Over an eight-year period tracked by Cybersecurity Ventures, the number of unfilled cybersecurity jobs grew by 350 percent, from one million positions in 2013 to 3.5 million in 2021. For the first time in a decade, the cybersecurity skills gap is leveling off. Looking five years ahead, we predict the same number of openings in 2025.
The New York Times reported in 2018 that a stunning statistic is reverberating in cybersecurity: Cybersecurity Ventures’ prediction that there will be 3.5 million unfilled cybersecurity jobs globally by 2021, up from one million positions in 2014.
Despite industry-wide efforts to reduce the skills gap, the prediction has come true, and the world’s open cybersecurity positions in 2021 are enough to fill 50 NFL stadiums.
In the U.S. the cybersecurity workforce has more than 950,000 workers — with around 465,000 of them yet to be filled, according to CyberSeek, a project supported by the National Initiative for Cybersecurity Education (NICE), a program of the National Institute of Standards and Technology in the U.S. Department of Commerce.
The U.S. job market reflects a global supply and demand problem around recruiting candidates with cybersecurity certifications.
Nationwide, there are just over 90,000 CISSPs (Certified Information Systems Security Professionals), according to CyberSeek, but more than 106,000 job openings require the CISSP certification, our industry’s gold standard. Or consider CISMs (Certified Information Security Managers), with just 17,000 people holding the credentials but nearly 40,000 advertised jobs requesting them.
The U.S. Bureau of Labor Statistics projects “information security analyst” will be the 10th fastest growing occupation over the next decade, with an employment growth rate of 31 percent compared to the 4 percent average growth rate for all occupations. A majority of these (entry to mid-level) positions do not require certifications and allow employers to cast a wider net for candidates.
The Hindu Business Line cites a report from Michael Page, a global recruiting consultancy, which states that India alone is expected to have more than 1.5 million job vacancies in cybersecurity by 2025.
As the numbers trend up in India, the world’s second largest country with a population of nearly 1.4 billion and a hub of talent for global IT outsourcing, the cybersecurity worker shortage in the U.S. is expected to gradually decrease, beginning in 2022.
The cybersecurity worker shortage isn’t going away anytime soon, but there is finally light at the end of the tunnel.
Big Tech is hacking the skills shortage in the U.S.
Microsoft recently launched a national campaign with U.S. community colleges to help place 250,000 people into the cybersecurity workforce by 2025, representing half of the country’s labor shortage.
Google is running a full-page ad in The Wall Street Journal that says they’re training 100,000 Americans for vital jobs in data privacy and security. A couple of months ago, the company stated in a blog post that this pledge is being made through the Google Career Certificate program.
A Fact Sheet published by The White House announced that IBM will train 150,000 people in cybersecurity skills over the next three years, and they will partner with more than 20 historically black colleges and universities to establish cybersecurity leadership centers to grow a more diverse cyber workforce.
Training providers and other smaller firms are partnering with Big Tech and the U.S. government in the war against cybercrime.
Code.org joined Microsoft, Google, IBM, Apple, and Amazon at the White House recently and committed to teaching cybersecurity concepts to three million students. This includes two million K-12 students across 35,000 classrooms over the next three years, and the launch of a new instructional cybersecurity video series with a goal of reaching one million students of all ages. 45 percent of Code.org students are young women, and 49 percent are from underrepresented racial and ethnic groups.
Some tech analysts and associations have been way off on their cybersecurity employment forecasts (requiring frequent and large adjustments to their figures) and portray the number of job openings based on limited surveys or job board listings. Neither of these methods accurately reflects the current job market.
Many cybersecurity jobs (which should not be calculated into the worker shortage) are advertised in order to generate potential replacement candidates in a competitive market with high turnover. There are also duplicate job postings from employers and search firms (as well as contract recruiters) for the same positions.
Every IT position is also a cybersecurity position now. Every IT worker, every technology worker, is (or should be) involved at some level with protecting and defending apps, data, devices, infrastructure, and people.
While many mid-sized to large organizations post cybersecurity jobs that go unfilled, a growing portion of the responsibilities for those positions is being absorbed by IT workers taking on security as part of their overall role.
There are more than 12 million tech workers in the U.S., and around 75 million tech workers globally. Whether it is by design or out of sheer necessity, these workers will (unofficially) continue to soak up the cybersecurity responsibilities designated for the positions that employers are grappling to fill.
Women In Cybersecurity
Women represent 25 percent of the global cybersecurity workforce in 2021, according to Cybersecurity Ventures, up from 20 percent in 2019, and around 10 percent in 2011. We expect a steady uptick in the number of women filling cybersecurity jobs over the next decade — which will shrink the skills gap even further.
In their past four annual conferences from 2018 to 2021, presenters at WiCyS, a leading global community of women in cybersecurity, shared our employment data with students, educators, practitioners and leaders in the field.
“WiCyS aims to advance women’s and especially female students’ interest in cyber as a viable and compelling career path. With (Cybersecurity Ventures’) estimate of 3.5 million global cybersecurity jobs unfilled by 2021, the world simply requires all of the talent we can marshal,” wrote Michele Guel in a 2018 Cisco blog post. Guel has been an avid speaker, influencer and evangelist in the cybersecurity industry for more than 30 years.
Sylvia Acevedo, a rocket scientist and former CEO of Girl Scouts of the USA, spearheaded a partnership that launched with Palo Alto Networks in 2017 for the first-ever national cybersecurity badges. To date, more than 200,000 girls have earned cybersecurity badges. The hope is for many of these girls to pursue an education and career in cybersecurity.
Deloitte Cyber recently introduced a global awareness and recruitment campaign to attract more women with diverse skill sets and backgrounds into the cyber profession. “We have to expand the vernacular used today around careers so that when asked, ‘what do you want to be when you grow up?’ the answers include roles like ethical hacker, data privacy professional and cyber strategist. We have to break down the common misconceptions about the type of work that exists for cyber professionals and the type of experience you have to have to do that work,” says Emily Mossburg, Deloitte global cyber leader.
The book “Women Know Cyber: 100 Fascinating Females Fighting Cybercrime,” which was derived from the @WomenKnowCyber Twitter list of women in our field, has contributed to the global movement around recruiting more women to our field. A new documentary on women in cybersecurity, based on the book, has been produced by Cybersecurity Ventures, and sponsored by Mastercard with support from Deloitte Cyber and KnowBe4.
Cybersecurity Ventures predicts that women will represent 30 percent of the global cybersecurity workforce by 2025, and that will reach 35 percent by 2031.
Jobs For Everyone
Cybercrime, which is predicted to cost the world $10.5 trillion annually by 2025, up from $6 trillion in 2021, will continue generating a number of new jobs roughly equal to those being filled over the next 5 years.
“If you know cybersecurity, then you have a job for life,” said Robert Herjavec, a Shark on ABC’s Emmy Award-winning TV show “Shark Tank,” in a 2018 Cybercrime Magazine podcast interview. At that time, he claimed there is a zero-percent unemployment rate in cybersecurity.
Based on the number of openings today and over the next five years, the idea of lifetime employment may arguably be a statistical truth. How much one needs to know about cybersecurity is subjective, but career opportunities in our field are seemingly limitless.
“Cybersecurity needs you,” says Vasu Jakkal, corporate vice president, Security, Compliance and Identity at Microsoft, in a recent blog post. She isn’t referring only to people with technical experience. “Cybersecurity needs people with diverse backgrounds — business, law enforcement, the military, science, liberal arts, marketing design, and an array of other fields.”
“Allow me to bust a popular myth: that cybersecurity professionals must be technical wunderkinds, hoodie-clad prodigies who can crack a password in six seconds with time to spare for an energy drink,” writes Joanna Burkey, CISO at HP Inc. “While highly technical roles are key, on average they make up less than a third of a healthy cybersecurity organization.”
“With an estimated 3.5 million cybersecurity jobs globally that are likely to go unfilled in 2021, there’s much more room under the ‘big tent’ of this industry than people think,” adds Burkey. “To be successful in the future, we need to invite people who have expertise not just in technical roles, but also in risk management, business analysis, sales, deal support, and even marketing and communications.”
“People who are neurodiverse have to be a part of our workforce,” said Craig Froelich, CISO at Bank of America, in a recent interview with Cybercrime Magazine. The way Froelich sees it, people in the neurodiverse community bring advantages, especially for roles in cybersecurity.
“Everybody knows the statistics by this point in time,” said Jen Easterly, director at CISA (Cybersecurity and Infrastructure Security Agency), in a presentation for the Black Hat USA 2021 conference. “There are 3.5 million unfilled cybersecurity jobs around the world (according to Cybersecurity Ventures), and some 500,000 here in the U.S. In my personal opinion, this needs to be a highly ambitious national effort to be able to build a cybersecurity workforce to deal with the highly digitized world that we live in.”
“One particular passion of mine,” Easterly said, “is developing diverse organizations. I honestly believe that organizations that want to build, particularly in technology and cybersecurity, must reflect the incredible diversity of our nation, and gender and ethnicity, and sexual orientation in education and background that all translates into diversity of thought. That helps us solve our most complicated puzzles, better and faster. That incredible diversity helps us be able to address these problems, much more collaboratively.”
Nitin Natarajan, deputy director at CISA, has what he calls an “unconventional” background that speaks loudly to the critical need and immense benefit of diversifying the cybersecurity industry talent pool.
“I started my career as a flight paramedic and volunteer firefighter, and did that for 13 years,” said Natarajan, on the Cybercrime Magazine podcast. He went on to work in healthcare administration for a number of years after that, then worked in state government for a few years before joining the federal government, and then finally spent time in the private sector leading up to a position at CISA. Today Natarajan helps lead the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure.
Ron Green, executive vice president and chief security officer at Mastercard, sums it up best when he says, “You can’t be what you can’t see.” If we want young people, women, minorities, people with disabilities, and cross-overs from other industries, then we need to show them role models. If we do, then they’ll flock to our field.
If you’re a student, parent, teacher, IT worker, or anyone interested in the cybersecurity field, then this handy list of 50 titles will provide insight into a myriad of possible career opportunities.
While some cybersecurity associations have put forward their own job estimations, they have coalesced around our cybersecurity jobs data, providing the industry with a reliable de facto statistic that we can all agree upon.
A 2021 paper published by ISACA, which serves 145,000 professionals in 180 countries, who span several roles in assurance, governance, risk and information security, states that “the cybersecurity talent crunch will reach 3.5 million unfilled jobs globally in 2021, according to Cybersecurity Ventures” — and “research on this number was corroborated by multiple sources.”
For years, CompTIA, a leading voice and advocate for the estimated 75 million industry and tech professionals globally, has shared our employment data. In 2017, they stated, “Unfilled cybersecurity jobs will reach 3.5 million by 2021. Cybersecurity Ventures estimates that by 2021 every large company (F500/G2000) globally will have a chief information security officer (CISO), compared to the 65 percent that have one now and the 50 percent that did in 2016.” What CompTIA shared from us 5 years ago around CISOs has also come true. The 2021 “CISO 500,” an annual compilation of Fortune 500 CISOs, indicates a CISO or equivalent title for each company.
In 2019, the leadership team at ISC(2), an international, nonprofit membership association for information security leaders, posted a blog on their website which states, “the cybersecurity skills shortage is expected to result in 3.5 million unfilled positions by 2021, according to Cybersecurity Ventures” — underscoring their alignment to our research. More recently, ISC(2) updated their own research figures from 1.8 million unfilled positions to line up with ours. (The association then posted a figure at nearly 3 million, and another at more than 4 million. While the inconsistency and wide variations are concerning, the average of their last two estimates aligns squarely to our research.)
Cybersecurity Ventures’ prediction around unfilled jobs has been corroborated by hundreds of media outlets, including the world’s largest, as well as universities, governments, vendors, recruitment firms, and security experts, since we first published the figure five years ago. Our next annual Cybersecurity Jobs Report will be published in Q4 2022.