Cybersecurity Industry Marks 15 Consecutive Years Of Demanding More Cybersecurity Professionals, Asks For 16th
Filed by Cybersecurity Smith
ALEXANDRIA, VA. — The International Information System Security Certification Consortium, known as ISC2, released its annual Cybersecurity Workforce Study this fall, marking the fifteenth consecutive year in which the cybersecurity industry has called for an immediate and substantial increase in the number of cybersecurity professionals.
ISC2 is a non-profit member organization that funds its operations primarily through membership dues and certification fees. It reported a global workforce shortage of 4.8 million qualified professionals. The figure represents a 19 percent year-over-year increase in the shortage. The previous fourteen reports have also documented year-over-year increases.
The industry has indicated that solving this shortage will require, among other measures, the hiring of additional cybersecurity professionals.
A REVIEW OF THE RECORD
Cybersecurity Smith obtained and reviewed publicly available figures from the past fifteen years of industry workforce reporting. They are reproduced below.
2010: Industry calls for more cybersecurity professionals. Average breach cost: approximately $3.4 million. The U.S. Bureau of Labor Statistics begins separately tracking "information security analysts" as a distinct occupation, citing growing demand.
2015: Industry calls for more cybersecurity professionals. ISC2 releases the Certified Cloud Security Professional (CCSP) certification, expanding its credential offerings. Workforce study notes "supply lagged behind demand." Average breach cost: approximately $3.8 million.
2017: Industry calls for more cybersecurity professionals. The reporting methodology is revised in a manner that expands the definition of "cybersecurity professional" to include IT/ICT staff who spend at least 25 percent of their week on security-related tasks. The reported workforce roughly doubles.
2019: Industry calls for more cybersecurity professionals. Global workforce estimated at 2.8 million. Industry describes the figure as "impressive" and "still insufficient."
2022: Industry calls for more cybersecurity professionals. ISC2 launches the "One Million Certified in Cybersecurity" initiative, providing free entry-level Certified in Cybersecurity (CC) certification education and exams.
2023: Industry calls for more cybersecurity professionals. Global workforce reaches a record 5.5 million — an 8.7 percent year-over-year increase. ISC2 CEO Clar Rosso states: "We must double this workforce to adequately protect organizations and their critical assets." Concurrent figure: workforce gap reaches a record 4 million. Average breach cost: $4.45 million.
2024: Industry calls for more cybersecurity professionals. Workforce growth slows to 0.1 percent. Workforce gap grows 19 percent to 4.8 million. Eighty-six percent of organizations experience at least one breach. The reported cause of the staffing shortage, for the first time in the study's history, shifts from "lack of qualified talent" to "lack of budget."
2025: Industry calls for more cybersecurity professionals. ISC2 declines, for the first time, to publish a workforce gap estimate, citing "more pressing and specific measures of skills and staffing needs."
The workforce, by the industry's own measure, has grown approximately 95 percent since 2019. The number of organizations experiencing breaches has also grown. The average breach cost has grown from $3.4 million to nearly $5 million. The gap, throughout this period, has not closed. It has widened every year except those in which the methodology changed.
THE PATTERN, FOR THE RECORD
In each of the past fifteen annual reports, the cybersecurity industry has identified the following as both the cause of and the solution to the cybersecurity crisis:
— A shortage of cybersecurity professionals.
In each report, the industry has noted that the threat landscape is the most complex it has ever been. In each report, the industry has indicated that the previous year's recommended actions — increased hiring, increased certifications, increased budget — were appropriate but insufficient. In each report, the industry has called for the same actions, at greater scale, in the coming year.
Asked whether the addition of approximately 2.5 million cybersecurity professionals between 2019 and 2024 had measurably reduced the global cybersecurity risk profile, several industry analysts declined to answer directly and referred this publication to forthcoming reports.
"It's a complex landscape," said Brad Thornwell-Pierce, CISSP, CISM, CRISC, CISA, speaking from his office. "Adversaries are sophisticated. Attack surfaces have expanded. We have made tremendous progress as an industry. The work is essential. We will need additional headcount."
Thornwell-Pierce was unable to specify what success in cybersecurity would look like, or how the industry would know if it had been achieved.
A NOTE ON METHODOLOGY
ISC2's workforce gap figures are derived from a proprietary methodology that surveys cybersecurity practitioners — many of whom are ISC2 members — about how many additional cybersecurity professionals their organizations require.
ISC2's revenue derives substantially from certification fees paid by cybersecurity professionals.
Cybersecurity Ventures, which projects that the shortage will reach five million unfilled positions by 2030 and that global cybercrime costs will exceed thirty trillion dollars annually, is a research firm whose magazine accepts advertising from cybersecurity vendors.
This publication does not call for the hiring of additional cybersecurity professionals.
This publication notes that, somewhere, a senior sysadmin named Dave Karlsen is patching a server. He has been doing this for twenty-two years. The industry has never asked him what he needs. He has not been counted in the workforce study. He says it's fine.
At press time, the industry was preparing to release its 2026 workforce study. Sources familiar with the report indicate that it will call for additional cybersecurity professionals.
EDITOR'S NOTE: Cybersecurity Smith is a satirical publication. All quoted individuals named "Brad Thornwell-Pierce" are fictional. Factual claims about real organizations, including the International Information System Security Certification Consortium (ISC2), Cybersecurity Ventures, IBM, and the U.S. Bureau of Labor Statistics, are drawn from publicly available reports and press releases issued by those organizations.