An estimated 700,000 cybersecurity specialists entered the global workforce in the past year, shrinking the gap between supply and demand to an estimated 2.7 million unfilled positions, according to (ISC)2's new annual Cyber Workforce Study.
While the gap shrank from last year's 3.1 million, demand continues to be strong, and most cybersecurity workers (77%) continue to be satisfied or extremely satisfied with their jobs, up from 66% in 2019, according to the survey of 4,750 professionals responsible for cybersecurity at companies. Ironically, some of that satisfaction may have been caused by changes wrought by the coronavirus pandemic, with more than half of security professionals (53%) citing better workplace flexibility, 37% citing more impetus behind digital transformation initiatives, and 34% citing better communication and collaboration.
The workforce and training continue to be a dynamic space for companies, says Tara Wisniewski, executive vice president of advocacy, global markets and member engagement at (ISC)2.
"This is an incredibly important and exciting workforce, but one that is in great need for more trained professionals to come into it," she says. "Key recommendations for organizations looking to build their workforce are, first and foremost, that organizations understand their own gap and what their individual needs are."
With ransomware, data breaches, and nation-state attacks continuing to target companies, cybersecurity continues to be an in-demand calling. Currently, about 4.2 million people are working as cybersecurity specialists, but that population needs to grow by 65% to satisfy demand, according to the (ISC)2 report.
In North America and the UK, the cybersecurity workforce continues to be mostly Caucasian (72%) and male (76%), while women make up about 25% of the cybersecurity workforce globally. Efforts to diversify and promote inclusion require more mentorship opportunities, increased flexibility in working conditions, and hiring managers focused on workforce diversification.
"The cybersecurity workforce – the very people on the front lines defending our critical assets around the world – are telling us where talent is needed most; that old habits in hiring need to change; that technology spending alone won’t fix our problems; that remote work is a greater opportunity than a threat; and that they expect meaningful diversity, equity and inclusion (DEI) initiatives from their employers," the (ISC)2 report stated.
Overall, the global cybersecurity community is highly educated, with 86% having a bachelor's degree or higher; technically proficient, with more than two-thirds having a math or engineering degree; and well compensated. In 2021, the average salary among survey respondents was just shy of $91,000, up from $83,000 in 2020 and $69,000 in 2019. Nearly a third of workers — almost half in the US — make $100,000 or more.
Some countries, such as South Korea, had less than 5% growth in their cybersecurity workforce. Others saw a decline, such as the United Kingdom, which experienced an 18% drop in the number of working cybersecurity professionals. But most saw significant increases in their workforce, with Germany leading the pack with a 165% increase in cybersecurity professionals — or 465,000 currently working in the industry compared with 175,000 in 2020.
One problem for the average company: Businesses continue to have unrealistic expectations when hiring cybersecurity professionals, often looking for far more experienced candidates than a given position requires. Hiring managers often call for a level of expertise not needed for entry-level positions, Wisniewski says.
"There is pretty severe competition for the talent, and we are hearing from people that they are getting multiple job offers," she says. "It is a challenge for organizations, for small and medium enterprises are often very lucky if they have anyone who is considering security. And that challenge gets more severe if you are talking about the federal workforce in the US."
More workers, especially younger ones, are training either in college or through skills-focused courses for a career in cybersecurity, rather than starting in IT and moving laterally to the cybersecurity field, the study found.
Four in 10 workers under 39 years old, classified as Generation Z or Millennials, either have a degree in cybersecurity or learned on their own before taking a job in the field, while only 14% of workers over the age of 55 did the same.
"We cannot rely on a four-year degree as the only way in for cybersecurity professionals," Wisniewski says. "The pandemic has really heightened some of those gaps and also changed the higher education universe and I see that as an opportunity for cyber."