ISC2: 2023 Global Cybersecurity Workforce Development Report (English edition) (82 pages).pdf

ISC2 Cybersecurity Workforce Study, 2023

ISC2 CYBERSECURITY WORKFORCE STUDY
How the Economy, Skills Gap and Artificial Intelligence are Challenging the Global Cybersecurity Workforce
2023

Table of Contents
Executive Summary
Key Findings
Workforce Gap & Estimate
Current State of the Cybersecurity Workforce
Culture & DEI
New Career Pathways
Skills in Demand
Certifications
Cybersecurity Landscape: Present & Future
Conclusion
Appendix

Executive Summary

Cybersecurity professionals are facing greater pressures than ever that diminish their ability to defend institutions and organizations around the world from ever-increasing threats. Dealing with emerging challenges with grave consequences is not a new phenomenon for cybersecurity professionals. However, our study shows that a perfect storm of economic uncertainty, rapidly emerging technologies, fragmented regulations and ever-widening workforce and skills gaps is creating huge uncertainty for a profession whose role it is to protect global infrastructure and systems from attack. The cybersecurity workforce needs more support and investment from leaders across the public and private sectors.

This piles on top of nearly three years of rapidly evolving business and threat environments that started with cybersecurity professionals securely transitioning their organizations through accelerated work-from-home and cloud services deployments in response to the COVID-19 pandemic. And critical vulnerabilities across entrenched platforms continue to be exploited throughout the IT services and software supply chains. When war broke out in Eastern Europe, the conflict in Ukraine ushered in a new era of cyber warfare.

Today, cybersecurity professionals continue to contend with challenges that have built since the outbreak of COVID, while also facing the consequences of greater economic pressure across the globe. Cybersecurity leaders and professionals at all levels are adjusting to staff layoffs and budget cutbacks. For the first time since the beginning of the 2020 pandemic, many study participants expect cybersecurity hiring to decrease in their organizations over the next year.

The pressure on the workforce is real, with our study finding a modest decrease in job satisfaction for the first time. Many professionals remain concerned that leadership in their organizations does not listen to their guidance, which creates additional risk. They also say the threat landscape is the worst it's been in the last five years, with reports of malicious insiders increasing.

Meanwhile, the disruptive arrival of the latest generation of artificial intelligence brings additional uncertainty. Will AI advance how we identify and respond to threats? Will AI force us to rethink security roles and responsibilities that may eliminate jobs or create new ones? Does AI herald a new era of rapidly evolving threats? Will AI foster a combination of all three scenarios, as well as others we have not yet imagined? Cybersecurity professionals remain both optimistic and cautious about AI.

75% said the current threat landscape is the most challenging it has been in the past five years.

Despite these headwinds, the workforce and demand for their expertise continues to grow. We estimate the size of the global cybersecurity workforce at 5.5 million, a 9% increase from 2022, and the highest we've ever recorded. Conversely, the global workforce gap continues to grow even faster: The gap grew by 13% from 2022, which means that in 2023 there are roughly 4 million cybersecurity professionals needed worldwide. The profession needs to almost double to be at full capacity.

Our study also reveals how the ongoing workforce gap and pressures from budget cutbacks and layoffs are creating critical workforce skills gaps. Study participants expressed concern that skills gaps leave their organizations more vulnerable than the lack of qualified team members. This is highlighted even more as rapidly evolving technologies like AI expose gaps in knowledge and experience, as well as in risk management processes. Organizations and policymakers need strategies to address both, and our study reveals solutions to help mitigate these risks despite the global workforce and skills deficits. Our review of career pathways, shifting demographics for new entrants into the field, adoption of new hiring practices and investment in developing and retaining existing staff reveal how organizations are mitigating risk, keeping staff engaged and offsetting the impacts of budget cutbacks.

For this report, we surveyed a larger and more geographically diverse audience than ever before: 14,865 international practitioners and decision-makers. These cybersecurity professionals span the globe from North America to Asia, Latin America, Europe, the Middle East and Africa. This report captures their perspectives and experiences. We are pleased to celebrate and share their creativity, resiliency and dedication. This report presents valuable findings to cybersecurity professionals and leaders, executives, policymakers and others to reveal solutions to the top challenges facing the workforce today.

Key Findings

STAFFING SHORTAGES AND SKILLS GAPS ARE CONSISTENT CHALLENGES. 67% of respondents reported that their organization has a shortage of cybersecurity staff needed to prevent and troubleshoot security issues. And 92% report having skills gaps in their organization, the most common being cloud computing security, AI/ML and Zero Trust implementation. We will examine these skills gaps in depth this year as 67% of those whose organizations had both shortages in total staff and skills gaps say that skills gaps are often worse.

THE CYBERSECURITY WORKFORCE AND GAP HAVE BOTH GROWN. In the past year, the cybersecurity workforce has grown by 8.7%. In addition, the gap between the number of workers needed and the number available has also continued to grow, with a 12.6% increase year over year.

CYBERSECURITY HAS NOT BEEN IMMUNE TO CUTBACKS. 47% of cybersecurity professionals have dealt with cutbacks to their teams in the form of layoffs, budget cuts and hiring or promotion freezes. 22% have experienced layoffs, and 31% expect additional cutbacks in the next year.

ONGOING EDUCATION AND TRAINING HELP SHRINK SKILLS GAPS. 58% of cybersecurity professionals said that the negative impact of worker shortages can be mitigated by filling key skills gaps. We found that those who continue their training, education and certification reimbursement programs were far better prepared to weather times of economic uncertainty. Organizations with layoffs who kept these programs were less likely to experience significant organizational skills gaps in cybersecurity.

CYBERSECURITY PROFESSIONALS FACE AN UNPRECEDENTED THREAT LANDSCAPE. 75% of cybersecurity professionals view the current threat landscape as the most challenging it has been in the past five years, and only 52% believe that their organization has the tools and people needed to respond to cyber incidents over the next two to three years. Those with shortages and skills gaps are far more worried about being able to keep their organizations secure.

TIMES OF ECONOMIC UNCERTAINTY POSE SIGNIFICANT THREATS TO CYBERSECURITY. 71% of respondents agree that periods of economic uncertainty increase the risk of malicious insiders. Our study found that 39% of cybersecurity professionals have been approached or know someone who has been approached by a malicious actor. Those at companies that have had layoffs in cybersecurity are three times more likely to have been approached to act as a malicious insider.

PATHWAYS INTO CYBERSECURITY ARE SHIFTING. We saw a significant shift in who is entering the cybersecurity profession and how they are doing it. Our study found that new workers are significantly more likely to have received a bachelor's degree in cybersecurity before entering the field and are also more likely to previously have worked in a non-IT role. They are less likely to have worked in IT before entering. We also found that there are significantly more people entering cybersecurity later in their career and that the gender and ethnic breakdowns of the new workforce have undergone a considerable shift.

JOB SATISFACTION TOOK A SLIGHT DIP BUT REMAINS HIGH. 70% of cybersecurity professionals say they are satisfied with their jobs today, which represents a 4% drop from last year. This seems to be due in large part to cutbacks and layoffs, which our study shows significantly impact job satisfaction through overwork and loss of employee trust.

ORGANIZATIONS NEED PROFESSIONALS WITH CLOUD COMPUTING SKILLS, BUT THEY ARE HARD TO FIND. Our study found that cloud computing security is the skill that hiring managers most look for when hiring. However, it is also the most common area where respondents cited their organization having a skills gap.

AI/ML IS BECOMING INCREASINGLY CRITICAL. This year, for the first time, AI/ML skills were among the top five in terms of demand, representing a significant jump since last year when they were near the bottom of the list.

CYBERSECURITY PROFESSIONALS VALUE EXPERIENCE OVER FORMAL EDUCATION. We asked cybersecurity professionals to compare qualifications to understand what they value most in potential candidates and found that they value experience over education. Professionals favor senior-level experience over doctorate degrees (86% vs. 14%) and entry-level cybersecurity experience over cybersecurity bachelor's degrees (70% vs. 30%).

Workforce Gap & Estimate

Cybersecurity is evolving, and so is its workforce. To better understand this ever-changing field, we first need to understand its scope and scale: how it is growing and whether the supply of new workers is keeping up with organizational demand. In order to achieve this, ISC2 introduced the cybersecurity workforce estimate in 2019. This proprietary methodology integrates a wide array of primary and secondary data sources to extrapolate the number of workers responsible for securing their organizations (see Appendix A for details). This year, this number includes four new countries not previously included in ISC2's global estimate: Saudi Arabia, the United Arab Emirates, Nigeria and South Africa.

ISC2 estimates the global cybersecurity workforce at 5.5 million, representing an 8.7% increase year over year and nearly 440,000 new jobs. All regions saw growth this year, but these gains are particularly high in our two new Middle East countries, Asia-Pacific and North America. Japan in particular is growing at a rapid rate: 24% year over year. Latin America, after years of substantial growth, is starting to balance out, with Brazil decreasing from an 18.3% growth rate in 2022 to 8.9% this year, and Mexico dropping slightly year over year (see figures 1-A and 1-B).

FIGURE 1-A: 2023 Global Cybersecurity Workforce, by region. Total: 5,452,732 (+8.7% YoY*). North America 1,495,825; Europe 1,309,588; Middle East & Africa 401,582; Asia-Pacific 960,231; Latin America 1,285,505.
*2023 estimate includes four new countries: United Arab Emirates, Saudi Arabia, Nigeria and South Africa. YoY growth is based on back-estimates for those countries for 2022.

FIGURE 1-B: 2023 Global Cybersecurity Workforce Estimate, by country. Total: 5,452,732 (+8.7% YoY*).
North America: USA 1,338,507; Canada 157,318.
Latin America: Mexico 536,027; Brazil 749,479.
Africa: Nigeria 25,574; South Africa 177,802.
Asia-Pacific: Singapore 76,942; South Korea 263,771; Australia 138,860; Japan 480,659.
Middle East: United Arab Emirates 144,300; Saudi Arabia 53,907.
Europe: Netherlands 67,527; UK 367,300; France 217,190; Ireland 19,476; Spain 182,144; Germany 455,951.
*2023 estimate includes four new countries: United Arab Emirates, Saudi Arabia, Nigeria and South Africa. YoY growth is based on back-estimates for those countries for 2022.

It's important to note what this year's workforce gap represents. The workforce gap calculates the difference between the number of cybersecurity professionals that organizations require to properly secure themselves and the number of cybersecurity professionals available for hire. The workforce gap does not aim to estimate the actual current job market for cybersecurity professionals. During times of economic uncertainty, many organizations have made cutbacks involving hiring freezes and layoffs, which we discuss in more detail throughout this paper. This, however, does not affect the workforce gap because organizations' need for cybersecurity workers remains the same regardless of whether
or not those organizations currently have the funds to actually hire and employ sufficient staff.

Despite the continued growth in the workforce, ISC2's cybersecurity workforce study revealed that demand is still outpacing supply. The workforce gap grew an additional 12.6% this year, with the greatest rise in Asia-Pacific (especially Japan and India) and North America. Areas with particularly rapid growth in supply like the Middle East and Latin America are starting to finally see demand catch up such that the workforce gap actually shrank this year (see figures 2-A and 2-B).

FIGURE 2-A: 2023 Global Cybersecurity Workforce Gap, by region. Total: 3,999,964 (+12.6% YoY*). North America 521,827; Asia-Pacific 2,670,316; Latin America 348,259; Europe 347,761; Middle East & Africa 111,801.
*2023 gap includes 4 new countries: United Arab Emirates, Saudi Arabia, Nigeria and South Africa. YoY growth is based on back-estimates for those countries for 2022.

FIGURE 2-B: 2023 Global Cybersecurity Workforce Gap, by country. Total: 3,999,964 (+12.6% YoY*).
North America: USA 482,985; Canada 38,842.
Latin America: Mexico 116,331; Brazil 231,927.
Africa: Nigeria 8,352; South Africa 57,269.
Middle East: United Arab Emirates 31,928; Saudi Arabia 14,252.
Europe: Netherlands 29,058; UK 73,439; Ireland 6,990; Spain 74,498; France 59,117; Germany 104,660.
Asia-Pacific: Japan 110,254; China 1,720,941; India 789,793; South Korea 17,611; Singapore 3,961; Australia 27,756.
*2023 estimate includes four new countries: United Arab Emirates, Saudi Arabia, Nigeria and South Africa. YoY growth is based on back-estimates for those countries for 2022.

Current State of the Cybersecurity Workforce

Cutbacks and economic uncertainty add to the existing skills gap challenge

The current macroeconomic environment has normalized higher costs, lower revenue and worker shortages. As a result, many organizations are choosing to implement cost-saving cutbacks (e.g., budget cuts, layoffs, hiring freezes and promotion freezes) to support their balance sheet. However, these organizational cutbacks, especially within cybersecurity teams, have implications that extend beyond just cost. Cybersecurity professionals are critical protectors against risk and vulnerability, but cutbacks throttle their productivity, satisfaction and skill development. In this study, cybersecurity professionals share how cutbacks and related challenges like staffing shortages and skills gaps truly impact their day-to-day work, so organizations can discover opportunities for improvement.

After surveying 14,865 cybersecurity professionals, we found that:

Cutbacks are a pervasive challenge for cybersecurity professionals. Overall, 47% of cybersecurity workers have experienced cybersecurity-related cutbacks (layoffs, budget cuts, hiring or promotion freezes) and 22% of this group have been impacted by layoffs (both firsthand and secondhand) within cybersecurity. An additional 28% have had layoffs elsewhere in their organizations, which can significantly affect the cybersecurity workforce (see figure 3). 41% of respondents feel as though cutbacks have affected their security team disproportionately in comparison to the rest of their organization. And, as we'll discuss more in depth later in the paper, cutbacks to both the cybersecurity team and the rest of the organization can create significant cybersecurity risks.

FIGURE 3: Has your organization experienced the following cutbacks in the past 12 months? Cutbacks shown: hiring freeze; budget cuts; freeze on promotions/raises; layoffs. Responses: Yes, in cybersecurity; Yes, but not in cybersecurity; No, we have not experienced this.
Base: 11,656-12,200 global cybersecurity professionals. Note: "Don't know/does not apply" responses were removed from the sample base.

FIGURE 4: Has your organization experienced layoffs in the past 12 months? (Showing percentage of layoffs in cybersecurity in the past year)
Industries with most layoffs in cyber: Entertainment/media 33%; Construction 31%; Security software/hardware development 31%; Automotive 29%; Hosted/cloud services 29%.
Industries with fewest layoffs in cyber: Military/military contractor 8%; Government (non-military) 9%; Education 13%; Aerospace 13%; Transportation 16%.
Base: 145-1,306 global cybersecurity professionals in listed industries. Note: "Don't know/does not apply" responses were removed from the sample base.

Cutbacks impact some industries and regions significantly more than others. All major industries have experienced cutbacks, but the entertainment, construction, automotive and tech sectors have been hit particularly hard by layoffs in cybersecurity (see figure 4). Geographically, Latin America has seen the greatest layoffs, followed by the Middle East and Africa (see figure 5). Latin America has seen rapid growth over the past few years within its cybersecurity workforce, so this could be the beginning of a level-setting for that growth as the workforce more accurately reflects demand.

FIGURE 5: Has your organization experienced layoffs in the past 12 months? (Showing percentage of layoffs in cybersecurity in the past year)
Countries with most layoffs in cyber: Brazil 38%; Mexico 37%; Nigeria 33%; United Arab Emirates 33%; China 31%.
Countries with fewest layoffs in cyber: Hong Kong 11%; United States 18%; Saudi Arabia 19%; Canada 21%; Singapore 23%.
Base: 121-5,479 global cybersecurity professionals in listed countries. Note: "Don't know/does not apply" responses were removed from the sample base.

FIGURE 6: Which of the following effects has your organization/team experienced as a result of cutbacks? Effects shown: delays in purchasing/implementing technology; increase in workload; cybersecurity training programs have been cut (e.g., professional development); the security team was restructured or moved within the organization; cybersecurity certifications/education reimbursements have been cut; the organization has changed its strategic direction; cybersecurity software licenses have not been renewed; ability to respond to cybersecurity threats; increase in insider risk-related incidents; skills gaps on the cybersecurity team; ability to prepare for future threats; cybersecurity team morale; productivity.
Base: 8,598-8,907 global cybersecurity professionals. Note: "Don't know/does not apply" responses were removed from the sample base.
Base: 9,822 global cybersecurity professionals whose organizations had cutbacks over the past 12 months. Note: "Don't know/does not apply" responses were removed from the sample base.

Cutbacks create a ripple effect for cybersecurity teams. As a result of cutbacks, organizations are consolidating resources and restructuring, often changing the way cybersecurity professionals operate. 53% say that cutbacks have resulted in delays in purchasing or implementing technology, while 40% of those with cutbacks have had their security teams restructured or moved within their organization. 35% have even eliminated cybersecurity training programs, which are a critical resource for developing skills and closing skills gaps.

Cutbacks also impact cybersecurity organizations at the team and individual level. 71% of cybersecurity professionals have experienced a negative impact on their workload as a result of cutbacks. Almost two-thirds of professionals say that cutbacks also degrade productivity, team morale and the ability to prepare for future threats. Insider risk and threat response are two additional key elements of the impact of cutbacks at the team level. More than half of professionals (57%) felt that their threat response was inhibited by organizational cutbacks, and 52% saw an increase
in insider risk-related incidents (see figure 6).

[Figure 6 panel titles: IMPACT OF CUTBACKS ON CYBERSECURITY ORGANIZATION; IMPACT OF CUTBACKS ON CYBERSECURITY PROFESSIONALS AND TEAMS]

FIGURE 7: Did you know anybody personally who was laid off in the past 12 months in any of the following groups?
Cybersecurity personnel at my organization: 18%
Cybersecurity personnel at other organizations: 27%
Non-cybersecurity personnel at other organizations: 29%
Non-cybersecurity personnel at my organization: 30%
I do not know anybody personally who was laid off: 36%
Callout: 64%
Base: 14,009 global cybersecurity professionals. Note: "Don't know/does not apply" responses were removed from the sample base.

These cutbacks are expected to continue. 31% of respondents expect there to be additional cutbacks within cybersecurity at their organization, and 70% expect those cutbacks to include layoffs. 54% expect additional cutbacks in their organizations in general, whether in cybersecurity or not.

Perceptions may differ from reality. Nearly two-thirds of cybersecurity workers know someone who was laid off this year. This includes cybersecurity and non-cybersecurity workers at their own organization, along with cybersecurity and non-cybersecurity workers at other organizations (see figure 7). Seeing cybersecurity peers laid off at other organizations can significantly affect workers' perceptions of their own companies. Even if a respondent didn't know someone who was laid off from their own organization, if they knew someone who was let go from another organization this year, they were nearly three times as likely to expect to see layoffs within their own organization over the next 12 months (see figure 8).

FIGURE 8: Did you know anybody personally who was laid off in the past 12 months in any of the following groups? Share who EXPECT TO SEE LAYOFFS IN CYBERSECURITY AT THEIR ORGANIZATION OVER THE NEXT 12 MONTHS:
Know cybersecurity person from another org that was laid off: 32%
Do not know cybersecurity person from another org that was laid off: 12%
Base: 9,676 global cybersecurity professionals who do not know a cybersecurity worker from their organization who was laid off in the last 12 months. Note: "Don't know" responses were removed from the sample base.

ORGANIZATIONS HAVE STAFFING SHORTAGES AND SKILLS GAPS BUT ARE FINDING SOLUTIONS

Staffing Shortages Are Expected to Get Worse but Are Also Perceived Differently Based on Seniority

Though the need for cybersecurity staff is as great as it's ever been, layoffs and cutbacks, among other factors, have caused significant staffing shortages and skills gaps within cybersecurity. We found that there's a shortage of staff to prevent and troubleshoot security issues and a lack of budget is a common cause.

FIGURE 9: Which of the following best describes how you feel about the number of cybersecurity employees your organization currently employs to prevent and troubleshoot cybersecurity issues at your organization?
My organization has a significant shortage of cybersecurity staff to prevent and troubleshoot cybersecurity issues: 21%
My organization has a slight shortage of cybersecurity staff to prevent and troubleshoot cybersecurity issues: 46%
My organization has the right amount of cybersecurity staff to prevent and troubleshoot cybersecurity issues: 30%
My organization has a surplus of cybersecurity staff to prevent and troubleshoot cybersecurity issues: 2%
Base: 8,212 global cybersecurity professionals. Note: Percentages may not total 100 due to rounding; "Don't know/does not apply" responses were removed from the sample base.

Which industries have the greatest staffing shortages?

Industry | Percentage with staffing shortages
Education | 78%
Government (non-military) | 78%
Non-profit | 76%
Military/military contractor | 76%
Aerospace | 75%
Healthcare | 74%
Automotive | 71%
Energy/power/utilities | 70%
Insurance | 69%
Food/beverage/hospitality/travel | 68%
Transportation | 68%
Entertainment/media | 67%
Manufacturing | 67%
Non-security software/hardware development | 67%
Retail/wholesale | 63%
Agriculture | 62%
Construction | 62%
Financial services | 62%
Telecommunications | 62%
Engineering | 61%
Security software/hardware development | 60%
Hosted/cloud services | 55%
Consulting | 54%

67% of respondents reported that their organizations have a shortage of the cybersecurity staff needed to prevent and troubleshoot security issues (see figure 9). Layoffs clearly play a role in this: 28% of those who have had cybersecurity layoffs report significant staffing shortages compared to 18% of those who have not had cybersecurity layoffs in the past 12 months. When asked to name the biggest cause of staffing shortages, 34% of respondents indicated a lack of budget as the leading cause, which has increased compared to 2022 (29%). Respondents were also less likely to cite problems with attrition compared to last year (27% vs. 34%) (see figure 10).

FIGURE 10: You indicated that your organization has a shortage of cybersecurity staff. What do you think is the biggest cause for this shortage? Response options shown:
- My organization can't find enough qualified talent
- My organization is struggling to keep up with turnover/attrition
- My organization doesn't put enough resources into training non-security IT staff to become security staff
- My organization doesn't have the budget
- Leadership misaligns staff resources (i.e., we have too much staff in some areas and not enough in others)
- My organization doesn't prioritize security
- My organization doesn't pay a competitive wage
- My organization can't offer opportunities for growth/promotion for security staff
- My organization doesn't have plans in place to backfill roles
- My organization doesn't sufficiently train staff

Skills Gaps Are Common but Can Be More Challenging Than Staffing Shortages

Staffing shortages (i.e., shortages in the number of total cybersecurity workers at an organization) aren't the only way that organizations can be lacking in their cybersecurity workforce. This year, we are diving into the subject of skills gaps. A skills gap
is an area in which cybersecurity teams lack workers with proficiency or expertise in particular skills that are necessary to function effectively.

Base: 5,526 global cybersecurity professionals. Note: "Don't know/does not apply" responses were removed from the sample base.

We have found that there is a clear and critical need to fill skills gaps in the cybersecurity profession. By identifying the areas in which these gaps exist and which skills are most desirable, we can better understand the pain points and get closer to a solution. We found that:

Nearly all organizations have cybersecurity skills gaps. 92% of cybersecurity professionals say their organization suffers from skills gaps in one or more areas, and 43% cite one or more significant or critical skills gap at their organization (see figure 11). Skills gaps range from technical skills like penetration testing and Zero Trust implementation to non-technical skills like communication.

Layoffs have an outsized effect on skills gaps. Most organizations that have had cybersecurity layoffs (51%) have been impacted by one or more significant skills gaps compared to just 39% of organizations that have not had layoffs (see figure 12). In fact, layoffs seem to have a greater effect on skills gaps than they do on total staffing shortages.

58% believe that the negative impact of worker shortages can be mitigated by filling key skills gaps.

FIGURE 11: To what extent does your organization's security team have one or more skills gaps?
We have one or more critical skills gaps: 17%
We have one or more significant skills gaps: 26%
We have one or more moderate skills gaps: 31%
We have one or more slight skills gaps: 17%
We do not have any skills gaps: 8%
Callout: 92%
Base: 12,468 global cybersecurity professionals. Note: "Don't know/does not apply" responses were removed from the sample base; Total percentages may not equal separate values due to rounding.

FIGURE 12: To what extent does your organization's security team have one or more skills gaps? Responses (critical, significant, moderate, slight, no skills gaps) shown for two groups: have had layoffs in cybersecurity; have not had layoffs.
Base: 7,900 global cybersecurity professionals. Note: "Don't know/does not apply" responses were removed from the sample base.

Skills gaps are often worse than shortages. Organizations may have a number of cybersecurity workers, but if those workers all lack certain critical skills, that surplus of headcount can be completely negated. 59% of cybersecurity workers said that skills gaps can be worse than total worker shortages. This number is even higher (67%) among workers whose organization actually has both skills gaps and total staffing shortages (see figure 13).

FIGURE 13: To what extent do you agree or disagree with the following statements about hiring and recruiting cybersecurity roles at your organization?
59% of respondents agree/strongly agree that "Skills gaps can be worse than total worker shortage gaps."
58% of respondents agree/strongly agree that "We can help mitigate worker shortages if we have efficient distribution of skills across the team."
Base: 13,105-13,148 global cybersecurity professionals. Note: "Don't know/does not apply" responses were removed from the sample base.

67% of those whose organizations have both skills gaps and worker shortages agree that skills gaps can be worse than total worker shortages compared to 52% of those who have neither.

48% of respondents at organizations that don't offer competitive salaries have significant skills gaps, compared with 31% of those organizations that do offer competitive compensation.

The survey also revealed opportunity here, as 58% of respondents also believe that the negative impact of worker shortages can be mitigated by filling key skills gaps. This places critical priority on identifying and taking action to educate employees in vital areas of cybersecurity knowledge or providing reimbursements to explore external professional development or third-party certifications/education.

Recruiting issues and lack of strategic budgeting also drive skills gaps. The two most common reasons for skills gaps cited by respondents were the inability to find the people with the skills they need and the struggle to keep people with in-demand skills due to low wages, lack of promotion opportunities, etc. (see figure 14). Offering sufficient compensation plays a big role here: 58% of cybersecurity workers at organizations that do not offer a competitive salary say their organization has skills gaps because they struggle to keep people with in-demand skills. In comparison, only 38% of those at organizations that pay competitive wages see skills gaps. And overall, 48% of organizations that don't offer competitive salaries have significant skills gaps, compared with 31% of those organizations that do offer competitive compensation.

FIGURE 14: You indicated that your organization has one or more skills gaps. What do you think are the biggest causes for these gaps? (Showing top nine ranked responses) Response options shown:
- My organization can't find people to hire with the skills we need
- My organization doesn't have the budget to hire enough people
- Leadership misaligns staff resources (i.e., too much staff in some areas and not enough in others)
- My organization doesn't put enough resources into training non-security IT staff to become security staff
- People with these skills recently quit, and we haven't replaced them
- People with these skills recently were laid off, and we haven't replaced them
- My organization doesn't sufficiently train staff
- In general, we struggle to keep people with in-demand skills (e.g., due to low wages, lack of promotion opportunities, etc.)
Base: 12,011 global cybersecurity professionals. Note: "Don't know/does not apply" responses were removed from the sample base.

Cybersecurity hiring managers are held back by their organizations' policies. Times of economic uncertainty present a critical opportunity for organizations to encourage new pathways for cybersecurity careers while filling skills gaps. Respondents cite a lack of training resources for non-security IT staff to become cybersecurity professionals (33%) as another top cause of skills gaps at their organizations. In the New Career Pathways section of this paper, we highlight how more technically experienced professionals with no prior cybersecurity experience are interested in joining the profession. These motivated professionals are applying for positions and joining cybersecurity teams, but some organizations are still too reluctant to broaden their hiring scope.

Cybersecurity hiring managers are more

113、 likely to agree than non-hiring managers that their organizations are too reluctant to hire certain types of employees.Roughly half(45%)say that they are too reluctant to hire entry-level employees or that they rely too heavily on education/degrees when looking for applicants(45%)(see figure 15).FI

114、GURE 15To what extent do you agree or disagree with the following statements about hiring and recruiting cybersecurity roles at your organization?(Showing Somewhat/Completely agree responses)Base:14,009 global cybersecurity professionalsNote:“Dont know/does not apply”responses were removed from the

115、sample base.Non-hiring managerHiring managerMy organization is reluctant to hire entry-level employees with little experience36%45%My organization relies too heavily on education/degrees when looking for applicants34%45%My organization relies too heavily on certifications when looking for applicants

116、25%37%Skills gaps are most common in critical areas.We found that the most common skills gaps tend to be in areas that are gaining importance in the cybersecurity world.Cloud computing security,artificial intelligence and machine learning security and Zero Trust implementation are the current top th

117、ree most common skills gaps(see figure 16).26ISC2 Cybersecurity Workforce Study,2023FIGURE 16You indicated that your organizations security team has one or more skills gaps.Where are these gaps?(Showing top ten responses)Base:11,473 global cybersecurity professionalsNote:Showing top ten responses;“D

118、ont know/does not apply”responses were removed from the sample base.Cloud computing security35%Artificial intelligence/machine learning32%Zero Trust implementation29%Penetration testing27%Application security26%Digital forensics and incident response26%Risk assessment,analysis and management24%Secur

119、ity engineering23%Threat intelligence analysis23%Malware research/analysis22%Not Surprisingly,Staffing and Skills Shortages Create Risks for OrganizationsCutbacks,staffing shortages and skills gaps have created a perfect storm,increasing risk across all industries.But what are these risks?We found t

120、hat:Cybersecurity staffing shortages pose a significant threat to organizations.57%of workers say shortages at their organization put them at a moderate or extreme risk of cybersecurity attacks(see figure 17).This is due to staffing shortages that decrease their ability to perform critical,careful r

121、isk assessment and remain agile amid a challenging threat landscape(see figure 18).27ISC2 Cybersecurity Workforce Study,2023FIGURE 17In your opinion,to what degree does this shortage of cybersecurity staff put your organization at risk of experiencing a cybersecurity attack?Base:5,437 global cyberse

122、curity professionalsNote:“Dont know/does not apply”responses were removed from the sample base;Percentages may not total 100 due to rounding.Low risk12%No risk1%Slight risk31%Extreme risk9%Moderate risk48%57%FIGURE 18Which of the following have you experienced that you feel would have been mitigated

123、 if you had enough cybersecurity staff?(Showing top ten responses)Base:5,526 global cybersecurity professionals who reported staff shortages.Note:“Dont know/does not apply”responses were removed from the sample baseNot enough time for proper risk assessment and management50%Misconfigured systems38%4

124、5%Oversights in process and procedureInability to remain aware of all threats active against our network35%Slow to patch critical systems38%Not enough time to adequately train each cybersecurity team member34%Slowness in responding to incidents30%Rushed deployments30%Not enough resources to adequate

125、ly train our cybersecurity staff29%Overreliance on third-party support28%75%said the current threat landscape is the most challenging it has been in the past five years.28ISC2 Cybersecurity Workforce Study,2023 Economic uncertainty reduces cybersecurity confidence.Periods of economic uncertainty pos

126、e threats of their own:52%of respondents are worried about their cybersecurity teams ability to keep their organization secure and those with staffing shortages and skills gaps are especially worried(see figure 19).FIGURE 19How strongly do you agree with the following statements related to the state

127、 of cybersecurity work?“Im worried about our cybersecurity teams ability to keep our organization secure during times of economic uncertainty.”Orgs with significant staffing shortagesOrgs with no staffing shortagesOrgs with critical skills gapsOrgs with no skill gaps67%48%63%42%Base:2,954-7,861 glob

128、al cybersecurity professionals who reported staff shortagesNote:“Dont know/does not apply”responses were removed from the sample base.Targeted Upskilling and Working Culture Improvements Mitigate Risks Stemming from Staffing and Skills ShortagesDespite these challenges,there are ways that organizati

129、ons can mitigate cyber risks stemming from staffing shortages and skills gaps.Take the following actions to overcome these obstacles:Implement initiatives to prevent or mitigate staffing shortages.Training initiatives top this list,along with creating better working conditions and creating diversity

130、,equity and inclusion(DEI)initiatives(see figure 20).These are aimed at attracting and retaining top talent and upskilling workers in-house.Upskill existing workers.Upskilling workers is important,especially during times of economic uncertainty when many organizations face hiring freezes.Training in

131、itiatives can mitigate staff shortages by distributing skills and preventing significant skills gaps.In fact,we found that organizations investing in training today are only half as likely to have critical skills gaps as those that arent investing and have no plans to.On the flip side,we found that

132、outsourcing services had little to no effect on mitigating staffing shortages.It was the only initiative where those who implemented it were more likely to have staffing shortages than those who hadnt.This seems to be a trend,as last year we observed the same result.Be aware of workers worries.We fo

133、und that nearly 65%of entry-and junior-level staff expected the number of cybersecurity workers at their organization to decrease over the next 12 months.However,the higher the seniority of the respondent,the less likely they were to expect a worker reduction in the next 12 months(see figure 21).Its

134、 important for cybersecurity leaders to understand the worries of those below them in the organizational hierarchy and make sure to communicate the companys plans for staffing in the near future.What It Means for OrganizationsISC2 Cybersecurity Workforce Study,202329Organizations investing in traini

135、ng today are only half as likely to have critical skills gaps or significant staffing shortages as those that arent investing and have no plans to.FIGURE 20Base:10,521-13,120 global cybersecurity professionalsNote:Showing organizations that responded with“My organization is doing this today”;“Dont k

136、now/does not apply”responses were removed from the sample base.Which of the following is your organization doing or planning to do to help prevent or mitigate cybersecurity staff shortages at your organization?Invest in training72%Provide more flexible working conditions69%Invest in diversity,equity

137、 and inclusion initiatives68%Invest in certifications67%Recruiting,hiring and onboarding of new staff67%Use technology to automate aspects of the security job65%Hire for attitude and aptitude,and train for technical skills61%Be more willing to hire entry-level employees who can grow with us60%Use ou

138、tsourcing/services56%Create mentorship programs55%Encourage employees at your org outside IT and security to consider a career in cybersecurity50%Address pay and promotion gaps,if they exist50%Be more willing to hire people with non-traditional backgrounds43%Implement rotational job assignments41%De

139、-emphasize technical degrees and certifications for new hires37%Hire from outside the geographic regions we typically have hired from because of work from home50%30ISC2 Cybersecurity Workforce Study,202331ISC2 Cybersecurity Workforce Study,2023Fewer in 12 monthsThe same numberMore in 12 monthsFIGURE

140、 21Do you expect your organization to employ more,fewer or the same number of security professionals in 12 months compared to today?(Comparing surveyed headcount to respondents projected future headcount)Entry-/junior-level staff23%12%65%Executive management30%23%47%C-level executive32%26%42%Manager

141、25%19%56%Director/middle manager30%21%49%Base:8,085 global cybersecurity professionals who reported present and expected future company sizeLast year,we introduced the Employee Experience(EX)rating system to better understand what affects cybersecurity professionals satisfaction and overall experien

142、ces.This year,were continuing to examine culture using this system.The EX rating looks at a variety of key factors,including engagement in work,burnout rates,the sense of being fairly evaluated and more.It uses a scale from 0(terrible)to 100(excellent).Once evaluated,we grouped respondents into thre

143、e categories based on their ratings:High EX,Medium EX and Low EX.Culture&DEIEmployee Experience RatingRespondents fall into three overall categories based on their employee experience levels:RATINGNEmployees with high level of happiness at their workHIGH EX62 and above3,822(31.3%)Employees with medi

144、um level of happiness at their workMEDIUM EX42 614,175(31.8%)Employees with low level of happiness at their workLOW EX41 and below3,716(36.9%)EX ratings are based on aggregated responses from a series of employee experience questions Ratings were indexed on a 100-point scale for ease of analysisThis

145、 year,considerably more cybersecurity professionals ended up in the Low EX bucket than last year.However,the average EX rating only dropped slightly,from 51.75 to 51.49.2022202220232023High EXMedium EXLow EX32.6%51.7551.4931.3%35.6%31.8%31.7%36.9%Average EX rating by yearBase:14,865 global cybersecu

146、rity professionalsISC2 Cybersecurity Workforce Study,20233233ISC2 Cybersecurity Workforce Study,2023DESPITE HIGH JOB SATISFACTION,BURNOUT RISKS STEM FROM THE RIPPLE EFFECTS OF CUTBACKS,LAYOFFS AND LACK OF MANAGEMENT SUPPORTHaving a strong culture within cybersecurity is critical for organizational s

147、uccess.Happy workers are more motivated,more focused and are less likely to make mistakes.Building effective culture is harder than ever during times of economic uncertainty.Hiring and promotion freezes,budget cuts and layoffs loom large in workers minds,and organizations need to scramble to keep th

148、eir workers from burning out.We found that:Overall job satisfaction remains high.Despite significant turmoil,an uncertain economy and the most challenging threat landscape to date,cybersecurity workers are fairly content with their roles.70%reported being somewhat or very satisfied in their jobs tod

149、ay(see figure 22).In addition,82%say they work well with security team members,and 79%say they work well with non-cybersecurity people at their organization.FIGURE 22Overall,how would you rate your level of job satisfaction?Very satisfied28%Somewhat satisfied42%Neither satisfied nor dissatisfied13%S

150、omewhat dissatisfied12%Very dissatisfied4%70%Base:14,865 global cybersecurity professionals34ISC2 Cybersecurity Workforce Study,2023FIGURE 23Rate your feelings for each following item on a scale from very low to very high.(Showing High/Very high responses)Base:13,815-14,574 global cybersecurity prof

151、essionalsNote:“Dont know/does not apply”responses were removed from the sample base.YEAR-OVER-YEAR CHANGEPassion for cybersecurity work in general73%-2%Satisfaction with my team66%-3%Satisfaction with my department60%-3%Overall satisfaction with my organization58%-2%Overall satisfaction has dipped s

152、omewhat this year.When asking about overall job satisfaction,we saw a 4%decrease year over year a trend that showed consistently throughout all satisfaction-related questions.Much like last year,satisfaction is higher the closer we look at the actual worker.Passion for cybersecurity work in general

153、is highest,while satisfaction with workers teams is slightly lower,and satisfaction with workers departments and organizations overall are lower still(see figure 23).Cutbacks and layoffs have harmed morale.As cutbacks and layoffs have increased resulting in staffing shortages and skills gaps satisfa

154、ction and overall worker happiness this year have dipped.Respondents whose organizations have had layoffs in cybersecurity in the past year have an average EX rating of 46.0,while those who havent rated an average of 55.5.This is even more stark among those who expect layoffs in cybersecurity over t

155、he next 12 months.Their average EX rating is just 38.9,compared with an average of 59.5 for those who do not expect cybersecurity cutbacks at all(see figure 24).68%of those who experienced layoffs said those layoffs significantly hurt team morale,and 62%reported that cybersecurity cutbacks have a ne

156、gative effect on productivity.35ISC2 Cybersecurity Workforce Study,2023FIGURE 24Have you had layoffs in cybersecurity at your organization over the past 12 months?(Showing average EX rating)Do you expect cutbacks/layoffs in cybersecurity at your organization over the next 12 months?(Showing average

157、EX rating)Have not had layoffsDo not expect cutbacks in cybersecurity over the next 12 monthsHave had layoffs elsewhere in the organization(but not in cybersecurity)Expect cutbacks but not layoffs in cybersecurity over the next 12 monthsHave had layoffs in cybersecurityExpect layoffs in cybersecurit

158、y over the next 12 months55.559.547.749.346.038.9Base:3,772-14,009 global cybersecurity professionalsNote:“Dont know/does not apply”responses were removed from the sample base Layoffs and cutbacks created more work for employees.Downsizing adds work to cybersecurity professionals plates,hurting work

159、er satisfaction.71%report that cutbacks in cybersecurity resulted in an increased workload.When asked what issues negatively impact their job satisfaction,cybersecurity professionals cited an overabundance of emails and tasks,overwork due to staff or skills shortages and inadequate resources to suff

160、iciently protect their organization three issues related to overwork(see figure 25).These issues were significantly more common among those who have staffing shortages and skills gaps compared to those who dont(see figure 26).36ISC2 Cybersecurity Workforce Study,2023FIGURE 25FIGURE 26Which of the fo

161、llowing are issues in your current role that negatively impact your job satisfaction?(Showing top nine responses)Which of the following are issues in your current role that negatively impact your job satisfaction?Too many emails/tasksI experience overwork due to staff or skill shortagesMy team has i

162、nadequate resources to sufficiently protect the organizationLack of support from executives/managersPay is too lowIts difficult to stay current on security issues/trendsI get stressed out from the weight of responsibility I feel as a security professionalThe organization is not realistic in the way

163、it measures the success of securityPoor security policies/standards at my company create extra work for meMy team has inadequate resources to sufficiently protect the organizationI experience overwork due to staff or skill shortagesToo many emails/tasks31%24%22%30%23%22%34%27%19%39%42%13%25%23%19%Ba

164、se:14,009 global cybersecurity professionalsNote:“Dont know/does not apply”responses were removed from the sample baseBase:4,172 global cybersecurity professionals.Note:“Dont know/does not apply”responses were removed from the sample base.Employees of orgs with both staff shortages and significant s

165、kills gapsEmployees of orgs with neither staff shortages nor significant skills gaps37ISC2 Cybersecurity Workforce Study,2023 Organizational support impacts morale.While issues around overwork are the most common problems for cybersecurity professionals,they arent the most impactful.The issues that

166、resulted in the lowest EX ratings were more likely to be related to feeling unheard,feeling unsupported by management and their expertise not being respected by their organizations(see figure 27).So while overwork has become more common,the thing that really hurts worker morale is a lack of support

167、and respect from the organization.These were top issues last year as well,meaning it was no statistical anomaly.This is a fundamentally important issue in the cybersecurity profession.We found that the inverse of these issues is also true.The initiatives that create a positive work culture and resul

168、t in the highest EX ratings are valuing and listening to employees needs.Not listening to cybersecurity professionals can be a particularly harmful issue because,beyond the effect it has on employee morale,it also increases the likelihood that organizations could miss out on crucial risk-related inf

169、ormation and put themselves at risk.FIGURE 27Which of the following are issues in your current role that negatively impact your job satisfaction?Base:10,521-13,120 global cybersecurity professionalsNote:“Dont know/does not apply”responses were removed from the sample baseMOST NEGATIVELY IMPACTFUL IS

170、SUESMy employer does not value or listen to my input36.9Poor relationship with team members or managers39.9I feel like my job exists only to prevent breaches,and I will be blamed if one occurs40.4Lack of support from executives/managers40.8I am expected to work long hours40.8Its difficult to stay cu

171、rrent on security issues/trends49.0Too many emails/tasks46.5My team has inadequate resources to sufficiently protect the organization44.7Poor security policies/standards at my company create extra work for me44.2I experience overwork due to staff or skill shortages43.8LEAST NEGATIVELY IMPACTFUL ISSU

172、ESISSUESISSUESAVERAGE EX RATINGAVERAGE EX RATING38ISC2 Cybersecurity Workforce Study,2023 The wrong cybersecurity tools and resources lead to a lack of trust.Staffing shortages and skills gaps play a surprisingly large role here as well.When cybersecurity professionals are not given the tools and re

173、sources they need to succeed,it usually leads to lost trust between management and the workforce.Those at organizations with staffing shortages and skills gaps are considerably more likely to report a lack of support from managers/executives,a feeling that their employers dont value or even listen t

174、o their input and more(see figure 28).FIGURE 28Which of the following are issues in your current role that negatively impact your job satisfaction?Base:4,172 global cybersecurity professionalsNote:“Dont know/does not apply”responses were removed from the sample baseI feel like my job exists only to

175、prevent breaches,and I will be blamed if one occursMy employer does not value or listen to my inputThe organization is not realistic in the way they measure success of securityLack of support from executives/managers32%18%16%31%21%21%13%11%Employees of orgs with both staff shortages and significant

176、skills gapsEmployees of orgs with neither staff shortages nor significant skills gapsAN INCREASINGLY DIVERSE WORKFORCE IS A BRIGHT SPOT,WITH ROOM TO IMPROVE DEI INITIATIVESLast year we began to explore trends around a rapidly diversifying cybersecurity workforce,and these trends continue this year.W

177、e found that:Cybersecurity is diversifying more quickly across race/ethnicity than gender.Our data shows that the makeup of the cybersecurity workforce is changing both in gender and race and ethnicity.The biggest increase we saw by age is in non-white men.Within the US,Canada,Ireland and the UK,70%

178、of cybersecurity professionals 60 or older are white men.In those same countries,just 37%of those under 30 are white men.We saw this trend emerge last year,and it seems to be accelerating.66%of security workers who entered the profession in these countries in the past 12 months are non-white(see fig

179、ure 29).39ISC2 Cybersecurity Workforce Study,2023However,the change in race and ethnicity is much more significant than the change in gender.Even in the under-30 group,women represent only 26%of the cybersecurity workforce.And while this is twice as many as the 60-or-older group,it still makes up a

180、significant minority.The pathways into cybersecurity differ by gender and race.Both women and non-white cybersecurity professionals are more likely to take an education pathway into the field and less likely to come from an IT background.FIGURE 29Age group by race and genderWhich of the following mo

181、st accurately describes you?With which of the following ethnic or cultural groups do you primarily identify?Base:5,768 cybersecurity professionals in the United States,Canada,United Kingdom and IrelandNote:Total percentages may not equal separate values due to rounding.Base:5,874 cybersecurity profe

182、ssionals in the United States,Canada,United Kingdom and IrelandBase:13,682 global cybersecurity professionalsWhite menMaleNon-whiteWhite womenFemaleWhiteNon-white menNon-white women60 or older60 or older60 or older70%15%2%13%30-3830-3830-3845%35%13%7%39-4939-4939-4954%31%7%8%50-5950-5950-5963%22%6%1

183、0%Under 30Under 30Under 3037%40%18%6%13%14%14%22%26%74%78%86%86%87%17%28%40%48%57%83%72%60%52%43%66%of cybersecurity workers who entered the profession in the past 12 months in these countries are non-white.40ISC2 Cybersecurity Workforce Study,2023 Theres value in a diverse cybersecurity workforce.C

184、ybersecurity professionals value a diverse workforce.69%said that an inclusive environment is essential for their team to succeed,and 65%feel that its important that their security team is diverse.57%say that DEI will continue to become more important for their cybersecurity team over the next five

185、years(see figure 30).This is slightly lower than last year(62%)but still indicates a continuation of this trend.FIGURE 30How much do you agree or disagree with the following statements about diversity and inclusion within your organization/team?(Showing Somewhat Agree/Completely Agree responses)Base

186、:11,373-13,041 global cybersecurity professionalsNote:“Dont know/does not apply”responses were removed from the sample baseAn inclusive environment is essential for our team to be able to succeedIts important that my security team is diverseDEI will continue to become more important for our security

187、 team over the next five yearsDiversity within the security team has contributed to my security teams successDEI has been increasingly important for our security team over the past five yearsMy organizations DEI initiative has had a significant impact on my daily work lifeMy company is not doing eno

188、ugh to address DEI issuesI feel discriminated against at my workplace69%65%57%53%51%36%27%20%41ISC2 Cybersecurity Workforce Study,2023 DEI initiatives are lacking.However,despite cybersecurity professionals recognizing the importance of diversity,the adoption of DEI initiatives remains fairly low ov

189、erall.Less than half of respondents(46%)reported that their organization currently has DEI training for employees,and 8%said that their organization does not have any DEI initiatives at all(see figure 31).FIGURE 31What types of programs/initiatives/tools does your company use to promote DEI and acce

190、ssibility?Base:14,009 global cybersecurity professionalsNote:“Dont know/does not apply”responses were removed from the sample baseDEI training for employees46%HR team that supports employees who feel discriminated against in the workplace43%Accessible workplace design(remote work option,technology f

191、or persons with disabilities,etc.)42%Anonymous and clear pathways to report discrimination42%Skills-based hiring(evaluating talent objectively based on skills and potential)40%DEI employee groups or affinity groups35%DEI events34%DEI council or committee31%Job descriptions that refer to DEI programs

192、/goals26%We do not have any DEI initiatives8%42ISC2 Cybersecurity Workforce Study,2023 DEI initiatives make a significant impact,though adoption is low.Organizations that are adopting initiatives related to hiring,such as skills-based hiring and using job descriptions that refer to DEI programs/goal

193、s,can create a more diverse workforce.Those with skills-based hiring have an average of 25.5%women in their workforces compared with 22.2%of those who have not adopted this initiative.This is also true for adding job descriptions that refer to DEI programs/goals(26.6%vs.22.3%)(see figure 32).FIGURE

194、32FIGURE 33Percentage of women in cybersecurity“My organization has the tools and people they need to ensure the organization is prepared to respond to cyber incidents over the next two to three years”ImplementedNot implementedSkills-based hiring(evaluating talent objectively based on skills and pot

195、ential)Job descriptions that refer to DEI programs/goals25.5%22.2%26.6%22.3%Implemented skills-based hiringImplemented job descriptions that refer to DEI programs/goalsHave not implemented skills-based hiringHave not implemented job descriptions that refer to DEI programs/goals57%57%51%51%Base:10,70

196、3 global cybersecurity professionalsBase:13,028-13,116 global cybersecurity professionalsNote:“Dont know/does not apply”responses were removed from the sample base.DEI initiatives dont just make a difference in creating a more diverse workforce they produce a more effective workforce as well.Cyberse

197、curity professionals at organizations that have adopted these two DEI hiring practices were considerably more likely to feel like their organization had the tools and people they needed to ensure they are prepared to respond to cyberthreats over the next two to three years(see figure 33).43ISC2 Cybe

198、rsecurity Workforce Study,2023 Seek input and listen to feedback from employees.We have seen consistently over the past two years that cybersecurity professionals who feel their organizations truly listen and consider their depth of expertise and knowledge as well as their preferences on working env

199、ironment are far happier than those who feel unheard.Listen to your staff dont work against them.Use DEI initiatives to help navigate times of economic uncertainty.Preventing your organization from unintentionally excluding large swaths of the available talent pool(by hiring with significant bias or

200、 creating an uninclusive environment)will be critical in ensuring that you have the right balance of skills needed to operate effectively during difficult times.In addition,the long-term effects are exceedingly valuable.A workplace where all cybersecurity professionals feel comfortable keeps workers

201、 happy,productivity high and attrition low.What It Means for Organizations44ISC2 Cybersecurity Workforce Study,202380%of cybersecurity professionals agree that there are more pathways into cybersecurity today than there were in the past,and 82%agree that the increase in alternative pathways is posit

202、ive for the industry.These new pathways are a product of an agile profession and the willingness of the people in it to adapt to the ever-changing and often unpredictable environment around them.More professionals with no prior cybersecurity experience but with a more diverse technical background ar

203、e applying to cybersecurity jobs.This contributes to a growing trend of experienced professionals from outside the field joining the cybersecurity industry midway through their careers,compared with a traditional wave of college graduates who have more education than on-the-job experience.This new t

rend helps normalize cybersecurity as a viable option for capable, experienced professionals from outside the industry looking to make a midcareer change. This year, we offer the most detailed look ever at the career choices made by cybersecurity professionals and how they could impact the industry for generations to come. After surveying respondents of all ages and backgrounds who are charting new pathways into and throughout the profession, we found that:

Cybersecurity is increasingly attractive to professionals with technical, non-cyber experience. More than half of hiring managers (59%) agree that they see an increase in job applications from technically experienced people with no prior cybersecurity experience, and organizations are embracing this. 51% say their organization is changing their hiring requirements to recruit more people from non-cybersecurity backgrounds. What's more, 56% agree that they are actively trying to recruit more of these technical professionals internally, which is also most prominent within the security software/hardware development industry (62%).

Layoffs are an unfortunate side effect of a volatile economic environment, but with change comes opportunity. Most hiring managers (52%) agree that widespread tech layoffs give them an opportunity to get more people involved in cybersecurity (see figure 34). Layoffs can mean an abundance of skilled IT professionals hitting the job market, which creates an opportunity for cybersecurity teams who need support to hire and train them. In addition, layoffs within cybersecurity offer a chance for the industry to capitalize on the wealth of strong cybersecurity talent hitting the job market. The organizations that can pounce on hiring these people will set themselves up for success in the future.

New Career Pathways

FIGURE 34
How strongly do you agree with the following statements related to the state of cybersecurity work? (Showing Agree/Strongly Agree responses)
Base: 6,381-6,484 global cybersecurity professionals
Note: “Don't know/does not apply” responses were removed from the sample base.
We are seeing an increase in job applications from technically experienced people with no cybersecurity experience: 59%
We are actively trying to recruit technical people from within our organization to move to cybersecurity: 56%
We see widespread tech layoffs as a chance to get new people into cybersecurity: 52%
We are changing our hiring requirements/expectations to accept more applications from applicants with non-cybersecurity backgrounds: 51%
We are actively trying to recruit non-technical people from within our organization to move to cybersecurity: 41%

For many, IT is a stepping stone into cybersecurity. 52% of cybersecurity professionals kickstart their careers with a non-cybersecurity IT position. The next most popular pathways into the profession are by earning a cybersecurity certification (51%) or independently learning about cybersecurity concepts outside of formal training (45%). More interestingly, earning a bachelor's degree in cybersecurity (31%) is less popular than all the above as a precursor to joining the profession (see figure 35).

Challenging work and career advancement are key motivators. After entering the industry, cybersecurity professionals focus on gaining traction in their new roles more than anything else. The most popular next milestones in a cybersecurity career include earning a promotion from a practitioner to a managerial/leadership role (35%), earning a certification for the first time (32%), changing role directions from a specialist to a generalist (26%) or changing back from generalist to specialist (19%). Only 16% report leaving for a new profession, almost the same amount who leave to pursue higher education in cybersecurity or a related field (14%). This showcases the “stickiness” of this career path. After joining the industry, cybersecurity professionals are more motivated to increase responsibility in their current roles and improve their skills for that role, rather than making another career pivot (see figure 36).

FIGURE 35
Which of the following did you do before your first cybersecurity job? (Showing 15 top ranked responses)
Base: 13,103 global cybersecurity professionals
Got a non-cybersecurity IT position: 52%
Got my first cybersecurity certification: 51%
Independently learned about cybersecurity concepts on my own time: 45%
Got a bachelor's degree in a field not related to cybersecurity: 31%
Got a bachelor's degree in cybersecurity or other related field: 31%
Served in the military (volunteer/compulsory military service): 26%
Got a position not in IT or cybersecurity: 26%
Received cross-training in cybersecurity from employer: 20%
Got an advanced degree (master's, PhD, etc.) in cybersecurity or other related field: 20%
Got an advanced degree (master's, PhD, etc.) in a field not related to cybersecurity: 16%
Worked in law enforcement (in a non-cybersecurity position): 16%
Got recruited/headhunted: 14%
Found a mentor/career coach: 11%
Went to a job fair: 10%
Had an internship/apprenticeship in cybersecurity: 12%

FIGURE 36
Which of the following did you do after you took your first cybersecurity job? (Showing top 17 ranked responses)
Base: 12,154 global cybersecurity professionals
Moved from a practitioner role to a managerial/leadership role: 35%
Earned my first cybersecurity certification: 32%
Moved from a specialist role to a generalist role (e.g., cybersecurity consultant): 26%
Moved from a generalist role to a specialist role (e.g., application security, cloud security): 19%
Left cybersecurity for another profession: 16%
Started working as an independent cybersecurity contractor/consultant: 16%
Left cybersecurity to pursue higher education: 14%
Pursued higher education in cybersecurity or related field: 14%
Left cybersecurity for compulsory/volunteer military service: 14%
Switched from the private to the public sector: 13%
Became a mentor for the first time: 12%
Started my own cybersecurity business (e.g., managed services, tech startup): 12%
Came back to cybersecurity (after leaving): 9%
Became a cybersecurity educator/professor: 8%
Found my first mentor: 7%
Switched from working independently (as a contractor or at my own business) to working at an organization: 5%
Switched from the public to the private sector: 11%

A number of factors drive the motivation to enter and continue working in the cybersecurity profession, and these can differ based on industry. Primarily, the prospect of career advancement opportunities (27%), skills demand (25%), enjoyment (25%) and high compensation (24%) are attracting people to join and stay in cybersecurity (see figure 37).

FIGURE 37
Which of the following best describes why you originally entered the cybersecurity profession?
Base: 14,865 global cybersecurity professionals
Response options: Career advancement opportunities; High demand for skills; I thought I would enjoy the work; Potential for high compensation/salary; It fit my skill set/education; Ability to solve problems; Ability to work in a continuously evolving field; I did some cybersecurity on my own and enjoyed it; My company reorganized and I was pushed into a cybersecurity role; Encouragement from a role model in cybersecurity; I did cybersecurity coursework in school and enjoyed it; I was laid off from another job and there were openings in cybersecurity; Personal/emotional satisfaction; Ability to help people/society; Job stability/low unemployment; I did some cybersecurity work while in another role and enjoyed it
Percentages shown: 27%, 25%, 25%, 24%, 24%, 23%, 22%, 19%, 17%, 14%, 14%, 14%, 13%, 11%, 11%, 10%
Career advancement opportunities, by industry: 1. Healthcare (33%); 2. Government (31%); 3. Aerospace (31%)
High demand for skills, by industry: 1. Military (29%); 2. Aerospace (28%); 3. Food/beverage (28%)
I thought I would enjoy the work, by industry: 1. Financial services (29%); 2. Consulting (28%); 3. Non-security software/hardware (26%)

The happiest employees are those who are challenged to continue adapting and evolving as evidenced by our research finding that employees with the highest EX ratings are most motivated by the ability to work in a continuously evolving field that fits their skill set/education. Conversely, professionals who have been pushed into cybersecurity by their organization or through a layoff at another organization have the lowest EX ratings. Decisions made by professionals who have freedom of choice are the most motivating (see figure 38).

FIGURE 38
Which of the following best describes why you originally entered the cybersecurity profession?
Base: 14,865 global cybersecurity professionals

MOTIVATIONS WITH LEAST HAPPY SECURITY WORKERS (motivation for entering security: average EX rating)
My company reorganized and I was pushed into a cybersecurity role: 48.43
I have role models in my life in cybersecurity (e.g., family members, mentors) who encouraged me: 48.64
I was laid off from another job and there were openings in cybersecurity: 50.54
I did some cybersecurity on my own and enjoyed it: 50.63
Job stability/low unemployment: 50.79

MOTIVATIONS WITH HAPPIEST SECURITY WORKERS (motivation for entering security: average EX rating)
Ability to work in a continuously evolving field: 52.98
It fit my skill set/education: 52.49
Career advancement opportunities: 52.16
Ability to solve problems: 52.12
High demand for skills: 52.06

Pathways are changing. In 2023, new entrants into the cybersecurity profession are considerably older on average than they have been in the past, with 48% of new entrants joining at age 39 years or older. This is a significant difference from 2022 (24%) and shows a change in the pathways into cybersecurity (see figure 39). Besides the change in age of new cybersecurity professionals, we also see a significant shift in the backgrounds of workers entering the field. New cybersecurity professionals are more likely to have a bachelor's degree in cybersecurity, more likely to come from a non-IT role and less likely to have started in IT (see figure 40).

FIGURE 39
Ages of new entrants into the cybersecurity profession
Base: 695 global cybersecurity professionals who started in the past 12 months; 356 surveyed in 2022 and 610 surveyed in 2021
Note: Total percentages may not equal separate values due to rounding.
Series: 2021; 2022; 2023. Age groups: Under 30; 30-38; 39-49; 50-59; 60 or older.

FIGURE 40
Base: 404 new and 6,121 tenured global cybersecurity professionals
Series: new cybersecurity employees (1 year or less in the field); tenured cybersecurity employees (10+ years in the field).
Categories: Got cybersecurity bachelor's degree before entering cybersecurity; Worked in IT before entering cybersecurity; Worked in a non-IT role before entering cybersecurity; Had an internship or apprenticeship in cybersecurity before their first job; Influenced to join cybersecurity by role models in their life in the field.

FIGURE 41
Which of the following best describes why you originally entered the cybersecurity profession? (Showing top motivating factors)
Base: 14,145 global cybersecurity professionals
Panels: Under 30; 30-38; 39-49; 50-59; 60 or older.

Professionals of all ages are united and motivated to join the industry by a simple but powerful feeling: their sheer enjoyment of the work (see figure 41).

As previously mentioned, career advancement opportunities are the most common motivator to join cybersecurity, but when we look at the age-specific breakdown among workers, we see an interesting trend. Younger professionals (especially those under the age of 30) primarily join the industry based on what they perceive to be an enjoyable career, and older professionals joining midcareer have performed cybersecurity work in another role and decided to join full-time based on their own enjoyment of it.

What It Means for Organizations
New Career Pathways Shape the Future Cybersecurity Workforce

Cybersecurity career paths are shaped by the professionals with traditional and non-traditional experiences who get hired, as well as the organizations that make the decisions to hire them. As more professionals with diverse backgrounds join the industry, new pathways open and evolve the expectations and recruiting habits of hiring managers. Here are our key takeaways for organizations and professionals with the ability to impact the career pathways for a new generation of cybersecurity professionals:

Organizations, rethink your hiring parameters. New career trajectories and hiring trends make cybersecurity a more attractive place for technically skilled workers of all ages, not just those with traditional education or cybersecurity experience. Organizations seeking to nurture a skilled cybersecurity team should also look for those with non-traditional backgrounds and expand their internal and external recruiting.

Professionals, stay agile (and satisfied) by challenging yourselves. Enjoyment, challenge and career advancement go hand in hand. The happiest employees are those who are challenged to continue adapting and evolving, as evidenced by our EX rating. Cybersecurity is a continuously evolving field, and it's important to evolve with it. Ask your employer about their professional development opportunities, certifications and skills development programs. This will help you stand out as a key contributor, and help you build new competencies for the future.

Skills in Demand

As with pathways into the field, the demand for new cybersecurity skills is evolving. Cloud computing security continues to be the most desired technical skill set, but the perceived demand for AI/machine learning skills is growing quickly. In addition, the unstable market environment gives rise to a demand for more curious and communicative employees with professional experience. Those with technical on-the-job experience and relevant certifications are more attractive to recruiters than those entering the market with just a degree. We interviewed both hiring managers and professionals without hiring responsibilities to uncover the most desirable skills, qualifications and experiences that drive recruiting and education demand within the cybersecurity world. Here's what we found:

Cloud computing security is a critical skill, but it's in short supply. Cybersecurity professionals (non-hiring managers) consider cloud computing security to be the most in-demand skill for those looking to advance their careers (47%). Hiring managers continue to validate this perception: for the second year in a row, cloud computing security (32%) is the most desirable skill sought by cybersecurity hiring managers who are looking for recruits. Hiring managers are also prioritizing risk assessment, analysis and management (31%); security analysis (28%); and security engineering (28%) as attractive skills for prospective employees (see figure 42). Contributing to the high demand for cloud computing security skills is the aforementioned supply shortage of cybersecurity professionals who have experience in this area. As previously reported, cybersecurity professionals said that cloud computing security is the number one area where there are skills gaps on their team (35%). This only makes the skill more attractive to hiring managers.

Demand for AI/ML skills is growing. Although it's not currently a top requirement from hiring managers, the demand for artificial intelligence skills is growing in the eyes of the average cybersecurity professional. AI/ML skills (28%) are among the top five categories for in-demand skills (see figure 43). As recent as our 2022 study, AI/ML did not even make the top ten for most in-demand skills and was ranked close to the bottom. In the coming years, this skill has the potential to spike in demand as AI matures and influences various aspects of cybersecurity threats and defense.

FIGURE 42
Asked to hiring managers: What skills are you most looking for right now when hiring? (Showing top ten responses)
Asked to non-hiring managers: Which of these skills do you think are most in demand for security professionals looking to advance their careers (via new jobs and promotions)? (Showing top ten responses)
Base: 7,143-7,184 global cybersecurity professionals
Note: “Don't know/does not apply” responses were removed from the sample base.

Curiosity, communication and certifications are growing in importance. Cybersecurity professionals consider problem-solving abilities to be the most important qualifying characteristic for themselves on the job (45%). However, curiosity/eagerness to learn (39%), communication skills (38%) and cybersecurity certifications (32%) have grown in value year over year. When compared to 2022, these traits increased in importance by 3% to 5%, and this upward trend reflects the needs of the modern risk landscape. When operating in a market characterized by instability, organizations need professionals who are knowledgeable, adaptable and efficient facilitators of information (see figure 43).

FIGURE 43
What are the top five most important qualifications for cybersecurity professionals seeking employment? (Showing top five and bottom five responses)
Base: 14,865 global cybersecurity professionals

LARGEST INCREASES IN TRENDS
Cybersecurity qualifications (e.g., trainings, etc.) other than certifications or a degree: 2022 17%, 2023 19%
Knowledge of basic cybersecurity and cybersecurity concepts: 2022 33%, 2023 35%
Curiosity/eagerness to learn: 2022 36%, 2023 39%
Strong communication skills: 2022 33%, 2023 38%
Cybersecurity certifications: 2022 29%, 2023 32%

LARGEST DECREASES IN TRENDS
Strong strategic thinking skills: 2022 27%, 2023 25%
Extensive cybersecurity work experience: 2022 22%, 2023 20%
Familiarity with relevant frameworks: 2022 16%, 2023 13%
Knowledge of advanced cybersecurity and cybersecurity concepts: 2022 31%, 2023 25%
Strong coaching/team development skills: 2022 9%, 2023 7%

Professional experience and certifications are seen as more valuable than formal education. Cybersecurity skills are shaped by education, training and experience. When asked about the experiences and education that constitute the ideal cybersecurity candidate, respondents made it clear that experience and certification top all else. Senior-level cybersecurity experience (86%) was highly favored over advanced doctoral degrees (14%) (see figure 44). Experience carries weight, even if it isn't specific to cybersecurity. Mid-level non-cybersecurity technical experience (63%) was favored over entry-level cybersecurity experience (37%). However, entry-level cybersecurity experience (70%) is still more important than entry-level cybersecurity education (30%). This tells us that cybersecurity professionals view professional exposure in any manner as more valuable than education in a classroom or virtual setting. Certifications are also a highly regarded form of
cybersecurity qualification. They are favored over both a bachelor's degree in a related field (66% vs. 34%) and independent competition experience (54% vs. 46%) (e.g., hackathons). Despite the new pathways and trends shaping the modern cybersecurity profession, certifications continue to be a core ingredient for the ideal cybersecurity candidate.

FIGURE 44
If you were to design your ideal cybersecurity candidate, which of these things would you prefer?
Base: 13,222-13,742 global cybersecurity professionals
Panel bases: 13,742; 13,615; 13,500; 13,496; 13,222
Note: “Don't know/does not apply” responses were removed from the sample base.

Mid-level (non-cyber) experience is preferred to entry-level cyber experience
Entry-level cybersecurity experience (1 to 3 years): 37%
Midcareer-level non-cybersecurity IT/technical experience (5 to 10 years): 63%

Entry-level cybersecurity experience is preferred to entry-level degrees
Entry-level education (e.g., bachelor's degree in related field or basic certification): 30%
Entry-level cybersecurity experience (1 to 3 years): 70%

Senior-level cybersecurity experience is perceived as far more valuable than advanced degrees
Advanced doctoral degree: 14%
Senior-level cybersecurity experience (10+ years): 86%

Certifications are more valuable than independent experience
Independent competition experience (e.g., hackathon, capture the flag, etc.): 46%
Cybersecurity certification: 54%

Certifications are more valuable than entry-level degrees
Bachelor's degree in related field: 34%
Cybersecurity certification: 66%

What It Means for Organizations
Continue to Nurture and Develop Skill Sets for Well-Rounded Talent

The current macroeconomic environment calls for a generation of cybersecurity workers who are curious, agile and open to new challenges. This is who modern organizations seek as they grapple with cutbacks and skills gaps. Here are our key takeaways for organizations and professionals looking to hire, nurture and develop skill sets to fill gaps and improve the future of work:

Organizations, expand basic cybersecurity training to everyone. For many organizations, the need for basic cybersecurity skills has eclipsed the need for niche and advanced skill sets. Attributes like eagerness to learn, communication skills and curiosity have never been more important. To create more well-rounded and knowledgeable cybersecurity employees, try offering basic training/professional development to other departments within the organization. Encouraging basic skills development on a holistic level can also organically promote your cybersecurity team as a new career pathway.

Professionals, supplement education with hands-on experience. Cybersecurity professionals (especially hiring managers) favor on-the-job experience over traditional education, and this includes non-cybersecurity experience. So those pursuing a career in cybersecurity should try to supplement their education with hands-on, technical on-the-job experience, whether an internship, certification or independent competition (hackathon, etc.), to diversify their resume.

Certifications

Certifications continue to be a pillar of cybersecurity professional development. Certification activity and planning have stayed generally constant, which shows that professionals remain steadfast in their journey to expand their cybersecurity skills and knowledge. Both employees and their organizations have expressed resilience and dedication to certifications in an uncertain economy. Even amid corporate cutbacks like hiring freezes and job layoffs, more than half of professionals are offered reimbursements for certification exams by their employer. Employers that do so are successful at filling skills gaps. We spoke to more than 14,000 cybersecurity professionals to learn about how and when they plan to earn certifications and found that:

Certification pursuit remains strong. Cybersecurity professionals continue to plan ahead for their professional development, with only minor postponements from near-term to long-term plans. Within the next six months, 21% of respondents plan to pursue a vendor-neutral certification, with 49% thinking longer-term (six months to two years and beyond). Those planning for vendor-specific certifications are behaving similarly, with 19% planning for the immediate future and 49% extending their pathway beyond six months. On average, we observed a 6% increase in those who are planning on continuing their certification work in the period beyond the next six months. In general, however, the market has not deterred cybersecurity professionals from furthering their education and skill sets (see figure 45).

FIGURE 45
Which of the following best describes your plans to pursue any vendor-neutral or vendor-specific cybersecurity certifications in the future?
Base: 3,818-3,829 global cybersecurity professionals (Panel respondents)
Note: “Don't know/does not apply” responses were removed from the sample base.
Columns: vendor-neutral certifications (e.g., ISC2, ISACA, CompTIA) / vendor-specific certifications (e.g., Cisco, Microsoft)
No plans to pursue any additional security certifications: 7% / 7%
Currently pursuing: 16% / 17% (4% / 3%)
Planning to pursue within the next six months: 21% / 19% (3% / 4%)
Planning to pursue at some point, but not sure when: 7% / 8% (1% / 1%)
Planning to pursue more than two years from now: 9% / 12% (3% / 4%)
Planning to pursue one to two years from now: 17% / 18% (2% / 2%)
Planning to pursue six to 12 months from now: 23% / 19% (2% / 1%)

Skills growth continues to be the driving motivator for certification. Cybersecurity professionals are still pursuing certifications to grow and develop their skills (65%). This is true for workers of all ages. Professionals in the 50+ age range (67%) agree to this, and so do those under 49 (65%). This paints a picture of the wide applicability of certifications, regardless of experience or industry tenure. Other motivators include staying current with security trends (53%) and the sheer enjoyment of the challenge (43%) (see figure 46). Those with high school diplomas agree more with this (47%) than those with more advanced degrees (42%). Professionals without undergraduate or graduate degrees use certifications to demonstrate their cybersecurity knowledge, skills and abilities. While personal motivation is key to earning certifications and growing skills, organizations need to support their employees' pursuit to holistically close skills gaps.

FIGURE 46
You indicated you have plans to get a certification in the future. What is your motivation for doing so?
Base: 11,660 global cybersecurity professionals
Note: “Don't know/does not apply” responses were removed from the sample base.
To improve my skills: 65%
To stay current with security trends: 53%
Certifications are an important part of my career and professional development: 50%
I enjoy the challenge and the accomplishment: 43%
To expand and demonstrate my experience to employers: 39%
To expand and demonstrate my experience to peers: 31%
To improve my organization's security posture: 30%
It is required for a job that I'm applying to/want to apply to outside of my organization: 17%
It is required in order for me to get a promotion: 15%
My organization asked me to do it to fill a skills gap: 13%

Organizations continue to subsidize certifications as professional development. Despite economic headwinds, 96% of respondents are offered professional development incentives from their organizations. More than half of cybersecurity professionals receive these incentives in the form of certification exam reimbursements (54%), which continues to be the top mode of educational assistance year over year. Certification reimbursements aren't the only form of professional development incentive, however. Companies also include reimbursements for conferences/events (43%), in-house training (42%), career pathing/planning for advancement (32%) and tuition assistance (32%) (see figure 47).

FIGURE 47
Which of the following does your organization offer in terms of professional development initiatives/incentives?
Base: 14,009 global cybersecurity professionals
Note: “Don't know/does not apply” responses were removed from the sample base.
Payment/reimbursement for third-party certification exams: 54%
Payment/reimbursement for third-party certification courses: 49%
Payment/reimbursement for conference/event attendance (i.e., reimbursement for expenses/tickets): 43%
Time for professional development during work hours: 42%
In-house training courses: 42%
Tuition assistance for undergraduate/graduate degree programs: 32%
Career pathing/planning for advancement: 32%
Mentoring program: 29%
Bring in outside consultants/third-party training organizations to train internal staff: 23%
My organization does not offer professional development initiatives or incentives: 4%
Job shadowing: 18%

Certification reimbursement can shrink skills gaps. Professional development incentives could be a not-so-secret weapon in the fight against the global cybersecurity gap. 47% of organizations that do not offer reimbursements for certification courses or exams have significant skills gaps in cybersecurity, compared to only 38% that do offer reimbursements. If more organizations encouraged certifications, this could organically nurture core cybersecurity skills without requiring more outside hiring. Employees are taking action to fill these gaps. 56% of cybersecurity professionals at organizations with critical skills gaps plan to get a vendor-neutral certification within the next year.

Regions with organizations offering payment/reimbursement for third-party certification exams
North America: 62%
Europe: 52%
Asia-Pacific: 48%
Middle East/Africa: 35%
Latin America: 33%

Industries with organizations offering payment/reimbursement for third-party certification exams
Consulting: 67%
Financial services: 63%
Automotive: 40%
Construction: 36%

What It Means for Organizations
Expand Your Definition of Professional Development

Certifications are a foundational aspect of skills development, and organizations play a crucial role in making them accessible and available to their employees, especially in an uncertain economic environment. To encourage development from within and close skills gaps, organizations need to ensure their employees know that they are serious about their certification development, enough to dedicate time for them to focus on it. Here is a key takeaway for companies that want to show their dedication to employees' professional development:

Organizations need more than just money to promote skills growth. Even amid corporate cutbacks like hiring freezes and layoffs, more than half of professionals are still offered reimbursements for certification exams by their organizations. This is an important step toward encouraging skills development, but to truly signal to your employees that you care about their growth, you need to give them time to earn it. Reserving specific blocks of study time for certification or professional development seminars on a biweekly or even monthly basis will help to signal to your employees that you care about their skills growth. It will also provide breathing room for employees who feel overworked or those without the ability to dedicate time outside their workday to focus on training rather than emails or personal responsibilities.

Cybersecurity Landscape: Present & Future

Three out of four cybersecurity professionals view the current landscape as the most challenging it's been in the past five years. The modern economic environment has increased the risk of malicious insiders, and staff/skill shortages impede the ability of cybersecurity teams to properly secure their organizations. As professionals adapt to today's challenges, they are also looking to the horizon for emerging threats and opportunities. The topic of AI is unavoidable in a conversation about the positive and negative impacts of tomorrow's technology. Speculation about its use commands global attention: Will it become a tool for more efficient threat response or a door to more sophisticated attacks? Cybersecurity professionals are weighing these potential futures with cautious optimism to understand and adopt the emerging technology while at the same time preparing for the potential risks that it could create. Here is what we learned from cybersecurity professionals who are adapting to today's challenges while preparing for the future of work:

For most, the threat landscape has reached a peak. 75% of all respondents view the current threat landscape as the most challenging it's been in the past five years (see figure 48), and this varies by industry. Respondents from some industries indicated more sensitivity than others to the modern environment: those in healthcare (79%), military (79%), energy/power/utilities (79%), government (78%) and manufacturing (77%) industries agree/strongly agree that they have reached their peak threat level since 2018. Even those that are less sensitive like automotive (64%), construction (65%) and telecom (69%) still mostly agree with this sentiment (see figure 49).

FIGURE 48
How strongly do you agree with the following statements related to the state of cybersecurity work? (Showing Agree/Strongly Agree responses)
Base: 13,048-14,093 global cybersecurity professionals
Note: “Don't know/does not apply” responses were removed from the sample base.
The threat landscape is the most challenging it's been in the last five years: 75%
We are more carefully evaluating all third-party software and hardware on our network (including open source): 70%
I'm worried about our cybersecurity team's ability to keep our organization secure during times of economic uncertainty: 52%
My organization has the tools and people we need to ensure we are prepared to respond to cyber incidents over the next two to three years: 52%
Times of economic uncertainty have negatively impacted my business as an independent security contractor: 52%
During times of economic uncertainty, I feel pressure to come to the office rather than work from home in order to be seen: 43%

FIGURE 49
The threat landscape is the most challenging it's been in the past five years. (Showing Agree/Strongly Agree responses)
Base: 130-1,239 global cybersecurity professionals in listed industries
Note: “Don't know/does not apply” responses were removed from the sample base.

TOP FIVE INDUSTRIES
Healthcare: 79%
Military/military contractor: 79%
Energy/power/utilities: 79%
Government: 78%
Manufacturing: 77%

BOTTOM FIVE INDUSTRIES
Transportation: 70%
Food/beverage/hospitality/travel: 70%
Telecommunications: 69%
Construction: 65%
Automotive: 64%

Contextualizing the modern threat landscape is key to understanding how to prepare for it. Ultimately, only 52% of cybersecurity professionals say that their organization has the tools and people to ensure that they are prepared to respond to cyber incidents over the next two to three years. The same proportion say that they worry about keeping their organization secure during times of

323、 economic uncertainty.This uncertainty is more significant among companies who have had cybersecurity layoffs in the past 12 months(63%)versus those who havent had any layoffs(47%),which prompts the question of whether the security risks of cybersecurity layoffs are worth the cost savings.Staff and

324、skill shortages have shaped the current threat landscape.In the past 12 months,worker/skills shortages(45%)have been the number one challenge faced by cybersecurity professionals(see figure 50).Geography is a key differentiator here,as respondents in North America(55%)have felt a more significant im

325、pact from these shortages than those in other parts of the world like Europe(42%),the Middle East and Africa(42%),Latin America(32%)and Asia-Pacific(31%).This contextualizes the roughly 20%workforce gap increase within North America.69ISC2 Cybersecurity Workforce Study,2023FIGURE 50What were the big

326、gest challenges cybersecurity professionals faced in the past 12 months?Base:14,865 global cybersecurity professionalsWorker/skill shortages in the workforce45%Insider threats38%Keeping up with changing regulatory requirements(e.g.,PCI v4.0,GPDR,AI regulations,breach disclosure requirements,etc.)37%

327、Risks of emerging technologies like blockchain,AI,VR,quantum computing,intelligent automation,etc.36%Addressing risks from an employees home environment35%Cyberattacks stemming from cyber operations as a precursor to military conflict,tactic of military operations or tool of retaliation31%Adapting t

328、o risks from advances in employee computing technologies(e.g.,increased prevalence of sensors,AI,etc.)30%Misinformation and disinformation sowing confusion among executives and the board about cyber risks 30%Tension between tenured and junior security employees15%Keeping up with environmental regula

329、tory requirements about cyber risks 19%Addressing the impact of cyber insurance premium increases on the security program and practices19%Two-thirds of respondents from organizations with significant staff shortages(67%)say they worry about their teams ability to keep their organization secure,and 6

330、3%of those with skills gaps agree with the same sentiment(see figure 51).In general,62%of cybersecurity professionals say that corporate cutbacks like layoffs,budget cuts and hiring freezes reduce their ability to prepare for future threats.70ISC2 Cybersecurity Workforce Study,2023FIGURE 51Im worrie

331、d about our cybersecurity teams ability to keep our organization secure during times of economic uncertainty.Base:7,861-11,915 global cybersecurity professionalsNote:Total percentages may not equal separate values due to rounding.We do not have any skills gaps.We have one or more critical skills gap

332、s.Surplus of cybersecurity staffRight amount of cybersecurity staffSlight shortage of cybersecurity staffSignificant shortage of cybersecurity staffStrongly agreeStrongly agreeAgreeAgreeNeither agree or disagreeNeither agree or disagreeDisagreeDisagreeStrongly disagreeStrongly disagree26%15%11%22%32

333、%32%41%45%20%28%30%20%11%24%21%24%38%29%25%13%11%20%16%9%11%5%11%6%2%3%63%67%To future-proof themselves from new threats on the horizon,more organizations need to encourage and incentivize skills growth from within through certification programs.Malicious insiders are on the rise.71%of respondents agree that times of economic uncertainty increase the risk of malicious insiders,which next to staff/
