Cybersecurity Skills Gaps Now Outpace Headcount Shortages, ISC2 Workforce Study Finds

A new 2025 ISC2 Cybersecurity Workforce Study finds that while economic pressures such as budget cuts and layoffs affecting cybersecurity teams appear to be stabilizing, the profession faces a more pressing challenge: widening skills shortages that directly threaten organizational security readiness.

The annual study, based on responses from more than 16,000 cybersecurity professionals and decision-makers worldwide, highlights how the nature of workforce risk has shifted, with skills gaps now eclipsing pure headcount concerns.

The study indicates that macroeconomic pressures impacting cybersecurity teams have not intensified in 2025. Budget cuts were reported by 36% of respondents, while 24% said their organizations had implemented layoffs. Hiring and promotion freezes also remained steady, suggesting that while cost controls persist, conditions have not worsened materially.

Despite this relative stabilization, workforce risk remains high. According to the report, 33% of respondents said their organizations lack sufficient budget to staff cybersecurity operations effectively, and 29% said they cannot afford to hire candidates with the skills needed to adequately secure their organizations. A majority of respondents (72%) agreed that reducing cybersecurity staff significantly increases the likelihood of a breach.

Shift from headcount to skills needs

While headcount shortages remain an issue, the study underscores a growing consensus that skills shortages are now the more critical problem impacting cybersecurity effectiveness. Reflecting this shift, ISC2 did not publish a global workforce gap estimate in the 2025 study, stating that respondents consistently emphasized specific skills needs over workforce size.

Skills gaps are nearly universal. The study found that 95% of respondents reported at least one skills gap within their teams, and 59% described those gaps as critical or significant, compared with 44% in 2024. Technical and nontechnical competencies are both in demand, though shortages are most acute in emerging technical areas.

“Respondents to the 2024 and 2025 studies have prioritized the need for critical skills as more important than the need for more people,” the report states.

Demand is particularly high for artificial intelligence (AI) and cloud security expertise. AI skills were cited by 41% of respondents as the most pressing need, followed by cloud security at 36%. Other areas frequently identified include risk assessment, application security, security engineering, and governance, risk and compliance.

Real-world consequences and workforce strategies

The consequences of these skills gaps are tangible. According to the study, 88% of respondents experienced at least one cybersecurity incident or operational issue linked to a skills shortage, and 69% said they encountered multiple consequences. Common outcomes included misconfigured systems, oversights in security processes, and assigning underqualified personnel to critical roles.

To mitigate these risks, organizations are increasingly focused on developing existing staff. Common strategies include investing in professional development, allocating time for training, cross-training employees from other departments, and using external contractors or service providers to supplement internal capabilities.

AI is also reshaping cybersecurity work. While AI-driven tools and automation are becoming more prevalent across security operations, respondents generally viewed AI as an opportunity to enhance effectiveness rather than a threat to jobs, though it continues to drive demand for new skills.

Workforce sentiment and outlook

Despite ongoing pressures, job satisfaction among cybersecurity professionals remains relatively strong. The study found that 68% of respondents reported being satisfied in their current roles, and 80% said they remain passionate about working in cybersecurity.

However, the report cautions that dissatisfaction with organizational leadership and limited advancement opportunities could pose retention challenges if left unaddressed.

As organizations prepare for the threat landscape of 2026 and beyond, the study emphasizes the growing importance of investing in skills development and long-term workforce planning.

“Organizations must find ways to widen their skills base and talent pools — including investing in existing personnel through multiskilling and skills investment — despite budgetary constraints, to bolster cybersecurity capability and meet demand,” the report states.