A growing number of global organizations have major cyber-skills shortages, which in turn are worsening security posture, a new report from ISC2 has revealed.
The cybersecurity certifications provider polled over 16,000 industry professionals to produce its 2025 ISC2 Cybersecurity Workforce Study.
It revealed that 59% have “critical or significant” skills shortages, up from 44% last year. Although technical and non-technical skills are in short supply, the former are more pressing.
AI topped the list (41%), followed by cloud security (36%), risk assessment (29%), and application security (28%). Governance, risk and compliance (GRC) and security engineering came next (both at 27%).
The two biggest drivers of these shortages are a dearth of talent (30%) and lack of budget (29%). The share of respondents reporting budget cuts (36%) and layoffs (24%) remained virtually unchanged from 2024.
The impact of these shortages is stark: 88% of respondents said they led to at least one significant cybersecurity incident, with 69% experiencing more than one. A further 26% said shortages led to oversight in processes and procedures, and similar numbers noted misconfigurations, unsecured systems and a failure to harness emerging security tech (all 24%).
Read more on security skills: ISC2 Survey Reveals Critical Gaps in Cybersecurity Leadership Skills.
This year saw a departure from the traditional Cybersecurity Workforce Study in that ISC2 didn’t attempt to estimate the global industry workforce gap. That’s because of feedback from respondents.
“Traditionally, we have reported cybersecurity professionals’ view that the shortage of qualified people in the field was the most prominent factor impacting their ability to effectively defend their organizations,” the report noted.
“This outlook seems to be evolving as respondents to the 2025 study have highlighted that the need for critical skills within the workforce is outweighing the need to increase headcount.”
In fact, headcount appears to be stabilizing somewhat. The share of respondents reporting significant staff shortages was down 2% to 19%, while the percentage claiming they have the right number of professionals grew from 30% to 34% annually.
AI a Friend Not a Foe
Cybersecurity professionals appear more comfortable with AI as adoption increases, with most now viewing it in positive, career-enhancing terms. Some 69% of respondents said they are integrating, testing or evaluating the tech, while 73% claimed AI will create more specialized cybersecurity skills.
Nearly half (48%) said they are working to gain generalized AI knowledge and skills, and over a third (35%) are educating themselves on potential vulnerabilities and exploits related to AI solutions.
“We are seeing emerging technologies like AI are perceived as less of a threat to the workforce than anticipated,” said ISC2 acting CEO Debra Taylor. “Instead, many cybersecurity professionals view AI as an opportunity for career advancement. They are using AI tools to automate tasks, and they are investing their time to learn more and demonstrate their expertise in using and securing AI systems.”
Although nearly half of respondents reported exhaustion and an overwhelming workload, 87% said they believe there will always be a need for cybersecurity professionals, and 81% are confident the profession will remain strong.