Study: we’re going to need 145% more Cybersecurity specialists to deal with threats

(ISC)² Cybersecurity Workforce Study claims that the amount of additional trained staff needed to close the skills gap stands at nearly 5 million extra professionals

Posted 7 November 2019 by Gary Flood

(ISC)², which claims to be the world’s largest nonprofit membership association of certified cybersecurity professionals, has just announced the findings of its 2019 (ISC)² Cybersecurity Workforce Study, which it says shows that the world needs to boost the global Cybersecurity workforce by no less than 145%. 

That’s because it says the current cybersecurity workforce stands at 2.8 million IT Security professionals, but the amount of additional trained staff needed to close the skills gap is more like 4.07 million.

“[This] the study provides actionable insights and strategies for building and growing strong cybersecurity teams” – (ISC)²

In the UK, the current cybersecurity workforce estimate is 289,000, alongside 121,000 in France and 133,000 in Germany, for example – but the shortage of skilled professionals across the whole of EMEA has grown to 291,000.

Essentially, The Cybersecurity Workforce Study shows that cybersecurity and IT professionals are largely satisfied in their careers and optimistic about their futures – but that the the size of the current workforce still leaves a significant gap between the number of cybersecurity professionals working in the field and the number needed to keep organisations safe. 

“We’ve been evolving our research approach for 15 years to get to [a] point where we can confidently estimate the current [global Cybersecurity] workforce and better understand what it will take as an industry to add enough professionals to protect our critical assets,” claimed the organisation’s COO, Wesley Simpson.

“Perhaps more importantly, the study provides actionable insights and strategies for building and growing strong cybersecurity teams. Knowing where we stand and the delta that needs to be filled is a powerful step along the pathway to overcoming our industry’s staffing challenges.”

Along with providing these estimates, the study takes a closer look at who cybersecurity professionals are and what motivates them, reveals how organisational security teams are staffed, and outlines data-driven insights into immediate and longer-term methods for building qualified and resilient cybersecurity teams now and in the future. 

Among the key findings from the study:

  • 65% of organisations that responded to the survey report a shortage of cybersecurity staff, and a lack of skilled/experienced cybersecurity personnel is the top job concern among respondents (36%)
  • Two-thirds (66%) of respondents report that they are either somewhat satisfied (37%) or very satisfied (29%) in their jobs
  • 65% intend to work in IT security for their entire careers
  • 30% of survey respondents are women, 23% of whom have security-specific job titles
  • 37% are below the age of 35, and 5% are categorised as Generation Z, i.e. under 25
  • 62% of large organisations with more than 500 employees have a CISO; that number drops to 50% among smaller organisations
  • 48% of those companies represented say their security training budgets will increase within the next year
  • The average North American salary for cybersecurity professionals is $90,000, while those holding security certifications have an average salary of $93,000 while those without earn $76,500 on average
  • 59% of cybersecurity professionals are currently pursuing a new security certification, or plan to do so within the next year
  • Just 42% of respondents indicate that they started their careers in cybersecurity, meaning 58% moved into the field from other disciplines
  • Top recruiting sources outside of the core cybersecurity talent pool include new university graduates (28%), consultants/contractors (27%), other departments within an organisation (26%), security/hardware vendors (25%) and career changers (24%).

Four main strategies get outlined in the report on how to close the skills gap. These include:

  • highlighting training and professional development opportunities that contribute to career advancement
  • properly level setting on applicant qualifications to make sure the net is cast as wide as possible for undiscovered talent
  • attracting new workers such as recent college graduates who have tangential degrees to cybersecurity, or seasoned pros such as consultants and contractors into full-time roles, and
  • “strengthening from within” by further developing and cross-training existing IT professionals with transferrable skills.

The study is based on online survey data from 3,237 individuals responsible for security/cybersecurity throughout North America, Europe, Latin America and Asia-Pacific.

Respondents were a mix of certified professionals in official cybersecurity roles, as well as IT/ICT professionals who spend a minimum of 25% of a typical work week handling Cybersecurity-related responsibility.

To download a free copy of the study, and to read the detailed report methodology, please visit https://isc2.org/Research/Workforce-Study

Celebrating its 30th anniversary this year, (ISC)² is an international non-profit membership association focused on inspiring a safe and secure cyber world.


Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)² offers a portfolio of credentials that are part of a holistic, pragmatic approach to security.