Cybersecurity job statistics

Unfortunately, there’s no completely foolproof way to protect your computer, server, or network. Attackers are always looking for new vulnerabilities and weak points to exploit, which means cybersecurity professionals have to be a step ahead at all times. The problem is that the real world is unpredictable, which is why digital security teams also have to deal with risk mitigation, crisis management, and regular testing of existing defenses.

It doesn’t stop there, either. Thanks to the pandemic, there was a fundamental shift in the way we work and communicate. As we’ll see, this created a huge number of opportunities for hackers and scammers, adding to the average cybersecurity worker’s already high workload.

Here are some of the key statistics surrounding the cybersecurity job market in 2023:

1. Demand for cybersecurity staff continues to rise

According to the US Bureau of Labor and Services, there were 163,000 Information Security Analysts in 2021, with just 300 of these self-employed. Additionally, there was an almost unheard-of 100 percent employment rate in this sector. In fact, the BLS expects demand to increase by nearly 35 percent by 2031 – that’s an additional 56,500 positions to be filled.

It’s important to note that this is just one job title. Staff with similar roles may be called entirely different things from one company to another, which makes it difficult to get accurate numbers for the industry as a whole. That said, Cyber Seek estimates that there were around 1.1 million cybersecurity workers in the United States as of December 2022.

2. The average cybersecurity salary was over $110,000 in 2021

In 2021, cybersecurity staff made, on average, five percent more than the previous year, with an average salary of $113,270 per year. That said, where you are located makes a huge difference: workers in California average $135,200 annually while those in Puerto Rico make just $51,600.

There’s a reason for this: California actually has more infosec job vacancies than any other state, and accounts for roughly 10 percent of the country’s total cybersecurity workforce. Conversely, Wyoming only has around 850 openings across the whole state – that means it’s almost four times as difficult to land a cybersecurity job there as in Rhode Island, despite having 80 times the physical footprint.

Source: Cyber Seek – Cybersecurity Supply/Demand Heat Map

3. Almost two-thirds of experts believe they are understaffed

In 2022, ISACA released its State of Cybersecurity report, which surveyed more than 2,000 cybersecurity professionals. Of these, 47 percent replied that their organization’s cybersecurity team was “somewhat understaffed”, with a further 15 percent saying that they were “significantly understaffed”. In contrast, just three percent replied that they were overstaffed.

So why is this? Well, there are several reasons, but essentially a lot of it boils down to money. The number of experts who feel that their department is significantly underfunded has increased since last year, and 39 percent still believe that they’re “somewhat underfunded”. On the plus side, 55 percent of respondents expect their security budget to increase in 2023, with just eight percent expecting a reduction in funding.

Source: ISACA – State of Cybersecurity 2022

4. Keeping skilled staff can be a real problem

ISACA noted that in 2021, 60 percent of organizations surveyed reported difficulty retaining skilled cybersecurity employees. The three biggest concerns are that professionals are being recruited by other companies, leaving due to poor financial incentives, or believe that their promotional prospects are limited. Of course, we can’t write off high workplace stress levels, which 45 percent of respondents pointed to as a contributing factor.

In a bid to combat this problem, 45 percent of organizations surveyed have allowed staff from other areas of expertise to move into security roles. 42 percent, meanwhile, have increased their usage of outside consultants and/or contract employees, with a quarter relying more heavily on AI or automation to pick up the slack.

5. Most organizations take months to fill open vacancies

The staffing shortage isn’t helped by the amount of time it takes to complete the hiring process. Almost half of all organizations take between three and six months to hire a qualified candidate, with another 16 percent finalizing things in around two months. For context, just 30 percent needed 3–6 months in 2020, which could suggest that since the pandemic hit, organizations have been taking the time to vet candidates more thoroughly.

6. Women account for just a quarter of all cybersecurity jobs

It’s no secret that there’s a gender gap in STEM jobs, but this is particularly pronounced when it comes to cybersecurity. A 2021 analysis by BCG found that just 25 percent of all employees in this field were women. Unfortunately, when 2,000 female experts were surveyed, 87 percent reported experiencing unconscious discrimination, while 19 percent were overtly discriminated against. There’s also a real mismatch in terms of earning power: only 18 percent of women in this industry earn between $50–100k annually, versus 32 percent of men.

While 54 percent of the experts who responded to this study had undergone STEM training specifically aimed at girls and young women, there are systemic problems preventing wider adoption of STEM disciplines. For instance, 37 percent said that cybersecurity was a field where achieving a good work/life balance was difficult. This is huge, given that it’s the #1 priority for workers in Asia-Pacific countries and North America.

Figure: Women’s career priorities by region
Source: Empowering Women to Work in Cybersecurity Is a Win-Win

7. You don’t always need a degree to get started

BCG’s study showed that 10 percent of women felt they didn’t have the technical knowledge required to obtain a cybersecurity job. However, it’s actually not as difficult to get into the field as it used to be. In fact, in 2021, the number of organizations that said a university degree was “not very important” actually outstripped those that said it was “very important” (25 percent vs 20 percent).

Instead, the number one priority for employers was prior hands-on cybersecurity experience. Of course, people need to get their first role at some point, which is why they also considered the credentials of a candidate and any hands-on training they might have had. Here’s a tip to prospective job-seekers, though: don’t rely on association memberships to beef up your resumé. 57 percent of organizations said they were unimportant and only eight percent considered them very important.

Of course, different areas have differing viewpoints. In Africa, for instance, the number of employers requiring a degree has actually increased two percent since 2020. However, in most of the world, the opposite is true. In 2021, 78 percent of Middle-Eastern businesses said a degree was required but this dropped to just 59 percent the following year. Oceania has the lowest rate of any region surveyed, with just over a quarter of employers requiring a degree.

Figure: Entry-level cybersecurity jobs
Source: ISACA State of Cybersecurity 2022

8. Overall job satisfaction is very high

Around three-quarters of professionals surveyed by ISC2 reported being somewhat satisfied or very satisfied with their job. Rather than leaving due to the job itself, it seemed that the biggest source of stress was the actual workplace: respondents said that having too many tasks, a lack of respect from employers, and long working hours all contributed to their unhappiness.

One of the leading reasons for the industry’s high job satisfaction is that most employees are allowed to work remotely at least some of the time. 59 percent of professionals said that they prefer this to working in the office, and more than half would consider leaving their current role if this privilege was removed.

It’s easy to see why this has such a large impact. Almost 60 percent of fully remote workers reported taking breaks during the workday, compared to just 37 percent of in-office staff. Additionally, fewer than one-third of in-office staff actively set boundaries around their working hours, versus 41 percent of remote workers. While management might have concerns about the productivity implications of working from home, there’s no denying it has a positive impact on employee wellbeing.

9. Cybersecurity staff value different incentives from other types of worker

WTW’s 2022 Global Benefits Attitudes Survey notes that in general, employees value retirement benefits the most, followed by flexible working arrangements, then healthcare benefits.

However, ISC2’s research shows that when it comes to cybersecurity workers, the average job satisfaction rating was highest in workplaces with realistic targets and management who valued the opinions of all staff. Unsurprisingly, organizations that offered flexible working, mental health support programs, and employee feedback systems tended to have higher levels of satisfaction.

The research indicates that some incentives are more effective than others, too. For instance, companies which introduced additional vacation days or recognized events like birthdays tended to have less satisfied staff overall. Interestingly, having “robust parental leave policies” barely impacted the average satisfaction level, perhaps because, as we’ve noted above, the employees who would benefit most (women) are grossly underrepresented in this industry.

10. Workplaces are rapidly becoming more diverse

As the ISACA study notes, “the cybersecurity workforce has historically been dominated by white men”. That said, the data shows that this is beginning to change. While minorities represented just 19 percent of cybersecurity workers over the age of 60 who were surveyed, later generations were much more likely to obtain a job in this field.

In fact, minorities accounted for 49 percent of all employees under 30, with this percentage gradually tapering off as age increases. There is still work to do, though: non-white women are still a relative rarity, accounting for just 22 percent of workers in a sample of 4,000+ people.

Figure: Workplace diversity

This problem isn’t limited to entry-level roles, either. Less than a quarter of executives identified as non-white, though this could be partially down to the fact that it has been more difficult for minorities to get hired in this industry, meaning they have less experience.

11. Basic cybersecurity training is needed for all staff members

Although several US states require government employees to undergo regular cybersecurity training, there are no such requirements imposed upon the private sector. This is especially problematic given that employee negligence was the number one cause of cybersecurity incidents in 2021, with each costing an average of $277,557.

This isn’t something that can be resolved quickly and easily, though; retention is just as important as the initial training. To illustrate this, TalentLMS asked employees who had recently undergone cybersecurity training to take a seven-question quiz on basic computer security. 60 percent failed (getting fewer than four questions correct), with seven percent of workers getting every single question wrong.

Here’s the really troubling part: 60 percent of the people who failed the quiz claimed that they felt safe from cybersecurity threats. Conversely, just under half of those who passed said the same.

12. In-office workers tend to be more relaxed about digital privacy

TalentLMS found that around 63 percent of people who worked in a physical office reported that they felt safe from threats. This is despite 19 percent not being familiar with their company’s security policies and 15 percent not even using a password on their work computer.

Remote workers seem to be more aware of the risks overall. A higher proportion rely on password managers (though at 32 percent, adoption is still way too low) and device encryption, plus they’re actually less likely to use personal devices for work tasks.

There are two main ways to combat this problem. First, regular refresher training on basic threat detection. This may sound pointless, but with 86 percent of workers being unable to define phishing or identify potentially dangerous file types, it would go a long way. In fact, Microsoft estimates that simple digital hygiene protects against 98 percent of threats.

Unfortunately, this is unlikely to help the 12 percent of staff who say that cybersecurity training “is boring, no matter what”. That’s why organizations also need periodic penetration testing and security reviews.

13. The sky’s the limit for cybersecurity workers at the moment

A Cybershark study of British cybersecurity workers found that more than 70 percent expected to change roles within a year, whether by moving to another company, gaining a promotion at their existing company, or simply by seeing which offers come their way.

The most important thing for staff looking to change roles was an increase in their base salary (29.06 percent), followed by career progression (23.77 percent) and flexible working (20 percent). Additionally, more than 50 percent of professionals claimed they were able to find a new role within one month. In other words, experienced employees know what they’re worth and aren’t afraid to find a company willing to give it to them if their current employer falls short.

14. Soft skills remain a huge pain point for the industry

ISACA’s latest State of Cybersecurity report tells us that the biggest skill gap isn’t actually to do with lack of technical expertise. Instead, 54 percent of respondents considered a lack of soft skills such as leadership, flexibility, and communication to be the #1 issue. This has actually increased two percent year-over-year, pointing to a skill shortage that’s only getting worse.

So why does this matter? Simply put, poor soft skills contribute to low workplace morale, which is endemic in this industry. Companies can not only retain staff, but help them thrive simply by providing them with realistic goals and managers who value input from all employees.

On the plus side, the number of organizations concerned about specific technologies, like pattern analysis, network operations, and coding skills, has fallen in every case since 2021. Notably, the number of companies who feel recent graduates need more software development skills has fallen by five percent.

15. British cybersecurity firms tend to have smaller teams

According to Crunchbase, there are around 8,400 cybersecurity firms in North America. ISC2 estimates that there are 1.3 million qualified professionals in the same region, meaning that, on average, each firm will employ around 159 people.

Things are very different in the UK, though. As of August 2021, the government had identified 1,838 cybersecurity companies operating in Great Britain (an increase of 355 from a year prior). What’s interesting is that almost 60 percent of these were classified as micro-businesses, meaning they employed fewer than 10 staff. In fact, just 18 percent of British cybersecurity organizations employed more than 50 people.

Figure: Cybersecurity population
Source: – Cyber security sectoral analysis 2022

When we combine this information with Cybershark’s salary data, we can speculate about the general career path of the average digital security worker in the UK. Wages tend to start relatively low, as you would expect from a small business, but quickly ramp up as employees gain experience and presumably gravitate towards organizations with larger teams and deeper pockets.

16. Poor cybersecurity hurts everyone, from the company to the consumer

We already know that phishing and social engineering account for over 30 percent of all cyberattacks. However, even realizing that credentials have been stolen can take an extremely long time, during which an attacker can cause havoc, for instance by threatening to leak sensitive data or wipe your hardware.

According to Fortinet, just 49 percent of organizations surveyed said that they could detect a breach in 30 days or less. Nearly a quarter took up to three months, and that’s before we even consider the time needed to contain the threat! Proofpoint’s 2022 Cost of Insider Threats Report says that it takes, on average, 85 days to contain an incident caused by an insider, with a third of all events taking more than three months to deal with. Naturally, these were also the most costly overall, averaging $17.19 million USD per year.

Cybersecurity sector predictions for 2024 and beyond

Because of how quickly this industry can change, it’s difficult to predict anything with much accuracy. However, experts have agreed on a few likely scenarios, and we’ll list these below:

  • The cybersecurity market will continue to grow. If it maintains its current pace, it would hit a global revenue of over $650 billion in 2030, though even conservative estimates have the market cap reaching $376 billion by 2029, which is average growth of 13.4 percent annually.
  • We’ll continue to see rapid expansion of the workforce, with a predicted 3.5 million vacancies by 2025. This will help address the industry’s long-standing diversity problem by bringing in workers from a variety of backgrounds, which in turn, increases the likelihood of minority representation at higher levels of the organization.
  • Organizations will invest heavily in AI-powered security tools and zero-trust systems. This not only reduces the mean incident detection time, it also takes some of the pressure off of staff, meaning they have more time to focus on their main duties.
  • As fully-remote or hybrid working becomes the norm for these roles, we’ll start to see a shift away from urban centers, though employees will tend to remain within driving distance since they may have to appear in-person occasionally.

Cyber Security jobs: Frequently Asked Questions

How can I get started in cybersecurity?

There are all kinds of paths into the cybersecurity field. You could take one of the many online courses, get a cybersecurity degree, or see if you can get an entry-level job with your current experience. Alternatively, you could focus on a related discipline, like ethical hacking or network administration, both of which have skills that’ll help you on your way.

Some countries have even introduced grant schemes or apprenticeships to get you started. For instance, as long as you’re a UK resident who finished secondary education with reasonable grades, the CyberFirst program (run by GCHQ, the UK’s digital intelligence service), will help you get a degree and a job once you graduate.

What exactly does a cybersecurity expert do?

One of the best things about digital security is that it’s so widely varied. This means you can choose to specialize in something that you’re particularly interested in, or do a bit of everything.

For instance, a security analyst might spend some time making sure that their organization’s software is up-to-date, investigating suspicious activity on a user’s profile, or checking that all staff are compliant with the current security protocols. Their day-to-day schedule is varied and ever-changing based on the needs of the business.

Then there are the more focused roles, such as forensic analyst. These workers tend to dive much deeper into a specific task, rather than being jack-of-all-trades. They may be exceptionally skilled at finding data that someone has attempted to conceal, after all, but less adept when it comes to setting up and maintaining network hardware.

Where can I work with a cybersecurity degree?

Every single business, organization, and non-profit needs some degree of cybersecurity. As such, your options are virtually limitless. If you’d like to help local people, the government is always hiring, especially since it’s frequently targeted by ransomware these days.

These jobs can be an excellent stepping stone to more lucrative, unique lines of work. You might find yourself designing a secure API for a social media platform, safeguarding the electrical grid against foreign adversaries, or perhaps even creating the next big encryption protocol. In short, there’s a place in this rapidly-growing market for anyone, whatever their interests.