
Cyberskills Gap and Cybersecurity Staffing Shortage

Cyberskills Gaps and Staff Shortages are Reducing Cyber Resilience

Recent reports quantify scope of challenges affecting systems security

Fewer than 15% of organizations are confident that they have both the people and the skills necessary to meet their cybersecurity objectives, according to a 2025 report by the World Economic Forum. More than 65% of organizations report a moderate to critical cyberskills gap. The report also cites a global staffing shortage of four million cybersecurity professionals.

The 2024 ISC2 Cybersecurity Workforce Study produced similar findings, although it estimates the global staffing shortage at 4.8 million. Most respondents reported concerns that their cybersecurity teams lack sufficient numbers or the right range of skills to meet organizational objectives. Almost 60% of respondents indicate that cyberskills gaps have significantly affected their ability to secure their organizations. According to the study, even as demand rises for cyber professionals needed to adequately secure their companies, employers are cutting back on both hiring new personnel and developing their existing cybersecurity teams. These combined actions are reducing cyber resilience around the world, including in the U.S.

According to multiple reports, a lack of distinct career paths, the rising cost of professional certifications, outdated training content, stress on the job, and the threat of being replaced by AI applications are discouraging individuals from pursuing careers in cybersecurity—creating shortfalls in qualified cybersecurity personnel and cybersecurity expertise. 

Personnel Shortages in Cybersecurity Exceed 450,000

Out of necessity, organizations worldwide continue to embrace digital transformation initiatives at an unprecedented rate, with related spending expected to reach $3.4 trillion in 2026, according to a World Economic Forum article in 2023. 

At the same time, personnel shortages in the cybersecurity industry are growing more acute. More than 50% of organizations struggle to recruit and retain new talent. Cyberskills gaps combined with cybersecurity staffing shortages are impacting cyber resilience.

According to CyberSeek data, the U.S. currently has more than 457,000 open positions in cybersecurity. Against a total employed workforce of 1.25 million individuals, that’s a shortage of more than 25%.

A joint initiative of NIST, CompTIA, and Lightcast, CyberSeek was created to provide detailed, actionable data about the cybersecurity job market and is a reliable resource for organizations. 

“Key findings from the CyberSeek data revealed that the pullback in tech hiring during much of 2023 impacted cybersecurity jobs. Employer job postings for all tech occupations declined by 37% in the 12 months from May 2023 to April 2024. Cyber job postings decreased 29%, signaling that cybersecurity is less affected by hiring slowdowns than the IT sector overall,” CyberSeek reported.

The Collision of High Demand and Low Budget

Driven by the increasing number and sophistication of cyberattacks, as well as more stringent data protection regulations, the cybersecurity industry is experiencing high demand for cybersecurity professionals across multiple industries.

From business and finance to healthcare and defense, there is high demand for network and system engineers, system administrators, cybersecurity engineers, cybersecurity analysts, and information systems security officers. However, lack of budget has been cited most frequently as the main obstacle preventing hiring of these in-demand workers.

Even the top cyber position, the Chief Information Security Officer (CISO), is experiencing a shortage. According to Steve Morgan, Editor-in-Chief at Cybercrime Magazine, most large organizations have a CISO. In 2022, for example, 100% of Fortune 500 organizations employed a CISO. The bad news is that “most small businesses, and far too many mid-sized companies, do not have a dedicated fulltime leader focused exclusively on cybersecurity.” This means that insufficient attention is being paid to securing those businesses, despite the non-stop rise and evolution of cybercrime.

Skills Gaps in Cybersecurity Plague 70% of Organizations

Beyond personnel shortages, nearly 70% of security leaders say they face additional risks because of cyberskills gaps, according to the World Economic Forum. The widely reported gap in specialized skills and knowledge among the existing workforce is a product of constant evolution in the cybersecurity field — including the complexity of the technology and systems that require protection from cybercrime and data breaches.

For both personnel shortages and skills gaps, respondents in the 2024 ISC2 study indicate the number one cause is lack of budget. Just a year previously, in 2023, the top cause for both problems was the inability to find the people or the skills needed for organizations to succeed.

Cyberskills gaps of moderate to critical severity are reported by 67% of organizations. More than a quarter (26%) highlighted the challenges of retaining people with high-value skills, while 22% are struggling with developing and advancing their existing cybersecurity staff. These challenges are expected to persist, with nearly 20% of respondents anticipating more cybersecurity layoffs in the next 12 months.

Meeting these demands is one of today’s important challenges, because cybersecurity as an organizational need and as a career is not going away. If anything, the rising tide of cybercrime and increasingly complex information technologies require more robust cybersecurity, not less.

Currently, artificial intelligence skills are among the most significant gaps for cybersecurity teams, with 23% of respondents claiming it as their top skills shortfall in the 2024 ISC2 study. Employees who have a strong foundation in AI-driven security tools, and who understand how AI is used for threat detection, automated response, and behavioral analysis, have a significant advantage over those who do not.

What Some Organizations are Doing About the Shortfalls

Nearly two thirds of respondents (64%) in the 2024 ISC2 study believe that skills gaps can have a more negative impact than staffing shortages, and 90% of respondents currently have one or more skills gaps on their cybersecurity teams. Further, 59% of respondents agree that cyberskills gaps have substantially affected their ability to secure their organizations. 58% believe it puts their organizations at significant risk. Organizations with critical or significant skills gaps are almost twice as likely to experience a material breach as the 10% of organizations who report having no gaps.

Knowing their skills-gap challenges, many organizations are investing in learning initiatives and on-the-job training to meet their organizations’ business goals. They are also investing in automating certain processes through the use of artificial intelligence software.

Some report success in recruiting cybersecurity employees from backgrounds or verticals other than IT, which is the traditional path into cybersecurity. In the face of growing talent and skills shortages, it may be a smart strategy to consider candidates with less traditional professional experience to fill certain gaps.

Some organizations are bridging their cyberskills gaps by hiring contract or temporary labor for specific projects or functions requiring particular expertise. Others are outsourcing functions like tech support to overseas companies who offer specific skills at lower costs.

Among SMBs, hiring a Virtual CISO (i.e., on a contract or project basis) is an effective way to lead company cybersecurity initiatives because it delivers the required expertise more affordably.

Organizations are increasingly pressured to keep pace with rapidly advancing technological innovations, such as artificial intelligence, in order to maintain and improve efficiency and agility. Among enterprises, some managers are prioritizing transferable skills that will complement AI adoption, such as problem-solving, as they plan for AI implementation over the next few years.

Cyberskills gaps cannot be effectively addressed through the use of AI alone.

The ISC2 Cybersecurity Workforce Study outlines ten skills that are growing most rapidly in importance among organizations. Of particular interest, problem-solving capabilities outrank technological expertise among the top three skills:

  • Cognitive skills (required for complex problem-solving in the workplace)
  • Creative thinking, followed closely by analytical thinking (for same purpose)
  • Technology literacy
  • Self-efficacy skills, followed closely by collaboration skills
  • Curiosity and lifelong learning
  • Resilience, flexibility, and agility
  • Motivation and self-awareness (i.e., initiative)
  • Systems thinking
  • AI and big data skills
  • Talent management, service orientation, and customer service skills.

How Job Seekers Can Help Bridge the Gap 

The 2024 ISC2 study found that nearly one-third (31%) of cybersecurity teams had no entry-level members, and 15% had no junior-level representation (1-3 years of experience). Traditionally, these are among the lowest paid and least skilled of an organization’s cyber workforce. With prospective employers looking to fill open positions at these and other levels, there are a number of actions inexperienced candidates can take to make themselves more recruitable. According to the Forbes article, these include:

  • Applying for internships, and being willing to relocate and to work pro bono to gain useful experience.
  • Setting up a home security lab and practicing with tools like Splunk, Wireshark, or Metasploit.
  • Participating in ethical hacking competitions and software bug bounty programs to build experience, credibility, and confidence.
  • Contributing to open source endeavors, working with others on cybersecurity-related projects to showcase specific skills and gain others.

Because cybersecurity is an enormous field with dozens of specializations, candidates who specialize in high-demand areas and focus on clearly describing those special skills in their resumes possess a competitive advantage. Developing a strong base in AI applications will also add power to a resume regardless of whether an employer plans to use those skills now or later.

In addition to AI skills (cited by 23% of study respondents as their leading skills gap), other notable cyberskills gaps include cloud computing (30%), zero trust (27%), incident response (25%), and application security (24%), according to the ISC2 study. Here again, candidates can give themselves an advantage by specializing in these fields.

  • Companies have trouble finding specialists in application security, so adding skills in secure coding and OWASP Top 10 vulnerabilities can set a candidate apart.
  • With the adoption of cloud services soaring among organizations of all types and sizes, expertise in securing AWS, Azure, or GCP is highly valuable.
  • Threat intelligence is another desirable niche, as organizations seek analysts trained in anticipating, diagnosing, and mitigating cyberthreats.
  • Very few companies are immune from security incidents or data breaches, which is why they are always looking for specialists who can manage security breaches effectively using incident response and digital forensics skills.

Also in high demand are network and system engineers who can design, implement, maintain, and secure computer network infrastructures that enable reliable communication and data flow within and between systems in an organization. Having formal education and certifications in this high-value discipline is a strong competitive advantage. As cyber professionals make themselves more valuable to prospective employers, personnel shortages and skills gaps should begin to decline.

Summary

The cyberskills gap and the shortage of cybersecurity personnel have combined to reduce cyber resilience among organizations in the U.S. and internationally, according to several respected sources. Organizations in the private and public sectors are operating without the people or skills they need to secure their assets against the increasing sophistication of cyberattacks as well as to meet stringent data protection regulations. Fully two thirds of organizations report moderate to critical cyberskills gaps, and half struggle to recruit and retain new talent.

These aren’t necessarily new challenges. However, their impact on our individual and collective cybersecurity is distressing. 24By7Security can help address shortfalls in your cyber workforce, whether in numbers or skills, with resources available in a range of experience levels that can be engaged for specific projects or for finite periods of time. Virtual CISOs are available under similar conditions. Contact us for a confidential consultation about your specific needs.


Rema Deo

As CEO and Managing Director of 24By7Security, Inc., Rema is a highly experienced and credentialed information security professional. Among her certifications are PCI Qualified Security Assessor (QSA) from PCI SSC, Health Care Information Security & Privacy Practitioner (HCISPP) from (ISC)2, Certified Information Security Manager (CISM), and Certified Information Security Auditor (CISA) from ISACA. She also holds a certificate in Cybersecurity: Technology, Application, and Policy from the Massachusetts Institute of Technology, and Certified Data Privacy Practitioner (CDPP) from Network Intelligence. She earned her MBA from Symbiosis Institute of Business Management in Pune, India, and her Bachelor of Commerce degree from the University of Bombay. Be sure to follow the 24By7Security Blog for valuable insights from Rema and her colleagues.
