Growth of the global cybersecurity workforce has slowed for the first time in six years, according to new research, while cyber threats show no signs of slowing.
ISC2’s Cybersecurity Workforce Study found the global workforce amounted to 5.5 million people, marking a 0.1% year on year increase, whereas the labor pool had grown by as much as 8.7% year on year in 2023.
This makes 2024 the first year in which the cyber workforce has slowed in the six years since ISC2 began estimating the workforce size in 2018.
The cybersecurity workforce gap reached a new high with approximately 4.8 million professionals needed to effectively secure organizations around the world, marking a 19% year on year increase.
ISC2 noted that for the first time, respondents cited a ‘lack of budget’ as the primary factor driving their staff shortages, overtaking the ‘lack of qualified talent’, which participants have pointed to in previous years.
For example, 37% of respondents reported they had their budgets cut in the last year, up 7% year on year.
Budget pressures also came in the form of layoffs to security teams, which affected a quarter of the participants in the survey. A further 38% of cyber professionals said they had experienced hiring freezes at their organization, which represents a 6% increase from 2023.
Similarly, almost one third (32%) of participants reported seeing fewer promotions at their company during this period.
The slowdown comes at a time cyber attacks are coming thick and fast, with 74% of cyber practitioners and IT decision-makers stating that the 2024 threat landscape was the most challenging it has been in the last five years.
Speaking to ITPro, Andrew Johnston, head of training at IT Governance Ltd, expressed his concern that budget constraints have overtaken a lack of cyber talent as the primary reason behind staff shortages..
“The fact that these shortages are due to budget cuts, rather than a lack of available talent, is worrying. Organizations (should) know the risks, yet many aren’t investing in building strong security teams,” he warned.
“With attacks increasing, the demand for skilled professionals is higher than ever, and without enough people on the front lines, the gap between attackers and defenders continues to widen. This will inevitably lead to more breaches, slower response times, and overstressed teams.”
Johnston said it’s time businesses recognized the importance of security in their budget allocations and urged leaders to invest in upskilling staff.
“Businesses need to prioritize cyber security in their budgets and get creative – whether that’s promoting internal talent or using automation and AI to handle routine tasks like monitoring and alerts. This gives security teams more time to focus on critical issues.”
UK sees largest decline in cyber workers around the world
Notably, a number of nations saw their cyber workforce shrink over the course of 2024, according to ISC2 estimates, including Canada, Germany, Mexico, the UK, and the US.
The number of UK cyber professionals dropped from 367,300 to 349,360 over the year, falling by almost 5%, the largest contraction around the world.
Moving to the US, American cyber workers numbered 1,338,507 in 2023, and shrunk by 3% to 1,298,804 in 2024, but despite the decrease the region still held the largest active cyber workforce in the world.
Matt Middleton-Leal, managing director EMEA at Qualys, told ITPro the most significant implication of shrinking cyber workforces will be increased risk of burnout in understaffed security teams, which security leaders will need to take into account.
“The biggest issue will be the risk to the team around burnout or losing people as they quit the industry. Those that are in jobs will have to deal with more threats, and that could lead to missed opportunities to stop breaches or prevent attacks. The challenge here is how to help security teams prioritize risks for their organizations based on what they use,” he explained.
“For CISOs, getting their boards to understand these risks and what the team is doing to prevent them is essential. It can flag what the team is able to achieve, but also point to where more resources are needed to eliminate risks. This communication element will be important for the future, where budgets are tight and where recruitment is most necessary.”
Cyber teams have no young talent coming through the door
The workforce deficit was not the only gap on the front of security practitioner’s minds, ISC2 noted, adding that skills shortages continue to plague organizations around the world.
More than half (58%) of the participants indicated that they faced skills shortages at their organization, while 64% said skills gaps present a greater challenge to securing businesses than staffing shortages.
Respondents cited AI (34%), cloud security (27%), zero trust implementation (27%), and application security (24%) as the top areas where skills gaps are being felt the most hardest.
The result is that security teams are experiencing a dearth of new talent coming through the door. Nearly one-third of participants added that their security teams had no entry-level professionals on their teams, and 15% said they had no junior level professionals (those with 1 – 3 years of experience).
In addition, hiring managers, 62% of which reported having open roles in their teams, said they were focusing on hiring mid to advanced-level roles rather than a broad mix of experience and abilities.
ISC2 argued this demonstrates that a large swathe of organizations do not have a steady flow of cyber professionals who can “develop their foundational skillset in-house to bolster existing teams and instead are relying solely on hiring pre qualified talent.”
