The global cybersecurity workforce gap reached 4.76 million in 2024, and for the first time, budget, not talent, is the leading cause.
The 2024 ISC2 Cybersecurity Workforce Study put the global shortage at 4,763,963 professionals. I keep the full number rather than rounding it because the precision is part of what makes it strange. It sounds like an estimate dressed up as a count. But the direction of the number is what matters: it represents a 19.1 percent increase in the gap from 2023. The world is not getting closer to staffing its security functions. It is falling further behind, and now for a reason that most of the coverage gets wrong.
The standard explanation for the workforce gap has always been that qualified people do not exist in sufficient numbers. Train more people, run more bootcamps, partner with universities, build pipelines. That reasoning was never entirely right, but it was at least directionally defensible. The 2024 ISC2 report is the first time in the study's history that budget was cited as the top cause of staffing shortages, displacing "lack of qualified talent." Organizations are not failing to fill positions because they cannot find people. They are failing to fill them because leadership decided not to spend the money. Those are very different problems.
The global cybersecurity workforce sits at roughly 5.5 million professionals, growing 0.1 percent year on year, effectively stalled. The workforce is not shrinking but it is not growing in any meaningful way either. Meanwhile the threat surface keeps expanding, the regulatory environment keeps adding compliance requirements, and the gap between what organizations need and what they have gets wider every cycle. Job satisfaction dropped from 74 percent in 2022 to 66 percent in 2024. People already in the field are less satisfied than they were two years ago. When you combine frozen headcount with declining satisfaction, you create the conditions for attrition in a profession that cannot absorb it.
The geographic picture matters here too. ISC2 found that the greatest gap growth is in Asia-Pacific and Europe. This is not a US-centric problem, and it is not a problem that any single national education system can fix. The skills required for effective security work (threat modeling, incident response, cloud security architecture, regulatory compliance across multiple jurisdictions) do not develop quickly. You cannot run a six-month bootcamp and produce someone who can manage a security operations center. Organizations in every region know this. They also know they cannot outbid each other for a small pool of experienced professionals without either inflating salaries or burning out the people they do hire.
What I find intellectually interesting about the budget-as-constraint finding is how it maps onto what IS research says about organizational investment in IT. The technology adoption literature is full of studies about perceived usefulness, ease of use, and individual acceptance decisions. But organizational investment decisions operate on a different logic. Executives approve security headcount when they believe the expected loss from a breach exceeds the cost of prevention. When economic conditions tighten, they revise that calculation downward. The breach is probabilistic. The salary line is certain. Post-pandemic, when tech hiring froze broadly, security functions were not exempted. The freeze happened at exactly the moment when the workforce gap was accelerating.
There is an experience paradox sitting inside this data that gets less attention than it deserves. Organizations with frozen hiring budgets tend to concentrate their spending on the positions they absolutely must fill. Those positions go to experienced people who command higher salaries. Entry-level and mid-level roles get cut first. So the pipeline that would produce experienced professionals five years from now is the part of the labor market most affected by budget constraints today. You cannot solve a talent shortage by refusing to hire talent until it is already fully formed. Every senior engineer was once a junior engineer that somebody paid to develop. This is not a novel observation, but it is one that organizations reliably ignore when budgets tighten.
I wrote about how AI and automation save $2.2 million in breach costs on average, which is one place where the workforce gap story intersects with the technology investment story. AI-assisted security operations (SIEM tools with machine learning triage, automated threat detection) do reduce the labor burden for tasks that are high volume and pattern-based. Alert triage is the clearest example. A security analyst who spends six hours a day manually reviewing SIEM alerts and dismissing 90 percent of them as false positives is not using their expertise for anything an organization could not partially automate. IBM's 2024 breach data also found that organizations with severe staffing shortages see breach costs increase by $1.76 million on average compared to peers with adequate staffing. The cost of not hiring shows up in the breach ledger.
But AI as a workforce multiplier has real limits. The roles that require judgment, stakeholder communication, architectural decision-making, and regulatory interpretation do not reduce to pattern recognition. An organization can automate its alert queue and still make catastrophic decisions about its cloud security architecture because nobody in the room understood the trade-offs well enough to push back on the vendor's recommendation. The workforce gap is not uniform. It matters most precisely in the roles where no automation currently helps. And those are the roles that budget constraints hit first, because they are expensive and their value is hardest to demonstrate on a quarterly budget review.
My read on where this goes is not optimistic in the near term. The 4.76 million gap and the 19.1 percent growth rate tell me the field is in a structural shortfall, not a cyclical one. Closing it requires both supply-side investment (education, pipeline development, entry-level hiring) and demand-side structural change, specifically the organizational recognition that security workforce investment is not an overhead cost but a loss prevention cost. As long as that framing does not shift, the budget constraint will keep producing the gap that the budget constraint is supposedly surprised by.