The cybersecurity workforce in 2026 is bigger, more stressed, and farther from staffed than it has ever been. ISC2's 2024 Cybersecurity Workforce Study measured the global active workforce at 5.5 million while pegging the workforce gap at 4.8 million professionals, a 19% year-on-year increase even as active hiring grew only 0.1%. ISACA's 2025 State of Cybersecurity, surveying nearly 4,000 cybersecurity professionals worldwide, found 55% of teams understaffed and 65% with unfilled cybersecurity positions. The World Economic Forum's Global Cybersecurity Outlook 2025 reported that only 14% of organizations have the skilled people they need in the current cyber landscape. Demand is racing ahead; supply is treading water; the gap is now a structural feature of the global security operating model.
Three forces shape the 2026 picture. Skills now bind harder than headcount: ISC2's 2025 study, drawing on a record 16,029 respondents, declined for the first time to publish a fresh workforce-gap estimate, on the grounds that 95% of respondents reported at least one skill need (up 5% YoY) and 88% experienced a significant cybersecurity event in the past 12 months that respondents tied directly to a skills shortage. Budgets are the new top constraint: ISC2 found that "lack of budget" overtook "lack of qualified talent" as the most-cited cause of staffing shortages, with 33% of organizations saying they cannot adequately staff teams and 29% saying they cannot afford the skilled hires they want. AI is the load-bearing variable: Gartner projects more than 50% of SOC Tier 1 analyst responsibilities will be handled by AI by 2028, Splunk's 2025 State of Security found 33% of teams planning to fill skills gaps with AI and automation, and ISACA reported 32% of organizations already use AI for threat detection and 47% have helped develop AI governance. The headline numbers for CISOs, security buyers, hiring managers, journalists, and policy researchers are below.
This post is the Stingrai research team's canonical 2026 reference for the cybersecurity skills gap. It assembles 75+ numeric claims from 14 named primary publishers, including ISC2, ISACA, the World Economic Forum, the US Bureau of Labor Statistics, NIST CyberSeek, Fortinet, Splunk, CompTIA, UK DSIT, ENISA, Sophos, Bitsight, Proofpoint, and Gartner. Lead data is full-year 2024 and 2025 telemetry, the freshest available; primary publishers have not yet released full-year 2026 reports as of April 2026, with the WEF Global Cybersecurity Outlook 2026 (published January 2026) being the only 2026-dated dataset in this post. Every figure links back to its primary publisher so any claim can be audited.
TL;DR: 12 labeled key stats
Global cybersecurity workforce gap (2024): 4.8 million, a 19% YoY increase against an active workforce of 5.5 million (ISC2 2024 Workforce Study).
Active workforce growth versus demand growth (2024): +0.1% in active workforce versus +8.1% in total workforce demand (ISC2 2024 Workforce Study).
Organizations reporting at least one skill need (2025): 95%, up 5 points YoY; 88% experienced a significant cybersecurity event in the past 12 months tied to a skills shortage (ISC2 2025 Workforce Study).
Cybersecurity teams understaffed (2025): 55%; 65% have unfilled cybersecurity positions (ISACA State of Cybersecurity 2025).
Time to hire entry-level cyber roles (2025): 38% of organizations say it takes three to six months; 39% say the same for non-entry-level roles (ISACA State of Cybersecurity 2025).
Organizations with the skilled cyber talent they need (2025): 14% (WEF Global Cybersecurity Outlook 2025).
US cybersecurity job postings (12 months through April 2025): 514,359, a 12% YoY increase, against a 74% supply-demand ratio (NIST CyberSeek update).
US Bureau of Labor Statistics median annual wage for information security analysts (May 2024): US$124,910, with the 90th percentile above US$186,420 (US BLS Occupational Outlook Handbook).
Projected employment growth, information security analysts (2024 to 2034): +29%, much faster than the average for all occupations, with about 16,000 openings per year (US BLS).
Top critical-skills priorities (2025): AI security at 41%, cloud security at 36% (ISC2 2025 Workforce Study). Soft skills are 59% of identified gaps; critical thinking 57%, communication 56% (ISACA State of Cybersecurity 2025).
Plan to fill skills gaps with AI and automation (2025): 33%; 59% have moderately or significantly boosted efficiency with AI; only 11% trust AI completely for mission-critical tasks (Splunk State of Security 2025).
Gartner projection for AI in security operations: more than 50% of SOC Tier 1 responsibilities handled by AI by 2028; AI applications driving 50% of incident response effort by 2028 (Gartner press release, March 2026).
Key takeaways
The gap stopped being a headcount problem and became a skills problem. ISC2's 2025 study, the largest and longest-running workforce survey in the industry, declined for the first time to publish a fresh global workforce-gap estimate. The reason is structural, not statistical: 95% of respondents reported at least one skill need, 59% reported critical or significant skills gaps (up 15% YoY), and 88% experienced a security event in the past year tied directly to a skills shortage. Adding more bodies no longer closes the gap on its own; the binding constraint is whether the bodies can do AI security, cloud security, and identity engineering at the level the threat landscape now demands.
Budget displaced talent supply as the top cause of staffing shortages. For the first time in the ISC2 series, respondents in 2024 cited "lack of budget" as the leading cause of their staffing shortfall, ahead of "lack of qualified talent." That pattern carried into 2025: 36% of orgs reported budget cuts, 39% reported hiring freezes, 33% said they lack the resources to staff teams adequately. Large organizations bore the brunt: 46% reported budget cuts, 49% reported hiring freezes, 32% reported layoffs. The 2025 workforce gap is therefore a function of how CFO budget allocation interacts with a still-rising threat landscape, not of an absolute talent floor.
AI is reshaping entry-level hiring before it reaches senior hiring. Gartner projects more than 50% of SOC Tier 1 analyst responsibilities will be handled by AI by 2028. ISACA reported 32% of orgs already using AI for threat detection. The implication for hiring managers is asymmetric: senior architect, identity engineering, and AI-security-engineering roles are still acutely understaffed and command rising premiums, while traditional Tier 1 SOC analyst pipelines are contracting as alert triage and ticket enrichment automate. Organizations that disinvest from junior hiring entirely will find themselves with no Tier 2 pipeline in 2028; the right move is to redesign entry-level roles around AI-augmented investigation and threat hunting, not eliminate them.
Soft skills now outrank technical skills in stated hiring need. ISACA 2025 reported that soft skills were the top skills gap at 59%, with critical thinking (57%), communication (56%), and problem-solving (47%) outranking specific technical disciplines. Adaptability is the single most-cited hiring qualification at 61%, narrowly ahead of prior cybersecurity experience at 60%. The hiring market in 2026 is paying for senior generalists who can move across cloud, identity, AI, and incident response, not for narrow specialists with deep stack-specific tooling expertise but limited communication range.
Burnout is operational risk, not a wellness slogan. Sophos's 2025 work on the human cost of vigilance found cybersecurity workers losing 4.8 hours per week to burnout, an increase of over 25% YoY, with 39% reporting reduced productivity and 33% reporting reduced engagement. Bitsight's 2025 burnout survey of 1,000+ risk and security pros found 47% reporting some level of burnout. Proofpoint's Voice of the CISO 2025 found 63% of CISOs experienced or witnessed burnout in the past year. The defensive math is straightforward: a SOC running at 4.8 hours per week of attrition per analyst is shipping the same coverage with measurably less capacity, exactly when AI-augmented adversaries are compressing the time-to-impact.
The geography of the gap is widening, not converging. The WEF Global Cybersecurity Outlook 2026 found that 65% of organizations in Latin America and the Caribbean, and 63% in sub-Saharan Africa, identify cybersecurity skills shortages as the most acute talent constraint. APAC carried the largest absolute gap in the ISC2 2024 study at 3.4 million professionals. The UK workforce gap, by contrast, narrowed from 11,100 (2023) to 3,800 (2025) per DSIT, driven by 20% growth in graduate volumes. The global picture is bifurcating: mature markets are stabilizing while emerging markets are falling further behind.
Methodology
Sources used: ISC2 (2024 Cybersecurity Workforce Study, surveying 14,865 cybersecurity professionals across regions, published October 2024; 2025 Cybersecurity Workforce Study, surveying a record 16,029 respondents from North America, Latin America, APAC, and EMEA, fieldwork in 2025, published December 2025); ISACA (State of Cybersecurity 2025, the 11th annual edition, surveying nearly 4,000 business and IT professionals worldwide between 9 May and 23 May 2025, published October 2025; complementary ISACA Now blog and at-ISACA newsletter coverage of soft-skills findings); World Economic Forum (Global Cybersecurity Outlook 2025, published January 2025, drawing on the WEF Cybersecurity Pulse Survey; Global Cybersecurity Outlook 2026, published January 2026, drawing on 804 qualified respondents across 92 countries including 316 CISOs, 105 CEOs, and 123 other C-suite executives; Future of Jobs Report 2025, published January 2025); US Bureau of Labor Statistics (Occupational Outlook Handbook for Information Security Analysts, May 2024 wage data, 2024 to 2034 employment projections); NIST CyberSeek (June 2025 update covering the 12-month window from May 2024 through April 2025); Fortinet (2025 Cybersecurity Skills Gap Report, surveying 1,850 IT and cybersecurity decision-makers across 29 markets, fieldwork conducted by Sapio Research in February 2025, published October 2025); Splunk (State of Security 2025, surveying 2,058 security leaders across nine countries and 16 industries, fieldwork October to December 2024, published 2025); CompTIA (State of the Tech Workforce 2025; State of Cybersecurity 2025, surveying 1,026 US business and IT professionals in Q3 2025, ±3.1 percentage points at 95% confidence); UK Department for Science, Innovation and Technology (Cyber security skills in the UK labour market 2025, the 7th annual edition, conducted by Ipsos and Perspective Economics); ENISA (NIS Investments 2025, drawing on 1,080 professionals across the EU 27, published 2025); Sophos (Human Cost of Vigilance, 2025); Bitsight (2025 burnout survey of 1,000+ risk and security professionals); Proofpoint (Voice of the CISO 2025); and Gartner (multiple press releases issued 2025 to March 2026 covering AI's projected impact on SOC and incident response operations).
Date cutoff: April 25, 2026. Statistics are reported with their primary publisher's data window, and we lead with the most recent full-year figures wherever a primary source has released them. Statistics that could not be reached on at least one verification pass against a named primary source were dropped rather than estimated. Vendor blogs and aggregator sites that restate other publishers' numbers without adding methodology were not used as primary sources. Where a stat could only be reached via a secondary publisher, the secondary publisher is named so the reader can pursue the underlying primary source.
Figure 1: ISC2's 2024 Cybersecurity Workforce Study measured the global active cybersecurity workforce at 5.5M, total demand at 10.2M, and the workforce gap at 4.8M. Source: ISC2 2024 Cybersecurity Workforce Study.
How big is the cybersecurity skills gap in 2026?
Three datasets anchor the answer: ISC2's global workforce census, NIST CyberSeek's US job-posting count, and the WEF's resilience-versus-skills correlation.
Global workforce gap (ISC2)
ISC2's annual Cybersecurity Workforce Study is the most-cited workforce census in the industry. The most recent edition with a published global gap figure is the 2024 study, which combined survey data with macroeconomic modeling to produce the headline number. Key figures from the 2024 ISC2 study:
Metric | Value | YoY change | Source |
|---|---|---|---|
Active cybersecurity workforce, global | 5.5M | +0.1% | ISC2 2024 |
Total demand, global | 10.2M | +8.1% | ISC2 2024 |
Workforce gap | 4.8M | +19% | ISC2 2024 |
APAC regional gap | 3.4M | n/a | ISC2 2024 |
Respondents reporting skills shortages | 90% | n/a | ISC2 2024 |
Skills shortage as significant org risk | 58% | n/a | ISC2 2024 |
Skills gaps a greater challenge than staffing | 64% | n/a | ISC2 2024 |
Job satisfaction | 66% | -4 points | ISC2 2024 |
The active workforce grew by 0.1%; demand grew by 8.1%; the gap consequently widened by 19%. That is the single most important asymmetry in the 2026 cybersecurity labour market, and the reason the gap continues to expand even in years where total cybersecurity job postings rise.
The 2025 ISC2 study, drawing on a record 16,029 respondents, declined for the first time in the series to publish a fresh global workforce-gap number. ISC2's stated rationale is that respondents now treat critical-skills shortfalls as a more binding constraint than headcount alone:
2025 metric | Value | YoY change | Source |
|---|---|---|---|
Reporting at least one skill need | 95% | +5 points | ISC2 2025 |
Critical or significant skills gaps | 59% | +15 points | ISC2 2025 |
Significant cyber event tied to skills shortage (12 mo) | 88% | n/a | ISC2 2025 |
More than one such event | 69% | n/a | ISC2 2025 |
Right level of cybersecurity staffing | 34% | flat since 2023 | ISC2 2025 |
Lack budget to adequately staff teams | 33% | n/a | ISC2 2025 |
Cannot afford skilled hires | 29% | n/a | ISC2 2025 |
Top critical-skills priority: AI | 41% | n/a | ISC2 2025 |
Top critical-skills priority: cloud security | 36% | n/a | ISC2 2025 |
US job postings (NIST CyberSeek)
NIST CyberSeek tracks US cybersecurity employer demand using Lightcast job-posting data, supported by NIST's NICE Workforce Framework. The June 2025 update reported:
514,359 US cybersecurity job postings over the 12 months from May 2024 through April 2025, an increase of nearly 57,000 over the prior 12-month period (+12% YoY).
A CyberSeek-calculated supply-demand ratio of 74%, meaning 26% of US cybersecurity roles were vacant in the measurement window.
Top five US states for openings: Virginia, California, Texas, Maryland, Florida, reflecting concentration around federal agencies (NSA, CISA, DoD), Silicon Valley, and major financial centres.
WEF and the resilience-skills correlation
The WEF Global Cybersecurity Outlook 2025 and the 2026 edition reframe the gap as a resilience problem rather than a staffing problem:
WEF metric | Value | Year | Source |
|---|---|---|---|
Orgs with the skilled cyber talent they need | 14% | 2025 | WEF GCO 2025 |
Cyber skills gap YoY rise | +8% | 2025 | WEF GCO 2025 |
Public-sector orgs lacking necessary cyber talent | 49% (+33% YoY) | 2025 | WEF GCO 2025 |
Public-sector insufficient resilience | 38% | 2025 | WEF GCO 2025 |
Medium-large private-sector insufficient resilience | 10% | 2025 | WEF GCO 2025 |
Resilience-deficient orgs that also lack critical cyber skills | 85% | 2026 | WEF GCO 2026 |
LATAM/Caribbean cite cyber skills as biggest obstacle to resilience | 50% | 2026 | WEF GCO 2026 |
Europe/Central Asia cite cyber skills as biggest obstacle | 42% | 2026 | WEF GCO 2026 |
Public-sector lack of cyber expertise | 57% | 2026 | WEF GCO 2026 |
NGO lack of cyber expertise | 51% | 2026 | WEF GCO 2026 |
Small org lack of cyber expertise | 46% | 2026 | WEF GCO 2026 |
Large org lack of cyber expertise | 29% | 2026 | WEF GCO 2026 |
The 85% correlation between insufficient resilience and a critical skills gap, reported in the WEF 2026 outlook, is the strongest published linkage between workforce capability and outcome resilience to date. It reframes the skills-gap conversation as a board-level resilience question, not a CISO-level recruiting question.
Hiring difficulty: time, source, and qualification
Volume tells you what the market is asking for. Hiring difficulty tells you how poorly the labour market is matching ask to supply.
Figure 2: ISACA's 2025 State of Cybersecurity reports 55% of teams understaffed, 65% with unfilled cybersecurity positions, and 38% reporting 3 to 6 months to hire even at entry level. Source: ISACA State of Cybersecurity 2025.
Time-to-hire and unfilled positions (ISACA)
ISACA's 2025 State of Cybersecurity, the 11th annual edition, surveyed nearly 4,000 cybersecurity professionals worldwide. Key hiring metrics:
55% of cybersecurity teams are understaffed.
65% of organizations have unfilled cybersecurity positions.
38% say it takes 3 to 6 months to hire for entry-level roles.
39% say the same for non-entry-level roles.
In Europe specifically, 19% of organizations have entry-level openings that do not require experience, a degree, or credentials, yet 45% still take 3 to 6 months to hire at this level, per the ISACA Europe 2025 release.
The ISACA data flags a structural mismatch: even when entry-level requirements are removed, the hiring funnel does not accelerate. Organizations are unwilling to bet on cold-start junior hires because the cost of a misfire in cybersecurity has scaled with the threat landscape.
Top hiring qualifications (ISACA)
ISACA's 2025 commentary on staffing challenges identified the qualifications hiring managers value most in 2025:
Qualification | % of hiring managers citing | Source |
|---|---|---|
Adaptability | 61% | ISACA 2025 |
Prior cybersecurity experience | 60% | ISACA 2025 |
Communication | 56% | ISACA 2025 |
Critical thinking | 57% | ISACA 2025 |
Problem-solving | 47% | ISACA 2025 |
Adaptability outranks even prior cybersecurity experience. The pattern reflects a hiring market that expects practitioners to retool quickly across new tools, new threats, and new regulatory regimes.
Career-changer pipeline (ISACA, ISC2)
ISACA 2025 found that 46% of current cyber staff transitioned from roles outside the field, while only 29% of enterprises provided training for non-security staff to move into security roles, down from 41% the prior year. The career-changer pipeline carries roughly half of the workforce, but the on-ramp investment from employers is shrinking.
ISC2's complementary 2025 hiring trends research identified internships (55%) and apprenticeships (46%) as the most powerful tools for early-career talent identification. Yet many organizations made zero entry-level cybersecurity hires in 2024 even while reporting talent shortages.
UK and EU hiring difficulty (DSIT, ENISA)
The UK DSIT 2025 cyber security skills in the labour market study found:
UK metric | Value | Year | Source |
|---|---|---|---|
UK cyber security workforce | 143,000 | 2024 | UK DSIT 2025 |
Annual UK workforce gap | 3,800 | 2025 | UK DSIT 2025 |
Annual UK workforce gap | 3,500 | 2024 | UK DSIT 2025 |
Annual UK workforce gap | 11,100 | 2023 | UK DSIT 2025 |
UK businesses with basic cyber skills gaps | 49% | 2025 | UK DSIT 2025 |
UK businesses with advanced cyber skills gaps | 30% | 2025 | UK DSIT 2025 |
UK women in cyber workforce | 17% | 2025 | UK DSIT 2025 |
UK women in senior cyber roles (6+ years) | 12% | 2025 | UK DSIT 2025 |
UK female representation in wider workforce | 48% | 2025 | UK DSIT 2025 |
The UK gap narrowed substantially over two years, from 11,100 in 2023 to 3,800 in 2025, on the back of a 20% rise in graduate numbers. The UK is the clearest case of a national pipeline-investment strategy producing measurable gap closure.
ENISA's 2025 NIS Investments report, drawing on 1,080 professionals across EU 27 Member States, reported:
An estimated EU cybersecurity workforce shortage of approximately 300,000.
76% of organizations report difficulties attracting cybersecurity professionals.
71% report difficulties retaining them.
70% cite regulatory compliance, particularly NIS2, as the primary investment driver.
Salary, role mix, and compensation
Demand without a salary anchor is hard to reason about. The US Bureau of Labor Statistics is the clean primary source for median compensation and projected employment growth.
Figure 3: Median 2024-2025 cybersecurity compensation versus the US median wage. Sources: US BLS Occupational Outlook Handbook (May 2024 data) for the all-occupations median and information security analyst median; secondary aggregators (EC-Council 2025 salary guide, Robert Half 2025) for the security architect and CISO bands, which are then normalized against BLS Occupational Wages methodology.
US BLS data
The US BLS Occupational Outlook Handbook for Information Security Analysts, drawing on May 2024 wage data and 2024 to 2034 employment projections, reports:
Median annual wage: US$124,910.
10th percentile: <US$69,660.
90th percentile: >US$186,420.
Projected employment growth 2024 to 2034: +29%, much faster than the 4% average across all US occupations.
About 16,000 openings per year over the decade.
All-occupations median annual wage in May 2024: US$49,500, against which the information security analyst median is roughly 2.5x.
The BLS occupation code 15-1212 (Information Security Analysts) is narrower than the full cybersecurity workforce; many cybersecurity practitioners report under adjacent occupational codes for software engineers, network engineers, or computer systems analysts. The BLS median therefore understates the senior-architect and CISO bands, which sit substantially higher in industry compensation surveys.
CompTIA US tech workforce growth premium
CompTIA's State of the Tech Workforce 2025 frames cybersecurity inside the broader US tech labour market:
US tech occupation workforce: 5.9M in 2024, projected to reach approximately 6.1M in 2025.
Cybersecurity Analysts and Engineers projected to grow at 346% over the national rate over the next 10 years, making cybersecurity one of the fastest-growing tech occupations.
The 346% premium is a forward-looking projection; even with AI-driven SOC automation pulling Tier 1 hiring down, total cybersecurity-skilled employment is expected to rise faster than the broader tech labour market.
Critical-skills priorities: where the gap binds hardest
A workforce gap is meaningless if you cannot identify which skills are scarce. Three primary publishers triangulate the skills hierarchy.
Figure 4: 2025 critical-skills priorities and identified gaps from primary publishers. Sources: ISC2 2025 Workforce Study; ISACA State of Cybersecurity 2025.
ISC2 critical-skills priorities (2025)
The 2025 ISC2 study ranked the most-cited critical-skills priorities:
Skill | % citing as critical priority | Source |
|---|---|---|
AI security | 41% | ISC2 2025 |
Cloud security | 36% | ISC2 2025 |
AI security overtook cloud security as the single most-cited critical-skills priority for the first time in the ISC2 series. The displacement reflects the operational reality: AI-augmented adversaries, AI-generated phishing, and AI-orchestrated reconnaissance now dominate threat-actor playbooks, and defending against them requires a workforce that can secure AI systems and use AI defensively.
ISACA skills gaps (2025)
ISACA 2025 measured identified skills gaps from a different angle: not "what we want next" but "what we're actually missing":
Skill area | % identifying as a gap | Source |
|---|---|---|
Soft skills (overall) | 59% | ISACA 2025 |
Critical thinking | 57% | ISACA 2025 |
Communication | 56% | ISACA 2025 |
Problem-solving | 47% | ISACA 2025 |
Soft skills now lead identified gaps. The pattern is consistent across the ISACA, ISC2, and Fortinet datasets: hiring managers will pay for technical skills but will lose talent that cannot communicate findings up the chain or adapt across new tooling.
Certifications as a hiring filter (Fortinet)
Hiring managers use certifications as a sorting mechanism. Fortinet's 2025 Cybersecurity Skills Gap Report, surveying 1,850 IT and cybersecurity decision-makers across 29 markets:
89% of hiring managers prefer to hire candidates with certifications.
67% say certifications validate cybersecurity knowledge.
61% say certifications demonstrate ability to stay current.
56% say certifications indicate familiarity with vendor tools.
73% of orgs are willing to fund certifications, down from 89% in 2023.
The combination of rising candidate certification preference and falling employer funding willingness is a structural mismatch that is widening across most regions in the Fortinet sample.
Most-in-demand certifications
Across CyberSeek, Lightcast job-posting data, and certification-vendor research, the most-cited cybersecurity certifications in 2025 hiring requests are:
Certification | Issuing body | Typical role band | Demand signal (2025) |
|---|---|---|---|
CISSP | ISC2 | Senior security engineer / architect / CISO | Most-cited certification across senior-role postings |
CompTIA Security+ | CompTIA | Entry to mid-level | Most-cited entry-level certification |
CISM | ISACA | Security manager / leadership | Strong leadership-track signal |
CISA | ISACA | Audit / compliance | Top compliance-track certification |
OSCP | OffSec | Penetration tester / red team | Hands-on offensive security benchmark |
CCSP | ISC2 | Cloud security practitioner | Rising fast on the back of ISC2's cloud-security-skills priority finding |
CEH | EC-Council | SOC analyst / penetration tester | Wide entry-level adoption |
GIAC family (GCIH, GSEC, GCFA) | SANS / GIAC | SOC, IR, forensics | Top vendor-neutral hands-on credentials |
Vendor selection in this table privileges certifications whose demand signal is corroborated across at least two of the named primary sources.
Burnout, stress, and retention
Burnout is a workforce-supply problem disguised as a wellness problem. The 2025 data is uniformly bleak.
Burnout / stress metric | Value | Source |
|---|---|---|
Cyber pros losing hours per week to burnout | 4.8 hrs (+25% YoY) | Sophos 2025 |
Cyber pros experiencing burnout (2025) | 76% | Sophos 2025 |
Risk and security pros experiencing some burnout (n=1,000) | 47% | |
Reduced productivity from burnout | 39% | Sophos 2025 |
Reduced engagement from burnout | 33% | Sophos 2025 |
CISOs experienced or witnessed burnout in past year | 63% | Proofpoint Voice of the CISO 2025 |
Cyber pros planning to stay in role next 12 months | 75% | Sophos 2025 |
Cyber pros planning to stay in role next 24 months | 66% | Sophos 2025 |
Cyber pros considering career change (per ISC2 commentary) | 59% | ISC2 commentary 2025 |
ISACA: role more stressful than 5 yrs ago | 66% | ISACA 2025 |
ISACA: top stressor: complex threat landscape | 63% | ISACA 2025 |
ISACA: high stress as top reason for attrition | 47% | ISACA 2025 |
Splunk's State of Security 2025, surveying 2,058 security leaders, sharpened the operational picture inside the SOC:
52% of SOC teams overworked.
57% report losing valuable investigation time to data management gaps.
46% spend more time maintaining tools than defending the organization.
33% plan to fill skills gaps with AI and automation.
The retention numbers tell their own story: cybersecurity pros plan to stay in cybersecurity but not necessarily in their current jobs. The 24-month commitment drop from 75% to 66% in the Sophos data is the leading indicator of a churn cycle that recruiters will be paying for in 2026 to 2027.
AI's effect on the cybersecurity workforce
AI is the variable that decides whether the gap shrinks or shifts.
Figure 5: AI augmentation in cybersecurity, 2025 to 2028 (projected). Sources: Splunk State of Security 2025; ISACA State of Cybersecurity 2025; Fortinet 2025 Skills Gap Report; Gartner press release, March 2026.
How AI is being used today (ISACA, Splunk)
ISACA 2025 measured current AI adoption in security operations:
AI use case | % of orgs adopting | Source |
|---|---|---|
Threat detection | 32% | ISACA 2025 |
Endpoint security | 30% | ISACA 2025 |
Routine task automation | 28% | ISACA 2025 |
Helped develop AI governance | 47% (up from 35%) | ISACA 2025 |
Involved in AI implementation | 40% (up from 29%) | ISACA 2025 |
Splunk AI metric | Value | Source |
|---|---|---|
Plan to fill skills gaps with AI/automation | 33% | Splunk 2025 |
Boosted efficiency moderately or significantly with AI | 59% | Splunk 2025 |
Trust AI completely for mission-critical | 11% | Splunk 2025 |
Domain-specific AI enhances security | 63% | Splunk 2025 |
Prioritized AI in security workflows | 56% | Splunk 2025 |
Fortinet 2025: 87% of cybersecurity professionals expect AI to enhance their roles, contingent on upskilling.
Where AI is going (Gartner projections)
Gartner's 2025 to 2026 cycle of cybersecurity press releases produced multiple projections specifically about AI's effect on the security workforce:
Gartner projection | Year | Source |
|---|---|---|
AI applications driving 50% of cybersecurity incident response effort | 2028 | |
AI agents reducing time to exploit account exposures by 50% | 2027 | |
Cybersecurity functions redesigning appsec out of security org | 30% by 2027 | Gartner Top Predictions 2026 |
DLP and insider risk integrated with IAM | 70% of orgs by 2027 | Gartner Top Predictions 2026 |
Sovereignty of cloud security controls required | 30% of orgs by 2027 | Gartner Top Predictions 2026 |
The cumulative direction of travel: AI is replacing repetitive Tier 1 work (alert triage, IR enrichment, log correlation) and is simultaneously creating new categories of role (AI/ML security specialist, AI security engineer, AI governance analyst). Industry analysis reported by Help Net Security, drawing on Lightcast and Indeed job-posting data, found:
Security analyst job postings down ~53% since 2022.
SOC and security analyst role reductions: 32% of orgs experiencing workforce changes.
AI/ML security specialist roles filled: 34% of orgs.
AI security engineer roles added: 32%.
AI governance analyst roles employed: 30%.
The implication for hiring strategy is concrete: pull spend out of pure SOC Tier 1 expansion and reinvest in AI security engineering, identity engineering, and threat hunting. The SOC will not disappear; it will be re-staffed at a higher per-headcount skills bar.
Diversity and inclusion
The cybersecurity workforce is more diverse than it was a decade ago, but progress has slowed.
DEI metric | Value | Year | Source |
|---|---|---|---|
Women on cybersecurity teams (global) | 22% | 2024 | |
Women in <30 cohort | 26% | 2024 | ISC2 2024 |
Women in 65+ cohort | 13% | 2024 | ISC2 2024 |
Orgs reporting no women on security team | 11% | 2024 | ISC2 2024 |
Women experiencing budget cuts (vs 36% men) | 40% | 2024 | ISC2 2024 |
Women experiencing hiring freezes (vs 37% men) | 42% | 2024 | ISC2 2024 |
Women experiencing promotion freezes (vs 31% men) | 36% | 2024 | ISC2 2024 |
UK women in cybersecurity workforce | 17% | 2025 | |
UK women in senior cyber roles (6+ years) | 12% | 2025 | UK DSIT 2025 |
UK female representation in wider workforce | 48% | 2025 | UK DSIT 2025 |
The under-30 cohort runs at 26% women, which is the leading indicator that representation will continue to creep up over the next decade. The 11% of organizations reporting no women on the team and the 31-point gap between UK female representation in the wider workforce and the cyber workforce are the lagging indicators of how far the field still has to travel.
Regional snapshot
Regional gaps diverge widely.
Region | Reported workforce gap or skills constraint | Source |
|---|---|---|
Asia-Pacific | 3.4M workforce gap (largest absolute regional gap) | |
Europe (EU 27) | ~300,000 cyber workforce shortage | |
Europe / Central Asia | 42% cite cyber skills as biggest obstacle to resilience | |
Latin America / Caribbean | 50% cite cyber skills as biggest obstacle; 65% most-acute talent gap | WEF GCO 2026 |
Sub-Saharan Africa | 63% most-acute talent gap | WEF GCO 2026 |
United States | 514,359 12-month postings; 26% vacancy rate | |
United Kingdom | 143,000 workforce; 3,800 annual gap (down from 11,100 in 2023) |
The UK case is the most encouraging. A two-year graduate-pipeline investment narrowed the annual gap by roughly 66%. The pattern is replicable in markets with similar policy levers.
What this means for defenders and hiring leaders
A workforce paper that does not turn data into decisions wastes the reader's time. Five concrete moves the data supports:
Pay for senior generalists, not narrow specialists. The combined ISC2, ISACA, and Fortinet datasets converge on adaptability and soft skills as the binding constraint. Senior practitioners who can move across cloud, identity, AI, and IR carry more option value than narrow stack specialists, and the salary data confirms the market is pricing this in: BLS 90th-percentile information security analyst pay sits above US$186,420 versus US$124,910 at the median.
Redesign entry-level roles around AI augmentation, not eliminate them. The Gartner 50%-of-SOC-L1-by-2028 projection is real, but a workforce with no entry-level pipeline produces no Tier 2 and no senior generalists in 5 years. Pivot junior hiring toward AI-augmented investigation, threat hunting, and detection engineering.
Treat burnout as a coverage problem. Sophos's 4.8 hours/week per analyst lost to burnout, multiplied across a 50-person SOC, is roughly 6 full-time equivalents of capacity disappearing into stress. Investments in workload reduction (alert deduplication, AI-augmented triage, automation of low-fidelity playbook steps) pay back in coverage, not just morale.
Use certifications as a sort, not a gate. 89% of Fortinet hiring managers prefer certified candidates, but 73% of orgs (down from 89% in 2023) will fund certifications, and 19% of European entry-level postings deliberately drop credential requirements. The mismatch is recoverable by paying for certifications during the first year of employment, especially where the certification (CCSP, OSCP, CISSP, GIAC family) maps to identified critical-skills priorities.
Outsource the gap where it cannot be hired. Penetration testing, red team, and offensive security capability are the role bands where the senior-talent shortage is most acute and the cost of a misfire is highest. Stingrai's PTaaS and penetration testing services are designed to extend an in-house security team's offensive coverage without adding headcount, and our team holds OSCE3, OSCP, OSWE, OSED, OSEP, CREST CRT, and CISSP credentials with 18 published CVEs across the team. For organizations that cannot ship a hire fast enough to keep the gap closed, outsourced offensive coverage is the cleanest available bridge.
Frequently asked questions
How big is the cybersecurity workforce shortage in 2026?
The most-cited figure remains ISC2's 2024 estimate of a 4.8 million global cybersecurity workforce gap, against an active workforce of 5.5 million and total demand of 10.2 million, a 19% YoY widening of the gap. ISC2's 2025 study, drawing on a record 16,029 respondents, declined for the first time to publish a fresh global gap number on the grounds that critical-skills shortfalls now outweigh headcount as the binding constraint. In the US specifically, NIST CyberSeek's June 2025 update tracked 514,359 cybersecurity job postings over the 12 months from May 2024 through April 2025, against a 74% supply-demand ratio (26% of US roles vacant).
How long does it take to hire a cybersecurity professional in 2026?
ISACA's 2025 State of Cybersecurity reports 38% of organizations need 3 to 6 months to hire even at entry level, and 39% report the same for non-entry-level roles. In Europe, 45% of organizations still take 3 to 6 months to hire entry-level even when degree, experience, and credential requirements are removed. Industry research cited via Robert Half puts the typical IT role at roughly 41 days to fill versus 50 days for cybersecurity roles, with cleared senior architect and OT defence engineering roles taking 90 days or more.
What is the median cybersecurity salary in 2026?
The US Bureau of Labor Statistics put the May 2024 median annual wage for information security analysts at US$124,910, with the 10th percentile below US$69,660 and the 90th percentile above US$186,420. That is roughly 2.5x the US all-occupations median of US$49,500. Senior bands are higher: industry surveys put security architect medians around US$157,632 and CISO total compensation in the US$220,000 to US$420,000-plus range at large enterprises.
Is AI replacing cybersecurity jobs?
Not at the aggregate level. Gartner projects more than 50% of SOC Tier 1 analyst responsibilities will be handled by AI by 2028, but the same projection set has Information Security Analysts ranked among the top 15 fastest-growing professions globally through 2030 per the WEF Future of Jobs 2025, and the US BLS projects 29% employment growth for the role from 2024 to 2034. AI is reshaping where the gap binds: pulling Tier 1 SOC hiring down while pushing AI-security-engineering, identity, and threat-hunting hiring up. Fortinet 2025 found 87% of cybersecurity professionals expect AI to enhance their roles, contingent on upskilling.
Which cybersecurity skills are in highest demand in 2026?
ISC2 2025 ranks AI security at 41% and cloud security at 36% as the top critical-skills priorities. ISACA 2025 reports that soft skills are the top identified skills gap at 59%, with critical thinking (57%) and communication (56%) following. Adaptability is the single most-cited hiring qualification at 61%, narrowly ahead of prior cybersecurity experience at 60%.
Which cybersecurity certifications are most in demand?
Across CyberSeek, Lightcast job-posting data, and certification-vendor research, the most-requested cybersecurity certifications in 2025 hiring are CISSP (most-cited senior credential), CompTIA Security+ (most-cited entry-level credential), CISM, CISA, OSCP, CCSP, CEH, and the GIAC family (GCIH, GSEC, GCFA). Fortinet 2025 found 89% of hiring managers prefer certified candidates, while only 73% of organizations are willing to fund certifications (down from 89% in 2023).
How serious is the burnout problem in cybersecurity?
Severe and worsening. Proofpoint's Voice of the CISO 2025 found 63% of CISOs experienced or witnessed burnout in the past year. Sophos's 2025 Human Cost of Vigilance research measured 4.8 hours per week lost per cybersecurity worker to burnout, an increase of more than 25% YoY, with 39% reporting reduced productivity and 33% reporting reduced engagement. Bitsight's 2025 burnout survey of 1,000+ pros found 47% reporting some level of burnout. ISACA 2025 found 66% of professionals saying their role is more stressful than five years ago, 63% citing the complex threat landscape as the top stressor, and 47% citing high stress as the top reason for attrition.
How many women work in cybersecurity?
ISC2's 2024 study put women at 22% of cybersecurity teams globally, with 26% representation in the under-30 cohort and 13% in the 65+ cohort. 11% of organizations report no women on their security team. UK DSIT 2025 reports 17% female representation in the UK cyber workforce, falling to 12% in senior roles (6+ years experience), against a 48% female representation in the wider UK workforce.
Where can I find the latest cybersecurity workforce data?
The four annually-updated primary sources are the ISC2 Cybersecurity Workforce Study (annual, fall release), ISACA's State of Cybersecurity (annual, fall release), the WEF Global Cybersecurity Outlook (annual, January release), and NIST CyberSeek (rolling US data with quarterly updates). For salary, US BLS Occupational Outlook Handbook is the canonical primary source. UK data sits with the Department for Science, Innovation and Technology; EU data sits with ENISA. Vendor research worth tracking includes the annual Fortinet Cybersecurity Skills Gap Report and Splunk State of Security.
How can my organization close its skills gap fastest?
A combination of three moves consistently appears in the highest-performing organizations across the ISC2, ISACA, and Fortinet datasets: (1) invest in internal training and certifications during the first year of employment rather than gating hires on pre-existing credentials, (2) build apprenticeship and internship pipelines (cited as powerful tools by 55% and 46% of orgs respectively in ISC2 2025 hiring trends research), and (3) outsource the role bands where the senior-talent shortage is most acute (penetration testing, red team, AI security engineering) to specialists. Stingrai supports the third move via PTaaS and penetration testing services for organizations that cannot hire fast enough to keep the gap closed.
References
ISC2. 2024 Cybersecurity Workforce Study. October 2024. https://www.isc2.org/Insights/2024/10/ISC2-2024-Cybersecurity-Workforce-Study. Annual census of the global cybersecurity workforce, surveying 14,865 professionals; produced the most-cited 4.8M workforce-gap figure.
ISC2. 2025 Cybersecurity Workforce Study (press release). December 2025. https://www.isc2.org/Insights/2025/12/ISC2-Publishes-2025-Cybersecurity-Workforce-Study. Surveying a record 16,029 respondents; declined to publish a fresh workforce-gap estimate, citing skills shortfalls as a more binding constraint than headcount.
ISC2. A Focus on Skills: The 2025 ISC2 Cybersecurity Workforce Study. December 2025. https://www.isc2.org/Insights/2025/12/a-focus-on-skills-isc2-workforce-study. Detailed breakdown of critical-skills priorities including AI 41% and cloud security 36%.
ISC2. 2025 Cybersecurity Hiring Trends. June 2025. https://www.isc2.org/Insights/2025/06/cybersecurity-hiring-trends-study. Companion research on entry-level pipelines, internships (55%), and apprenticeships (46%).
ISC2. Women Comprise 22% of the Cybersecurity Workforce. March 2025. https://www.isc2.org/Insights/2025/03/Women-Comprise-22-percent-of-the-Cybersecurity-Workforce. Diversity and inclusion data drawn from the 2024 workforce study.
ISACA. State of Cybersecurity 2025 Global Press Release. October 2025. https://www.isaca.org/about-us/newsroom/press-releases/2025/state-of-cybersecurity-2025-global-press-release. The 11th annual State of Cybersecurity, surveying nearly 4,000 professionals worldwide; primary source for hiring difficulty, training, and stress data.
ISACA. State of Cybersecurity 2025 Europe Press Release. October 2025. https://www.isaca.org/about-us/newsroom/press-releases/2025/state-of-cybersecurity-2025-europe-press-release. Europe-specific cut of the same survey; covers entry-level posting requirements and time-to-hire.
ISACA. Cybersecurity Staffing Challenges Persist with Adaptability and Soft Skills in High Demand. At-ISACA newsletter Volume 19, 2025. https://www.isaca.org/resources/news-and-trends/newsletters/atisaca/2025/volume-19/cybersecurity-staffing-challenges-persist-with-adaptability-and-soft-skills-in-high-demand. Detailed soft-skills gap breakdown: 59% overall, critical thinking 57%, communication 56%.
World Economic Forum. Global Cybersecurity Outlook 2025. January 2025. https://www.weforum.org/publications/global-cybersecurity-outlook-2025/digest/. Primary source for the 14% skilled-talent figure and the 8% YoY rise in the cyber skills gap.
World Economic Forum. Global Cybersecurity Outlook 2026. January 2026. https://www.weforum.org/publications/global-cybersecurity-outlook-2026/. 804 respondents across 92 countries; primary source for the 85% resilience-deficit-to-skills-gap correlation and regional breakdowns.
World Economic Forum. Future of Jobs Report 2025. January 2025. https://www.weforum.org/publications/the-future-of-jobs-report-2025/digest/. Ranks networks and cybersecurity as the second fastest-growing skill category globally and Information Security Analysts in the top 15 fastest-growing professions through 2030.
US Bureau of Labor Statistics. Occupational Outlook Handbook: Information Security Analysts. May 2024 wage data; 2024 to 2034 employment projections. https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm. Primary source for US median wage US$124,910, 90th percentile US$186,420, +29% projected growth.
NIST CyberSeek. New CyberSeek Updates Reveal 57,000 Increase in Cybersecurity Job Openings. June 2025. https://www.nist.gov/news-events/news/2025/06/new-cyberseek-updates-reveal-57000-increase-cybersecurity-job-openings. Primary source for 514,359 US cybersecurity job postings over a 12-month window and the 74% supply-demand ratio.
Fortinet. 2025 Cybersecurity Skills Gap Global Research Report. October 2025. https://www.fortinet.com/content/dam/fortinet/assets/reports/2025-cybersecurity-skills-gap-report.pdf. Surveying 1,850 IT and cybersecurity decision-makers across 29 markets; primary source for breach-rate-vs-skills correlation and certification preferences.
Splunk. State of Security 2025. 2025. https://www.splunk.com/en_us/newsroom/press-releases/2025/global-state-of-security-report-reveals-critical-need-for-connected-security-operations.html. Surveying 2,058 security leaders across 9 countries and 16 industries; primary source for SOC overwork (52%) and AI-skills-gap-fill plans (33%).
CompTIA. State of the Tech Workforce 2025. 2025. https://www.comptia.org/en-us/resources/research/state-of-the-tech-workforce-2025/. Primary source for the 346% above-national-rate growth projection for cybersecurity analysts and engineers.
CompTIA. State of Cybersecurity 2025. 2025. https://www.comptia.org/en-us/resources/research/state-of-cybersecurity/. Surveying 1,026 US business and IT professionals in Q3 2025.
UK Department for Science, Innovation and Technology. Cyber security skills in the UK labour market 2025. August 2025. https://www.gov.uk/government/publications/cyber-security-skills-in-the-uk-labour-market-2025/cyber-security-skills-in-the-uk-labour-market-2025. The 7th annual edition; primary source for the 143,000 UK cyber workforce, 3,800 annual gap, and UK women-in-cyber data.
ENISA. NIS Investments 2025. 2025. https://www.enisa.europa.eu/topics/skills-and-competences (related landing page; full report referenced via complexdiscovery summary at https://complexdiscovery.com/enisa-2025-nis-investments-report-technology-prioritized-as-cyber-talent-pools-contract/). Drawing on 1,080 professionals across the EU 27; primary source for the EU 300,000 workforce shortage and 76% recruitment difficulty.
Sophos. The Human Cost of Vigilance: Addressing Cybersecurity Burnout in 2025. 2025. https://www.sophos.com/en-us/blog/report-addressing-cybersecurity-burnout-in-2025. Primary source for 4.8 hours/week lost to burnout (+25% YoY) and the 76% burnout prevalence.
Bitsight. The State of Cybersecurity Burnout in 2025. 2025. https://www.bitsight.com/blog/state-of-cyber-security-burnout-today. Surveying 1,000+ risk and security professionals; primary source for 47% any-burnout and aggregator of Sophos and Proofpoint figures.
Proofpoint. Voice of the CISO 2025. 2025. Cited via Bitsight 2025 state of burnout summary at https://www.bitsight.com/blog/state-of-cyber-security-burnout-today. Primary source for 63% CISO burnout exposure.
Gartner. Gartner Predicts AI Applications Will Drive 50% of Cybersecurity Incident Response Efforts by 2028. March 2026. https://www.gartner.com/en/newsroom/press-releases/2026-03-17-gartner-predicts-ai-applications-will-drive-50-percent-of-cybersecurity-incident-response-efforts-by-2028. AI's projected effect on incident response operations.
Gartner. Gartner Predicts AI Agents Will Reduce the Time It Takes to Exploit Account Exposures by 50% by 2027. March 2025. https://www.gartner.com/en/newsroom/press-releases/2025-03-18-gartner-predicts-ai-agents-will-reduce-the-time-it-takes-to-exploit-account-exposures-by-50-percent-by-2027.
Stingrai's view
The cybersecurity skills gap in 2026 is mostly a story about where the gap binds, not whether it exists. Senior offensive-security and AI-security-engineering roles are the hardest to staff, the most expensive when misfilled, and the lowest-tolerance for operational error. Stingrai was founded in 2021 in Toronto, Ontario, with a London, UK office, and we have invested in those exact role bands. Our team holds OSCE3, OSCP, OSWE, OSED, OSEP, CREST CRT, CISSP, CRTO, GCPN, CRTE, and eWPTX credentials. The team has shipped 18 published CVEs (Ivan Spiridonov 10, Moaaz Taha 5, Victor Villar 3) and presents research at DEFCON and BSIDES. Stingrai's PTaaS and penetration testing services are designed to extend an internal security team's offensive capability without adding the headcount, certifications, or 6-month time-to-hire that the workforce data above documents. If your organization is one of the 65% of ISACA respondents with unfilled cybersecurity positions, or one of the 88% that experienced a security event tied to a skills shortage, our team is the most efficient way to extend coverage while you hire.
