ISC2 reports a 4.76 million person cybersecurity gap while the existing workforce stagnates. For the first time, budget, not talent, is the top barrier.
The ISC2 2024 Cybersecurity Workforce Study puts the global gap at 4.76 million unfilled positions, a 19.1% increase from the year before. The workforce itself is 5.5 million, and it grew by just 0.1% last year. Those two numbers next to each other say something important.
A gap of 4.76 million in a workforce of 5.5 million means the field needs to nearly double its current size just to reach equilibrium. Yet it grew by only 0.1% in a year. The workforce is effectively stalled while the gap is expanding. That is not a pipeline problem or a training program problem in any straightforward sense.
What makes the ISC2 2024 findings particularly significant is a shift in the reported cause. For the first time, budget was cited as the top barrier to hiring and growing cybersecurity teams, displacing talent as the primary explanation. That is a meaningful change in the data and I think it deserves more attention than it has gotten. In prior years, the narrative was that the talent simply was not available. Organizations wanted to hire but could not find qualified people. Now organizations are saying something different: the qualified people may exist, but the organization is not allocating the money to hire them. That is a governance decision, not a labor market condition.
The resource-based view of the firm, developed by Barney (1991) and applied to IS contexts by Wade and Hulland (2004), treats certain organizational resources as sources of sustained competitive advantage when they are valuable, rare, inimitable, and non-substitutable. Cybersecurity professionals fit this description in ways that most IT labor does not. They are valuable because the cost of their absence is measurable in breach costs. IBM's 2024 Cost of a Data Breach report found that security staffing shortages added $1.76 million to average breach costs. That is a concrete quantification of the value a security professional creates, or more precisely, of what is lost when one is absent. They are rare because the supply has stalled at 5.5 million in a market that needs more than double that. They are difficult to imitate because security competence is built through years of exposure to real incidents, tooling, and organizational context. A new hire does not substitute for an experienced security analyst even if they have the same certification.
What the RBV lens makes clear is that organizations citing budget as the reason they cannot grow their security teams are making a deliberate choice to underinvest in a strategic resource. That is an IS governance decision with consequences that are now precisely quantified. When IBM says staffing shortages cost $1.76 million per breach, that is the premium organizations pay for the governance decision not to fund the security team adequately. The premium is real, it is measurable, and it arrives at the worst possible moment.
I want to press on the budget framing a bit more. When ISC2 reports that budget is the top barrier, there are at least two interpretations. One is that security leaders are asking for resources and being denied them, meaning the board and C-suite are making a deliberate tradeoff in favor of other priorities. The other is that security leaders are not making a compelling business case, meaning the failure is partly communicative and organizational. In my experience reading the IS governance literature, both are probably true in different organizations, and the distinction matters for what the solution looks like. If boards are systematically undervaluing cybersecurity investment, the intervention is at the governance level, specifically in how security risk is reported to the board and how it is connected to business outcomes. If security leaders are not making the case effectively, the intervention is at the framing level, translating technical risk into financial exposure.
The job satisfaction data makes me think it is more the first problem than the second. ISC2 found that job satisfaction among cybersecurity professionals dropped from 74% in 2022 to 66% in 2024. A workforce where satisfaction is falling, where the gap is growing, and where budget is now the primary barrier is describing an organizational environment where security professionals feel undervalued and underresourced. That is not consistent with a story where security leaders are failing to advocate effectively and boards are making rational decisions in response. It is more consistent with a story where the advocacy is happening and the resources are not following.
The structural dynamic here is one that institutional theory predicts but cannot fully explain. Organizations face enormous normative and coercive pressure to say they take cybersecurity seriously. Every board presentation includes a cybersecurity slide. Every CEO letter to shareholders mentions security as a priority. But the resource allocation decisions happen separately from those public commitments, and the ISC2 data suggests the allocation decisions are not matching the rhetoric. The gap between what organizations say about security as a priority and what they actually spend on security staffing is the institutional gap between normative conformity and operational commitment.
What makes this dynamic stubborn is that the cost of underinvestment is often invisible until a breach. An organization that funded its security team adequately and avoided a breach has no data point to cite. An organization that underfunded its security team and got breached has very clear data, including the $4.88 million average from IBM. But the underfunded organization that did not get breached cannot tell whether its outcome was the result of good luck or of adequate investment. This makes the return on security staffing investment genuinely hard to demonstrate in real time, and boards that demand clear ROI before approving headcount are asking a question the data structure makes difficult to answer.
I am not sure this changes based on the aggregate workforce numbers alone. A board that sees the ISC2 gap figure as a macro labor market problem, something happening out there in the economy, is less likely to connect it to their own organization's budget decisions than a board that sees the IBM breach cost data broken down by staffing levels. That connection, between the decision not to hire and the financial consequence of not having the capability, is where IS governance research should be doing more work. The individual-level theories that explain security behavior are well developed. The organizational-level theory connecting security resource allocation decisions to breach outcomes is not.
The 0.1% workforce growth number is the one I find hardest to sit with. The security community has been aware of the gap for years. Training programs have proliferated. Certifications have multiplied. The discourse about the talent shortage is constant. And after all of that, the workforce grew by 0.1%. The data is saying something about the supply-side interventions that is uncomfortable: they are not working at the scale the problem requires, and the constraint has shifted from supply to demand. Organizations are not creating the positions that would absorb new entrants into the field at the rate needed to close the gap. That is a budget decision. And budget is a governance decision. The two data sets are telling the same story about where the real constraint lives.