Cybersecurity Skills Gap Statistics [2026]: The Real Data

📊 Cybersecurity Skills Gap: Key Numbers (2026)

The cybersecurity skills shortage dominates industry discussion, but the data tells a more complex story than the headlines suggest. ISC2 reports a 4.8 million workforce gap, but that number measures organizational aspiration, not labor market reality. CyberSeek tracks 514,359 actual US job postings. The gap grew 19.1% in 2024 while 25% of organizations simultaneously laid off cybersecurity staff. If you're evaluating whether cybersecurity is in demand, the answer is yes — but with significant caveats about what kind of demand and where.

90% of organizations report at least one skills gap on their teams (ISC2 2024), and only 14% say they have the talent they need (WEF 2025). But for the first time in ISC2's tracking history, budget replaced talent as the primary staffing barrier. The cybersecurity job market is constrained by funding, not just by a shortage of qualified people.

📈 The Gap by the Numbers: ISC2 Data Explained

ISC2's Cybersecurity Workforce Study is the most-cited source on the cybersecurity workforce shortage. In 2024, they surveyed 15,852 practitioners and decision-makers globally (conducted by Forrester Research). The headline: 4,763,963 unfilled positions, up 19.1% year-over-year. The global workforce reached 5,468,173, growing just 0.1% — the slowest rate since tracking began. Total demand: 10.2 million professionals. The workforce would need to grow 87% to close the current gap.

How ISC2 calculates the gap: They use OECD and BLS data as a baseline, then survey respondents about how many cybersecurity professionals their organization needs versus has. The gap equals demand (what organizations want over 12 months) minus supply (workers entering minus departing). It measures underlying organizational need, not active job postings. Most countries' estimates are extrapolated from the US baseline. ISC2's own CISO, Jon France, acknowledged: "That doesn't mean there are 4.8 million jobs out there."

The Ira Winkler controversy: In October 2024, renowned cybersecurity professional and CISO at CYE wrote an open letter to ISC2's board accusing them of "knowingly pushing a false narrative of a plentiful job market." He pointed to stagnant actual employment while ISC2 promoted a 4.8M gap, and conducted discussions with "dozens of unemployed cybersecurity professionals." ISC2 subsequently dropped the gap number entirely from their 2025 study, shifting focus to "critical skills as more important than the need for more people."

Workforce Growth Rates by Region (2024)

The workforce growth data is striking: North America, Europe, and Latin America are all contracting their cybersecurity workforces while reporting growing gaps. Only Middle East & Africa and Asia-Pacific show meaningful growth. The global 0.1% growth rate — the slowest since ISC2 began tracking — reflects budget-driven workforce reductions in Western markets, not an inability to find talent.

ISC2 Gap Timeline

🔍 Cybersecurity Skills Shortage: Skills Gap vs Staffing Gap vs Hiring Gap

Most articles treat "the cybersecurity skills gap" as a single problem. It's actually three distinct issues with different causes and different solutions:

Conflating these three gaps into a single "4.8 million shortage" obscures the real solutions. Training existing staff (skills gap), funding positions (staffing gap), and reforming hiring practices (hiring gap) are fundamentally different interventions. The data suggests hiring practices and budget allocation deserve far more attention than they currently receive in the cybersecurity hiring debate.

Indeed Job Postings Index: What Employers Are Actually Doing

Indeed Hiring Lab publishes a Job Postings Index tracking employer activity across sectors (Feb 2020 = 100 baseline). The data paints a starkly different picture from the "millions of unfilled positions" narrative.

Software development postings peaked at 233.92 in 2022-02. They've since collapsed to 70.92 — 29% below pre-pandemic levels. IT Systems & Solutions followed a nearly identical trajectory: peak of 197.27, now 71.93 (28% below baseline). Data & Analytics fared worst at 61.74 (38% below baseline).

Only Security & Public Safety remains above baseline at 113.3 — but it has dropped 36% from its 2022 peak.

Important caveat: Indeed's "Security & Public Safety" primarily covers physical security (security officers, guards), not cybersecurity. Cyber roles are spread across Software Development (security engineers), IT Systems (SOC analysts), and Management (CISOs). This data doesn't isolate cybersecurity postings directly. But the broader IT job market contraction across every tech-adjacent sector provides important context for evaluating claims of millions of unfilled positions.

Source: Indeed Hiring Lab, Job Postings Index (Feb 2020 = 100). Data: hiring-lab/job_postings_tracker on GitHub (CC-BY-4.0).

Indeed Wage Tracker: Are Security Wages Spiking?

Wages are the clearest market signal. If employers were truly desperate, wage growth would be sustained. It's not.

Indeed's Wage Tracker for Security & Public Safety peaked at 12% YoY in Jan-22. By mid-2023 it was 5–7%. As of Feb-26: 2% YoY — back to pre-pandemic levels. Barely above inflation.

Important caveat: Indeed's "Security & Public Safety" wage data covers the broader security sector (mostly physical security), not cybersecurity specifically. It serves as a directional indicator of the broader security labour market, not a precise cybersecurity wage measure. Source: Indeed Hiring Lab Wage Tracker (CC-BY-4.0).

Wage growth tells the real story. Indeed's Wage Tracker for Security & Public Safety shows growth peaked at 12% YoY in Jan-22. It has since declined to 2% YoY by Feb-26 — back to pre-pandemic levels. If employers were truly desperate to fill millions of positions, wages would still be spiking. They're not. Caveat: this covers "Security & Public Safety" broadly (mostly physical security), not cybersecurity specifically. But as a directional indicator, it reinforces the pattern: the hiring frenzy peaked in 2022 and has not returned.

UK Indeed Data: The Pattern Is Global

The job market contraction is not a US anomaly. Indeed's UK Job Postings Index shows an even steeper decline. Every tech-adjacent sector in the UK is now below pre-pandemic levels — including Security & Public Safety, which in the US remains slightly above baseline.

Source: Indeed Hiring Lab, UK Job Postings Index (Feb 2020 = 100). Data: hiring-lab/job_postings_tracker on GitHub (CC-BY-4.0). Same sector caveats apply — "Security & Public Safety" covers physical security broadly, not cybersecurity specifically.

The UK pattern is worse. UK Software Development postings sit at 63.25 (37% below baseline) vs US 70.92. UK IT Systems at 64.66 vs US 71.93. Even UK Security is at 78.21 (22% below baseline), while the US equivalent remains at 113.3 (13% above). The job market contraction is global, not a US anomaly.

CyberSeek US Heatmap: Where the Jobs Actually Are

CyberSeek (powered by CompTIA and NIST/NICE) tracks actual cybersecurity job postings at the state level. The distribution is heavily concentrated: the top five states — Virginia, California, Texas, Maryland, and Florida — account for roughly 37% of all US cybersecurity postings. Virginia's dominance (#1 by a wide margin despite being the 12th most-populous state) reflects federal spending: the NSA, Cyber Command, CISA, and major defense contractors are concentrated in Northern Virginia and the DC metro area. The national supply-demand ratio is 74 workers per 100 openings.

Source: CyberSeek / NIST (2025). Hover over states on the map above for individual figures. Top 5 states verified from CyberSeek; remaining states are directional estimates based on CyberSeek proportional data.

💻 Most In-Demand Cybersecurity Skills (2026)

AI/ML security tops the demand list at 41% (ISC2 2025), up from 34% in 2024. Cloud security follows at 36%, risk assessment at 29%, application security at 28%, and security engineering and GRC at 27% each. 97% of organizations are using or planning AI-enabled cybersecurity solutions (Fortinet 2025), but 67% note a shortfall in AI skills investment (WEF 2025) and only 37% have processes to assess AI security risks (WEF 2025).

ISC2's 2025 Hiring Trends Study revealed that hiring managers rank non-technical skills higher than expected. Teamwork, problem-solving, and analytical thinking outranked data security and cloud security. ISACA found 59% of organizations identify soft skills — critical thinking, communication, problem-solving — as their primary gap concern. The cybersecurity skills shortage isn't just about technical expertise.

Top Skills Demand Ranking (ISC2 2025 vs 2024)

The year-over-year shift is telling. AI/ML jumped 7 percentage points in a single year to claim the #1 position. Cloud security rose 6 points. Risk assessment, application security, and GRC appeared as newly prominent categories in 2025, reflecting the growing regulatory burden (NIS2, DORA, SEC cyber rules) and the shift-left movement in development. DFIR and zero trust dropped from the top rankings — not because demand disappeared, but because AI/ML and cloud absorbed so much more attention. The market increasingly rewards multi-disciplinary professionals who combine technical depth with business risk understanding.

🚫 The Entry-Level Paradox: Why Cybersecurity Jobs Are Hard to Get

If there's a massive cybersecurity workforce shortage, why can't entry-level candidates find jobs? Because the pipeline is broken by design. 38% of employers require CISA for entry-level roles — a certification that itself requires five or more years of auditing experience. 34% expect CISSP for entry-level, which similarly demands five years. ISC2's own Hiring Trends Study found that only three certifications actually align with entry/junior levels: ISC2 CC, CompTIA Security+, and CompTIA CASP+.

31% of security teams have zero entry-level professionals (ISC2 2024). UK DSIT data shows entry-level job postings for candidates with less than one year of experience dropped from 25% to 17% of all cyber postings since 2022. Enterprises training non-security staff for security roles fell from 41% to 29% (ISACA 2025). The cybersecurity job market is simultaneously claiming a shortage while shrinking the entry point.

Here's the contradiction the data exposes: when companies do hire entry-level, 81% of those hires are productive within a year (ISC2 2025). Training costs are modest: 31% under $1,000, 45% between $1,000 and $4,999. And 46% of current cybersecurity staff transitioned from non-security roles (ISACA 2025). The talent pool is available. The investment is affordable. The outcomes are proven. The barrier is employer willingness.

🌍 Unfilled Cybersecurity Positions by Region

Asia-Pacific accounts for more than 70% of the global workforce gap (ISC2 2024). China alone has a 2.05M gap (+19% YoY) and India 1.07M (+35.9%). Both countries are digitalizing faster than their security workforces can scale. North America's gap is 522K (+19.7%), but the workforce contracted 2.7% — not from lack of talent but from budget cuts and layoffs. Europe's gap is 348K, with the EU facing a 300,000 shortage (ENISA). The workforce contracted 0.7%.

Latin America is the only region where the gap significantly shrank (-32.5%), and Middle East & Africa has the fastest workforce growth (+7.4%). The global "4.8 million" figure is overwhelmingly an APAC-driven number that doesn't reflect the realities in Western labor markets.

Country-Level Gap Breakdown

Japan's gap surged 53.8% — the fastest growth of any major economy — driven by digital transformation in a traditionally conservative tech adoption environment. India's 35.9% growth reflects the country's booming IT services sector creating cybersecurity demand that outpaces local training capacity. The US gap grew a relatively modest 4.4%, but the 1.3M US workforce actually contracted 3.0% — meaning the gap widened because the workforce shrank, not because demand grew dramatically.

US CyberSeek Data: Where the Jobs Actually Are

The top 5 US states account for 37% of all cybersecurity job postings (CyberSeek 2025). Virginia and Maryland's dominance reflects the federal government and defense contractor ecosystem around Washington D.C. Only 8% of Fortune 100 cybersecurity roles offer fully remote positions — geographic barriers compound the skills gap for candidates who cannot relocate to these hubs.

🇬🇧 UK-Specific Data

The UK presents a fascinating case study in methodology differences. ISC2 estimates the UK gap at 93,000. The UK government's own DSIT survey (conducted by Ipsos, published September 2025) puts it at 3,800. 143,000 individuals are employed in cybersecurity roles (up 5% YoY). 49% of UK businesses report basic technical skills gaps. Core cybersecurity job postings fell 33%. Women represent just 17% of the UK cybersecurity workforce (12% in senior positions, versus 48% in the wider UK workforce).

Indeed Job Postings by Country: Software Development

Indeed Hiring Lab tracks job postings across 10 countries with sector-level data available for six. The Software Development sector — which includes many cybersecurity engineering roles — shows deep contractions in every Western market except Australia. Germany and France are hit hardest, with postings at roughly half of pre-pandemic levels.

Index: Feb 2020 = 100. Values below 100 indicate fewer job postings than pre-pandemic. Source: Indeed Hiring Lab (CC-BY-4.0).

Indeed Job Postings by Country: Security & Public Safety

The Security & Public Safety sector (which covers physical security more than cybersecurity) paints a different picture. Australia, Germany, France, and the US all remain above pre-pandemic levels. The UK is the notable outlier — security postings are 22% below baseline, suggesting the UK's security hiring contraction is broader than just tech roles.

Index: Feb 2020 = 100. Values above 100 indicate more postings than pre-pandemic. Source: Indeed Hiring Lab (CC-BY-4.0).

Aggregate Job Postings: Full 10-Country View

For countries without sector-level data, aggregate job postings provide a market-level signal. Italy, Spain, and Ireland show total job postings well above pre-pandemic levels, while the Netherlands has recovered to roughly baseline. This contrasts sharply with the software development contraction visible in the US, UK, Germany, and France.

Aggregate total postings (seasonally adjusted). Index: Feb 2020 = 100. GB data last updated Aug 2024. Source: Indeed Hiring Lab (CC-BY-4.0).

💰 Skills Gap Cost to Organizations

Let me be blunt: the financial cost of understaffing is measurable. IBM's 2024 data shows organizations with high staffing shortages pay $5.74 million per breach. Those with low or no shortages: $3.98 million. That's a $1.76 million premium — a 44% cost increase directly attributable to understaffing. If you're building a business case for cybersecurity headcount, this is the number that resonates with CFOs.

Fortinet's 2025 data reinforces this. 86% of organizations experienced at least one breach, up from 80% in 2021. 28% reported five or more breaches. 54% cite lack of skills as a leading breach cause. 52% say incidents cost over $1 million. Organizations with critical skills gaps are nearly twice as likely to experience material breaches: 22% versus 17% (ISC2 2024).

💸 Budget vs Talent: The Real Barrier to Cybersecurity Hiring

For the first time in ISC2's tracking history, "lack of budget" replaced "lack of qualified talent" as the number one cause of staffing shortages. This is a seismic shift in the narrative. 37% of organizations faced budget cuts (up 7% from 2023). 38% were under hiring freezes. 25% reported cybersecurity layoffs (up 3% from 2023). Enterprise organizations (10,000+ staff) were hit harder: 32% reported layoffs versus 17% at smaller organizations.

The data is clear: the workforce gap widened 19% while organizations were cutting positions. How? The gap measures perceived need, not funded positions. When ISC2 asks "how many cybersecurity professionals do you need?" the answer is aspirational. When CFOs ask "what can we afford?" the answer is layoffs and hiring freezes. Certification funding dropped from 89% (2023) to 73% (2025, Fortinet). The organizations that say they want cybersecurity talent are investing less in developing it.

Retention compounds the problem. 50% of organizations struggle to keep cyber talent (ISACA 2025). Top reasons people leave: poaching (50%), poor pay (50%), limited advancement (46%), high stress (46%). 66% report increased role stress versus five years ago. This isn't just a hiring problem. It's retention, funding, and organisational commitment.

Top Reasons Cybersecurity Workers Leave

Many cybersecurity vacancies are self-inflicted. Organizations cut budgets, freeze hiring, reduce training investment, and then cite a "skills shortage" when experienced staff leave for competitors offering better pay. ISACA found that 50% of departures are to competing employers and 50% cite poor financial incentives. These are retention failures dressed up as supply problems. The $1.76M extra per breach from understaffing should make the ROI case for competitive compensation straightforward — yet budget remains the #1 barrier.

📜 Certifications and the Cybersecurity Skills Gap

89% of IT decision-makers prefer candidates with certifications (Fortinet 2025). Yet 52% of employers cite a gap between what certifications validate and the practical skills they actually need (Kaspersky 2024). Certification funding declined from 89% to 73% of organizations — a budget squeeze that undermines the very credential system employers say they value.

CyberSeek data reveals a severe supply-demand mismatch in specific certifications. CISM has 44,347 job postings but only 20,300 holders (2.2x gap). CISA has 52,337 postings against 35,812 holders (1.5x gap). Meanwhile, CompTIA Security+ has 265,992 holders against 70,019 postings (3.8x oversupply). The shortage isn't in certified people generally — it's in specific mid-to-senior certifications that require years of experience. Forrester notes that "certification-first training models" have limits, and skills-based assessments are rising as an alternative evaluation method.

Certification Supply vs Demand

The certification supply-demand data (CyberSeek 2025) reveals the real story: CISM and CISA — governance and audit certifications that require years of management experience — have genuine shortages. CISSP and GIAC are roughly balanced. And Security+ has a massive oversupply (3.8x more holders than postings), which explains why entry-level candidates with Security+ still struggle to find roles despite holding the most-recommended entry credential. The shortage is at the experience tier, not the entry tier.

🤖 AI and the Cybersecurity Skills Gap

AI is simultaneously creating and collapsing the cybersecurity skills gap. On the demand side, AI/ML is the #1 skills need at 41% (ISC2 2025). 97% of organizations are using or planning AI-enabled security solutions (Fortinet 2025). 67% note a shortfall in AI skills investment (WEF 2025). 48% identify "lack of staff with sufficient AI expertise" as the biggest AI implementation challenge (Fortinet 2025).

On the supply side, AI is a potential equalizer. 63% of cybersecurity professionals report "significant productivity boost" from AI tools (ISC2 2025). Gartner predicts that by 2028, GenAI adoption will collapse the skills gap, removing the need for specialized education from 50% of entry-level cybersecurity positions. 73% of professionals believe AI will create specialized cybersecurity roles (ISC2 2025), while 91% of WEF focus group participants agree AI will generate novel roles.

The net effect: the gap is shifting from "more bodies" to "different skills." Entry-level roles that primarily involve monitoring and triage are most vulnerable to AI displacement. Mid-to-senior roles requiring judgment, context, and adversarial thinking are likely to see increased demand. The organizations investing in AI now may find their cybersecurity jobs statistics look very different in two years.

👥 Diversity and the Cybersecurity Workforce

Women represent 22% of the global cybersecurity workforce (ISC2 2024). In the UK, it's 17% — with only 12% in senior positions, compared to 48% in the wider UK workforce (DSIT 2025). An industry claiming a massive talent shortage while drawing from only half the population is leaving its biggest talent pool untapped.

Age demographics are shifting. The 39-49 age group nearly doubled from 18% to 35% of new entrants between 2022 and 2024 (ISC2), reflecting mid-career changers entering cybersecurity. 46% of current cybersecurity staff transitioned from non-security roles (ISACA 2025). The talent pipeline isn't empty — it's being underutilized. Training programs are oversubscribed, and diversity improves cyber resilience by reducing shared blind spots in homogeneous teams.

Homogeneous teams share blind spots. A security team composed entirely of people with similar backgrounds, education paths, and cognitive frameworks will consistently miss threat vectors that fall outside their shared assumptions. Diversity in cybersecurity isn't just an equity issue — it's a security effectiveness issue. The Code First Girls initiative and similar programs have demonstrated that the talent supply exists: cybersecurity training programs are oversubscribed. The bottleneck is on the employer side, not job seekers.

The industry is slowly recognizing non-traditional pathways. 46% of current cybersecurity professionals came from non-security roles (ISACA 2025), proving that career changers succeed in cybersecurity. Managed security services are growing at 11.1% in 2026 (Gartner), partly because organizations outsource to service providers who have already built diverse, experienced teams rather than building their own from scratch.

🎯 What Organizations Are Doing About the Cybersecurity Talent Shortage

Despite the narrative, organizational responses are mixed. On the positive side, 76% of boards increased cybersecurity focus in 2024 (Fortinet). 96% view cybersecurity as a business priority and 95% as a financial priority. 97% are deploying or planning AI-enabled security solutions. BLS projects 29% job growth for information security analysts through 2034 — the fifth-fastest of all occupations. Some organizations are relaxing requirements: 84% now use skills-based assessments for junior roles rather than relying solely on credentials (ISC2 2025).

On the negative side, internal training pathways are declining. Organizations training non-security staff for security roles dropped from 41% to 29% (ISACA 2025). Certification funding fell from 89% to 73% (Fortinet 2025). Budget cuts affected 37% of organizations, and hiring freezes hit 38%. The organizations that are investing in workforce development are seeing results — 81% of entry-level hires reach independence within a year — but fewer organizations are making that investment. The cybersecurity job market rewards those willing to invest in talent, but many still prioritize impossible credentials over trainable potential.

The most effective organizations are taking a multi-pronged approach: investing in internal training programs, accepting career changers with transferable skills, using AI tools to amplify existing team capacity, and offering competitive compensation to retain experienced staff. The data consistently shows that these investments pay for themselves: $1.76M less per breach with adequate staffing, 81% of entry-level hires productive within a year, and AI tools delivering 63% productivity gains. The barrier isn't a lack of proven solutions — it's organizational willingness to invest in them.

For individual career changers and job seekers navigating the cybersecurity job market, the data points to a clear strategy: focus on in-demand skill areas (AI/ML, cloud, GRC), obtain recognized entry-level certifications (CompTIA Security+, ISC2 CC), build practical experience through labs and CTFs, develop communication and critical-thinking skills (59% of employers cite these as primary gaps), and target organizations known for investing in workforce development. The cybersecurity skills gap is real — but so is the opportunity for those who approach it with the right strategy.

📋 Key Takeaways

❓ Cybersecurity Skills Gap FAQ