ISC2 2025 Workforce Study: Skills Shortages Drive 88% of Security Incidents

The cybersecurity industry faces a fundamental shift from headcount concerns to critical skills deficits, according to the 2025 ISC2 Cybersecurity Workforce Study released this month. Based on responses from 16,029 cybersecurity professionals across North America, Latin America, Asia Pacific, and EMEA regions, the research reveals that skills shortages are now the primary driver of security incidents and workforce burnout.

The study's most striking finding: 88% of organizations experienced at least one significant cybersecurity consequence in the past year directly attributed to skills shortages, with 69% reporting multiple incidents. This marks a critical evolution in how the industry must approach workforce development and security resilience.

Economic Pressures Continue

Global economic disruption continues to impact cybersecurity teams through multiple channels. While cost-cutting measures have steadied compared to previous years, they remain widespread across the industry. Large organizations bore the brunt of economic pressures, with 32% reporting layoffs, 46% experiencing budget cuts, 49% facing hiring freezes, and 41% seeing promotion freezes.

These financial constraints create a challenging environment for organizations attempting to address security needs. The data suggests that while economic conditions have not necessarily worsened year-over-year, the ongoing uncertainty prevents meaningful investment in workforce development and team expansion.

Skills Crisis Trumps Headcount Concerns

The 2025 study represents a fundamental shift in how ISC2 measures workforce challenges. For years, the research focused on the "workforce gap"—the difference between current headcount and the number of additional people needed. This year, the emphasis moved decisively toward skills deficits within existing teams and the broader talent pool.

According to participants, organizations now recognize that simply adding more people will not address operational challenges without ensuring those individuals possess relevant, current skills. The rapid adoption of artificial intelligence, cloud technologies, and evolving threat vectors have created multi-faceted skills needs that traditional hiring approaches cannot solve.

Even organizations actively recruiting report struggling to find candidates with required skills or afford those who possess them. A disconnect between what hiring managers seek and what cybersecurity professionals prioritize further complicates the talent acquisition challenge.

AI: Opportunity and Challenge

Artificial intelligence emerged as both a catalyst for career development and a new risk vector. Over two-thirds of respondents (69%) are either currently using AI security tools or planning implementation in the near future. The reception remains broadly positive, with professionals viewing AI as support for time-consuming and repetitive tasks rather than a replacement for human expertise.

Cybersecurity professionals are taking proactive approaches to developing AI knowledge and capabilities. Rather than viewing AI as a threat to job security, participants see it as an opportunity for skill development and career advancement.

However, AI-based attacks represent new threat vectors that most professionals had not encountered until recently in their careers. This creates an urgent need for training and skill development to defend against AI-powered threats while leveraging AI tools for defensive purposes.

Is Cybersecurity Hard? The Honest Truth for Beginners

If you’ve ever wondered whether cybersecurity is too hard to get into, you’re not alone. It’s one of the most common questions people ask before considering this field. The truth? Cybersecurity can be challenging, but it’s not impossible — and it may not be as intimidating as

Security Land | Decoding the Cyber Threat LandscapeEditorial Team

Workforce Wellbeing Under Strain

Despite economic challenges impacting advancement opportunities and investment in professional development, 68% of cybersecurity professionals report satisfaction with their current roles. However, signs of strain are increasingly visible beneath this overall contentment.

Staff report feeling overworked and burned out as they attempt to cover shortfalls in needed cybersecurity skills and personnel. The combination of skills gaps, economic pressures limiting hiring, and increasing threat complexity creates unsustainable workloads for many teams.

Retention data reveals the impact of these pressures. While 75% of respondents indicated they were likely to stay at their current organization for the next 12 months, this drops to 66% when considering a two-year timeframe. The decline suggests that while professionals remain committed in the short term, longer-term retention faces significant challenges.

Frustration with employer demands for increased in-office or hybrid working arrangements adds additional pressure. Only one-third of participants said their organizations prioritize cybersecurity as a critical business function—a concerning indicator of how security teams are valued within broader organizational structures.

Investment Gaps

Participants expressed clear desires for increased organizational investment in skills development. They want more focus on upskilling existing team members, budget allocations for professional development, and broader cybersecurity awareness training across organizations.

Cross-training employees outside dedicated cybersecurity teams emerged as a priority. Participants recognize that distributing basic security knowledge and responsibilities across the organization can help mitigate risk and reduce pressure on specialized security teams.

The study emphasizes that investing in skills development is essential for lowering organizational risk, reducing staff turnover, and maintaining long-term engagement among cybersecurity professionals. Organizations that continue treating professional development as discretionary spending risk both increased security incidents and accelerated talent loss.

Four Critical Challenges

The research identifies four interconnected challenges facing the cybersecurity workforce:

Economic Uncertainty continues disrupting careers through layoffs, hiring freezes, promotion freezes, and budget reductions. While these measures have stabilized, persistent economic caution prevents meaningful forward progress.

Skills and Staff Shortages directly impact security posture, with 88% of organizations experiencing security consequences due to skills gaps. The shortage extends beyond simple headcount to encompass critical capabilities needed for modern security operations.

AI Adoption disrupts traditional workflows while offering opportunities for efficiency gains and career development. Organizations must balance implementing AI tools with defending against AI-powered threats.

Job Satisfaction remains broadly positive but shows warning signs. Overwork, burnout, and lack of organizational recognition threaten long-term retention despite current contentment levels.

These four areas illustrate fundamental links between skills shortages, investment gaps, increased security risk, and workforce discontent.

The Path Forward

The study makes clear that cybersecurity resilience depends on agility, capability, and continual skill development rather than simple headcount expansion. Organizations must prioritize upskilling and multi-skilling existing personnel while recruiting for specific capabilities rather than generic security roles.

Professional development programs, cross-training initiatives, and investments in emerging technology skills become critical for maintaining both security posture and workforce engagement. Organizations that view cybersecurity as a critical business function and invest accordingly will be better positioned to address both security challenges and talent retention.

For cybersecurity professionals, the study underscores the importance of continuous learning, particularly in emerging areas like AI security. Taking proactive approaches to skill development positions individuals for career advancement while helping organizations address critical capability gaps.

Conclusion

The 2025 ISC2 Cybersecurity Workforce Study reveals an industry at a critical inflection point. The shift from headcount concerns to skills deficits reflects the increasing complexity of modern security challenges. With 88% of organizations experiencing security incidents due to skills shortages, the path forward requires fundamental changes in how organizations approach workforce development and retention.

Economic pressures, AI disruption, and workforce wellbeing challenges create a complex environment requiring sustained investment in people and capabilities. Organizations that prioritize skills development, recognize cybersecurity as a critical function, and invest in their teams will be better positioned for long-term security resilience and talent retention.

For complete analysis, detailed regional breakdowns, and comprehensive workforce data, security professionals should review the full 2025 ISC2 Cybersecurity Workforce Study.