Even though 90% of organizations have unfilled positions or underskilled workers on their cybersecurity teams, hiring for those jobs has, for the first time in six years, ground to a halt.
That’s according to the 2024 ISC2 Cybersecurity Workforce Study, which found that the global workforce has held steady at 5.5 million people year-over-year, recording just a negligible 0.1% increase from 2023 (though some pockets of increased cyber hiring remain).
To put that in perspective, last year, the cybersecurity workforce grew 8.7% year-on-year, despite declining investment in technology and cyber platforms.
The main driver for 2024’s job market inertia is straightforward: a lack of budget for adding head count and upskilling. A full 67% of respondents to the ICS2 survey cited budget as their top cause for staffing shortages, replacing last year’s No. 1 cited reason for empty positions, which was a lack of qualified talent.
Even though 74% of respondents said the threat landscape is the most challenging they have experienced in the past five years, “professionals are feeling the impact of declining investments in the cybersecurity workforce, including budget cutbacks and layoffs, [which affects] workforce satisfaction, the development of organizational security, the adoption of new technologies, and more,” according to the report.
Source: 2024 ISC2 Cybersecurity Workforce Study
Indeed, ISC2 found that cybersecurity job satisfaction has fallen from 74% in 2022 to 66% in 2024. Furthermore, respondents said that worker shortages were their biggest challenge over the past 12 months, but there’s no end in near-term sight. They also predicted that shortages will continue to be a significant challenge over the next two years.
“As economic conditions continue to impact workforce investment, this year’s Cybersecurity Workforce Study underscores that many organizations are putting their cyber teams under significant strain, risking burnout and attrition as job satisfaction rates fall,” said ISC2 acting CEO and CFO Debra Taylor, in a statement.
Meanwhile, more than half of those surveyed (58%) believe a shortage of skills puts their organization at significant risk; 59% of respondents agree that skills gaps have already substantially affected their ability to secure their organizations. The statistics bear this out: ISC2 found that organizations with critical or significant skills gaps are almost twice as likely to experience a material breach compared with organizations that reported no skills gaps.
The good news is that out of those already in cyber-related jobs, three-quarters (73%) said they’re focused on building their cybersecurity skill set, with 48% interested in learning more AI-related skills (more than one-third of respondents cited AI as the biggest skills shortfall on their teams).
About half (52%) said they’re focused on hanging on to their positions by becoming a more strategic contributor to their organizations.
AI to the Cyber Job Rescue?
If there’s a silver lining to the perceived staffing shortage, respondents believe it will come from the year’s hottest buzz category: generative artificial intelligence (GenAI).
ISC2 respondents said that AI and automation will have the most significant impact on their ability to secure their organizations. A full 68% agree that within the next two years, they will be able to use GenAI effectively as part of their roles. And a large majority (80%) said their cybersecurity skill set will be more important in an AI-driven world.
“AI is viewed by professionals as a solution to strengthen their organizations’ security and create new efficiencies for their teams,” Taylor said. “They also view effectively managing risk associated with AI adoption and its strategic importance to their organization’s future success as career growth opportunities for themselves and their peers. Organizations and cybersecurity leaders must recognize how AI can contribute to creating more resilient security teams, especially while economic challenges persist.”
Already, 45% of respondents’ teams are using AI in cybersecurity tools. ISC2 found the top five use cases to be:
-
Augmenting common operational tasks (56%)
-
Speeding up report writing and incident reporting (49%)
-
Simplifying threat intelligence (47%)
-
Accelerating threat hunting (43%)
-
Improving policy simulations (41%)
That said, the lack of a clear GenAI strategy was cited as one of the top barriers to its organizational adoption by nearly half (45%) of all participants. And just how AI will affect the kinds of expertise a future cyber workforce will need remains unclear.
According to the report, “AI is a game changer for two main reasons. First, experts predict AI will be able to replace some of the technical skills needed in cybersecurity. Second, and arguably more important, no one is certain how AI will manifest in cybersecurity since they currently cannot predict what skills, if any, it will replace. As a result of this uncertainty, hiring managers aren’t rushing to hire more specialized workers. Instead, they are prioritizing nontechnical skills, like problem-solving, that will be transferable through the increased use of AI.”