
Cybersecurity skills gap: Why it exists and how to address it

The cybersecurity skills shortage is putting enterprises at risk. Worse, it shows no sign of abating. Here is why it's happening and what employers can do to mitigate the problem.

It's no secret that companies are facing a huge cybersecurity talent shortage. The word's been out for several years that many high-paying positions requiring cybersecurity skills are going unfilled.

Unfortunately, broadcasting the enterprise cybersecurity skills gap hasn't done enough to increase the cybersecurity workforce -- and the strain on the current workforce reflects that. Sixty-five percent of cybersecurity professionals indicated that their job had gotten harder in the last two years, with 27% reporting that their job had gotten much more difficult, according to a late 2024 survey by the Information Systems Security Association (ISSA) and analyst firm Enterprise Strategy Group, now part of Omdia.

How big is the gap? CyberSeek reported that there are just over 1.3 million people employed in cybersecurity in the U.S. in 2025, but more than 500,000 positions remain unfilled. Worldwide, the cybersecurity workforce gap increased 19% to nearly 4.8 million unfilled jobs between 2023 and 2024, according to ISC2.

Understanding the cybersecurity skills gap and its impact

The cybersecurity skills shortage, a rising workload for existing cybersecurity teams, many open job requisitions and a high level of burnout have left companies, government agencies, educational institutions and other organizations with weaker security. As a result, their employees, customers and constituents face increased risk of data breaches, privacy violations, financial fraud and other adverse consequences.

Bridging this vast gap requires an understanding of why the cybersecurity skills shortage persists. This article explores the conundrum and proposes several ways that IT leaders and their organizations can address the underlying problems.

Top 5 causes of the cybersecurity skills shortage

Many factors have come together to cause the cybersecurity skills gap. Here are the top five causes:

  1. The demand for cybersecurity talent keeps increasing. Not only has nearly every organization become completely dependent on technology, but technology also continues to become more complex, driven by the growth in cloud computing, AI and other emerging technologies.

    Securing today's systems, networks and data against cyberattacks is tougher than ever, with even more security technologies and processes needed to work in concert with each other. Thus, organizations need their cybersecurity workforces to be larger and have a wider range of skills than ever before.
  2. The pool of cybersecurity talent lacks diversity. According to a recent workforce study from ISC2, only about 22% of the cybersecurity workforce around the world is female. A 2024 Boston Consulting Group survey also noted that women make up less than a quarter of the cybersecurity workforce -- a much lower percentage than the 36% of women employed in the broader technology sector.
  3. Employers have unrealistic expectations. Cybersecurity job descriptions often require college degrees, multiple certifications and many years of experience in a variety of security disciplines. Many candidates who would be assets to organizations don't apply for these jobs because they assume that every listed requirement is mandatory. Others do apply but don't even get a call back because they lack a degree or sufficient hands-on experience.
  4. Employees aren't keeping their skills up to date. The challenges that employers need to tackle change over time, such as the increasing reliance on cloud security and the evolving threats against data and systems. But employees are so overworked that they often don't have the opportunity to learn new skills, attend training, take online courses or pursue new certifications. And that's just technical skills; soft skills, such as communication, are also needed.
  5. Cybersecurity experts are leaving the profession. Alarmingly, ISSA and Enterprise Strategy Group found that two-thirds of the cybersecurity workforce are actively considering leaving their jobs, and over one-third is planning to change careers entirely. There's a major employee retention problem, due in large part to constant staffing shortages and the incredible pressure of many cybersecurity jobs. As people leave the field, the shortages become even worse, which causes more people to leave the field.

[Chart: two bullet lists, one of cybersecurity skills gap causes and one of cybersecurity skills gap solutions. Caption: The cybersecurity skills gap continues to grow for five key reasons, but companies can address the problem in several ways.]

3 ways organizations can address the cybersecurity skills gap

There's no way to bridge the cybersecurity skills gap overnight, but organizations can start making progress today by doing the following:

  1. Tap into underrepresented communities. Prioritize outreach to women, Hispanic Americans and other overlooked communities. Educate members of these communities on the incredible variety of opportunities in cybersecurity and show them how they can join the workforce. Make sure that your recruitment and hiring practices take diversity into consideration. Consider offering paid internships.
  2. Build skills primarily in-house instead of by hiring experts. Organizations can tap into a much larger pool of workers if they relax job requirements and instead plan on building cybersecurity skills internally by providing training, education and certification support for new employees to help get them up to speed. Enable new graduates, veterans, people transitioning from other careers, and those with an interest in and aptitude for cybersecurity to learn and grow. College degrees, certifications and several years of experience are simply not necessary for success at most cybersecurity positions.
  3. Support your existing talent. Burnout is rampant today at many organizations. Especially when there is such a shortage of skilled people, it's easy for anyone who's unhappy to leave your organization and find a better opportunity elsewhere. However, there are also critical cybersecurity needs that must be met. Here are some strategies for supporting your existing workforce so they'll be less likely to leave:
    • Whenever feasible, automate routine tasks -- especially those that are repetitive and boring or high stress. This will help reduce your labor needs and give your employees interesting, lower-stress work to do.
    • Consider using managed security services, particularly for off-hours monitoring, analysis and incident response. Small organizations might want to outsource most of their security services altogether to reduce their need for dedicated cybersecurity staff and instead train their IT personnel to also handle occasional cybersecurity tasks.
    • For particularly stressful or demanding positions, consider the possibility of job rotation. For example, rotate security operations personnel to a non-operations position after 12 or 18 months. This can help prevent burnout and also enables people to build additional skills, making them more valuable to your organization.
    • When your employees are taking time off for vacation, sick leave or otherwise, let them actually be off duty. Everyone needs a break from work; expecting employees to keep checking in with work while they're off -- and especially be on call or perform operational support -- is unfair to them and will certainly foster resentment. This might be a major culture change for your staff, but it's likely to be well worth it, both for retaining existing staff and for attracting new employees.

Editor's note: This article was remediated in June 2025 to update research findings and improve the reader experience.

Karen Scarfone is a general cybersecurity expert who helps organizations communicate their technical information through written content. She co-authored the Cybersecurity Framework (CSF) 2.0 and was formerly a senior computer scientist for NIST.
