What Is the Cybersecurity Talent Shortage?

Cybersecurity talent shortages have evolved from a recruitment challenge into an operational risk. As cyber threats increase in frequency, complexity, and regulatory scrutiny, many organizations are struggling to build security teams at the pace required to keep up.

The cybersecurity talent shortage refers to the growing gap between demand for security expertise and the available supply of skilled professionals. This is no longer a niche issue affecting technology companies alone; it is a workforce challenge impacting organizations across industries, geographies, and maturity levels.

This guide breaks down what's driving the shortage, what it's costing organizations, and what can actually be done about it.

Statistics and Projections

Let's start with the numbers, because they're hard to ignore.

According to ISC2's Cybersecurity Workforce Study, the global cybersecurity workforce gap currently sits at approximately 4 million professionals. That's the number of additional workers the industry would need just to adequately protect today's organizations. Europe alone accounts for a significant portion of that IT security deficit, and the UK's National Cyber Security Centre (NCSC) has flagged the domestic shortage as a sustained risk to national resilience.

Demand for cybersecurity professionals has outpaced supply consistently over the past decade. Job postings for security roles routinely go unfilled for months, and when positions are filled, it's increasingly through internal promotions or lateral hires that simply shift the gap rather than close it.

So, is there a talent shortage in cybersecurity? Yes. There's a legitimate debate about whether the problem is a pure shortage of bodies or a more nuanced mismatch between the skills organizations need and the skills available workers actually have. The honest answer is that it's both; there aren't enough people, and of the people who are available, many don't have the specific technical depth that organizations are looking for.

Looking ahead, projections from Gartner suggest the gap is unlikely to close without significant structural changes. Demand continues to grow as cloud adoption accelerates, AI introduces new attack surfaces, and regulatory requirements multiply. Supply, meanwhile, is constrained by slow-moving educational pipelines and high attrition in the existing workforce.

One thing worth addressing directly: despite what some career forums might suggest, cybersecurity is not oversaturated. Entry-level applicants face a frustrating paradox (more on that shortly), but the field as a whole remains one of the most undersupplied areas in the entire labor market.

Understanding the Root Causes of the Shortage

The cybersecurity talent shortage didn't appear overnight. It's the product of several reinforcing problems that have been building for years.

The pace of digital transformation has outrun the talent pipeline. Every time an organization moves workloads to the cloud, deploys a new connected device, or adopts a SaaS platform, it creates new security requirements. The threat landscape evolves continuously, and educational institutions have struggled to keep up. Many university curricula are still teaching concepts and tools that are years out of date by the time students graduate.

The experience paradox keeps new talent stuck. Many cybersecurity job postings require three to five years of experience for what are ostensibly entry-level roles. This creates a circular problem: people can't get experience without a job, and they can't get a job without experience. It's one of the most frequently cited frustrations among people trying to break into the field, and it actively suppresses the number of new professionals entering the workforce.

Lack of diversity compounds the problem. Across the 65 countries covered by Horsefly data, women represent approximately 17% of cybersecurity talent. While this should not be positioned as a complete global workforce measure, it does highlight a clear gender imbalance across a broad international sample.

This matters not just from an equity standpoint, but from a practical one. If cybersecurity employers continue to rely on narrow or traditional talent pools, they risk limiting the number of people entering the profession. Broadening who cybersecurity is marketed to, how roles are written, and where employers search for talent could meaningfully expand the available supply.

Image shows the significant difference between men and women within cybersecurity roles, globally, according to Horsefly data

Retention is as big a problem as recruitment. High workloads, constant pressure, and the emotional weight of being responsible for protecting organizations from threats that never stop all add up. Burnout is endemic in the cybersecurity sector. When skilled professionals leave because they're exhausted or undervalued, organizations lose institutional knowledge that takes years to rebuild. And the remaining team gets even more stretched, creating a feedback loop that accelerates attrition.

Misconceptions about what cybersecurity actually involves put off potential new entrants. The field is often portrayed as exclusively technical, requiring deep coding expertise or a computer science degree. In reality, many cybersecurity roles involve significant amounts of risk management, policy, communication, and analysis. The talent pool expands considerably when the field is presented more accurately.

Salaries, while competitive at the upper end, aren't always structured to attract and retain junior talent. Can you make $500,000 a year in cybersecurity? At senior specialist levels, in certain industries and geographies, yes. But that figure bears no resemblance to the entry or mid-level salary experience. Organizations that anchor their compensation expectations to market medians without adjusting for scarcity often lose the people they've invested in training.

Impacts of the Cybersecurity Skills Gap

An IT security talent shortage doesn't stay neatly in the HR department; it ripples outward into operational risk, financial exposure, and organizational resilience.

Organizations are more vulnerable. With teams operating at reduced capacity, the time to detect and respond to incidents increases. Threats that would have been caught earlier in a fully-staffed environment go unnoticed for longer. The average cost of a data breach continues to rise, and understaffed security teams are a contributing factor.

Existing professionals are burning out. Security Operations Center (SOC) analysts are monitoring alerts around the clock. Threat intelligence teams are tracking a constantly evolving adversary landscape. When these roles are understaffed, the people in them carry the weight of two or three jobs. Burnout follows, turnover increases, and the cycle continues.

The chart below, from Horsefly data, highlights this, showing that ‘work life balance and wellbeing’ is the priority for SOC analysts.

 

Compliance and regulatory pressure intensify the strain. New regulations across financial services, healthcare, critical infrastructure, and data privacy require dedicated compliance expertise. Organizations that can't hire to meet those requirements face legal and reputational risk on top of operational risk.

The cost of talent itself rises. When skilled cybersecurity professionals are scarce, organizations compete on salary and benefits in ways that are unsustainable for many mid-sized businesses. The talent shortage doesn't just create a security risk; it creates a financial one.

Innovation will start to slow down. Security reviews that take weeks instead of days will become a bottleneck for product development and digital transformation initiatives. Organizations with understaffed security functions often find themselves forced to slow down - not for lack of ambition, but for lack of the people needed to keep new initiatives secure.

Bridging the Gap: Effective Skills Gap Solutions and Strategies

There's no single fix. But there are several approaches that, combined, can meaningfully move the needle.

Enhancing Education and Training

The pipeline problem won't solve itself. Organizations, governments, and educational institutions all have a role in building more robust pathways into cybersecurity careers.

Promoting cybersecurity education earlier, at secondary school level, helps build the foundational interest and skills that make the field accessible. Several UK government initiatives and US programs like those coordinated through CISA have begun addressing this, though the scale of investment needs to increase significantly.

At the post-secondary level, the growth of cybersecurity bootcamps and accelerated certification programs has been genuinely helpful. Programs built around certifications like CompTIA Security+, CISSP, and CEH give career changers a credible entry point without requiring a four-year degree. These programs work best when they're built in partnership with employers who are committed to actually hiring their graduates.

University programs need updating, too. Curricula that incorporate cloud security, AI security, and hands-on lab environments produce graduates who are more immediately useful to employers - reducing the onboarding gap and making it easier for organizations to justify hiring at entry level.

Reskilling and Upskilling Existing Workforces

Not all cybersecurity talent has to come from the external market; many organizations are sitting on an underutilized internal resource: employees with adjacent skills who could be developed into cybersecurity professionals.

IT administrators, network engineers, and developers often have transferable skills that, with targeted training, translate well into security roles. Internal apprenticeship programs and structured mentorship arrangements can create a pipeline from within, reducing recruitment costs and building loyalty in the process.

Continuous professional development for existing security staff is equally important. The threat landscape evolves too quickly for skills to stay static. Organizations that fund ongoing certifications, conference attendance, and access to threat intelligence platforms retain their best people and keep them sharp.

Attracting and Retaining Diverse Talent

Broadening the talent pool is one of the highest-leverage interventions available to organizations facing the shortage.

This means actively recruiting from groups that have historically been underrepresented in cybersecurity, including women, ethnic minorities, veterans, and career changers from non-technical backgrounds. It means reviewing job descriptions to remove unnecessary barriers (that "five years of experience" requirement for an entry-level role, for instance). And it means building work environments where diverse professionals feel they belong and can advance.

Addressing burnout is not a soft issue; it's a retention strategy. Flexible working arrangements, manageable workloads, clear career progression, and genuine organizational support for mental health all contribute to keeping people in the field longer. The most dangerous version of the talent shortage is one where organizations keep hiring and then losing people to burnout before they ever reach their full contribution.

Leveraging Technology and Automation

Technology can't replace human expertise in cybersecurity, but it can multiply what human expertise is capable of. AI and machine learning tools are increasingly being used to automate the triage of security alerts, flag anomalous behavior, and generate threat intelligence summaries - freeing up SOC analysts to focus on the threats that actually require human judgment.

Automation doesn't eliminate the need for skilled security professionals. If anything, it changes the skills profile required, shifting emphasis toward threat analysis, decision-making, and strategic response rather than manual monitoring. Organizations that adopt these tools thoughtfully can do more with the teams they have while they work on building the capacity they need.

Government and Industry Collaboration

The talent shortage is too large and structural to be solved by individual organizations acting alone. Government and industry collaboration at scale is a necessary part of the solution.

Policy initiatives that fund cybersecurity education, create apprenticeship frameworks, and incentivize organizations to hire and train entry-level professionals help address the pipeline problem systematically. Information-sharing programs between government agencies and private sector organizations help spread threat intelligence more effectively, reducing the burden on individual security teams.

International collaboration matters too. Cyber threats don't respect national borders, and neither should workforce development strategies. ENISA in Europe and CISA in the US have both identified workforce development as a national security priority - the question is whether the urgency of that designation translates into sustained investment.

Specific Skills in High Demand

Across the cybersecurity workforce, certain skill areas are facing particularly acute shortages.

Cloud security tops most lists. As organizations migrate infrastructure to AWS, Azure, and Google Cloud, the demand for professionals who understand cloud-native security architecture has outpaced supply significantly.

AI and machine learning security is an emerging gap. As AI systems become more embedded in business operations, the need for professionals who understand the benefits of AI in cybersecurity, how to secure those systems, and how adversaries might exploit them is growing fast.

Incident response and digital forensics professionals are chronically in short supply. These roles require a combination of technical depth, composure under pressure, and methodical thinking that's difficult to train quickly.

Data privacy and compliance have become their own specialism as GDPR, CCPA, and sector-specific regulations multiply. Organizations need people who can translate regulatory requirements into technical controls - a skillset that spans both legal and technical domains.

Application security professionals who can integrate security into software development pipelines (DevSecOps) are in high demand as organizations recognize that security needs to be built in, not bolted on.

Risk management expertise that connects technical risk to business risk is consistently sought after at the CISO level and below. The ability to communicate security posture to board-level stakeholders is genuinely rare.

Image shows Horsefly’s Signal Skills tools, which help identify skills in high demand.

Future Outlook for the Cybersecurity Workforce

The picture for 2026 and beyond isn't uniformly bleak, but it does require honest assessment.

Demand for cybersecurity professionals will continue to grow. AI-driven threats are becoming more sophisticated. Attack surfaces are expanding as connected devices proliferate. Regulatory environments are tightening globally, and none of these trends looks to be reversing.

At the same time, the workforce pipeline is beginning to respond. More people are entering cybersecurity through bootcamps, certifications, and career transitions. Organizations are investing more seriously in internal development. And AI tools are starting to enable existing teams to work more effectively at scale.

Is cybersecurity oversaturated in 2026? No. Not even close. The entry-level market can feel competitive, but that's largely a reflection of the experience paradox rather than genuine oversupply. At every level above entry, demand continues to outstrip the available talent significantly.

The roles of the future will look somewhat different. AI security, quantum cryptography readiness, and cloud-native security architecture will grow in importance. The skills needed to operate effectively in the field are shifting, which means continuous learning isn't optional - it's the baseline expectation.

A Collective Effort to Secure Our Digital Future

The cybersecurity talent shortage is real, structural, and consequential. It's not going to be solved by any single organization, government, or technology. What it requires is a sustained, coordinated effort across education, industry, policy, and individual organizations - with a genuine commitment to opening the field to a wider, more diverse pool of talent.

The organizations that take the shortage seriously and act strategically on it - by investing in development, broadening their talent pools, and using data to make smarter workforce decisions - will be measurably better positioned than those that treat cybersecurity hiring as a reactive, post-incident concern.

Understanding your talent market is step one. Horsefly Analytics gives you the labor market intelligence to see where cybersecurity talent actually exists, how competitive the market is for specific roles and skills, and where to focus your hiring and development investments. Get in touch for a strategic consultation and find out how we can help.



Sources: Horsefly Analytics, ISC2, NCSC, Chatham House, Gartner, CompTIA, ENISA, CISA, GDPR, CCPA, PwC


© 2024 Horsefly is a trademark of AI Recruitment Technologies Ltd. All rights reserved.