0% found this document useful (0 votes)
104 views84 pages

ISC2 Cybersecurity Workforce Study 2023

The study found that the global cybersecurity workforce and workforce gap have both grown in the past year. It also found that cybersecurity professionals are facing challenges like cutbacks, staffing shortages, skills gaps, and an unprecedented threat landscape. While job satisfaction took a slight dip, the majority remain satisfied with their jobs.

Uploaded by

thecodehasbytes
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
104 views84 pages

ISC2 Cybersecurity Workforce Study 2023

The study found that the global cybersecurity workforce and workforce gap have both grown in the past year. It also found that cybersecurity professionals are facing challenges like cutbacks, staffing shortages, skills gaps, and an unprecedented threat landscape. While job satisfaction took a slight dip, the majority remain satisfied with their jobs.

Uploaded by

thecodehasbytes
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 84

ISC2 CYBERSECURITY WORKFORCE STUDY

How the Economy, Skills Gap and


Artificial Intelligence are Challenging the
Global Cybersecurity Workforce
2023

ISC2 Cybersecurity Workforce Study, 2023 1


Table of Contents

Executive Summary 3

Key Findings 5
Workforce Gap & Estimate 9

Current State of the Cybersecurity Workforce 13

Culture & DEI 32


New Career Pathways 44
Skills in Demand 53
Certifications 60
Cybersecurity Landscape: Present & Future 66
Conclusion 78
Appendix 79

ISC2 Cybersecurity Workforce Study, 2023 2


Executive Summary

Cybersecurity professionals are facing greater pressures than ever that diminish their
ability to defend institutions and organizations around the world from ever-increasing
threats.

Dealing with emerging challenges with grave consequences is not a new phenomenon for
cybersecurity professionals. However, our study shows that a perfect storm of economic
uncertainty, rapidly emerging technologies, fragmented regulations and ever-widening
workforce and skills gaps is creating huge uncertainty for a profession whose role it is to
protect global infrastructure and systems from attack. The cybersecurity workforce needs
more support and investment from leaders across the public and private sectors.

This piles on top of nearly three years of rapidly evolving business and threat
environments that started with cybersecurity professionals securely transitioning their
organizations through accelerated work-from-home and cloud services deployments
in response to the COVID-19 pandemic. And critical vulnerabilities across entrenched
platforms continue to be exploited throughout the IT services and software supply chains.
When war broke out in Eastern Europe, the conflict in Ukraine ushered in a new era of
cyber warfare.

Today, cybersecurity professionals continue to contend with challenges that have built
since the outbreak of COVID, while also facing the consequences of greater economic
pressure across the globe. Cybersecurity leaders and professionals at all levels are
adjusting to staff layoffs and budget cutbacks. For the first time since the beginning of the
2020 pandemic, many study participants expect cybersecurity hiring to decrease in their
organizations over the next year. The pressure on the workforce is real, with our study
finding a modest decrease in job satisfaction for the first time. Many professionals remain
concerned that leadership in their organizations does not listen to their guidance, which
creates additional risk. They also say the threat landscape is the worst it’s been in the last
five years, with reports of malicious insiders increasing.

Meanwhile, the disruptive arrival of the latest generation of artificial intelligence brings
additional uncertainty. Will AI advance how we identify and respond to threats? Will
AI force us to rethink security roles and responsibilities that may eliminate jobs or
create new ones? Does AI herald a new era of rapidly evolving threats? Will AI foster
a combination of all three scenarios, as well as others we have not yet imagined?
Cybersecurity professionals remain both optimistic and cautious about AI.

ISC2 Cybersecurity Workforce Study, 2023 3


Despite these headwinds, the workforce — and demand for their expertise — continues
to grow. We estimate the size of the global cybersecurity workforce at 5.5 million —
a 9% increase from 2022, and the highest we’ve ever recorded. Conversely, the global
workforce gap continues to grow even faster: The gap grew by 13% from 2022, which
means that in 2023 there are roughly 4 million cybersecurity professionals needed
worldwide. The profession needs to almost double to be at full capacity.

Our study also reveals how the ongoing workforce gap and pressures from budget
cutbacks and layoffs are creating critical workforce skills gaps. Study participants
expressed concern that skills gaps leave their organizations more vulnerable than the
lack of qualified team members. This is highlighted
even more as rapidly evolving technologies like AI
expose gaps in knowledge and experience, as well
as in risk management processes. Organizations and

75%
policymakers need strategies to address both, and
our study reveals solutions to help mitigate these risks
despite the global workforce and skills deficits.
said the current threat
Our review of career pathways, shifting demographics
landscape is the most for new entrants into the field, adoption of new hiring
challenging it has been practices and investment in developing and retaining
in the past five years. existing staff reveal how organizations are mitigating
risk, keeping staff engaged and offsetting the impacts
of budget cutbacks.

For this report, we surveyed a larger and more


geographically diverse audience than ever before — 14,865 international practitioners
and decision-makers. These cybersecurity professionals span the globe from North
America to Asia, Latin America, Europe, the Middle East and Africa. This report
captures their perspectives and experiences. We are pleased to celebrate and share
their creativity, resiliency and dedication. This report presents valuable findings to
cybersecurity professionals and leaders, executives, policymakers and others to reveal
solutions to the top challenges facing the workforce today.

ISC2 Cybersecurity Workforce Study, 2023 4


Key Findings

THE CYBERSECURITY WORKFORCE AND GAP HAVE BOTH GROWN. In the past
year, the cybersecurity workforce has grown by 8.7%. In addition, the gap between
the number of workers needed and the number available has also continued to
grow, with a 12.6% increase year over year.

CYBERSECURITY HAS NOT BEEN IMMUNE TO CUTBACKS. 47% of cybersecurity


professionals have dealt with cutbacks to their teams in the form of layoffs, budget
cuts and hiring or promotion freezes. 22% have experienced layoffs,
and 31% expect additional cutbacks in the next year.

STAFFING SHORTAGES AND SKILLS GAPS ARE CONSISTENT CHALLENGES.


67% of respondents reported that their organization has a shortage of
cybersecurity staff needed to prevent and troubleshoot security issues. And 92%
report having skills gaps in their organization — the most common being cloud
computing security, AI/ML and Zero Trust implementation. We will examine these
skills gaps in depth this year as 67% of those whose organizations had both
shortages in total staff and skills gaps say that skills gaps are often worse.

ISC2 Cybersecurity Workforce Study, 2023 5


ONGOING EDUCATION AND TRAINING HELP SHRINK SKILLS GAPS. 58% of
cybersecurity professionals said that the negative impact of worker shortages
can be mitigated by filling key skills gaps. We found that those who continue their
training, education and certification reimbursement programs were far better
prepared to weather times of economic uncertainty. Organizations with layoffs
who kept these programs, were less likely to experience significant organizational
skills gaps in cybersecurity.

CYBERSECURITY PROFESSIONALS FACE AN UNPRECEDENTED THREAT


LANDSCAPE. 75% of cybersecurity professionals view the current threat landscape
as the most challenging it has been in the past five years, and only 52% believe
that their organization has the tools and people needed to respond to cyber
incidents over the next two to three years. Those with shortages and skills gaps
are far more worried about being able to keep their organizations secure.

TIMES OF ECONOMIC UNCERTAINTY POSE SIGNIFICANT THREATS TO


CYBERSECURITY. 71% of respondents agree that periods of economic uncertainty
increase the risk of malicious insiders. Our study found that 39% of cybersecurity
professionals have been approached or know someone who has been approached
by a malicious actor. Those at companies that have had layoffs in cybersecurity are
three times more likely to have been approached to act as a malicious insider.

ISC2 Cybersecurity Workforce Study, 2023 6


JOB SATISFACTION TOOK A SLIGHT DIP BUT REMAINS HIGH. 70% of
cybersecurity professionals say they are satisfied with their jobs today, which
represents a 4% drop from last year. This seems to be due in large part to
cutbacks and layoffs, which our study shows significantly impact job satisfaction
through overwork and loss of employee trust.

PATHWAYS INTO CYBERSECURITY ARE SHIFTING. We saw a significant shift in


who is entering the cybersecurity profession and how they are doing it. Our study
found that new workers are significantly more likely to have received a bachelor’s
degree in cybersecurity before entering the field and are also more likely to
previously have worked in a non-IT role. They are less likely to have worked in IT
before entering. We also found that there are significantly more people entering
cybersecurity later in their career and that the gender and ethnic breakdowns of
the new workforce have undergone a considerable shift.

ORGANIZATIONS NEED PROFESSIONALS WITH CLOUD COMPUTING SKILLS,


BUT THEY ARE HARD TO FIND. Our study found that cloud computing security
is the skill that hiring managers most look for when hiring. However, it is also the
most common area where respondents cited their organization having a skills gap.

ISC2 Cybersecurity Workforce Study, 2023 7


AI/ML IS BECOMING INCREASINGLY CRITICAL. This year, for the first time, AI/ML
skills were among the top five in terms of demand, representing a significant jump
since last year when they were near the bottom of the list.

CYBERSECURITY PROFESSIONALS VALUE EXPERIENCE OVER FORMAL


EDUCATION. We asked cybersecurity professionals to compare qualifications
to understand what they value most in potential candidates and found that they
value experience over education. Professionals favor senior-level experience over
doctorate degrees (86% vs. 14%) and entry-level cybersecurity experience over
cybersecurity bachelor’s degrees (70% vs. 30%).

ISC2 Cybersecurity Workforce Study, 2023 8


Workforce Gap & Estimate

Cybersecurity is evolving, and so is its workforce. To better understand this ever-


changing field, we first need to understand its scope and scale — how it is growing and
whether the supply of new workers is keeping up with organizational demand. In order
to achieve this, ISC2 introduced the cybersecurity workforce estimate in 2019. This
proprietary methodology integrates a wide array of primary and secondary data sources
to extrapolate the number of workers responsible for securing their organizations (see
Appendix A for details). This year, this number includes four new countries not previously
included in ISC2’s global estimate: Saudi Arabia, the United Arab Emirates, Nigeria and
South Africa.

ISC2 estimates the global cybersecurity workforce at 5.5 million, representing an 8.7%
increase year over year and nearly 440,000 new jobs. All regions saw growth this year,
but these gains are particularly high in our two new Middle East countries, Asia-Pacific
and North America. Japan in particular is growing at a rapid rate — 24% year over year.
Latin America, after years of substantial growth, is starting to balance out, with Brazil
decreasing from an 18.3% growth rate in 2022 to 8.9% this year, and Mexico dropping
slightly year over year (see figures 1-A and 1-B).

2023 Global Cybersecurity Workforce


FIGURE 1-A

5,452,732 +8.7% YoY*

REGIONS

EUROPE
NORTH
AMERICA 1,309,588
+8.2%
+7.2%
1,495,825
+11.3%
+11.3%
ASIA-PACIFIC
MIDDLE EAST 960,231
& AFRICA +11.8%
LATIN +11.8%
AMERICA 401,582
+11.7%
+8.2%
1,285,505
+4.5%
+4.5%

*2023 estimate includes four new countries — United Arab Emirates, Saudi Arabia, Nigeria and South Africa. YoY growth is based on back-estimates for those
countries for 2022.

ISC2 Cybersecurity Workforce Study, 2023 9


FIGURE 1-B
2023 Global Cybersecurity Workforce Estimate

5,452,732 +8.7% YoY*

NORTH AMERICA LATIN AMERICA


USA CANADA MEXICO BRAZIL

1,338,507 157,318 536,027 749,479


+11.0% +13.4% -1.2%
-1.2% +8.9%
+8.9%
+11.0% +13.4%

EUROPE AFRICA
UK FRANCE GERMANY IRELAND SPAIN NETHERLANDS NIGERIA SOUTH AFRICA

367,300 217,190 455,951 19,476 182,144 67,527 25,574 177,802


+8.3%
+8.3% +8.3% -1.9%
-1.9% +10.1% +18.9% +17.1% +6.6%* +6.6%*
+14.5% +10.1% +18.9% +17.1% +6.6%* +6.6%*

ASIA-PACIFIC MIDDLE EAST


AUSTRALIA JAPAN SINGAPORE SOUTH KOREA UNITED ARAB SAUDI ARABIA
EMIRATES

138,860 480,659 76,942 263,771 144,300 53,907


-3.4%
-3.4% +23.8% -0.6%
-0.6% +5.7%
+5.7% +18.0%* +16.2%*
+23.8% +18.0%* +16.2%*

*2023 estimate includes four new countries — United Arab Emirates, Saudi Arabia, Nigeria and South Africa. YoY growth is based on back-estimates for those
countries for 2022.

ISC2 Cybersecurity Workforce Study, 2023 10


Despite the continued growth in the workforce, ISC2’s cybersecurity workforce study
revealed that demand is still outpacing supply. The workforce gap grew an additional
12.6% this year, with the greatest rise in Asia-Pacific (especially Japan and India) and
North America. Areas with particularly rapid growth in supply like the Middle East and
Latin America are starting to finally see demand catch up such that the workforce gap
actually shrank this year (see figures 2-A and 2-B).

It’s important to note what this year’s workforce gap represents. The workforce gap
calculates the difference between the number of cybersecurity professionals that
organizations require to properly secure themselves and the number of cybersecurity
professionals available for hire. The workforce gap does not aim to estimate the actual
current job market for cybersecurity professionals. During times of economic uncertainty,
many organizations have made cutbacks involving hiring freezes and layoffs, which
we discuss in more detail throughout this paper. This, however, does not affect the
workforce gap because organizations’ need for cybersecurity workers remains the same
regardless of whether or not those organizations currently have the funds to actually hire
and employ sufficient staff.

2023 Global Cybersecurity Workforce Gap


FIGURE 2-A

3,999,964 +12.6% YoY*

REGIONS

EUROPE
NORTH
AMERICA 347,761
+8.2%
+9.7%
521,827
+11.3%
+19.7%
ASIA-PACIFIC
MIDDLE EAST
& AFRICA 2,670,316
+11.8%
+23.4%
LATIN 111,801
AMERICA
-7.1%
+8.2%
348,259
-32.5%
-32.5%

*2023 gap includes 4 new countries – United Arab Emirates, Saudi Arabia, Nigeria and South Africa. YoY growth are based on back estimates for those
countries for 2022

ISC2 Cybersecurity Workforce Study, 2023 11


FIGURE 2-B
2023 Global Cybersecurity Workforce Gap

3,999,964 +12.6% YoY*

NORTH AMERICA LATIN AMERICA


USA CANADA MEXICO BRAZIL

482,985 38,842 116,331 231,927


+11.0% +13.4% -1.2% +8.9%
+17.6% +53.0% -42.7% -25.9%

EUROPE AFRICA
UK FRANCE GERMANY IRELAND SPAIN NETHERLANDS NIGERIA SOUTH AFRICA

73,439 59,117 104,660 6,990 74,498 29,058 8,352 57,269


+8.3% +14.5%
-2.9% -1.9%
+0.4% +10.1% +18.9% +17.1% +6.6%* +6.6%*
+29.3% -17.6% +23.3% +10.6% +11.6%* +10.1%*

ASIA PACIFIC MIDDLE EAST


AUSTRALIA JAPAN SINGAPORE SOUTH KOREA CHINA INDIA UNITED ARAB SAUDI ARABIA
EMIRATES

27,756 110,254 3,961 17,611 1,720,941 789,793 31,928 14,252


-3.4% +23.8% +5.7% +10.1% +18.9% +18.0%* +16.2%*
-29.7% +97.6% -34.8% +5.8% +16.1% +40.2% -29.2%* -9.8%*

*2023 estimate includes four new countries — United Arab Emirates, Saudi Arabia, Nigeria and South Africa. YoY growth is based on back-estimates for those
countries for 2022.

ISC2 Cybersecurity Workforce Study, 2023 12


Current State of the Cybersecurity
Workforce
Cutbacks and economic uncertainty add to the existing skills
gap challenge

The current macroeconomic environment has normalized higher costs, lower revenue and
worker shortages. As a result, many organizations are choosing to implement cost-saving
cutbacks (e.g., budget cuts, layoffs, hiring freezes and promotion freezes) to support their
balance sheet. However, these organizational cutbacks — especially within cybersecurity
teams — have implications that extend beyond just cost.

Cybersecurity professionals are critical protectors against risk and vulnerability, but cutbacks
throttle their productivity, satisfaction and skill development. In this study, cybersecurity
professionals share how cutbacks and related challenges like staffing shortages and skills
gaps truly impact their day-to-day work, so organizations can discover opportunities for
improvement.

After surveying 14,865 cybersecurity professionals, we found that:

• Cutbacks are a pervasive challenge for cybersecurity professionals. Overall, 47% of


cybersecurity workers have experienced cybersecurity-related cutbacks (layoffs, budget
cuts, hiring or promotion freezes) — and 22% of this group have been impacted by
layoffs (both firsthand and secondhand) within cybersecurity. An additional 28% have had
layoffs elsewhere in their organizations, which can significantly affect the cybersecurity
workforce (see figure 3). 41% of respondents feel as though cutbacks have affected their
security team disproportionately in comparison to the rest of their organization. And, as
we’ll discuss more in depth later in the paper, cutbacks to both the cybersecurity team
and the rest of the organization can create significant cybersecurity risks.

Has your organization experienced the following cutbacks in the past 12 months?
FIGURE 3

Yes, in cybersecurity Yes, but not in cybersecurity No, we have not experienced this

Hiring freeze
32% 26% 42%

Budget cuts
30% 32% 38%

Freeze on promotions/raises
26% 22% 52%

Layoffs
22% 28% 50%

Base: 11,656-12,200 global cybersecurity professionals


Note: “Don’t know/does not apply” responses were removed from the sample base.

ISC2 Cybersecurity Workforce Study, 2023 13


• Cutbacks impact some industries and regions significantly more than others.
All major industries have experienced cutbacks, but the entertainment, construction,
automotive and tech sectors have been hit particularly hard by layoffs in cybersecurity
(see figure 4). Geographically, Latin America has seen the greatest layoffs, followed by
the Middle East and Africa (see figure 5). Latin America has seen rapid growth over the
past few years within its cybersecurity workforce, so this could be the beginning of a
level-setting for that growth as the workforce more accurately reflects demand.

Has your organization experienced layoffs in the past 12 months?


FIGURE 4

(Showing percentage of layoffs in cybersecurity in the past year)

INDUSTRIES WITH FEWEST LAYOFFS IN CYBER INDUSTRIES WITH MOST LAYOFFS IN CYBER

Military/military contractor 8% Entertainment/media 33%

Government (non-military) 9% Construction 31%

Education 13% Security software/ 31%


hardware development
Aerospace 13% Automotive 29%

Transportation 16% Hosted/cloud services 29%

Base: 145-1,306 global cybersecurity professionals in listed industries


Note: “Don’t know/does not apply” responses were removed from the sample base.

Has your organization experienced layoffs in the past 12 months?


FIGURE 5

(Showing percentage of layoffs in cybersecurity in the past year)

COUNTRIES WITH FEWEST LAYOFFS IN CYBER COUNTRIES WITH MOST LAYOFFS IN CYBER

Hong Kong 11% Brazil 38%

United States 18% Mexico 37%

Saudi Arabia 19% Nigeria 33%

Canada 21% United Arab Emirates 33%

Singapore 23% China 31%

Base: 121-5,479 global cybersecurity professionals in listed countries


Note: “Don’t know/does not apply” responses were removed from the sample base.

ISC2 Cybersecurity Workforce Study, 2023 14


• Cutbacks create a ripple effect for cybersecurity teams. As a result of cutbacks,
organizations are consolidating resources and restructuring, often changing the
way cybersecurity professionals operate. 53% say that cutbacks have resulted in
delays in purchasing or implementing technology, while 40% of those with cutbacks
have had their security teams restructured or moved within their organization. 35%
have even eliminated cybersecurity training programs, which are a critical resource
for developing skills and closing skills gaps.

Cutbacks also impact cybersecurity organizations at the team and individual


level. 71% of cybersecurity professionals have experienced a negative impact on
their workload as a result of cutbacks. Almost two-thirds of professionals say that
cutbacks also degrade productivity, team morale and the ability to prepare for
future threats. Insider risk and threat response are two additional key elements of
the impact of cutbacks at the team level. More than half of professionals (57%) felt
that their threat response was inhibited by organizational cutbacks, and 52% saw
an increase in insider risk-related incidents (see figure 6).

Which of the following effects has your organization/team experienced as a result


FIGURE 6

of cutbacks?
IMPACT OF CUTBACKS ON CYBERSECURITY ORGANIZATION

53%
There have been
40%
The security team
35%
The organization
delays in purchasing/ was restructured has changed
implementing or moved within its strategic
technology the organization direction

35%
Cybersecurity training
29%
Cybersecurity
24%
Cybersecurity
programs have been certifications/education software licenses
cut (e.g., professional reimbursements have have not been
development) been cut renewed
Base: 9,822 global cybersecurity professionals whose organizations had cutbacks over the past 12 months
Note: “Don’t know/does not apply” responses were removed from the sample base.

IMPACT OF CUTBACKS ON CYBERSECURITY PROFESSIONALS AND TEAMS

71%
Increase in
63%
Cybersecurity
62%
Productivity
62%
Ability to prepare
workload team morale for future threats

61%
Skills gaps
57%
Ability to
52%
Increase
on the respond to in insider
cybersecurity cybersecurity risk-related
team threats incidents
Base: 8,598-8,907 global cybersecurity professionals
Note: “Don’t know/does not apply” responses were removed from the sample base.

ISC2 Cybersecurity Workforce Study, 2023 15


These cutbacks are expected to continue. 31% of respondents expect there to be
additional cutbacks within cybersecurity at their organization, and 70% expect those
cutbacks to include layoffs. 54% expect additional cutbacks in their organizations in
general, whether in cybersecurity or not.

• Perceptions may differ from reality. Nearly two-thirds of cybersecurity workers


know someone who was laid off this year. This includes cybersecurity and non-
cybersecurity workers at their own organization, along with cybersecurity and
non-cybersecurity workers at other organizations (see figure 7). Seeing cybersecurity
peers laid off at other organizations can significantly affect workers’ perceptions of
their own companies. Even if a respondent didn’t know someone who was laid off
from their own organization, if they knew someone who was let go from another
organization this year, they were nearly three times as likely to expect to see layoffs
within their own organization over the next 12 months (see figure 8).

Did you know anybody personally who was laid off in the past 12 months in any
FIGURE 7

of the following groups?

18% Cybersecurity personnel at my organization

27% Cybersecurity personnel at other organizations

64%
29% Non-cybersecurity personnel at other organizations

30% Non-cybersecurity personnel at my organization

36% I do not know anybody personally who was laid off

Base: 14,009 global cybersecurity professionals


Note: “Don’t know/does not apply” responses were removed from the sample base.

ISC2 Cybersecurity Workforce Study, 2023 16


Did you know anybody personally who was laid off in the past 12 months in any
FIGURE 8

of the following groups?

EXPECT TO SEE LAYOFFS IN CYBERSECURITY AT


THEIR ORGANIZATION OVER THE NEXT 12 MONTHS

32%

12%

Know cybersecurity person from Do not know cybersecurity person


another org that was laid off from another org that was laid off

Base: 9,676 global cybersecurity professionals who do not know a cybersecurity worker from their organization who was laid off in the last 12 months
Note: “Don’t know” responses were removed from the sample base.

ORGANIZATIONS HAVE STAFFING SHORTAGES AND SKILLS GAPS BUT ARE


FINDING SOLUTIONS

Staffing Shortages Are Expected to Get Worse but Are Also Perceived Differently
Based on Seniority

Though the need for cybersecurity staff is as great as it’s ever been, layoffs and
cutbacks — among other factors — have caused significant staffing shortages and skills
gaps within cybersecurity. We found that there’s a shortage of staff to prevent and
troubleshoot security issues — and a lack of budget is a common cause.

ISC2 Cybersecurity Workforce Study, 2023 17


67% of respondents reported that their organizations have a shortage of the
cybersecurity staff needed to prevent and troubleshoot security issues (see figure 9).
Layoffs clearly play a role in this: 28% of those who have had cybersecurity layoffs report
significant staffing shortages compared to 18% of those who have not had cybersecurity
layoffs in the past 12 months. When asked to name the biggest cause of staffing
shortages, 34% of respondents indicated a lack of budget as the leading cause, which has
increased compared to 2022 (29%). Respondents were also less likely to cite problems
with attrition compared to last year (27% vs. 34%) (see figure 10).

Which of the following best describes how you feel about the number
FIGURE 9

of cybersecurity employees your organization currently employs to


prevent and troubleshoot cybersecurity issues at your organization?

My organization has a significant shortage of cybersecurity


staff to prevent and troubleshoot cybersecurity issues Which industries have the
greatest staffing shortages?
21%
67% Industry

Education
Percentage
with staffing
shortages
78%
Government (non-military) 78%
My organization has a slight shortage of cybersecurity Non-profit 76%
staff to prevent and troubleshoot cybersecurity issues Military/military contractor 76%
Aerospace 75%

46% Healthcare
Automotive
74%
71%
Energy/power/utilities 70%
Insurance 69%
Food/beverage/hospitality/travel 68%
Transportation 68%
My organization has the right amount of cybersecurity
Entertainment/media 67%
staff to prevent and troubleshoot cybersecurity issues Manufacturing 67%
Non-security software/

30%
67%
hardware development
Retail/wholesale 63%
Agriculture 62%
Construction 62%
Financial services 62%
Telecommunications 62%
My organization has a surplus of cybersecurity staff
Engineering 61%
to prevent and troubleshoot cybersecurity issues Security software/
60%
hardware development

2% Hosted/cloud services
Consulting
55%
54%

Base: 8,212 global cybersecurity professionals.


Note: Percentages may not total 100 due to rounding; “Don’t know/does not apply” responses were removed from the sample base.

ISC2 Cybersecurity Workforce Study, 2023 18


You indicated that your organization has a shortage of cybersecurity
FIGURE 10

staff. What do you think is the biggest cause for this shortage?

41% 4% 34% 5% 30%


My organization My organization My organization
can’t find enough doesn’t have doesn’t pay a
qualified talent the budget competitive wage

27% 7% 24% 24%


My organization is Leadership misaligns staff My organization can’t
struggling to keep up resources (i.e., we have too offer opportunities
with turnover/attrition much staff in some areas for growth/promotion
and not enough in others) for security staff

23% 20%
My organization doesn’t My organization
put enough resources into doesn’t prioritize
training non-security IT staff security
to become security staff

17% 15%
My organization My organization
doesn’t have plans in doesn’t sufficiently
place to backfill roles train staff

Base: 5,526 global cybersecurity professionals


Note: “Don’t know/does not apply” responses were removed from the sample base.

Skills Gaps Are Common but Can Be More Challenging Than Staffing Shortages

Staffing shortages (i.e., shortages in the number of total cybersecurity workers at an


organization) aren’t the only way that organizations can be lacking in their cybersecurity
workforce. This year, we are diving into the subject of skills gaps. A skills gap is an area
in which cybersecurity teams lack workers with proficiency or expertise in particular
skills that are necessary to function effectively.

ISC2 Cybersecurity Workforce Study, 2023 19


We have found that there is a clear and critical need
to fill skills gaps in the cybersecurity profession.
By identifying the areas in which these gaps exist
and which skills are most desirable, we can better
understand the pain points and get closer to a
solution. We found that: 58%
• Nearly all organizations have cybersecurity believe that the
skills gaps. 92% of cybersecurity professionals negative impact of worker
say their organization suffers from skills gaps in shortages can be mitigated
one or more areas, and 43% cite one or more by filling key skills gaps.
significant or critical skills gap at their organization
(see figure 11). Skills gaps range from technical
skills like penetration testing and Zero Trust
implementation to non-technical skills like communication. Layoffs have an outsized
effect on skills gaps. Most organizations that have had cybersecurity layoffs (51%)
have been impacted by one or more significant skills gaps compared to just 39%
of organizations that have not had layoffs (see figure 12). In fact, layoffs seem to
have a greater effect on skills gaps than they do on total staffing shortages.

To what extent does your organization’s security team have one or more
FIGURE 11

skills gaps?

We have one or more critical skills gaps


17%

92%
We have one or more significant skills gaps
26%

We have one or more moderate skills gaps


31%
We have one or more slight skills gaps
17%
We do not have any skills gaps
8%
Base: 12,468 global cybersecurity professionals
Note: “Don’t know/does not apply” responses were removed from the sample base; Total percentages may not equal separate values due to rounding.

ISC2 Cybersecurity Workforce Study, 2023 20


To what extent does your organization’s security team have one or more
FIGURE 12

skills gaps?
Have had layoffs in cybersecurity Have not had layoffs

23%
We have one or more critical skills gaps
15%

29%
We have one or more significant skills gaps
24%

26%
We have one or more moderate skills gaps
33%

16%
We have one or more slight skills gaps
19%

We do not have any skills gaps 7%


9%

Base: 7,900 global cybersecurity professionals


Note: “Don’t know/does not apply” responses were removed from the sample base.

ISC2 Cybersecurity Workforce Study, 2023 21


• Skills gaps are often worse than shortages. Organizations may have a number of
cybersecurity workers, but if those workers all lack certain critical skills, that surplus
of headcount can be completely negated. 59% of cybersecurity workers said that
skills gaps can be worse than total worker shortages. This number is even higher
(67%) among workers whose organization actually has both skills gaps and total
staffing shortages (see figure 13).

To what extent do you agree or disagree with the following statements


FIGURE 13

about hiring and recruiting cybersecurity roles at your organization?

59% 58%


“ “
of respondents agree/strongly agree that of respondents agree/strongly agree that
Skills gaps can be worse than
total worker shortage gaps.
We can help mitigate worker
shortages if we have efficient

distribution of skills across the team.

Base: 13,105-13,148 global cybersecurity professionals


Note: “Don’t know/does not apply” responses were removed from the sample base.

67% of those whose


67%
organizations have both skills
gaps and worker shortages
agree that skills gaps can
be worse than total worker
shortages compared to
52% of those who have
52%
neither.

ISC2 Cybersecurity Workforce Study, 2023 22


The survey also revealed opportunity here, as 58% of respondents also believe that
the negative impact of worker shortages can be mitigated by filling key skills gaps.
This places critical priority on identifying and taking action to educate employees
in vital areas of cybersecurity knowledge or providing reimbursements to explore
external professional development or third-party certifications/education.

• Recruiting issues and lack of strategic budgeting also drive skills gaps. The two
most common reasons for skills gaps cited by respondents were the inability to find
the people with the skills they need and the struggle to keep people with in-demand
skills due to low wages, lack of promotion opportunities, etc. (see figure 14). Offering
sufficient compensation plays a big role here: 58% of cybersecurity workers at
organizations that do not offer a competitive salary say their organization has skills
gaps because they struggle to keep people with in-demand skills. In comparison, only
38% of those at organizations that pay competitive wages see skills gaps. And overall,
48% of organizations that don’t offer competitive salaries have significant skills gaps,
compared with 31% of those organizations that do offer competitive compensation.

48%
of respondents at organizations that
don’t offer competitive salaries have
significant skills gaps, compared with

31%
of those organizations that do offer
competitive compensation.

ISC2 Cybersecurity Workforce Study, 2023 23


You indicated that your organization has one or more skills gaps. What do you
FIGURE 14

think are the biggest causes for these gaps?


(Showing top nine ranked responses)

44% 42%
My organization can’t find In general, we struggle to keep
people to hire with the people with in-demand skills
skills we need (e.g., due to low wages, lack of
promotion opportunities, etc.)

41% 36%
My organization doesn’t Leadership misaligns staff
have the budget to hire resources (i.e., too much staff
enough people in some areas and not enough
in others)

33% 32%
My organization doesn’t put enough People with these skills
resources into training non-security recently quit, and we
IT staff to become security staff haven’t replaced them

31% 25%
My organization doesn’t People with these skills
sufficiently train staff recently were laid off, and
we haven’t replaced them
Base: 12,011 global cybersecurity professionals
Note: “Don’t know/does not apply” responses were removed from the sample base.

• Cybersecurity hiring managers are held back by their organizations’ policies.


Times of economic uncertainty present a critical opportunity for organizations
to encourage new pathways for cybersecurity careers while filling skills gaps.
Respondents cite a lack of training resources for non-security IT staff to become
cybersecurity professionals (33%) as another top cause of skills gaps at their
organizations. In the New Career Pathways section of this paper, we highlight how
more technically experienced professionals with no prior cybersecurity experience
are interested in joining the profession. These motivated professionals are applying
for positions and joining cybersecurity teams, but some organizations are still too
reluctant to broaden their hiring scope.

ISC2 Cybersecurity Workforce Study, 2023 24


Cybersecurity hiring managers are more likely to agree than non-hiring
managers that their organizations are too reluctant to hire certain types of
employees. Roughly half (45%) say that they are too reluctant to hire entry-level
employees or that they rely too heavily on education/degrees when looking for
applicants (45%) (see figure 15).

To what extent do you agree or disagree with the following statements about
FIGURE 15

hiring and recruiting cybersecurity roles at your organization?


(Showing Somewhat/Completely agree responses)

Non-hiring manager Hiring manager

My organization is reluctant 36%


to hire entry-level employees
with little experience 45%

My organization relies too 34%


heavily on education/degrees
when looking for applicants 45%

My organization relies too 25%


heavily on certifications
when looking for applicants 37%
Base: 14,009 global cybersecurity professionals
Note: “Don’t know/does not apply” responses were removed from the sample base.

• Skills gaps are most common in critical areas. We found that the most
common skills gaps tend to be in areas that are gaining importance in the
cybersecurity world. Cloud computing security, artificial intelligence and machine
learning security and Zero Trust implementation are the current top three most
common skills gaps (see figure 16).

ISC2 Cybersecurity Workforce Study, 2023 25


You indicated that your organization’s security team has one or more skills gaps.
FIGURE 16

Where are these gaps?


(Showing top ten responses)

Cloud computing security


35%
Artificial intelligence/machine learning
32%
Zero Trust implementation
29%
Penetration testing
27%
Application security

26%
Digital forensics and incident response
26%
Risk assessment, analysis and management
24%
Security engineering

23%
Threat intelligence analysis
23%
Malware research/analysis
22%
Base: 11,473 global cybersecurity professionals
Note: Showing top ten responses; “Don’t know/does not apply” responses were removed from the sample base.

Not Surprisingly, Staffing and Skills Shortages Create Risks for Organizations

Cutbacks, staffing shortages and skills gaps have created a perfect storm, increasing risk
across all industries. But what are these risks? We found that:

• Cybersecurity staffing shortages pose a significant threat to organizations.


57% of workers say shortages at their organization put them at a moderate or
extreme risk of cybersecurity attacks (see figure 17). This is due to staffing shortages
that decrease their ability to perform critical, careful risk assessment and remain
agile amid a challenging threat landscape (see figure 18).

ISC2 Cybersecurity Workforce Study, 2023 26


In your opinion, to what degree does this shortage of cybersecurity staff put your
FIGURE 17

organization at risk of experiencing a cybersecurity attack?


Extreme risk

Moderate risk
9%
57%
48%
Slight risk
31%
Low risk
12%
No risk
1%
Base: 5,437 global cybersecurity professionals
Note: “Don’t know/does not apply” responses were removed from the sample base; Percentages may not total 100 due to rounding.

Which of the following have you experienced that you feel would have been
FIGURE 18

mitigated if you had enough cybersecurity staff?


(Showing top ten responses)

50% 45% 38%


Not enough time Oversights in Misconfigured
for proper risk process and systems
assessment and procedure
management

38% 35% 34%


Slow to patch Inability to remain Not enough time
critical systems aware of all threats to adequately train
active against our each cybersecurity
network team member

30% 30%
Slowness in
responding to
incidents
Rushed
deployments 75%
said the current threat
landscape is the most
29% 28% challenging it has been
Not enough resources Overreliance in the past five years.
to adequately train our on third-party
cybersecurity staff support

Base: 5,526 global cybersecurity professionals who reported staff shortages.


Note: “Don’t know/does not apply” responses were removed from the sample base

ISC2 Cybersecurity Workforce Study, 2023 27


• Economic uncertainty reduces cybersecurity confidence. Periods of economic
uncertainty pose threats of their own: 52% of respondents are worried about their
cybersecurity teams’ ability to keep their organization secure — and those with
staffing shortages and skills gaps are especially worried (see figure 19).

How strongly do you agree with the following statements related to the state
FIGURE 19

of cybersecurity work?

“I’m worried about our cybersecurity team’s ability to keep our


organization secure during times of economic uncertainty.”

67% 63%
48%
42%

Orgs with Orgs with Orgs with Orgs with no


significant staffing no staffing critical skills skill gaps
shortages shortages gaps
Base: 2,954-7,861 global cybersecurity professionals who reported staff shortages
Note: “Don’t know/does not apply” responses were removed from the sample base.

ISC2 Cybersecurity Workforce Study, 2023 28


What It Means
for Organizations

Targeted Upskilling and Working Culture Improvements Mitigate Risks Stemming


from Staffing and Skills Shortages

Despite these challenges, there are ways that organizations can mitigate cyber risks
stemming from staffing shortages and skills gaps. Take the following actions to
overcome these obstacles:

• Implement initiatives to prevent or mitigate staffing shortages. Training


initiatives top this list, along with creating better working conditions and creating
diversity, equity and inclusion (DEI) initiatives (see figure 20). These are aimed at
attracting and retaining top talent and upskilling workers in-house.

• Upskill existing workers. Upskilling workers is important, especially during


times of economic uncertainty when many organizations face hiring freezes.
Training initiatives can mitigate staff shortages by distributing skills and preventing
significant skills gaps. In fact, we found that organizations investing in training today
are only half as likely to have critical skills gaps as those that aren’t investing and
have no plans to. On the flip side, we found that outsourcing services had little to
no effect on mitigating staffing shortages. It was the only initiative where those who
implemented it were more likely to have staffing shortages than those who hadn’t.
This seems to be a trend, as last year we observed the same result.

• Be aware of workers’ worries. We found that nearly 65% of entry- and junior-
level staff expected the number of cybersecurity workers at their organization
to decrease over the next 12 months. However, the higher the seniority of the
respondent, the less likely they were to expect a worker reduction in the next 12
months (see figure 21). It’s important for cybersecurity leaders to understand the
worries of those below them in the organizational hierarchy and make sure to
communicate the company’s plans for staffing in the near future.

ISC2 Cybersecurity Workforce Study, 2023 29


Which of the following is your organization doing or planning to do to help
FIGURE 20

prevent or mitigate cybersecurity staff shortages at your organization?


Invest in training
72%

Provide more flexible working conditions


69%

Invest in diversity, equity and inclusion initiatives


68%

Invest in certifications
67%

Recruiting, hiring and onboarding of new staff


67%

Use technology to automate aspects of the security job


65%

Hire for attitude and aptitude, and train for technical skills
61%

Be more willing to hire entry-level employees who can grow with us


60%

Use outsourcing/services
56%

Create mentorship programs


55%

Encourage employees at your org outside IT and security to consider a career in cybersecurity
50%

Address pay and promotion gaps, if they exist


50%

Hire from outside the geographic regions we typically have hired from because of work from home
50%

Be more willing to hire people with non-traditional backgrounds


43%

Implement rotational job assignments


41%

De-emphasize technical degrees and certifications for new hires


37%
Base: 10,521-13,120 global cybersecurity professionals
Note: Showing organizations that responded with “My
organization is doing this today”; “Don’t know/does not
apply” responses were removed from the sample base. Organizations investing in training today are
only half as likely to have critical skills gaps
or significant staffing shortages as those that
aren’t investing and have no plans to.

ISC2 Cybersecurity Workforce Study, 2023 30


Do you expect your organization to employ more, fewer or the same
FIGURE 21

number of security professionals in 12 months compared to today?


(Comparing surveyed headcount to respondent’s projected future headcount)

Fewer in 12 months The same number More in 12 months

32%

26% 42%

C-level executive

30% 30%

21% 49% 23% 47%

Director/middle manager Executive management

23% 25%

12% 65% 19% 56%

Entry-/junior-level staff Manager

Base: 8,085 global cybersecurity professionals who reported present and expected future company size

ISC2 Cybersecurity Workforce Study, 2023 31


Culture & DEI

Last year, we introduced the Employee Experience (EX) rating system to better
understand what affects cybersecurity professionals’ satisfaction and overall
experiences. This year, we’re continuing to examine culture using this system.
The EX rating looks at a variety of key factors, including engagement in work,
burnout rates, the sense of being fairly evaluated and more. It uses a scale from
0 (terrible) to 100 (excellent). Once evaluated, we grouped respondents into three
categories based on their ratings: High EX, Medium EX and Low EX.

Employee Experience Rating


Respondents fall into three overall categories based
on their employee experience levels:
RATING N
3,822
HIGH EX Employees with high level
of happiness at their work
62 and above
(31.3%)

4,175
MEDIUM EX Employees with medium level
of happiness at their work
42 – 61
(31.8%)

3,716
LOW EX Employees with low level
of happiness at their work
41 and below
(36.9%)

• EX ratings are based on aggregated responses from a series of employee


experience questions

• Ratings were indexed on a 100-point scale for ease of analysis

This year, considerably more cybersecurity professionals ended up in the Low EX bucket
than last year. However, the average EX rating only dropped slightly, from 51.75 to 51.49.

2022 2023
32.6% 51.75
High EX 51.49
31.3%

35.6%
Medium EX
31.8%

31.7%
2022 2023
Low EX
36.9% Average EX
rating by year
Base: 14,865 global cybersecurity professionals

ISC2 Cybersecurity Workforce Study, 2023 32


DESPITE HIGH JOB SATISFACTION, BURNOUT RISKS STEM FROM THE RIPPLE
EFFECTS OF CUTBACKS, LAYOFFS AND LACK OF MANAGEMENT SUPPORT

Having a strong culture within cybersecurity is critical for organizational success.


Happy workers are more motivated, more focused and are less likely to make
mistakes. Building effective culture is harder than ever during times of economic
uncertainty. Hiring and promotion freezes, budget cuts and layoffs loom large in
workers’ minds, and organizations need to scramble to keep their workers from
burning out. We found that:

• Overall job satisfaction remains high. Despite significant turmoil, an uncertain


economy and the most challenging threat landscape to date, cybersecurity
workers are fairly content with their roles. 70% reported being somewhat or very
satisfied in their jobs today (see figure 22). In addition, 82% say they work well
with security team members, and 79% say they work well with non-cybersecurity
people at their organization.

Overall, how would you rate your level of job satisfaction?


FIGURE 22

Very satisfied
28%

Somewhat satisfied
70%
42%

Neither satisfied nor dissatisfied


13%

Somewhat dissatisfied
12%

Very dissatisfied
4%

Base: 14,865 global cybersecurity professionals

ISC2 Cybersecurity Workforce Study, 2023 33


• Overall satisfaction has dipped somewhat this year. When asking about
overall job satisfaction, we saw a 4% decrease year over year — a trend that
showed consistently throughout all satisfaction-related questions. Much like last
year, satisfaction is higher the closer we look at the actual worker. Passion for
cybersecurity work in general is highest, while satisfaction with workers’ teams
is slightly lower, and satisfaction with workers’ departments and organizations
overall are lower still (see figure 23).

Rate your feelings for each following item on a scale


FIGURE 23

from very low to very high.


(Showing High/Very high responses)
YEAR-OVER-YEAR
Passion for cybersecurity work in general CHANGE

73% -2%

Satisfaction with my team

66% -3%

Satisfaction with my department

60% -3%

Overall satisfaction with my organization

58% -2%

Base: 13,815-14,574 global cybersecurity professionals


Note: “Don’t know/does not apply” responses were removed from the sample base.

• Cutbacks and layoffs have harmed morale. As cutbacks and layoffs have
increased — resulting in staffing shortages and skills gaps — satisfaction and overall
worker happiness this year have dipped. Respondents whose organizations have
had layoffs in cybersecurity in the past year have an average EX rating of 46.0,
while those who haven’t rated an average of 55.5. This is even more stark among
those who expect layoffs in cybersecurity over the next 12 months. Their average
EX rating is just 38.9, compared with an average of 59.5 for those who do not
expect cybersecurity cutbacks at all (see figure 24). 68% of those who experienced
layoffs said those layoffs significantly hurt team morale, and 62% reported that
cybersecurity cutbacks have a negative effect on productivity.

ISC2 Cybersecurity Workforce Study, 2023 34


Have you had layoffs in Do you expect cutbacks/layoffs in
FIGURE 24

cybersecurity at your organization cybersecurity at your organization


over the past 12 months? over the next 12 months?
(Showing average EX rating) (Showing average EX rating)

Have not Do not expect cutbacks in cybersecurity


had layoffs over the next 12 months
55.5 59.5

Have had layoffs elsewhere in the Expect cutbacks but not layoffs in
organization (but not in cybersecurity) cybersecurity over the next 12 months
47.7 49.3

Have had layoffs Expect layoffs in cybersecurity over


in cybersecurity the next 12 months
46.0 38.9

Base: 3,772-14,009 global cybersecurity professionals


Note: “Don’t know/does not apply” responses were removed from the sample base

• Layoffs and cutbacks created more work for employees. Downsizing adds work
to cybersecurity professionals’ plates, hurting worker satisfaction. 71% report that
cutbacks in cybersecurity resulted in an increased workload. When asked what
issues negatively impact their job satisfaction, cybersecurity professionals cited
an overabundance of emails and tasks, overwork due to staff or skills shortages
and inadequate resources to sufficiently protect their organization — three issues
related to overwork (see figure 25). These issues were significantly more common
among those who have staffing shortages and skills gaps compared to those who
don’t (see figure 26).

ISC2 Cybersecurity Workforce Study, 2023 35


Which of the following are issues in your current role that negatively impact
FIGURE 25

your job satisfaction?


(Showing top nine responses)

Too many I experience overwork due My team has inadequate resources


emails/tasks to staff or skill shortages to sufficiently protect the organization

31% 30% 25%

Lack of support from Pay is too low It’s difficult to stay current
executives/managers on security issues/trends

24% 23% 23%

I get stressed out from the The organization is not realistic Poor security policies/
weight of responsibility I feel in the way it measures the standards at my company
as a security professional success of security create extra work for me

22% 22% 19%

Base: 14,009 global cybersecurity professionals


Note: “Don’t know/does not apply” responses were removed from the sample base

Which of the following are issues in your current role that negatively impact
FIGURE 26

your job satisfaction?


Employees of orgs with both staff shortages and significant skills gaps

Employees of orgs with neither staff shortages nor significant skills gaps

Too many emails/tasks 34%


27%

I experience overwork due 39%


to staff or skill shortages 19%

My team has inadequate resources 42%


to sufficiently protect the organization 13%
Base: 4,172 global cybersecurity professionals.
Note: “Don’t know/does not apply” responses were removed from the sample base.

ISC2 Cybersecurity Workforce Study, 2023 36


• Organizational support impacts morale. While issues around overwork are
the most common problems for cybersecurity professionals, they aren’t the most
impactful. The issues that resulted in the lowest EX ratings were more likely to be
related to feeling unheard, feeling unsupported by management and their expertise
not being respected by their organizations (see figure 27). So while overwork
has become more common, the thing that really hurts worker morale is a lack of
support and respect from the organization. These were top issues last year as well,
meaning it was no statistical anomaly. This is a fundamentally important issue in the
cybersecurity profession.

We found that the inverse of these issues is also true. The initiatives that create a
positive work culture and result in the highest EX ratings are valuing and listening to
employees’ needs. Not listening to cybersecurity professionals can be a particularly
harmful issue because, beyond the effect it has on employee morale, it also
increases the likelihood that organizations could miss out on crucial risk-related
information and put themselves at risk.

Which of the following are issues in your current role that negatively impact
FIGURE 27

your job satisfaction?

LEAST NEGATIVELY IMPACTFUL ISSUES MOST NEGATIVELY IMPACTFUL ISSUES

ISSUES AVERAGE EX RATING ISSUES AVERAGE EX RATING

It’s difficult to stay current My employer does not


49.0 36.9
on security issues/trends value or listen to my input
Too many Poor relationship with team
46.5 39.9
emails/tasks members or managers
My team has inadequate I feel like my job exists only
resources to sufficiently 44.7 to prevent breaches, and I 40.4
protect the organization will be blamed if one occurs
Poor security policies/ Lack of support from
40.8
standards at my company 44.2 executives/managers
create extra work for me
I am expected to
40.8
I experience overwork due work long hours
43.8
to staff or skill shortages

Base: 10,521-13,120 global cybersecurity professionals


Note: “Don’t know/does not apply” responses were removed from the sample base

ISC2 Cybersecurity Workforce Study, 2023 37


• The wrong cybersecurity tools and resources lead to a lack of trust.
Staffing shortages and skills gaps play a surprisingly large role here as well.
When cybersecurity professionals are not given the tools and resources they
need to succeed, it usually leads to lost trust between management and the
workforce. Those at organizations with staffing shortages and skills gaps are
considerably more likely to report a lack of support from managers/executives,
a feeling that their employers don’t value — or even listen to — their input and
more (see figure 28).

Which of the following are issues in your current role that negatively impact
FIGURE 28

your job satisfaction?


Employees of orgs with both staff shortages and significant skills gaps

Employees of orgs with neither staff shortages nor significant skills gaps

Lack of support from 32%


executives/managers 18%

The organization is not realistic in the 31%


way they measure success of security 16%

I feel like my job exists only to


prevent breaches, and I will be 21%
13%
blamed if one occurs

My employer does not value 21%


or listen to my input 11%
Base: 4,172 global cybersecurity professionals
Note: “Don’t know/does not apply” responses were removed from the sample base

AN INCREASINGLY DIVERSE WORKFORCE IS A BRIGHT SPOT, WITH ROOM


TO IMPROVE DEI INITIATIVES

Last year we began to explore trends around a rapidly diversifying cybersecurity


workforce, and these trends continue this year. We found that:

• Cybersecurity is diversifying more quickly across race/ethnicity than gender.


Our data shows that the makeup of the cybersecurity workforce is changing both in
gender and race and ethnicity. The biggest increase we saw by age is in non-white
men. Within the US, Canada, Ireland and the UK, 70% of cybersecurity professionals
60 or older are white men. In those same countries, just 37% of those under 30 are
white men. We saw this trend emerge last year, and it seems to be accelerating. 66%
of security workers who entered the profession in these countries in the past 12
months are non-white (see figure 29).

ISC2 Cybersecurity Workforce Study, 2023 38


However, the change in race and ethnicity is much
more significant than the change in gender. Even in
the under-30 group, women represent only 26% of
the cybersecurity workforce. And while this is twice
66%
of cybersecurity
as many as the 60-or-older group, it still makes up a
significant minority. The pathways into cybersecurity
workers who
differ by gender and race. Both women and non-white entered the
cybersecurity professionals are more likely to take an profession in the
education pathway into the field and less likely to come past 12 months in
from an IT background. these countries
are non-white.

Age group by race and gender


FIGURE 29

White men White women Non-white men Non-white women

60 or older 70% 13% 15% 2%

50-59 63% 10% 22% 6%

39-49 54% 7% 31% 8%

30-38 45% 7% 35% 13%

Under 30 37% 6% 40% 18%


Base: 5,768 cybersecurity professionals in the United States, Canada, United Kingdom and Ireland
Note: Total percentages may not equal separate values due to rounding.

Which of the following With which of the following


most accurately ethnic or cultural groups do
describes you? you primarily identify?
Female Male Non-white White

60 or older 13% 87% 60 or older 17% 83%

50-59 14% 86% 50-59 28% 72%

39-49 14% 86% 39-49 40% 60%

30-38 22% 78% 30-38 48% 52%

Under 30 26% 74% Under 30 57% 43%

Base: 13,682 global cybersecurity professionals Base: 5,874 cybersecurity professionals in the United States, Canada, United
Kingdom and Ireland

ISC2 Cybersecurity Workforce Study, 2023 39


• There’s value in a diverse cybersecurity workforce. Cybersecurity professionals
value a diverse workforce. 69% said that an inclusive environment is essential for
their team to succeed, and 65% feel that it’s important that their security team
is diverse. 57% say that DEI will continue to become more important for their
cybersecurity team over the next five years (see figure 30). This is slightly lower
than last year (62%) but still indicates a continuation of this trend.

How much do you agree or disagree with the following statements about
FIGURE 30

diversity and inclusion within your organization/team?


(Showing Somewhat Agree/Completely Agree responses)

An inclusive environment is essential for our team to be able to succeed


69%
It’s important that my security team is diverse
65%
DEI will continue to become more important for our security team over the next five years
57%
Diversity within the security team has contributed to my security team’s success
53%
DEI has been increasingly important for our security team over the past five years
51%
My organization’s DEI initiative has had a significant impact on my daily work life
36%
My company is not doing enough to address DEI issues
27%
I feel discriminated against at my workplace
20%
Base: 11,373-13,041 global cybersecurity professionals
Note: “Don’t know/does not apply” responses were removed from the sample base

ISC2 Cybersecurity Workforce Study, 2023 40


• DEI initiatives are lacking. However, despite cybersecurity professionals
recognizing the importance of diversity, the adoption of DEI initiatives remains fairly
low overall. Less than half of respondents (46%) reported that their organization
currently has DEI training for employees, and 8% said that their organization does
not have any DEI initiatives at all (see figure 31).

What types of programs/initiatives/tools does your company use to promote


FIGURE 31

DEI and accessibility?

DEI training for employees 46%

HR team that supports employees who feel


discriminated against in the workplace
43%

Accessible workplace design (remote work option,


technology for persons with disabilities, etc.)
42%

Anonymous and clear pathways to report discrimination 42%

Skills-based hiring (evaluating talent objectively based


on skills and potential)
40%

DEI employee groups or affinity groups 35%

DEI events 34%

DEI council or committee 31%

Job descriptions that refer to DEI programs/goals 26%

We do not have any DEI initiatives 8%

Base: 14,009 global cybersecurity professionals


Note: “Don’t know/does not apply” responses were removed from the sample base

ISC2 Cybersecurity Workforce Study, 2023 41


• DEI initiatives make a significant impact, though adoption is low. Organizations
that are adopting initiatives related to hiring, such as skills-based hiring and using
job descriptions that refer to DEI programs/goals, can create a more diverse
workforce. Those with skills-based hiring have an average of 25.5% women in their
workforces compared with 22.2% of those who have not adopted this initiative. This
is also true for adding job descriptions that refer to DEI programs/goals (26.6% vs.
22.3%) (see figure 32).

Percentage of women in cybersecurity


FIGURE 32

Implemented Not implemented

Skills-based hiring (evaluating 25.5%


talent objectively based on skills
and potential) 22.2%

Job descriptions that refer 26.6%


to DEI programs/goals
22.3%
Base: 10,703 global cybersecurity professionals

DEI initiatives don’t just make a difference in creating a more diverse workforce
— they produce a more effective workforce as well. Cybersecurity professionals
at organizations that have adopted these two DEI hiring practices were
considerably more likely to feel like their organization had the tools and people
they needed to ensure they are prepared to respond to cyberthreats over the
next two to three years (see figure 33).

“My organization has the tools and people they need to ensure the organization
FIGURE 33

is prepared to respond to cyber incidents over the next two to three years”

57% 57%

51% 51%

Implemented Have not implemented Implemented job Have not implemented


skills-based hiring skills-based hiring descriptions that refer job descriptions that refer
to DEI programs/goals to DEI programs/goals
Base: 13,028-13,116 global cybersecurity professionals
Note: “Don’t know/does not apply” responses were removed from the sample base.

ISC2 Cybersecurity Workforce Study, 2023 42


What It Means
for Organizations

• Seek input and listen to feedback from employees. We have seen consistently
over the past two years that cybersecurity professionals who feel their organizations
truly listen and consider their depth of expertise and knowledge as well as their
preferences on working environment are far happier than those who feel unheard.
Listen to your staff — don’t work against them.

• Use DEI initiatives to help navigate times of economic uncertainty. Preventing


your organization from unintentionally excluding large swaths of the available talent
pool (by hiring with significant bias or creating an uninclusive environment) will
be critical in ensuring that you have the right balance of skills needed to operate
effectively during difficult times. In addition, the long-term effects are exceedingly
valuable. A workplace where all cybersecurity professionals feel comfortable keeps
workers happy, productivity high and attrition low.

ISC2 Cybersecurity Workforce Study, 2023 43


New Career Pathways

80% of cybersecurity professionals agree that there are more pathways into
cybersecurity today than there were in the past, and 82% agree that the increase in
alternative pathways is positive for the industry. These new pathways are a product of
an agile profession and the willingness of the people in it to adapt to the ever-changing
and often unpredictable environment around them.

More professionals with no prior cybersecurity experience but with a more diverse
technical background are applying to cybersecurity jobs. This contributes to a growing
trend of experienced professionals from outside the field joining the cybersecurity
industry midway through their careers, compared with a traditional wave of college
graduates who have more education than on-the-job experience. This new trend helps
normalize cybersecurity as a viable option for capable, experienced professionals from
outside the industry looking to make a midcareer change.

This year, we offer the most detailed look ever at the career choices made by
cybersecurity professionals and how they could impact the industry for generations to
come. After surveying respondents of all ages and backgrounds who are charting new
pathways into and throughout the profession, we found that:

• Cybersecurity is increasingly attractive to professionals with technical,


non-cyber experience. More than half of hiring managers (59%) agree that they
see an increase in job applications from technically experienced people with no
prior cybersecurity experience, and organizations are embracing this. 51% say their
organization is changing their hiring requirements to recruit more people from
non-cybersecurity backgrounds. What’s more, 56% agree
that they are actively trying to recruit more of these technical
professionals internally, which is also most prominent within
the security software/hardware development industry (62%).
Most hiring
Layoffs are an unfortunate side effect of a volatile economic managers (52%)
environment, but with change comes opportunity. Most agree that
hiring managers (52%) agree that widespread tech layoffs widespread tech
give them an opportunity to get more people involved
layoffs give them
in cybersecurity (see figure 34). Layoffs can mean an
an opportunity
abundance of skilled IT professionals hitting the job market,
which creates an opportunity for cybersecurity teams who
to get more
need support to hire and train them. people involved
in cybersecurity.
In addition, layoffs within cybersecurity offer a chance for the
industry to capitalize on the wealth of strong cybersecurity
talent hitting the job market. The organizations that can pounce
on hiring these people will set themselves up for success in the future.

ISC2 Cybersecurity Workforce Study, 2023 44


How strongly do you agree with the following statements related to the state
FIGURE 34

of cybersecurity work?
(Showing Agree/Strongly Agree responses)

We are seeing an increase in job applications from technically experienced people


with no cybersecurity experience

59%
We are actively trying to recruit technical people from within our organization
to move to cybersecurity

56%
We see widespread tech layoffs as a chance to get new people into cybersecurity

52%
We are changing our hiring requirements/expectations to accept more applications
from applicants with non-cybersecurity backgrounds

51%
We are actively trying to recruit non-technical people from within our organization
to move to cybersecurity

41%
Base: 6,381-6,484 global cybersecurity professionals
Note: “Don’t know/does not apply” responses were removed from the sample base.

• For many, IT is a stepping stone into cybersecurity. 52% of cybersecurity


professionals kickstart their careers with a non-cybersecurity IT position. The
next most popular pathways into the profession are by earning a cybersecurity
certification (51%) or independently learning about cybersecurity concepts
outside of formal training (45%). More interestingly, earning a bachelor’s degree in
cybersecurity (31%) is less popular than all the above as a precursor to joining the
profession (see figure 35.)

• Challenging work and career advancement are key motivators. After entering
the industry, cybersecurity professionals focus on gaining traction in their new roles
more than anything else. The most popular next milestones in a cybersecurity career
include earning a promotion from a practitioner to a managerial/leadership role
(35%), earning a certification for the first time (32%), changing role directions from a
specialist to a generalist (26%) or changing back from generalist to specialist (19%).
Only 16% report leaving for a new profession, almost the same amount who leave to
pursue higher education in cybersecurity or a related field (14%). This showcases the
“stickiness” of this career path. After joining the industry, cybersecurity professionals
are more motivated to increase responsibility in their current roles and improve
their skills for that role, rather than making another career pivot (see figure 36).

ISC2 Cybersecurity Workforce Study, 2023 45


Which of the following did you do before your first cybersecurity job?
FIGURE 35

(Showing 15 top ranked responses)

Got a non-cybersecurity IT position


52%

Got my first cybersecurity certification


51%

Independently learned about cybersecurity concepts on my own time


45%

Got a bachelor’s degree in a field not related to cybersecurity


31%

Got a bachelor’s degree in cybersecurity or other related field


31%

Served in the military (volunteer/compulsory military service)


26%

Got a position not in IT or cybersecurity


26%

Received cross-training in cybersecurity from employer


20%

Got an advanced degree (master’s, PhD, etc.) in cybersecurity or other related field
20%

Got an advanced degree (master’s, PhD, etc.) in a field not related to cybersecurity
16%

Worked in law enforcement (in a non-cybersecurity position)


16%

Got recruited/headhunted
14%

Had an internship/apprenticeship in cybersecurity


12%

Found a mentor/career coach


11%

Went to a job fair


10%
Base: 13,103 global cybersecurity professionals

ISC2 Cybersecurity Workforce Study, 2023 46


Which of the following did you do after you took your first cybersecurity job?
FIGURE 36

(Showing top 17 ranked responses)

Moved from a practitioner role to a managerial/leadership role


35%

Earned my first cybersecurity certification


32%

Moved from a specialist role to a generalist role (e.g., cybersecurity consultant)


26%

Moved from a generalist role to a specialist role (e.g., application security, cloud security)
19%

Left cybersecurity for another profession


16%

Started working as an independent cybersecurity contractor/consultant


16%

Left cybersecurity to pursue higher education


14%

Pursued higher education in cybersecurity or related field


14%

Left cybersecurity for compulsory/volunteer military service


14%

Switched from the private to the public sector


13%

Became a mentor for the first time


12%

Started my own cybersecurity business (e.g., managed services, tech startup)


12%

Switched from the public to the private sector


11%

Came back to cybersecurity (after leaving)


9%

Became a cybersecurity educator/professor


8%

Found my first mentor


7%

Switched from working independently (as a contractor or at my own business) to working at an organization
5%
Base: 12,154 global cybersecurity professionals

ISC2 Cybersecurity Workforce Study, 2023 47


A number of factors drive the motivation to enter and continue working in the
cybersecurity profession, and these can differ based on industry. Primarily, the
prospect of career advancement opportunities (27%), skills demand (25%), enjoyment
(25%) and high compensation (24%) are attracting people to join and stay in
cybersecurity (see figure 37).

Which of the following best describes why you originally entered the cybersecurity
FIGURE 37

profession?
Career advancement
Career advancement opportunities 27% opportunities

High demand for skills 25% 1. Healthcare (33%)


2. Government (31%)
3. Aerospace (31%)
I thought I would enjoy the work 25%
High demand for skills
I did some cybersecurity work while
in another role and enjoyed it
24% 1. Military (29%)
2. Aerospace (28%)
3. Food/beverage (28%)
Potential for high compensation/salary 24%
It fit my skill set/education 23% I thought I would
enjoy the work

Ability to solve problems 22% 1. Financial services (29%)


2. Consulting (28%)
3. Non-security software/
Ability to work in a continuously
evolving field
19% hardware (26%)

Personal/emotional satisfaction 17%

Ability to help people/society 14%

Job stability/low unemployment 14%


I did some cybersecurity on my own 14%
and enjoyed it

My company reorganized and I was


pushed into a cybersecurity role
13%

Encouragement from a role 11%


model in cybersecurity

I did cybersecurity coursework 11%


in school and enjoyed it

I was laid off from another job and 10%


there were openings in cybersecurity

Base: 14,865 global cybersecurity professionals

ISC2 Cybersecurity Workforce Study, 2023 48


The happiest employees are those who are challenged to continue adapting and
evolving — as evidenced by our research finding that employees with the highest EX
ratings are most motivated by the ability to work in a continuously evolving field that
fits their skill set/education. Conversely, professionals who have been pushed into
cybersecurity by their organization or through a layoff at another organization have the
lowest EX ratings. Decisions made by professionals who have freedom of choice are the
most motivating (see figure 38).

Which of the following best describes why you originally entered the cybersecurity
FIGURE 38

profession?

MOTIVATIONS WITH HAPPIEST SECURITY WORKERS MOTIVATIONS WITH LEAST HAPPY SECURITY WORKERS

MOTIVATION FOR MOTIVATION FOR


ENTERING SECURITY AVERAGE EX RATING ENTERING SECURITY AVERAGE EX RATING

Ability to work in a My company reorganized


52.98
continuously evolving field and I was pushed into a 48.43
cybersecurity role
It fit my skill
52.49
set/education I have role models in my life
in cybersecurity (e.g., family
Career advancement 48.64
52.16 members, mentors) who
opportunities
encouraged me
Ability to solve I was laid off from another
52.12
problems job and there were 50.54
High demand openings in cybersecurity
52.06
for skills I did some cybersecurity
50.63
on my own and enjoyed it
Job stability/low
50.79
unemployment
Base: 14,865 global cybersecurity professionals

• Pathways are changing. In 2023, new entrants into the cybersecurity


profession are considerably older on average than they have been in the
past, with 48% of new entrants joining at age 39 years or older. This is a
significant difference from 2022 (24%) and shows a change in the pathways into
cybersecurity (see figure 39). Besides the change in age of new cybersecurity
professionals, we also see a significant shift in the backgrounds of workers
entering the field. New cybersecurity professionals are more likely to have a
bachelor’s degree in cybersecurity, more likely to come from a non-IT role and
less likely to have started in IT (see figure 40).

ISC2 Cybersecurity Workforce Study, 2023 49


Ages of new entrants into the cybersecurity profession
FIGURE 39

2021 2022 2023


60 or older 60 or older 60 or older

2% 0% 3%

50-59 50-59 50-59

8% 6% 16%

39-49 39-49 39-49

27% 18% 29%

30-38 30-38 30-38

39% 45% 32%

Under 30 Under 30 Under 30

24% 31% 21%

Base: 695 global cybersecurity professionals who started in the past 12 months; 356 surveyed in 2022 and 610 surveyed in 2021
Note: Total percentages may not equal separate values due to rounding.
FIGURE 40

NEW CYBERSECURITY EMPLOYEES TENURED CYBERSECURITY EMPLOYEES


(1 YEAR OR LESS IN THE FIELD) (10+ YEARS IN THE FIELD)

46% Got cybersecurity bachelor’s degree


before entering cybersecurity 32%

55% Worked in IT before entering


cybersecurity 63%

39% Worked in a non-IT role before


entering cybersecurity 28%

24% Had an internship or apprenticeship


in cybersecurity before their first job 9%

16% Influenced to join cybersecurity by role


models in their life in the field 9%
Base: 404 new and 6,121 tenured global cybersecurity professionals

ISC2 Cybersecurity Workforce Study, 2023 50


Professionals of all ages are united and motivated to join the industry by a simple
but powerful feeling — their sheer enjoyment of the work (see figure 41). As
previously mentioned, career advancement opportunities are the most common
motivator to join cybersecurity, but when we look at the age-specific breakdown
among workers, we see an interesting trend. Younger professionals (especially those
under the age of 30) primarily join the industry based on what they perceive to be
an enjoyable career, and older professionals joining midcareer have performed
cybersecurity work in another role and decided to join full-time based on their own
enjoyment of it.

Which of the following best describes why you originally entered the cybersecurity
FIGURE 41

profession?
(Showing top motivating factors)

UNDER 30 30-38 39-49 50-59 60 OR OLDER

I thought 27% Career 26% Career 27% I did some 30% I did some 31%
I would advancement advancement cybersecurity work cybersecurity work
enjoy the opportunities opportunities while in another while in another
work role (e.g., general role (e.g., general
IT) and enjoyed it IT) and enjoyed it

Potential 27% I thought 26% High 25% Career 28% Career 31%
for high I would demand advancement advancement
compensation/ enjoy the for skills opportunities opportunities
salary work

Career 24% Potential 25% I thought 25% High 25% It fit my 28%
advancement for high I would demand skill
opportunities compensation/ enjoy the for skills set/education
salary work

High 24% High 25% I did some 25% It fit my 24% Ability to 28%
demand demand cybersecurity work skill solve problems
for skills for skills while in another set/education
role (e.g., general
IT) and enjoyed it

Ability to 24% Ability to 22% Potential 24% Ability to 24% High 26%
solve problems solve problems for high solve problems demand
compensation/ for skills
salary

Base: 14,145 global cybersecurity professionals

ISC2 Cybersecurity Workforce Study, 2023 51


What It Means
for Organizations

New Career Pathways Shape the Future Cybersecurity Workforce

Cybersecurity career paths are shaped by the professionals with traditional and
non-traditional experiences who get hired, as well as the organizations that make
the decisions to hire them. As more professionals with diverse backgrounds join the
industry, new pathways open and evolve the expectations and recruiting habits of
hiring managers.

Here are our key takeaways for organizations and professionals with the ability to
impact the career pathways for a new generation of cybersecurity professionals:

• Organizations, rethink your hiring parameters. New career trajectories and


hiring trends make cybersecurity a more attractive place for technically skilled
workers of all ages, not just those with traditional education or cybersecurity
experience. Organizations seeking to nurture a skilled cybersecurity team should
also look for those with non-traditional backgrounds and expand their internal and
external recruiting.

• Professionals, stay agile (and satisfied) by challenging yourselves. Enjoyment,


challenge and career advancement go hand in hand. The happiest employees are
those who are challenged to continue adapting and evolving, as evidenced by our
EX rating. Cybersecurity is a continuously evolving field, and it’s important to evolve
with it. Ask your employer about their professional development opportunities,
certifications and skills development programs. This will help you stand out as a key
contributor, and help you build new competencies for the future.

ISC2 Cybersecurity Workforce Study, 2023 52


Skills in Demand

As with pathways into the field, the demand for new cybersecurity skills is evolving.
Cloud computing security continues to be the most desired technical skill set, but
the perceived demand for AI/machine learning skills is growing quickly. In addition,
the unstable market environment gives rise to a demand for more curious and
communicative employees with professional experience. Those with technical on-the-
job experience and relevant certifications are more attractive to recruiters than those
entering the market with just a degree.

We interviewed both hiring managers and professionals without hiring responsibilities


to uncover the most desirable skills, qualifications and experiences that drive recruiting
and education demand within the cybersecurity world. Here’s what we found:

• Cloud computing security is a critical skill, but it’s in short supply. Cybersecurity
professionals (non-hiring managers) consider cloud computing security to be
the most in-demand skill for those looking to advance their careers (47%). Hiring
managers continue to validate this perception — for the second year in a row, cloud
computing security (32%) is the most desirable skill sought by cybersecurity hiring
managers who are looking for recruits. Hiring managers are also prioritizing risk
assessment, analysis and management (31%); security analysis (28%); and security
engineering (28%) as attractive skills for prospective employees (see figure 42).

Contributing to the high demand for cloud computing security skills is the
aforementioned supply shortage of cybersecurity professionals who have
experience in this area. As previously reported, cybersecurity professionals said that
cloud computing security is the number one area where there are skills gaps on
their team (35%). This only makes the skill more attractive to hiring managers.

• Demand for AI/ML skills is growing. Although it’s not currently a top requirement
from hiring managers, the demand for artificial intelligence skills is growing in the
eyes of the average cybersecurity professional. AI/ML skills (28%) are among the top
five categories for in-demand skills (see figure 43). As recent as our 2022 study, AI/
ML did not even make the top ten for most in-demand skills and was ranked close to
the bottom. In the coming years, this skill has the potential to spike in demand as AI
matures and influences various aspects of cybersecurity threats and defense.

ISC2 Cybersecurity Workforce Study, 2023 53


What skills are you most looking Which of these skills do you think
FIGURE 42

for right now when hiring? are most in demand for security
professionals looking to advance their
(Showing top ten responses)
careers (via new jobs and promotions)?
(Showing top ten responses)

ASKED TO HIRING MANAGERS ASKED TO NON-HIRING MANAGERS

Cloud computing security Cloud computing security


32% 47%

Communication skills Governance, risk management


31% and compliance (GRC)
35%
Risk assessment, analysis
and management Security engineering
31% 32%

Security analysis Risk assessment, analysis


28% and management
30%
Security engineering
28% Artificial intelligence/machine
learning
Governance, risk management 28%
and compliance (GRC)
26% Zero Trust implementation
27%
Application security
24% Communication skills
24%
Security administration
(e.g., VPN security/patching, SecOps
mobile device management) 24%
22%
Digital forensics and incident
SecOps response
21% 24%

Identity and access Application security


management 23%
20%

Base: 7,143-7,184 global cybersecurity professionals


Note: “Don’t know/does not apply” responses were removed from the sample base.

ISC2 Cybersecurity Workforce Study, 2023 54


• Curiosity, communication and certifications are growing in importance.
Cybersecurity professionals consider problem-solving abilities to be the most
important qualifying characteristic for themselves on the job (45%). However,
curiosity/eagerness to learn (39%), communication skills (38%) and cybersecurity
certifications (32%) have grown in value year over year. When compared to 2022,
these traits increased in importance by 3% to 5%, and this upward trend reflects the
needs of the modern risk landscape. When operating in a market characterized by
instability, organizations need professionals who are knowledgeable, adaptable and
efficient facilitators of information (see figure 43).

What are the top five most important qualifications for cybersecurity
FIGURE 43

professionals seeking employment?


(Showing top five and bottom five responses)

2022 2023

LARGEST INCREASES IN TRENDS


33%
Strong communication skills
38%
29%
Cybersecurity certifications
32%
36%
Curiosity/eagerness to learn
39%

Knowledge of basic cybersecurity 33%


and cybersecurity concepts 35%

Cybersecurity qualifications (e.g., trainings, 17%


etc.) other than certifications or a degree 19%

LARGEST DECREASES IN TRENDS


27%
Strong strategic thinking skills
25%
9%
Strong coaching/team development skills
7%
22%
Extensive cybersecurity work experience
20%
16%
Familiarity with relevant frameworks
13%

Knowledge of advanced cybersecurity 31%


and cybersecurity concepts 25%

Base: 14,865 global cybersecurity professionals

ISC2 Cybersecurity Workforce Study, 2023 55


• Professional experience and certifications are seen as more valuable than
formal education. Cybersecurity skills are shaped by education, training and
experience. When asked about the experiences and education that constitute
the ideal cybersecurity candidate, respondents made it clear that experience and
certification top all else. Senior-level cybersecurity experience (86%) was highly
favored over advanced doctoral degrees (14%) (see figure 44).

Experience carries weight, even if it isn’t specific to cybersecurity. Mid-level non-


cybersecurity technical experience (63%) was favored over entry-level cybersecurity
experience (37%). However, entry-level cybersecurity experience (70%) is still
more important than entry-level cybersecurity education (30%). This tells us that
cybersecurity professionals view professional exposure in any manner as more
valuable than education in a classroom or virtual setting.

Certifications are also a highly regarded form of cybersecurity qualification. They


are favored over both a bachelor’s degree in a related field (66% vs. 34%) and
independent competition experience (54% vs. 46%) (e.g., hackathons). Despite
the new pathways and trends shaping the modern cybersecurity profession,
certifications continue to be a core ingredient for the ideal cybersecurity candidate.

ISC2 Cybersecurity Workforce Study, 2023 56


If you were to design your ideal cybersecurity candidate, which of these things
FIGURE 44

would you prefer?

30%
Entry-level Entry-level education (e.g., bachelor’s degree
in related field or basic certification)
cybersecurity
experience is preferred
to entry-level degrees

70%
Base: 13,742

Entry-level cybersecurity experience


(1 to 3 years)

37%
Mid-level (non-cyber) Entry-level cybersecurity experience
(1 to 3 years)
experience is preferred
to entry-level cyber
experience

63%
Base: 13,615

Midcareer-level non-cybersecurity IT/


technical experience
(5 to 10 years)

14%
Senior-level Advanced doctoral degree
cybersecurity
experience is perceived
as far more valuable
than advanced degrees

86%
Base: 13,500

Senior-level cybersecurity experience


(10+ years)

ISC2 Cybersecurity Workforce Study, 2023 57


If you were to design your ideal cybersecurity candidate, which of these things
FIGURE 44

would you prefer?

46%
Independent competition experience
Certifications are (e.g., hackathon, capture the flag, etc.)
more valuable than
independent experience

54%
Base: 13,222

Cybersecurity certification

34%
Bachelor’s degree in related field
Certifications are more
valuable than entry-level
degrees

66%
Base: 13,496

Cybersecurity certification

Base: 13,222-13,742 global cybersecurity professionals


Note: “Don’t know/does not apply” responses were removed from the sample base.

ISC2 Cybersecurity Workforce Study, 2023 58


What It Means
for Organizations

Continue to Nurture and Develop Skill Sets for Well-Rounded Talent

The current macroeconomic environment calls for a generation of cybersecurity workers


who are curious, agile and open to new challenges. This is who modern organizations
seek as they grapple with cutbacks and skills gaps.

Here are our key takeaways for organizations and professionals looking to hire, nurture
and develop skill sets to fill gaps and improve the future of work:

• Organizations, expand basic cybersecurity training to everyone. For many


organizations, the need for basic cybersecurity skills has eclipsed the need for niche
and advanced skill sets. Attributes like eagerness to learn, communication skills
and curiosity have never been more important. To create more well-rounded and
knowledgeable cybersecurity employees, try offering basic training/professional
development to other departments within the organization. Encouraging basic skills
development on a holistic level can also organically promote your cybersecurity
team as a new career pathway.

• Professionals, supplement education with hands-on experience. Cybersecurity


professionals (especially hiring managers) favor on-the-job experience over
traditional education, and this includes non-cybersecurity experience. So those
pursuing a career in cybersecurity should try to supplement their education with
hands-on, technical on-the-job experience — whether an internship, certification
or independent competition (hackathon, etc.) — to diversify their resume.

ISC2 Cybersecurity Workforce Study, 2023 59


Certifications

Certifications continue to be a pillar of cybersecurity professional development.


Certification activity and planning have stayed generally constant, which shows that
professionals remain steadfast in their journey to expand their cybersecurity skills and
knowledge.

Both employees and their organizations have expressed resilience and dedication
to certifications in an uncertain economy. Even amid corporate cutbacks like hiring
freezes and job layoffs, more than half of professionals are offered reimbursements for
certification exams by their employer. Employers that do so are successful at filling skills
gaps.

We spoke to more than 14,000 cybersecurity professionals to learn about how and when
they plan to earn certifications and found that:

• Certification pursuit remains strong. Cybersecurity professionals continue to plan


ahead for their professional development, with only minor postponements from
near-term to long-term plans. Within the next six months, 21% of respondents plan
to pursue a vendor-neutral certification, with 49% thinking longer-term (six months
to two years and beyond). Those planning for vendor-specific certifications are
behaving similarly, with 19% planning for the immediate future and 49% extending
their pathway beyond six months. On average, we observed a 6% increase in those
who are planning on continuing their certification work in the period beyond the
next six months. In general, however, the market has not deterred cybersecurity
professionals from furthering their education and skill sets (see figure 45).

More than half


of cybersecurity
professionals receive
incentives in the form
of certification exam
reimbursements (54%).

ISC2 Cybersecurity Workforce Study, 2023 60


Which of the following best describes your plans to pursue any vendor-neutral
FIGURE 45

or vendor-specific cybersecurity certifications in the future?


Vendor-neutral certifications (e.g., ISC2, ISACA, CompTIA) Vendor-specific certifications (e.g., Cisco, Microsoft)

Currently pursuing
16% 17%
4% 3%

Planning to pursue within the next six months


21% 19%
4% 3%

Planning to pursue six to 12 months from now


23% 19%
2% 1%

Planning to pursue one to two years from now


17% 18%
2% 2%

Planning to pursue more than two years from now


9% 12%
3% 4%

Planning to pursue at some point, but not sure when


7% 8%
1% 1%

No plans to pursue any additional security certifications


7% 7%
Base: 3,818-3,829 global cybersecurity professionals (Panel respondents)
Note: “Don’t know/does not apply” responses were removed from the sample base.

• Skills growth continues to be the driving motivator for certification.


Cybersecurity professionals are still pursuing certifications to grow and develop their
skills (65%). This is true for workers of all ages. Professionals in the 50+ age range
(67%) agree to this, and so do those under 49 (65%). This paints a picture of the wide
applicability of certifications, regardless of experience or industry tenure.

Other motivators include staying current with security trends (53%) and the sheer
enjoyment of the challenge (43%) (see figure 46). Those with high school diplomas
agree more with this (47%) than those with more advanced degrees (42%).
Professionals without undergraduate or graduate degrees use certifications to
demonstrate their cybersecurity knowledge, skills and abilities.

While personal motivation is key to earning certifications and growing skills,


organizations need to support their employees’ pursuit to holistically close skills gaps.

ISC2 Cybersecurity Workforce Study, 2023 61


You indicated you have plans to get a certification in the future. What is your
FIGURE 46

motivation for doing so?

To improve my skills
65%

To stay current with security trends


53%

Certifications are an important part of my career and professional development


50%

I enjoy the challenge and the accomplishment


43%

To expand and demonstrate my experience to employers


39%

To expand and demonstrate my experience to peers


31%

To improve my organization’s security posture


30%

It is required for a job that I’m applying to/want to apply to outside of my organization
17%

It is required in order for me to get a promotion


15%

My organization asked me to do it to fill a skills gap


13%
Base: 11,660 global cybersecurity professionals
Note: “Don’t know/does not apply” responses were removed from the sample base.

ISC2 Cybersecurity Workforce Study, 2023 62


• Organizations continue to subsidize certifications as professional
development. Despite economic headwinds, 96% of respondents are offered
professional development incentives from their organizations. More than half of
cybersecurity professionals receive these incentives in the form of certification exam
reimbursements (54%), which continues to be the top mode of educational assistance
year over year. Certification reimbursements aren’t the only form of professional
development incentive, however. Companies also include reimbursements for
conferences/events (43%), in-house training (42%), career pathing/planning for
advancement (32%) and tuition assistance (32%) (see figure 47).

Which of the following does your organization offer in terms of professional


FIGURE 47

development initiatives/incentives?

Payment/reimbursement for third-party certification exams


54%
Payment/reimbursement for third-party certification courses
49%
Payment/reimbursement for conference/event attendance (i.e., reimbursement for expenses/tickets)
43%
Time for professional development during work hours
42%
In-house training courses
42%
Career pathing/planning for advancement
32%
Tuition assistance for undergraduate/graduate degree programs
32%
Mentoring program
29%
Bring in outside consultants/third-party training organizations to train internal staff
23%
Job shadowing
18%
My organization does not offer professional development initiatives or incentives
4%
Base: 14,009 global cybersecurity professionals
Note: “Don’t know/does not apply” responses were removed from the sample base.

ISC2 Cybersecurity Workforce Study, 2023 63


• Certification reimbursement can shrink skills gaps. Professional development
incentives could be a not-so-secret weapon in the fight against the global
cybersecurity gap. 47% of organizations that do not offer reimbursements
for certification courses or exams have significant skills gaps in cybersecurity,
compared to only 38% that do offer reimbursements. If more organizations
encouraged certifications, this could organically nurture core cybersecurity skills
without requiring more outside hiring.

Employees are taking action to fill these gaps. 56% of cybersecurity professionals
at organizations with critical skills gaps plan to get a vendor-neutral certification
within the next year.

Regions with organizations offering


payment/reimbursement for third-party
certification exams
North America 62% Europe 52%
Asia-Pacific 48% Middle East/Africa 35%
Latin America 33%

Industries with organizations offering


payment/reimbursement for third-party
certification exams

Consulting 67% Financial services 63%


Automotive 40% Construction 36%

ISC2 Cybersecurity Workforce Study, 2023 64


What It Means
for Organizations

Expand Your Definition of Professional Development

Certifications are a foundational aspect of skills development, and organizations play


a crucial role in making them accessible and available to their employees, especially
in an uncertain economic environment. To encourage development from within and
close skills gaps, organizations need to ensure their employees know that they are
serious about their certification development — enough to dedicate time for them to
focus on it.

Here is a key takeaway for companies that want to show their dedication to
employees’ professional development:

• Organizations need more than just money to promote skills growth. Even
amid corporate cutbacks like hiring freezes and layoffs, more than half of
professionals are still offered reimbursements for certification exams by their
organizations. This is an important step toward encouraging skills development,
but to truly signal to your employees that you care about their growth, you need
to give them time to earn it. Reserving specific blocks of study time for certification
or professional development seminars on a biweekly or even monthly basis will
help to signal to your employees that you care about their skills growth. It will also
provide breathing room for employees who feel overworked or those without
the ability to dedicate time outside their workday to focus on training rather than
emails or personal responsibilities.

ISC2 Cybersecurity Workforce Study, 2023 65


Cybersecurity Landscape: Present & Future

Three out of four cybersecurity professionals view the current landscape as the most
challenging it’s been in the past five years. The modern economic environment has
increased the risk of malicious insiders, and staff/skill shortages impede the ability
of cybersecurity teams to properly secure their organizations. As professionals adapt
to today’s challenges, they are also looking to the horizon for emerging threats and
opportunities.

The topic of AI is unavoidable in a conversation about the positive and negative


impacts of tomorrow’s technology. Speculation about its use commands global
attention: Will it become a tool for more efficient threat response or a door to more
sophisticated attacks? Cybersecurity professionals are weighing these potential futures
with cautious optimism to understand and adopt the emerging technology while at the
same time preparing for the potential risks that it could create.

Here is what we learned from cybersecurity professionals who are adapting to today’s
challenges while preparing for the future of work:

• For most, the threat landscape has reached a peak. 75% of all respondents
view the current threat landscape as the most challenging it’s been in the past
five years (see figure 48), and this varies by industry. Respondents from some
industries indicated more sensitivity than others to the modern environment:
those in healthcare (79%), military (79%), energy/power/utilities (79%), government
(78%) and manufacturing (77%) industries agree/strongly agree that they have
reached their peak threat level since 2018. Even those that are less sensitive like
automotive (64%), construction (65%) and telecom (69%) still mostly agree with this
sentiment (see figure 49).

ISC2 Cybersecurity Workforce Study, 2023 66


How strongly do you agree with the following statements related to the state
FIGURE 48

of cybersecurity work?
(Showing Agree/Strongly Agree responses)

75% 70% 52%


The threat We are more carefully I’m worried about our
landscape is the evaluating all third- cybersecurity team’s
most challenging it’s party software and ability to keep our
been in the last five hardware on our organization secure
years network (including during times of
open source) economic uncertainty

52% 52% 43%


My organization has Times of economic During times of
the tools and people we uncertainty have economic uncertainty,
need to ensure we are negatively impacted I feel pressure to come
prepared to respond to my business as to the office rather
cyber incidents over the an independent than work from home
next two to three years security contractor in order to be seen

Base: 13,048-14,093 global cybersecurity professionals


Note: “Don’t know/does not apply” responses were removed from the sample base.

ISC2 Cybersecurity Workforce Study, 2023 67


The threat landscape is the most challenging it’s been in the past five years.
FIGURE 49

(Showing Agree/Strongly Agree responses)

TOP FIVE INDUSTRIES BOTTOM FIVE INDUSTRIES

Healthcare Transportation

79% 70%

Military/military contractor Food/beverage/hospitality/travel

79% 70%

Energy/power/utilities Telecommunications

79% 69%

Government Construction

78% 65%

Manufacturing Automotive

77% 64%

Base: 130-1,239 global cybersecurity professionals in listed industries


Note: “Don’t know/does not apply” responses were removed from the sample base.

Contextualizing the modern threat landscape is key to understanding how to


prepare for it. Ultimately, only 52% of cybersecurity professionals say that their
organization has the tools and people to ensure that they are prepared to respond
to cyber incidents over the next two to three years. The same proportion say that
they worry about keeping their organization secure during times of economic
uncertainty. This uncertainty is more significant among companies who have had
cybersecurity layoffs in the past 12 months (63%) versus those who haven’t had
any layoffs (47%), which prompts the question of whether the security risks of
cybersecurity layoffs are worth the cost savings.

• Staff and skill shortages have shaped the current threat landscape.
In the past 12 months, worker/skills shortages (45%) have been the number one
challenge faced by cybersecurity professionals (see figure 50). Geography is a
key differentiator here, as respondents in North America (55%) have felt a more
significant impact from these shortages than those in other parts of the world like
Europe (42%), the Middle East and Africa (42%), Latin America (32%) and Asia-
Pacific (31%). This contextualizes the roughly 20% workforce gap increase within
North America.

ISC2 Cybersecurity Workforce Study, 2023 68


What were the biggest challenges cybersecurity professionals faced in the
FIGURE 50

past 12 months?
Worker/skill shortages in the workforce
45%
Insider threats
38%
Keeping up with changing regulatory requirements (e.g., PCI v4.0, GPDR, AI regulations,
breach disclosure requirements, etc.)
37%
Risks of emerging technologies like blockchain, AI, VR, quantum computing,
intelligent automation, etc.
36%
Addressing risks from an employee’s home environment
35%
Cyberattacks stemming from cyber operations as a precursor to military conflict,
tactic of military operations or tool of retaliation
31%
Adapting to risks from advances in employee computing technologies
(e.g., increased prevalence of sensors, AI, etc.)
30%
Misinformation and disinformation sowing confusion among executives
and the board about cyber risks
30%
Keeping up with environmental regulatory requirements about cyber risks
19%
Addressing the impact of cyber insurance premium increases on the security
program and practices
19%
Tension between tenured and junior security employees
15%
Base: 14,865 global cybersecurity professionals

Two-thirds of respondents from organizations with significant staff shortages (67%)


say they worry about their team’s ability to keep their organization secure, and 63%
of those with skills gaps agree with the same sentiment (see figure 51). In general,
62% of cybersecurity professionals say that corporate cutbacks like layoffs, budget
cuts and hiring freezes reduce their ability to prepare for future threats.

ISC2 Cybersecurity Workforce Study, 2023 69


I’m worried about our cybersecurity team’s ability to keep
FIGURE 51

our organization secure during times of economic uncertainty.


We do not have any skills gaps. Surplus of Right amount of
cybersecurity staff cybersecurity staff
We have one or more critical skills gaps.
Slight shortage of Significant shortage of
cybersecurity staff cybersecurity staff

26%
13%
15%
Strongly agree Strongly agree 11%
25%
22%

63% 32% 67%


29%
32%
Agree Agree 41%
38%
45%

20%
24%
Neither agree Neither agree 28%
30%
or disagree 21% or disagree
20%

11%
24% 20%
Disagree Disagree 16%
11%
9%

11%
11%
Strongly Strongly 6%
2%
disagree 5% disagree
3%

Base: 7,861-11,915 global cybersecurity professionals


Note: Total percentages may not equal separate values due to rounding.

To future-proof themselves from new threats on the horizon, more organizations


need to encourage and incentivize skills growth from within through certification
programs.

• Malicious insiders are on the rise. 71% of respondents agree that times of
economic uncertainty increase the risk of malicious insiders, which next to staff/
skill shortages were ranked the second biggest challenge (38%) for cybersecurity
professionals in the near term. Even more significant: Half of all cybersecurity
professionals taking part in this study have had personal or secondhand contact
with a malicious insider within the past year (see figure 52).

ISC2 Cybersecurity Workforce Study, 2023 70


In the past year, which of the following threat scenarios have occurred?
FIGURE 52

I don’t know anyone who has been


approached or targeted 50%

Someone I know has been approached by


a malicious actor wanting them to act as a 23%
malicious insider

I have been targeted at work because


of my role within my organization 22%

50%
I have been approached by a malicious actor
wanting me to act as a malicious insider 16%

I have been targeted at home because


of my role within my organization 11%
Security people at orgs
that have had security
Base: 14,865 global cybersecurity professionals
layoffs are 3x more
likely to have been
approached to act as a
malicious insider.

Cybersecurity professionals at organizations that have had layoffs in cybersecurity


are three times more likely to have been approached to act as malicious insiders.
It remains to be seen whether the future of work and the impact of emerging
technologies have a positive or negative impact on this trend.

• Service and manufacturing organizations are better prepared than federally


funded entities for future risk. Cybersecurity professionals working for a diverse
cross-section of industries around the world shared how well-prepared their
organizations are for what the future holds. Most respondents working in the food/
hospitality/travel (60%), construction (59%), entertainment/media (59%), retail/
wholesale (59%) and IT services (57%) industries are confident in their ability to
manage cybersecurity risk in the next two to three years. This confidence contrasts
with government-led and publicly funded institutions like education (42%),
government (45%), military/military contracting (46%), healthcare (46%) and
aerospace (48%) — less than half of whom believe they can withstand future
cyber incidents (see figure 53).

ISC2 Cybersecurity Workforce Study, 2023 71


My organization has the tools and people we need to ensure we are prepared
FIGURE 53

to respond to cyber incidents over the next two to three years.


(Showing Agree/Strongly Agree responses)

TOP FIVE INDUSTRIES BOTTOM FIVE INDUSTRIES

Food/beverage/hospitality/travel Aerospace

60% 48%

Construction Healthcare

59% 46%

Entertainment/media Military/military contractor

59% 46%

Retail/wholesale Government

59% 45%

IT services Education

57% 42%

Base: 129-1,210 global cybersecurity professionals in listed industries.


Note: “Don’t know/does not apply” responses were removed from the sample base

ISC2 Cybersecurity Workforce Study, 2023 72


• Cybersecurity professionals approach AI with cautious optimism. Within
the next two years, roughly half (45%) of cybersecurity professionals surveyed
believe that AI will overtake worker/skill shortages to become the biggest
challenge faced by the industry (see figure 54).

What are the biggest challenges that cybersecurity professionals will have
FIGURE 54

to face over the next two years?

Risks of emerging technologies (e.g., blockchain, AI, VR, quantum computing, intelligent
automation, etc.)
45%

Worker/skill shortages in the workforce


43%

Keeping up with changing regulatory requirements (e.g., PCI v4.0, GPDR, AI regulations,
breach disclosure requirements, etc.)
38%

Cyber attacks stemming from cyber operations as a precursor to military conflict, tactic
of military operations, or tool of retaliation
36%

Insider threats
35%

Adapting to risks from advances in employee computing technologies (e.g., increased


prevalence of sensors, AI, etc.)
34%

Misinformation and disinformation sowing confusion among executives and the board
about cyber risks
27%

Addressing risks from an employee’s home environment


24%

Keeping up with environmental regulatory requirements


20%

Addressing the impact of cyber insurance premium increases on the security program
and practices
18%

Tension between tenured and junior security employees


14%
Base: 14,865 global cybersecurity professionals
Note: Showing top five ranked

ISC2 Cybersecurity Workforce Study, 2023 73


As AI/ML gains prominence, we have learned that employees are much less
prepared to wield and effectively use its power compared with other cybersecurity
competencies. 84% of respondents say that they have no/minimal knowledge or
only some/moderate knowledge of AI/ML (see figure 55). The gap in AI/ML skills
(32%) is second only to the gap in cloud computing security (35%), and based on
the year-over-year rise in demand for these skills among cybersecurity employees,
access to more AI-based professional development is needed immediately.

What is your level of expertise in each of the following areas/skills?


FIGURE 55

I have no/minimal knowledge in this area

I have some/moderate knowledge in this area

I have significant knowledge/am an expert in this area

Artificial intelligence/machine learning

47% 37% 16%


Base: 14,297 global cybersecurity professionals. “Don’t know/does not apply” responses were removed from the sample base

Nevertheless, many cybersecurity professionals are optimistic about the prospects


of AI. Respondents believe that advancements in AI will have one of the top three
most positive impacts on their ability to secure their organization (30%), behind Zero
Trust (34%) and automation (40%) (see figure 56). Anticipating the need to better
understand AI, organizations are taking action to regulate it. 52% of cybersecurity
professionals say their organizations are governing the use of AI internally,
expanding their management of AI, or planning to formally manage AI use within
the next 12 months. This is compared with 45% of respondents who admit that they
need to learn more before diving in (see figure 57).

ISC2 Cybersecurity Workforce Study, 2023 74


Which of the following emerging cybersecurity technologies/architectures
FIGURE 56

do you believe will have the greatest positive impact on your ability to
secure your organization?
Automation in cybersecurity
40%

Zero Trust network access


34%

Advancements in AI
30%

Risk-based vulnerability management


29%

Passwordless authentication
22%

Extended detection and response


22%

Zero Trust edge


19%

Quantum computing
13%

Hardware-based/firmware security
13%

Increase in processing power and speed


12%

Blockchain
10%

Increases in edge computing


10%

Reduction in hardware form factor


9%

Telecommunications improvements (e.g., 6G)


9%

Mobile computing advances


9%
Base: 14,865 global cybersecurity professionals
Note: Showing top three ranked

ISC2 Cybersecurity Workforce Study, 2023 75


How has the increasing use and popularity of modern AI applications
FIGURE 57

(e.g., ChatGPT) impacted your cybersecurity program from a regulatory


standpoint?

21%
Currently regulating

45%
We need to learn more
before regulating 18%
Planning to regulate within
the next 12 months

14%
Expanding regulation

3%
Decreasing/removing regulation

Base: 11,735 global cybersecurity professionals


Note: “Don’t know/does not apply” responses were removed from the sample base; Total percentages may not equal separate values due to rounding.

ISC2 Cybersecurity Workforce Study, 2023 76


What It Means
for Organizations

Preparing for the Future of Work

Cybersecurity professionals are weighing the potential opportunities and threats


of tomorrow’s technology — most notably, the impact of AI. As individuals and
organizations alike approach AI with cautious optimism, one thing becomes
increasingly clear — whether you are investing, regulating or avoiding AI completely,
learning more about it is critical.

Here is our takeaway after speaking with cybersecurity professionals about AI:

• AI education is critical before adoption. 45% of cybersecurity professionals


surveyed believe that within two years, AI will overtake worker/skill shortages
as their top challenge. While we still don’t know the full breadth of AI’s potential
impact on cybersecurity, we do know how little we know about it. 84% of
respondents say that they have no/minimal knowledge or only some/moderate
knowledge of AI/ML, and the gap in AI/ML skills is second only to the gap in cloud
computing security. If the demand for this skill continues to increase, organizations
will be left with no one skilled enough to manage or regulate it. Companies need
to begin offering enterprise-wide AI training programs to nurture expertise on this
emerging technology from within.

ISC2 Cybersecurity Workforce Study, 2023 77


Conclusion

Cybersecurity professionals remain steadfastly focused on defending their


organizations. However, our findings reveal increasingly stressed cybersecurity
teams. Workforce gaps and skills deficits have made their jobs more challenging
than ever. It is time for leaders in the public and private sectors to recognize that
the cybersecurity workforce needs help. It is time to act.

The good news? Our study reveals that proactive organizations and leadership
can make a powerful difference for their cybersecurity teams right now.
Organizations that invest in their teams benefit from more engaged and satisfied
workers dedicated to their mission despite mounting economic pressure, a
heightened threat landscape and the uncertain, looming impact of emerging
technologies such as AI.

Forward-thinking organizations are already shaping the future of cybersecurity


by embracing new pathways into the field, blazing trails for the generations of
cybersecurity professionals who follow. Data shows the powerful impact of more
open-minded hiring practices, DEI initiatives and professional development
reimbursements, as well as the negative impacts of layoffs on morale and
security — but organizations can find a blueprint for success if they act on these
findings. While times of economic uncertainty may result in organization-wide
cutbacks, staffing reductions in cybersecurity contain significant risk. Any short-
term financial gain will likely be quickly negated by financial and reputational loss
from increased cyber risk or long-term vulnerability.

The private sector can’t do it alone. It is also time for lawmakers, policymakers
and regulators around the world to listen to the cybersecurity workforce.
Governments need to coordinate and harmonize efforts because cybersecurity
is a global challenge. Cybersecurity professionals need supportive environments
wherever they work, with sound policies that make sense and don’t add to the
burden of already-understaffed teams. Policymakers are making tremendous
progress in prioritizing cybersecurity, but equally important to the urgency
needed to address these matters is to ensure these efforts become enablers
for cybersecurity professionals and not obstacles. Governments and regulators
must focus on encouraging a skilled workforce, providing the right tools and
resources and most importantly, listening to and heeding professionals’ advice.
Doing so is vital to successfully defending our critical assets around the world.

The 2023 ISC2 Cybersecurity Workforce Study saw our largest participation yet.
Its insights create the foundation for smarter decisions and policies that will
make meaningful and lasting contributions to a safe and secure cyber world.

ISC2 Cybersecurity Workforce Study, 2023 78


Appendix A: Methodology

This year, our method compiles a variety of secondary data sources in combination
with proprietary survey data to create a single, holistic estimate. This tactic of
combining multiple different methodological approaches keeps any single number
from disproportionately influencing the final estimate.

WORKFORCE ESTIMATE METHODOLOGY

The estimate of the global cybersecurity workforce begins with estimates of the US
workforce, as the US provides a crucial combination of a robust sample and reliable
secondary data sources. The US estimate is derived from three main methodological
groups:

1. Survey-based estimates. Survey data on the number of cybersecurity


professionals who are employed by organizations is combined with secondary
data estimates of the number of US business entities in various size
strata. These secondary sources include: the US Bureau of Labor Statistics’
Quarterly Census of Employment and Wages; the US Census’s Statistics of US
Businesses Survey; and the US Census’s County Business Patterns study.

2. Third-party estimates. Various estimates of related populations were


modified based on survey findings to match our estimation criteria. This
includes the US Bureau of Labor Statistics’ estimate of cybersecurity analysts.

3. Trending estimates. Previous years’ estimates were trended using multiple


methodologies to provide expected estimates for this year’s numbers.

The US estimate provides a baseline for the estimates of the rest of the world.
Estimates for other countries used similar methods except replacing third-party
estimates for estimates derived from the US baseline; most countries did not have
reliable third-party estimates. The secondary data estimates for countries outside
of the US came primarily from the Organisation for Economic Co-operation and
Development (OECD). China and India, while included in the gap estimate, were
excluded from the workforce estimate due to a lack of reliable secondary sources.

ISC2 Cybersecurity Workforce Study, 2023 79


GAP ESTIMATE METHODOLOGY

The workforce gap used similar approaches to the estimate of the total cybersecurity
workforce. A combination of survey-based, trending and third-party methodologies
provided the US estimate, which was then used as the baseline for the rest of the
world. The basic calculation for the workforce gap comes down to: gap equals demand
minus supply.

U.S. ESTIMATE REST OF WORLD ESTIMATE

• Survey-based estimates • Survey-based estimates

• Third-party estimates • U.S. baseline estimates

• Trending estimates • Trending estimates

• Demand is defined as the number of cybersecurity jobs organizations would like


to employ over the next year minus the number of current workers.

• Supply is defined as the number of workers who will enter the field over the next
12 months minus the number of workers who will leave the field.

In total, this makes the equation for calculating the gap: workforce gap equals (total
demand over the next 12 months minus the current workforce) minus (number of
workers entering the field minus number of workers leaving the field).

WORKFORCE
GAP = DEMAND - SUPPLY

TOTAL
DEMAND - CURRENT
WORKFORCE NUMBER OF NEW
CYBERSECURITY
-
NUMBER OF
WORKERS
LEAVING
WORKERS
CYBERSECURITY

ISC2 Cybersecurity Workforce Study, 2023 80


Appendix B: Study
Participant Demographics

COMPANY SIZE INDUSTRY (TOP 10 SHOWN)

20,000 or more 24% IT services 23%

10,000-19,999 8% Financial services 11%

5,000-9,999 9% Government 10%

2,500-4,999 9% Consulting 7%

1,000-2,499 11% Military/military contractor 7%

500-999 10% Healthcare 4%

250-499 7% Telecommunications 4%

100-249 7% Manufacturing 4%

50-99 5% Security software/hardware 4%


development
20-49 3%
Education 3%
10-19 2%

5-9 1%

2-4 1%

1 (independent contractor ROLE (TOP 10 SHOWN)


2%
or self-employed) 7%
Security consultant/advisor

IT security manager 7%

IT manager 7%

RESPONDENT LEVEL Security engineer 7%

C-level executive 5% Security architect 5%

Executive management 6% IT security director 5%

Director/middle manager 19% IT director 5%

Manager 22% Security analyst 4%

Non-managerial mid- 39% CISO 4%


or advanced-level staff
Security specialist 3%
Entry/junior-level staff 4%

Independent contractor/ 4%
consultant

ISC2 Cybersecurity Workforce Study, 2023 81


DEPARTMENT FULL TIME/PART TIME

IT 44% Employed/self-employed full-time 93%

Security/privacy 56% Employed/self-employed 3%


part-time

Retired 1%

Not currently working/ 1%


INTERNAL/EXTERNAL unemployed

Internal security staff Prefer not to answer 1%


61%
for my organization

Security consultant 22%


or consultancy

External security service provider TIME SPENT ON SECURITY


(e.g., MSSP, external SOC, 12%
independent contractor etc.) 100% of a typical week 18%

Other 6% 75%-99% 22%

50%-74% 25%

25%-49% 21%

1%-24% 13%
HIRING AUTHORITY

I make final decisions 25%


about hiring

I am part of a team that 25% AGE


makes hiring decisions
74 or older 0.2%
I interview candidates and
influence decisions but do 26% 65-73 2.0%
not make final decisions
60-64 4.4%
I do not have hiring authority
or influence over decisions 24% 55-59 8.5%
about hiring
50-54 12.2%

45-49 15.5%

39-44 20.7%

35-38 13.0%

30-34 11.9%

23-29 6.7%

Under 23 0.3%

ISC2 Cybersecurity Workforce Study, 2023 82


COUNTRY STATE (TOP 20 SHOWN)

United States (US) 40% Virginia 9%

United Kingdom (UK) 7% Texas 9%

Japan 6% California 8%

Canada 5% Maryland 6%

China 4% Florida 6%

Singapore 3% Colorado 4%

Germany 3% New York 4%

India 3% Georgia 4%

Australia 3% Washington 3%

Netherlands 3% Illinois 3%

South Korea 2% Pennsylvania 3%

France 2% Ohio 3%

Spain 2% North Carolina 3%

Brazil 2% Massachusetts 2%

South Africa 1% Arizona 2%

Republic of Ireland 1% New Jersey 2%

United Arab Emirates 1% Minnesota 2%

Mexico 1% Washington, DC 2%

Saudi Arabia 1% Michigan 2%

Nigeria 1% Alabama 2%

Hong Kong 1%

Switzerland 1%

Taiwan 1%
GENDER OF RESPONDENTS
Other 3%
Female 16%

Male 77%

Intersex 0.2%

Transgender 0.3%

Nonbinary 0.3%

Prefer to self-describe 0.2%

Prefer not to say 6%

Note: Percentages may not total 100 due to rounding.

ISC2 Cybersecurity Workforce Study, 2023 83


Appendix C: Supplemental Material

ABOUT ISC2

ISC2 is the world’s leading member organization for cybersecurity professionals,


driven by our vision of a safe and secure cyber world. Our more than 500,000
members, candidates and associates around the globe are a force for good,
safeguarding the way we live. Our award-winning certifications — including
cybersecurity’s premier certification, the CISSP® — enable professionals to
demonstrate their knowledge, skills and abilities at every stage of their careers.
ISC2 strengthens the influence, diversity and vitality of the cybersecurity profession
through advocacy, expertise and workforce empowerment that accelerates cyber
safety and security in an interconnected world. Our charitable foundation, The Center
for Cyber Safety and Education, helps create more access to cyber careers and
educate those most vulnerable. Learn more and get involved at ISC2.org. Connect
with us on X, Facebook and LinkedIn.

ABOUT THE ISC2 CYBERSECURITY WORKFORCE STUDY

ISC2 conducts in-depth research into the challenges and opportunities facing the
cybersecurity profession. The ISC2 Cybersecurity Workforce Study is conducted
annually to assess the cybersecurity workforce gap, to better understand the barriers
facing the cybersecurity profession and to uncover solutions that enable individuals
to excel in their profession, achieve their career goals and better secure their
organizations’ critical assets.

The 2023 ISC2 Cybersecurity Workforce Study is based on online survey data collected
in collaboration with Forrester Research, Inc. in April and May 2023 from 14,865
individuals responsible for cybersecurity at workplaces throughout North America,
Latin America (LATAM), the Asia-Pacific region (APAC) and Europe, Africa and the
Middle East (EMEA). Respondents in non-English-speaking countries completed a
locally translated version of the survey.

Learn more at www.isc2.org/research.

© 2023 ISC2 Inc., ISC2, CISSP, SSCP, CCSP, CGRC,


CSSLP, HCISPP, CISSP-ISSAP, CISSP-ISSEP, CISSP-
ISSMP and CBK are registered marks, and CC is a
service mark of ISC2, Inc.

ISC2 Cybersecurity Workforce Study, 2023 84

You might also like