incident response
26%
Risk assessment, analysis and management
24%
Security engineering
23%
Threat intelligence analysis
23%
Malware research/analysis
22%
Base: 11,473 global cybersecurity professionals
Note: Showing top ten responses; “Don’t know/does not apply” responses were removed from the sample base.
Not Surprisingly, Staffing and Skills Shortages Create Risks for Organizations
Cutbacks, staffing shortages and skills gaps have created a perfect storm, increasing risk
across all industries. But what are these risks? We found that:
Moderate risk
9%
57%
48%
Slight risk
31%
Low risk
12%
No risk
1%
Base: 5,437 global cybersecurity professionals
Note: “Don’t know/does not apply” responses were removed from the sample base; Percentages may not total 100 due to rounding.
Which of the following have you experienced that you feel would have been
FIGURE 18
30% 30%
Slowness in
responding to
incidents
Rushed
deployments 75%
said the current threat
landscape is the most
29% 28% challenging it has been
Not enough resources Overreliance in the past five years.
to adequately train our on third-party
cybersecurity staff support
How strongly do you agree with the following statements related to the state
FIGURE 19
of cybersecurity work?
67% 63%
48%
42%
Despite these challenges, there are ways that organizations can mitigate cyber risks
stemming from staffing shortages and skills gaps. Take the following actions to
overcome these obstacles:
• Be aware of workers’ worries. We found that nearly 65% of entry- and junior-
level staff expected the number of cybersecurity workers at their organization
to decrease over the next 12 months. However, the higher the seniority of the
respondent, the less likely they were to expect a worker reduction in the next 12
months (see figure 21). It’s important for cybersecurity leaders to understand the
worries of those below them in the organizational hierarchy and make sure to
communicate the company’s plans for staffing in the near future.
Invest in certifications
67%
Hire for attitude and aptitude, and train for technical skills
61%
Use outsourcing/services
56%
Encourage employees at your org outside IT and security to consider a career in cybersecurity
50%
Hire from outside the geographic regions we typically have hired from because of work from home
50%
32%
26% 42%
C-level executive
30% 30%
23% 25%
Base: 8,085 global cybersecurity professionals who reported present and expected future company size
Last year, we introduced the Employee Experience (EX) rating system to better
understand what affects cybersecurity professionals’ satisfaction and overall
experiences. This year, we’re continuing to examine culture using this system.
The EX rating looks at a variety of key factors, including engagement in work,
burnout rates, the sense of being fairly evaluated and more. It uses a scale from
0 (terrible) to 100 (excellent). Once evaluated, we grouped respondents into three
categories based on their ratings: High EX, Medium EX and Low EX.
4,175
MEDIUM EX Employees with medium level
of happiness at their work
42 – 61
(31.8%)
3,716
LOW EX Employees with low level
of happiness at their work
41 and below
(36.9%)
This year, considerably more cybersecurity professionals ended up in the Low EX bucket
than last year. However, the average EX rating only dropped slightly, from 51.75 to 51.49.
2022 2023
32.6% 51.75
High EX 51.49
31.3%
35.6%
Medium EX
31.8%
31.7%
2022 2023
Low EX
36.9% Average EX
rating by year
Base: 14,865 global cybersecurity professionals
Very satisfied
28%
Somewhat satisfied
70%
42%
Somewhat dissatisfied
12%
Very dissatisfied
4%
73% -2%
66% -3%
60% -3%
58% -2%
• Cutbacks and layoffs have harmed morale. As cutbacks and layoffs have
increased — resulting in staffing shortages and skills gaps — satisfaction and overall
worker happiness this year have dipped. Respondents whose organizations have
had layoffs in cybersecurity in the past year have an average EX rating of 46.0,
while those who haven’t rated an average of 55.5. This is even more stark among
those who expect layoffs in cybersecurity over the next 12 months. Their average
EX rating is just 38.9, compared with an average of 59.5 for those who do not
expect cybersecurity cutbacks at all (see figure 24). 68% of those who experienced
layoffs said those layoffs significantly hurt team morale, and 62% reported that
cybersecurity cutbacks have a negative effect on productivity.
Have had layoffs elsewhere in the Expect cutbacks but not layoffs in
organization (but not in cybersecurity) cybersecurity over the next 12 months
47.7 49.3
• Layoffs and cutbacks created more work for employees. Downsizing adds work
to cybersecurity professionals’ plates, hurting worker satisfaction. 71% report that
cutbacks in cybersecurity resulted in an increased workload. When asked what
issues negatively impact their job satisfaction, cybersecurity professionals cited
an overabundance of emails and tasks, overwork due to staff or skills shortages
and inadequate resources to sufficiently protect their organization — three issues
related to overwork (see figure 25). These issues were significantly more common
among those who have staffing shortages and skills gaps compared to those who
don’t (see figure 26).
Lack of support from Pay is too low It’s difficult to stay current
executives/managers on security issues/trends
I get stressed out from the The organization is not realistic Poor security policies/
weight of responsibility I feel in the way it measures the standards at my company
as a security professional success of security create extra work for me
Which of the following are issues in your current role that negatively impact
FIGURE 26
Employees of orgs with neither staff shortages nor significant skills gaps
We found that the inverse of these issues is also true. The initiatives that create a
positive work culture and result in the highest EX ratings are valuing and listening to
employees’ needs. Not listening to cybersecurity professionals can be a particularly
harmful issue because, beyond the effect it has on employee morale, it also
increases the likelihood that organizations could miss out on crucial risk-related
information and put themselves at risk.
Which of the following are issues in your current role that negatively impact
FIGURE 27
Which of the following are issues in your current role that negatively impact
FIGURE 28
Employees of orgs with neither staff shortages nor significant skills gaps
Base: 13,682 global cybersecurity professionals Base: 5,874 cybersecurity professionals in the United States, Canada, United
Kingdom and Ireland
How much do you agree or disagree with the following statements about
FIGURE 30
DEI initiatives don’t just make a difference in creating a more diverse workforce
— they produce a more effective workforce as well. Cybersecurity professionals
at organizations that have adopted these two DEI hiring practices were
considerably more likely to feel like their organization had the tools and people
they needed to ensure they are prepared to respond to cyberthreats over the
next two to three years (see figure 33).
“My organization has the tools and people they need to ensure the organization
FIGURE 33
is prepared to respond to cyber incidents over the next two to three years”
57% 57%
51% 51%
• Seek input and listen to feedback from employees. We have seen consistently
over the past two years that cybersecurity professionals who feel their organizations
truly listen and consider their depth of expertise and knowledge as well as their
preferences on working environment are far happier than those who feel unheard.
Listen to your staff — don’t work against them.
80% of cybersecurity professionals agree that there are more pathways into
cybersecurity today than there were in the past, and 82% agree that the increase in
alternative pathways is positive for the industry. These new pathways are a product of
an agile profession and the willingness of the people in it to adapt to the ever-changing
and often unpredictable environment around them.
More professionals with no prior cybersecurity experience but with a more diverse
technical background are applying to cybersecurity jobs. This contributes to a growing
trend of experienced professionals from outside the field joining the cybersecurity
industry midway through their careers, compared with a traditional wave of college
graduates who have more education than on-the-job experience. This new trend helps
normalize cybersecurity as a viable option for capable, experienced professionals from
outside the industry looking to make a midcareer change.
This year, we offer the most detailed look ever at the career choices made by
cybersecurity professionals and how they could impact the industry for generations to
come. After surveying respondents of all ages and backgrounds who are charting new
pathways into and throughout the profession, we found that:
of cybersecurity work?
(Showing Agree/Strongly Agree responses)
59%
We are actively trying to recruit technical people from within our organization
to move to cybersecurity
56%
We see widespread tech layoffs as a chance to get new people into cybersecurity
52%
We are changing our hiring requirements/expectations to accept more applications
from applicants with non-cybersecurity backgrounds
51%
We are actively trying to recruit non-technical people from within our organization
to move to cybersecurity
41%
Base: 6,381-6,484 global cybersecurity professionals
Note: “Don’t know/does not apply” responses were removed from the sample base.
• Challenging work and career advancement are key motivators. After entering
the industry, cybersecurity professionals focus on gaining traction in their new roles
more than anything else. The most popular next milestones in a cybersecurity career
include earning a promotion from a practitioner to a managerial/leadership role
(35%), earning a certification for the first time (32%), changing role directions from a
specialist to a generalist (26%) or changing back from generalist to specialist (19%).
Only 16% report leaving for a new profession, almost the same amount who leave to
pursue higher education in cybersecurity or a related field (14%). This showcases the
“stickiness” of this career path. After joining the industry, cybersecurity professionals
are more motivated to increase responsibility in their current roles and improve
their skills for that role, rather than making another career pivot (see figure 36).
Got an advanced degree (master’s, PhD, etc.) in cybersecurity or other related field
20%
Got an advanced degree (master’s, PhD, etc.) in a field not related to cybersecurity
16%
Got recruited/headhunted
14%
Moved from a generalist role to a specialist role (e.g., application security, cloud security)
19%
Switched from working independently (as a contractor or at my own business) to working at an organization
5%
Base: 12,154 global cybersecurity professionals
Which of the following best describes why you originally entered the cybersecurity
FIGURE 37
profession?
Career advancement
Career advancement opportunities 27% opportunities
Which of the following best describes why you originally entered the cybersecurity
FIGURE 38
profession?
MOTIVATIONS WITH HAPPIEST SECURITY WORKERS MOTIVATIONS WITH LEAST HAPPY SECURITY WORKERS
2% 0% 3%
8% 6% 16%
Base: 695 global cybersecurity professionals who started in the past 12 months; 356 surveyed in 2022 and 610 surveyed in 2021
Note: Total percentages may not equal separate values due to rounding.
FIGURE 40
Which of the following best describes why you originally entered the cybersecurity
FIGURE 41
profession?
(Showing top motivating factors)
I thought 27% Career 26% Career 27% I did some 30% I did some 31%
I would advancement advancement cybersecurity work cybersecurity work
enjoy the opportunities opportunities while in another while in another
work role (e.g., general role (e.g., general
IT) and enjoyed it IT) and enjoyed it
Potential 27% I thought 26% High 25% Career 28% Career 31%
for high I would demand advancement advancement
compensation/ enjoy the for skills opportunities opportunities
salary work
Career 24% Potential 25% I thought 25% High 25% It fit my 28%
advancement for high I would demand skill
opportunities compensation/ enjoy the for skills set/education
salary work
High 24% High 25% I did some 25% It fit my 24% Ability to 28%
demand demand cybersecurity work skill solve problems
for skills for skills while in another set/education
role (e.g., general
IT) and enjoyed it
Ability to 24% Ability to 22% Potential 24% Ability to 24% High 26%
solve problems solve problems for high solve problems demand
compensation/ for skills
salary
Cybersecurity career paths are shaped by the professionals with traditional and
non-traditional experiences who get hired, as well as the organizations that make
the decisions to hire them. As more professionals with diverse backgrounds join the
industry, new pathways open and evolve the expectations and recruiting habits of
hiring managers.
Here are our key takeaways for organizations and professionals with the ability to
impact the career pathways for a new generation of cybersecurity professionals:
As with pathways into the field, the demand for new cybersecurity skills is evolving.
Cloud computing security continues to be the most desired technical skill set, but
the perceived demand for AI/machine learning skills is growing quickly. In addition,
the unstable market environment gives rise to a demand for more curious and
communicative employees with professional experience. Those with technical on-the-
job experience and relevant certifications are more attractive to recruiters than those
entering the market with just a degree.
• Cloud computing security is a critical skill, but it’s in short supply. Cybersecurity
professionals (non-hiring managers) consider cloud computing security to be
the most in-demand skill for those looking to advance their careers (47%). Hiring
managers continue to validate this perception — for the second year in a row, cloud
computing security (32%) is the most desirable skill sought by cybersecurity hiring
managers who are looking for recruits. Hiring managers are also prioritizing risk
assessment, analysis and management (31%); security analysis (28%); and security
engineering (28%) as attractive skills for prospective employees (see figure 42).
Contributing to the high demand for cloud computing security skills is the
aforementioned supply shortage of cybersecurity professionals who have
experience in this area. As previously reported, cybersecurity professionals said that
cloud computing security is the number one area where there are skills gaps on
their team (35%). This only makes the skill more attractive to hiring managers.
• Demand for AI/ML skills is growing. Although it’s not currently a top requirement
from hiring managers, the demand for artificial intelligence skills is growing in the
eyes of the average cybersecurity professional. AI/ML skills (28%) are among the top
five categories for in-demand skills (see figure 43). As recent as our 2022 study, AI/
ML did not even make the top ten for most in-demand skills and was ranked close to
the bottom. In the coming years, this skill has the potential to spike in demand as AI
matures and influences various aspects of cybersecurity threats and defense.
for right now when hiring? are most in demand for security
professionals looking to advance their
(Showing top ten responses)
careers (via new jobs and promotions)?
(Showing top ten responses)
What are the top five most important qualifications for cybersecurity
FIGURE 43
2022 2023
30%
Entry-level Entry-level education (e.g., bachelor’s degree
in related field or basic certification)
cybersecurity
experience is preferred
to entry-level degrees
70%
Base: 13,742
37%
Mid-level (non-cyber) Entry-level cybersecurity experience
(1 to 3 years)
experience is preferred
to entry-level cyber
experience
63%
Base: 13,615
14%
Senior-level Advanced doctoral degree
cybersecurity
experience is perceived
as far more valuable
than advanced degrees
86%
Base: 13,500
46%
Independent competition experience
Certifications are (e.g., hackathon, capture the flag, etc.)
more valuable than
independent experience
54%
Base: 13,222
Cybersecurity certification
34%
Bachelor’s degree in related field
Certifications are more
valuable than entry-level
degrees
66%
Base: 13,496
Cybersecurity certification
Here are our key takeaways for organizations and professionals looking to hire, nurture
and develop skill sets to fill gaps and improve the future of work:
Both employees and their organizations have expressed resilience and dedication
to certifications in an uncertain economy. Even amid corporate cutbacks like hiring
freezes and job layoffs, more than half of professionals are offered reimbursements for
certification exams by their employer. Employers that do so are successful at filling skills
gaps.
We spoke to more than 14,000 cybersecurity professionals to learn about how and when
they plan to earn certifications and found that:
Currently pursuing
16% 17%
4% 3%
Other motivators include staying current with security trends (53%) and the sheer
enjoyment of the challenge (43%) (see figure 46). Those with high school diplomas
agree more with this (47%) than those with more advanced degrees (42%).
Professionals without undergraduate or graduate degrees use certifications to
demonstrate their cybersecurity knowledge, skills and abilities.
To improve my skills
65%
It is required for a job that I’m applying to/want to apply to outside of my organization
17%
development initiatives/incentives?
Employees are taking action to fill these gaps. 56% of cybersecurity professionals
at organizations with critical skills gaps plan to get a vendor-neutral certification
within the next year.
Here is a key takeaway for companies that want to show their dedication to
employees’ professional development:
• Organizations need more than just money to promote skills growth. Even
amid corporate cutbacks like hiring freezes and layoffs, more than half of
professionals are still offered reimbursements for certification exams by their
organizations. This is an important step toward encouraging skills development,
but to truly signal to your employees that you care about their growth, you need
to give them time to earn it. Reserving specific blocks of study time for certification
or professional development seminars on a biweekly or even monthly basis will
help to signal to your employees that you care about their skills growth. It will also
provide breathing room for employees who feel overworked or those without
the ability to dedicate time outside their workday to focus on training rather than
emails or personal responsibilities.
Three out of four cybersecurity professionals view the current landscape as the most
challenging it’s been in the past five years. The modern economic environment has
increased the risk of malicious insiders, and staff/skill shortages impede the ability
of cybersecurity teams to properly secure their organizations. As professionals adapt
to today’s challenges, they are also looking to the horizon for emerging threats and
opportunities.
Here is what we learned from cybersecurity professionals who are adapting to today’s
challenges while preparing for the future of work:
• For most, the threat landscape has reached a peak. 75% of all respondents
view the current threat landscape as the most challenging it’s been in the past
five years (see figure 48), and this varies by industry. Respondents from some
industries indicated more sensitivity than others to the modern environment:
those in healthcare (79%), military (79%), energy/power/utilities (79%), government
(78%) and manufacturing (77%) industries agree/strongly agree that they have
reached their peak threat level since 2018. Even those that are less sensitive like
automotive (64%), construction (65%) and telecom (69%) still mostly agree with this
sentiment (see figure 49).
of cybersecurity work?
(Showing Agree/Strongly Agree responses)
Healthcare Transportation
79% 70%
79% 70%
Energy/power/utilities Telecommunications
79% 69%
Government Construction
78% 65%
Manufacturing Automotive
77% 64%
• Staff and skill shortages have shaped the current threat landscape.
In the past 12 months, worker/skills shortages (45%) have been the number one
challenge faced by cybersecurity professionals (see figure 50). Geography is a
key differentiator here, as respondents in North America (55%) have felt a more
significant impact from these shortages than those in other parts of the world like
Europe (42%), the Middle East and Africa (42%), Latin America (32%) and Asia-
Pacific (31%). This contextualizes the roughly 20% workforce gap increase within
North America.
past 12 months?
Worker/skill shortages in the workforce
45%
Insider threats
38%
Keeping up with changing regulatory requirements (e.g., PCI v4.0, GPDR, AI regulations,
breach disclosure requirements, etc.)
37%
Risks of emerging technologies like blockchain, AI, VR, quantum computing,
intelligent automation, etc.
36%
Addressing risks from an employee’s home environment
35%
Cyberattacks stemming from cyber operations as a precursor to military conflict,
tactic of military operations or tool of retaliation
31%
Adapting to risks from advances in employee computing technologies
(e.g., increased prevalence of sensors, AI, etc.)
30%
Misinformation and disinformation sowing confusion among executives
and the board about cyber risks
30%
Keeping up with environmental regulatory requirements about cyber risks
19%
Addressing the impact of cyber insurance premium increases on the security
program and practices
19%
Tension between tenured and junior security employees
15%
Base: 14,865 global cybersecurity professionals
26%
13%
15%
Strongly agree Strongly agree 11%
25%
22%
20%
24%
Neither agree Neither agree 28%
30%
or disagree 21% or disagree
20%
11%
24% 20%
Disagree Disagree 16%
11%
9%
11%
11%
Strongly Strongly 6%
2%
disagree 5% disagree
3%
• Malicious insiders are on the rise. 71% of respondents agree that times of
economic uncertainty increase the risk of malicious insiders, which next to staff/
skill shortages were ranked the second biggest challenge (38%) for cybersecurity
professionals in the near term. Even more significant: Half of all cybersecurity
professionals taking part in this study have had personal or secondhand contact
with a malicious insider within the past year (see figure 52).
50%
I have been approached by a malicious actor
wanting me to act as a malicious insider 16%
Food/beverage/hospitality/travel Aerospace
60% 48%
Construction Healthcare
59% 46%
59% 46%
Retail/wholesale Government
59% 45%
IT services Education
57% 42%
What are the biggest challenges that cybersecurity professionals will have
FIGURE 54
Risks of emerging technologies (e.g., blockchain, AI, VR, quantum computing, intelligent
automation, etc.)
45%
Keeping up with changing regulatory requirements (e.g., PCI v4.0, GPDR, AI regulations,
breach disclosure requirements, etc.)
38%
Cyber attacks stemming from cyber operations as a precursor to military conflict, tactic
of military operations, or tool of retaliation
36%
Insider threats
35%
Misinformation and disinformation sowing confusion among executives and the board
about cyber risks
27%
Addressing the impact of cyber insurance premium increases on the security program
and practices
18%
do you believe will have the greatest positive impact on your ability to
secure your organization?
Automation in cybersecurity
40%
Advancements in AI
30%
Passwordless authentication
22%
Quantum computing
13%
Hardware-based/firmware security
13%
Blockchain
10%
21%
Currently regulating
45%
We need to learn more
before regulating 18%
Planning to regulate within
the next 12 months
14%
Expanding regulation
3%
Decreasing/removing regulation
Here is our takeaway after speaking with cybersecurity professionals about AI:
The good news? Our study reveals that proactive organizations and leadership
can make a powerful difference for their cybersecurity teams right now.
Organizations that invest in their teams benefit from more engaged and satisfied
workers dedicated to their mission despite mounting economic pressure, a
heightened threat landscape and the uncertain, looming impact of emerging
technologies such as AI.
The private sector can’t do it alone. It is also time for lawmakers, policymakers
and regulators around the world to listen to the cybersecurity workforce.
Governments need to coordinate and harmonize efforts because cybersecurity
is a global challenge. Cybersecurity professionals need supportive environments
wherever they work, with sound policies that make sense and don’t add to the
burden of already-understaffed teams. Policymakers are making tremendous
progress in prioritizing cybersecurity, but equally important to the urgency
needed to address these matters is to ensure these efforts become enablers
for cybersecurity professionals and not obstacles. Governments and regulators
must focus on encouraging a skilled workforce, providing the right tools and
resources and most importantly, listening to and heeding professionals’ advice.
Doing so is vital to successfully defending our critical assets around the world.
The 2023 ISC2 Cybersecurity Workforce Study saw our largest participation yet.
Its insights create the foundation for smarter decisions and policies that will
make meaningful and lasting contributions to a safe and secure cyber world.
This year, our method compiles a variety of secondary data sources in combination
with proprietary survey data to create a single, holistic estimate. This tactic of
combining multiple different methodological approaches keeps any single number
from disproportionately influencing the final estimate.
The estimate of the global cybersecurity workforce begins with estimates of the US
workforce, as the US provides a crucial combination of a robust sample and reliable
secondary data sources. The US estimate is derived from three main methodological
groups:
The US estimate provides a baseline for the estimates of the rest of the world.
Estimates for other countries used similar methods except replacing third-party
estimates for estimates derived from the US baseline; most countries did not have
reliable third-party estimates. The secondary data estimates for countries outside
of the US came primarily from the Organisation for Economic Co-operation and
Development (OECD). China and India, while included in the gap estimate, were
excluded from the workforce estimate due to a lack of reliable secondary sources.
The workforce gap used similar approaches to the estimate of the total cybersecurity
workforce. A combination of survey-based, trending and third-party methodologies
provided the US estimate, which was then used as the baseline for the rest of the
world. The basic calculation for the workforce gap comes down to: gap equals demand
minus supply.
• Supply is defined as the number of workers who will enter the field over the next
12 months minus the number of workers who will leave the field.
In total, this makes the equation for calculating the gap: workforce gap equals (total
demand over the next 12 months minus the current workforce) minus (number of
workers entering the field minus number of workers leaving the field).
WORKFORCE
GAP = DEMAND - SUPPLY
TOTAL
DEMAND - CURRENT
WORKFORCE NUMBER OF NEW
CYBERSECURITY
-
NUMBER OF
WORKERS
LEAVING
WORKERS
CYBERSECURITY
2,500-4,999 9% Consulting 7%
250-499 7% Telecommunications 4%
100-249 7% Manufacturing 4%
5-9 1%
2-4 1%
IT security manager 7%
IT manager 7%
Independent contractor/ 4%
consultant
Retired 1%
50%-74% 25%
25%-49% 21%
1%-24% 13%
HIRING AUTHORITY
45-49 15.5%
39-44 20.7%
35-38 13.0%
30-34 11.9%
23-29 6.7%
Under 23 0.3%
Japan 6% California 8%
Canada 5% Maryland 6%
China 4% Florida 6%
Singapore 3% Colorado 4%
India 3% Georgia 4%
Australia 3% Washington 3%
Netherlands 3% Illinois 3%
France 2% Ohio 3%
Brazil 2% Massachusetts 2%
Mexico 1% Washington, DC 2%
Nigeria 1% Alabama 2%
Hong Kong 1%
Switzerland 1%
Taiwan 1%
GENDER OF RESPONDENTS
Other 3%
Female 16%
Male 77%
Intersex 0.2%
Transgender 0.3%
Nonbinary 0.3%
ABOUT ISC2
ISC2 conducts in-depth research into the challenges and opportunities facing the
cybersecurity profession. The ISC2 Cybersecurity Workforce Study is conducted
annually to assess the cybersecurity workforce gap, to better understand the barriers
facing the cybersecurity profession and to uncover solutions that enable individuals
to excel in their profession, achieve their career goals and better secure their
organizations’ critical assets.
The 2023 ISC2 Cybersecurity Workforce Study is based on online survey data collected
in collaboration with Forrester Research, Inc. in April and May 2023 from 14,865
individuals responsible for cybersecurity at workplaces throughout North America,
Latin America (LATAM), the Asia-Pacific region (APAC) and Europe, Africa and the
Middle East (EMEA). Respondents in non-English-speaking countries completed a
locally translated version of the survey.