Cybersecurity Labor Shortage Grows Worse in U.S. And Worldwide: Report

The number of unfilled security jobs across the globe increased to 3.4 million over the past year, up 26.2 percent, according to new survey


Despite the training and hiring of hundreds of thousands of new workers, the cybersecurity industry’s labor shortage is only growing worse, not better, according to a new report.

The International Information System Security Certification Consortium, known as ISC2, reports that a survey of 11,799 cybersecurity professionals shows that the total global workforce for security personnel rose over the past year to 4.6 million people, a jump of 11.1 percent.

The U.S. cybersecurity workforce grew to 1.2 million, up 5.5 percent, according to the report by ISC2, a nonprofit based in Alexandria, Va.

Sponsored post

[RELATED STORY: The 10 Hottest Cybersecurity Startups In 2022 (So Far)]

The workforce increases are a direct result of the strong demand by customers for security tools and services amid a worldwide spike in cyberattacks.

But as hundreds of thousands of people were recruited into the cybersecurity industry over the past year, demand for talent continues to outstrip supply, as companies around the world scramble to shore up their security defenses.

As a result, the total number of needed cybersecurity personnel across the globe rose to 3.4 million, up 26.2 percent, according to the ISC2 survey.

In the U.S., the number of unfilled jobs rose to 410,695, up 9 percent.

The need for workers is most critical in the Asia/Pacific region, where the number of needed workers rose to 2.1 million people over the past year, up 52.4 percent, according to the ISC2.

“The findings show that we are in dire need of cybersecurity professionals to enter the field,” Char Rosso, chief executive of ISC2, told CRN in an email interview. “Although we have added 464,000 cybersecurity professionals to the field this year alone – the workforce gap continues to grow as organizations realize the strategic importance of building their cybersecurity capabilities.”

Rosso added that “hiring managers have told us they need entry- and junior-level team members with broad foundational skills across many areas.”

She added: “Specifically, we have seen that cloud security skills and experience are in high demand. Our CCSP certification is one of our most popular certifications, and it is designed for individuals wanting to advance in cloud security and architecture.”

Rosso also noted that organizations have reported that they lack sufficient cybersecurity personnel among all key National Initiative for Cybersecurity Education (NICE) categories. “The largest shortage they face is professionals in investigative roles such as cyber investigation and digital forensics.”

One way to close the hiring gap is for cybersecurity companies to broaden their search field for new workers, Rosso said.

“To make significant inroads into decreasing the cybersecurity workforce gap, we need to recruit individuals from non-traditional backgrounds and remove economic and experience barriers that may be artificially limiting the growth or recruitment of the profession,” Rosso said.

“Specifically, we need to bring greater diversity into the profession to solve the complex challenges within our industry.”

Kevin McDonald, chief operating officer and CISO at Alvaka Networks, an Irvine, Calif.-based MSP and ransomware specialist, agreed that the cybersecurity sector needs to think differently about how and who it hires.

“As an industry, we need to mentor people up and bring in more women,” said McDonald, who also serves as co-chair of the CompTIA Cybersecurity Advisory Council.

He said demand for security products and services just keeps growing.

“Companies that have been in denial for decades about their security needs are now saying, ‘Oh, we have to do something,’ he said. “Unfortunately, there’s not enough workers in the pipeline.”

In its survey, ISC2 found that 20 percent of respondents said the lack of workers put their organizations at “extreme risk,” while 54 percent said it put organizations at “moderate risk.”

According to survey results, the labor shortage is specifically interfering with security categories such as risk assessment and management; the patching of critical systems; and training of workers, among other categories.

One survey result in particular perplexed Rosso.

She noted that the report clearly shows that a “company culture” heavily defines an employee’s experience and satisfaction at a firm.

“(But) what surprises me the most is that many organizations are not necessarily doing what is most impactful when it comes to supporting their security teams and employees,” she told CRN. “Only 28% of cybersecurity professionals report their organizations actively listen to and value the input of all staff.”

Though overall employee satisfaction is considered high within the cybersecurity industry, Rosso said the last thing employers need to do is alienate workers amid a labor shortage.

“Those who are not satisfied with the cultural aspects of their job share that it affects their work and response to cybersecurity incidents, and they are looking for new jobs,” Rosso said.