
4.8 Million Cybersecurity Jobs Are Open. The Problem Is Not the Talent.

Budget constraints overtook talent availability as cybersecurity's #1 hiring barrier for the first time. Eighty-eight percent of organizations had a security incident tied to staffing shortfalls.

Blue Line Research · May 17, 2026

The global cybersecurity workforce gap sits at 4.8 million unfilled positions, according to the 2025 ISC2 Cybersecurity Workforce Study. In the United States alone, the shortfall is 750,000 roles.

Hiring managers in this space will tell you it's impossible to find people. They are wrong about why.

The problem is not that qualified candidates do not exist. The problem is that organizations have made a series of self-inflicted hiring decisions that have created the appearance of a talent crisis while leaving actual talent on the sideline. The latest ISC2 data makes this explicit in a way it never has before.

The Budget Inversion Nobody Is Talking About

For the first time in the study's history, ISC2 found that budget constraints have surpassed talent availability as the primary driver of cybersecurity staffing shortages.

That is a significant shift. For years, the story was simple: not enough people with the right skills. The 2025 study finds something different. Thirty-three percent of respondents say their organizations do not have the resources to adequately staff their security teams. Another 29% say they cannot afford to hire people with the skills they actually need.

Add those together and you have more than 60% of organizations whose security staffing shortfalls are driven primarily by what they are willing to spend, not what the market can supply.

Meanwhile, 88% of respondents experienced at least one significant security event over the past 12 months that was directly tied to skills shortages on their team. The organizations that decided they could not afford the headcount are now paying for it in incidents.

The math is not complicated. The cost of a breach exceeds the cost of the hire. But the hire is a line item on a budget request. The breach is somebody else's problem until it is not.

The Requirements Problem Is Self-Inflicted

Budget is the systemic issue. Job descriptions are the tactical one. Both are fixable. Most organizations are not fixing either.

A large share of cybersecurity job postings describe entry-level positions while listing requirements that would screen out most mid-career professionals. Three to five years of required experience for roles titled "junior analyst" is not unusual. Lists of certifications that individually take months to obtain pile up in the qualifications section, and automated screening tools eliminate candidates who lack a specific degree or job title before a human sees the resume.

ISC2's April 2026 research identified a related problem at the senior end: hiring managers building "unicorn" searches. The target profile combines deep cybersecurity fundamentals with the ability to configure, train, and interpret advanced AI systems. That person exists, but not in volumes that can fill the thousands of open security roles at mid-size enterprises. Holding out for the unicorn while 88% of teams report breach-adjacent incidents is not a talent strategy. It is a prioritization failure.

The fix is not complicated: strip the job description down to what the role actually needs in the first 90 days. A SOC analyst learning cloud security on the job is a known, manageable training problem. An unfilled SOC seat for 11 months is a breach risk.

The Speed Gap Is Killing Your Pipeline

Cybersecurity roles take 21% longer to fill than standard IT positions, according to hiring data from multiple staffing firms active in this market. This is not because the candidate pool is smaller. It is because the hiring process is longer.

Security hiring routinely involves four to six rounds, multiple technical assessments, and background clearance processes that can add weeks. In a market where candidates for cloud security and identity roles are managing three or four concurrent processes, the organization that reaches an offer in three to four weeks wins. The organization that takes three months is training candidates to accept a competitor's offer.

Speed is not a courtesy to the candidate. In a market with a 4.8 million-role global gap and candidates who know their options, speed is the single clearest competitive differentiator a hiring organization controls entirely on its own.

What Is Actually Hot Right Now

The cybersecurity market is not uniformly hot. It is hot in specific pockets, and softer in others.

Cloud Security is the clearest growth signal. Job growth exceeds 30% with a decade-long runway driven by enterprise cloud migration that is still far from complete. Cloud misconfiguration accounts for 65% of major cloud security incidents, and most organizations are significantly understaffed to address it.

Identity and Access Management is close behind. Zero-trust architectures require IAM expertise at scale, and the practitioners who can design and implement these environments are in short supply across every sector.

Penetration Testing has roughly 12,000 open roles with 29% year-over-year growth. Demand is driven by regulatory compliance requirements and a wave of mid-market organizations that are now facing mandatory pen test cycles for the first time.

Incident Response shows 10,000 open roles with 25-30% growth. The combination of increasing breach frequency and new mandatory disclosure timelines is forcing organizations to staff IR capacity that they previously contracted out or assumed they did not need.

Roles showing softer demand: general-purpose security analyst positions at large enterprises that have been filled and refilled multiple times, and legacy network security roles written for on-premises environments that have not been updated to reflect cloud and software-defined networking realities.

What the Market Will Actually Pay

Compensation in cybersecurity has not softened despite the broader tech market correction.

CISOs average $385,165 in total cash compensation as of early 2026, with top packages at large enterprises well above $400,000. Mid-level cybersecurity analysts sit between $113,000 and $140,000 in total compensation, with the top 10% in finance and technology exceeding $160,000. Entry-level SOC analysts and security analysts range from $70,000 to $100,000.

Fifty-three percent of U.S. employers say they will increase starting compensation to secure candidates with in-demand skills. Forty-one percent will move on cloud security specifically. If you are opening a cloud security role at market rate and wondering why you cannot close candidates, the compensation may not be the problem. The process probably is.

AI-adjacent security roles command a premium of 35% or more. If your organization is building out AI security capability, that premium is real. Budgeting at standard security rates will not close candidates in that specialty.

Three Things to Do This Week

One: Audit your job descriptions against actual first-90-days requirements. Run every active cybersecurity requisition through one test: what does this person need to do in their first 90 days on the job? If the requirement list does not map directly to that answer, remove it. Certifications that will take three months to obtain should not be screening requirements for a role you need filled in the next 30 days.

Two: Set a 30-day close target. Map every step in your current security hiring process and identify where time accumulates. Panel scheduling, assessment administration, and clearance processing each add days. None of them require the candidate to do anything useful while they wait. Compress the process to 30 days maximum, with a goal of 21 days for priority roles.

Three: Get a real number on what unfilled seats cost. If you cannot get a budget increase for compensation or headcount, get your CISO to calculate the annual risk exposure from each unfilled security seat using your organization's own breach cost data. Budget committees respond to risk quantification in ways they do not respond to "we cannot find the talent."

The 4.8 million number is real. So is the fact that most of it is being manufactured by organizations that are either unwilling to spend what the market requires or unwilling to move at the speed it demands. Both are solvable problems.


If you are staffing a security team and want to see what the passive candidate pipeline looks like for your specific target roles, Blue Line can surface talent you're not reaching through job boards. Start here.
