The cost of cybercrime continues to rise. At the same time, the cybersecurity industry suffers from an unprecedented talent shortage. According to the "2024 Cybersecurity Workforce Study" from ISC2, the global cybersecurity workforce must grow by 3.4 million professionals to meet demand. Despite this issue, the job market remains challenging for candidates. CyberSeek states that there were 457,433 cybersecurity job openings in the United States from September 2023 through August 2024, with employers struggling to find workers with the necessary skills.
One of the reasons for that is the rapidly evolving nature of cyber threats. With cyberattacks becoming more sophisticated each year, professionals must stay updated on a constantly shifting set of vulnerabilities and tactics. A 2024 report from IBM notes that 60% of organizations have struggled to fill cybersecurity roles due to the high degree of specialized skills needed to counteract these threats effectively.
There is a significant mismatch between the supply of and demand for offensive and defensive cybersecurity specialists. Many professionals entering the field are primarily trained in offensive techniques, such as penetration testing, even though the industry does not require such a large number of specialists in this area. As a result, some are forced to leave the industry or shift their focus to defensive techniques. Those who transition to defensive roles often struggle, as they face extensive paperwork and routine tasks, which can lead to faster burnout compared to their colleagues.
Regulatory and compliance demands in some regions (particularly the US, UK, and EU) add another layer of complexity and act as a further limiting factor, especially in fields like finance, healthcare, and defense. Many cybersecurity positions, particularly those in government or sectors handling sensitive data, require not only technical skills but also local expertise, such as basic legal knowledge.
Professionals must often be familiar, at least superficially, with specific regulatory frameworks, such as the General Data Protection Regulation (GDPR) in Europe, the National Institute of Standards and Technology (NIST) in the United States, or ISO standards globally. These cybersecurity roles can also require citizenship or security clearances as a precondition for hiring, making it difficult to relocate talent from abroad (from countries such as India or the Philippines) or to engage outsourced staff. A report from Deloitte confirms that many organizations struggle to hire for compliance-focused roles because they cannot simply fill these positions with remote or outsourced staff: more than 40% of cybersecurity roles in compliance cannot be outsourced.
The job market for junior cybersecurity professionals is particularly challenging right now. While not all positions require highly specialized or experienced candidates, companies are currently reluctant to hire entry-level specialists who have less hands-on experience with cyber threats.
Ghost Jobs and High Expectations
There is, however, one significant issue that causes frustration for specialists at any level. That is the prevalence of "ghost jobs." Cybernews highlights that they account for nearly half of cybersecurity job postings.
Many HR departments publish these listings merely to build a pool of potential candidates for future openings. Unfortunately, this approach wastes candidates' time, leads to frustration, and creates a misleading sense of job availability in the market. In addition, these job offerings often come with inflated or overly broad requirements. A single listing might require skills in penetration testing, network defense, and regulatory compliance — competencies that are typically spread across distinct roles.
How to Act
Every year, the cybersecurity field produces only a limited number of new specialists, yet few companies actively invest back into this pipeline. Instead, many rely on this small talent pool without supporting educational initiatives, internships, or junior programs that could grow a larger, more skilled base of professionals.
According to a 2024 report from ISACA, fewer than half of companies have a structured approach to developing cybersecurity talent internally, preferring to seek "ready-made" experts rather than contribute to nurturing new ones. This lack of industry commitment only worsens the talent shortage, as companies struggle to find candidates with the right expertise and hands-on experience.
To bridge this gap, companies must rethink their approach to talent cultivation. Investing in junior professionals, providing more resources to make security roles effective, and partnering with educational institutions to build a steady pipeline of skilled talent are crucial. As long as businesses continue overlooking these efforts, they'll face an ongoing cycle of unfilled roles and heightened cyber-risk. Only with a stronger commitment to nurturing talent can the industry help build a robust, sustainable cybersecurity workforce for the future.