ISC2 Cybersecurity Workforce Study

(ISC) 2
CYBERSECURITY
WORKFORCE STUDY
A critical need for cybersecurity
professionals persists amidst a year
2022
of cultural and workplace evolution
Table of Contents
3 Executive Summary
5 Cybersecurity Workforce Gap & Estimate
18 Cybersecurity Team Culture
49 Career Pathways
67 Data Breaches, War and Modern Threats
73 Future of Cybersecurity Work
79 Conclusion
80 Appendix A – Workforce Gap and Estimate Methodologies
83 Appendix B – Study Participant Demographics

Executive Summary
2022 is a highly formative year for the cybersecurity profession. Shaped

and defined by geo-political and macroeconomic turbulence, the obstacles
of the modern cybersecurity landscape have galvanized passion and
persistence within its workforce - which continues to change and evolve
with the world around it. The global cybersecurity workforce is growing,
but so is the gap in professionals needed to carry out its critical mission.
We estimate the size of the global cybersecurity workforce at 4.7

million people – the highest we’ve ever recorded. According to our
research, however, the cybersecurity field is still critically in need of
more professionals. To adequately protect cross-industrial enterprises
from increasingly complex modern threats, organizations are trying to
fill the worldwide gap of 3.4 million cybersecurity workers. To fully
contextualize the state of cybersecurity in 2022, we’ll analyze the field
through multiple lenses.
At an enterprise level, the executive spotlight is pointed directly at

cybersecurity teams, who are expected to adapt and protect their
own organizations from mounting risks while complying with emerging
technology and regulatory requirements. Employees are adapting their
working style and routines to meet these modern challenges, but they
themselves are also evolving from cultural, emotional, and educational
perspectives, and these differences paint a nuanced picture of the values
and motivations that drive their careers.
As individuals, cybersecurity professionals are passionate about what they

do, and their organizations need to recognize this and bolster them with
the tools they need to succeed and continue charting a path forward for the
entire profession. It is clear in our study that corporate culture can be very
impactful on an employee’s experience and happiness on the job, which in
turn affects the efficacy of their work.
(ISC)2 Cybersecurity Workforce Study, 2022 3

The future of cybersecurity is defined by professionals evolving and
persisting through the volatility of today’s threat landscape. Traditional
habits are being broken and diverse perspectives are entering the field,
as the next generation uses new pathways to jump-start their careers.
In this report, the fifth annual (ISC)2 Cybersecurity Workforce Study, we

surveyed 11,779 international practitioners and decision-makers to gain
their unique perspectives and experiences about working in the modern
cybersecurity profession. This report highlights hiring and recruiting trends,
corporate culture and job satisfaction, career pathways, certifications,
professional development, how the workforce is adapting to current events
and what the future of cybersecurity work looks like.

Cybersecurity Workforce Gap & Estimate
Before we can analyze the nuances and trends fueling change within the
modern cybersecurity profession, it is paramount for us to understand the
holistic nature of the field itself – how it is growing and scaling to meet the
needs of organizations worldwide. Calculating a global workforce estimate
and gap are crucial to framing the remainder of this report.
To understand the scope of cybersecurity professionals worldwide, (ISC)2

introduced the cybersecurity workforce estimate in 2019. This proprietary
methodology integrates a wide array of primary and secondary data
sources to extrapolate the number of workers responsible for securing their
organizations (see Appendix A for details).
(ISC)2 estimates the global cybersecurity workforce in 2022 at 4.7 million, an

11.1% increase over last year, representing 464,000 more jobs. We saw gains
across all regions, with Asia-Pacific (APAC) registering the greatest growth
(15.6%) and North America the least (6.2%) (see figures 1-A and 1-B).
Our study estimates the cybersecurity workforce of 14

countries in 4 regions (see Appendix A for more details).
FIGURE 1-A
2022 Global Cybersecurity Workforce Estimate
4,656,084
+11.1% YoY
NORTH LATAM EMEA APAC

AMERICA
1,344,538 1,230,365 1,222,154 859,027
+6.2% +12.2% +12.5% +15.6%

FIGURE 1-B
2022 Global Cybersecurity Workforce Estimate
4,656,084
+11.1% YoY
U.S. CANADA MEXICO BRAZIL
1,205,812 138,726 542,418 687,947
+5.5% +12.2% +5.2% +18.3%
UK FRANCE GERMANY IRELAND
339,145 189,733 464,749 17,687
+13% +29.2% -.01% +17.7%
SPAIN NETHERLANDS AUSTRALIA JAPAN
153,167 57,672 143,680 388,402
+23.2% +64.3% +6.7% +40.4%
SINGAPORE SOUTH
KOREA
77,425 249,520
-16.5% +4.4%

While the cybersecurity workforce is growing rapidly, demand is growing
even faster. (ISC)2’s cybersecurity workforce gap analysis revealed that
despite adding more than 464,000 workers
in the past year, the cybersecurity workforce
gap has grown more than twice as much as
the workforce with a 26.2% year-over-year Despite adding more
increase, making it a profession in dire need
than 464,000 workers
of more people (see figures 2-A and 2-B).
in the past year, the
cybersecurity workforce
gap has grown more
than twice as much as
the workforce.
Our study estimates the cybersecurity workforce gap for 16

countries in 4 regions (see Appendix A for more details).
FIGURE 2-A
2022 Global Cybersecurity Workforce Gap
3,432,476
+26.2% YoY

AMERICA
436,080 515,879 317,050 2,163,468
+8.5% -26.4% +59.3% +52.4%

FIGURE 2-B
2022 Global Cybersecurity Workforce Gap
3,432,476
+26.2% YoY
U.S. CANADA MEXICO BRAZIL
410,695 25,385 203,027 312,852
+9.0% +1.6% -21.8% -29.0%
UK FRANCE GERMANY IRELAND
56,811 60,859 104,197 8,481
+73.4% +120.6% +52.8% -19.0%
SPAIN NETHERLANDS AUSTRALIA JAPAN
60,436 26,265 39,496 55,809
+57.5% +21.5% +57.5% +37.9%
SINGAPORE SOUTH CHINA INDIA

KOREA
6,071 16,643 1,482,085 563,364
-61.7% -52.0% +20.9% +630.9%

The workforce gap is not going unnoticed by cybersecurity workers – nearly
70% feel their organization does not have enough cybersecurity staff to
be effective. The shortage is particularly severe in aerospace, government,
education, insurance and transportation. A cybersecurity workforce gap
jeopardizes the most foundational functions of the profession like risk
assessment, oversight and critical systems patching. More than half of
employees at organizations with workforce shortages feel that staff deficits
put their organization at a “moderate” or “extreme” risk of cyberattack.
And that risk increases substantially when organizations have a significant
staffing shortage (see figure 3).
In your opinion, to what degree does this shortage of cybersecurity staff

FIGURE 3
put your organization at risk of experiencing a cybersecurity attack?

Organizations with Organizations with
significant staff shortage slight staff shortage
Extreme risk
20%
4%
Moderate risk
54%
41%
Slight risk
15%
36%
Low risk
7%
16%
No risk
3%
1%
Base: 4,967 global cybersecurity professionals whose teams have staff shortages

In many areas, our study found that the workforce gap is being felt by
employees more than ever. Compared with last year, far more cybersecurity
professionals indicated that their organization had experienced issues
like lacking proper time for assessment and oversight of processes, slow
patching of critical systems and inadequate time and resources for training
as a consequence of staffing shortages (see figure 4).
Which of the following have you experienced that you feel would
FIGURE 4
have been mitigated if you had enough cybersecurity staff?

2021 2022
Not enough time for 31%

proper risk assessment 48%
and management
Oversights in process 29%

and procedure 43%
Slow to patch 29%

critical systems 39%
Not enough time to 23%

adequately train each 38%
cybersecurity team member
Misconfigured 32%
systems 35%
Not enough resources to 23%

adequately train our staff 32%

ADDRESSING THE WORKFORCE GAP
Why does this workforce gap exist? How can organizations best
mitigate it? Some factors are certainly out of an organization’s control
– demand for cybersecurity employees is bound to increase as the
threat landscape continues to grow in complexity and supply can’t
always keep up. Indeed, the inability to find qualified talent was cited
most frequently as a challenge by organizations with cybersecurity
staff shortages (see figure 5). Yet while this may be the most common
challenge, it is not necessarily the most impactful.
To better understand what challenges are linked to the biggest

staffing shortages, we examined what percentage of employees at
organizations with those issues had significant staffing shortages. This
analysis suggests that the most negatively impactful issues are ones
that organizations can indeed control: not prioritizing cybersecurity,
not sufficiently training staff, and not offering opportunities for
growth or promotion. Being unable to find qualified talent was
actually the least impactful problem based on this analysis.

You indicated that your organization has a shortage of cybersecurity staff.
FIGURE 5
What do you think are the biggest causes for this shortage?
My organization can’t find enough qualified talent

43%
My organization is struggling to keep up with turnover/attrition

33%
My organization doesn’t pay a competitive wage

31%
My organization doesn’t have the budget

28%
My organization can’t offer opportunities for growth/promotion for security staff

24%
My organization doesn’t put enough resources into training non-security IT staff

to become security staff
23%
Leadership misaligns staff resources (i.e., we have too much staff in some areas
and not enough in others)
22%
My organization doesn’t prioritize security

19%
My organization doesn’t have plans in place for backfill roles

16%
My organization doesn’t sufficiently train staff

16%

When we take a look at what is actually being done to address worker
shortages, we can see that organizations are indeed putting in the effort
to mitigate staff shortages (see figure 6). However, what they are doing
is not always what is most effective. Although almost all initiatives had a
positive impact on staffing, we found that organizations with initiatives to
train internal talent – rotating job assignments, mentorship programs and
encouraging employees outside of cybersecurity to join the field – were
least likely to have shortages (see figure 7). These initiatives are particularly
impactful for larger companies – only 49% of companies with 1,000 or
more employees who had implemented all three of these internal training
initiatives had staffing shortages compared with 77% of those who had
implemented none.
These were not, however, the most commonly adopted initiatives. In fact,
many of the most effective initiatives had the lowest implementation levels.
The initiative with by far the lowest impact is outsourcing. Respondents at
organizations who were outsourcing cybersecurity were actually slightly
more likely to see a shortage in staff.
Automation is becoming more prevalent in cybersecurity as well – 57%

have adopted it today and an additional 26% plan to adopt it in the
future – and while it isn’t likely to take the place of cybersecurity workers at
any time in the foreseeable future, automating processes that are consistent
and repeatable frees up workers to focus on higher-level tasks. This may
reduce staffing shortage issues without requiring additional staff.

Which of the following is your organization doing or planning to do to help
FIGURE 6
prevent or mitigate cybersecurity staff shortages at your organization?
Provide more flexible working conditions

(e.g., Work From Home / Work From 64%
Anywhere)
71% of companies with
Invest in training 64% 10,000+ employees are
doing these 3 things
Recruiting, hiring, and onboarding 62%
of new staff
Invest in certifications 58%
Invest in diversity, equity, and

inclusion initiatives (e.g., attract more 57%
women and minorities to enter the
cybersecurity profession) 26% of all respondents'
Use technology to automate organizations are
57%
aspects of the security job planning to do this in
the future
Hire for attitude and aptitude, 50%
and train for technical skills
Use of outsourcing / services 48%

(broadly defined)
Mentorship programs 45%
Hire from outside the geographic regions

we typically have hired from because of 42%
WFH (Work From Home) trends
Encourage employees at your organization
outside IT and security to consider a career 41%
in cybersecurity
Address pay and promotion gaps, 39%

if they exist
Implement rotational job assignments 33%

(e.g., different roles within cybersecurity)
De-emphasis on technical degrees 30%

and certifications for new hires
Base: 11,525 global cybersecurity professionals on cybersecurity teams

Which of the following is your organization doing or planning to do to help
FIGURE 7
prevent or mitigate cybersecurity staff shortages at your organization?

IMPLEMENTATION LEVEL % WITH STAFFING
SHORTAGES
Provide more flexible working conditions (e.g., Work From
Home/Work From Anywhere)
64% 68%
Invest in training
64% 66%
Recruiting, hiring, and onboarding of new staff
62% 67%
Invest in certifications
58% 67%
Invest in diversity, equity and inclusion initiatives (e.g., attract
more women and minorities to enter the cybersecurity profession)
57% 67%
Use technology to automate aspects of the security job
57% 65%
Hire for attitude and aptitude, and train for technical skills
50% 63%
Use of outsourcing/services (broadly defined)
48% 70%
Mentorship programs
45% 63%
Hire from outside the geographic regions we typically have
hired from because of WFH trends
42% 66%
Encourage employees at your organization outside IT
and security to consider a career in cybersecurity
41% 61%
Address pay and promotion gaps, if they exist
39% 60%
Implement rotational job assignments (e.g., different
roles within cybersecurity)
33% 56%
De-emphasis on technical degrees and certifications for new hires
30% 63%

When it comes to hiring, cybersecurity Cybersecurity hiring
managers can’t work alone. The
study finds that cybersecurity hiring managers who had
managers who had a strong working a strong working
relationship with their HR department
were far less likely to have significant
relationship with their HR
staffing shortages at their organizations department were far less
(see figure 8). However, only 52% of
likely to have significant
respondents said that hiring managers
have a strong working relationship with staffing shortages at their
HR, and 40% of hiring managers said organizations.
that the HR department at their
organization does not add value
to the recruiting process.
Which of the following best describes how you feel about the number of
FIGURE 8
cybersecurity employees your organization currently employs to prevent

and troubleshoot security issues at your organization?
Organizations where HR and cybersecurity Organizations where HR and cybersecurity
hiring managers collaborate very poorly hiring managers collaborate very well
My organization has a significant shortage of cybersecurity

staff to prevent and troubleshoot security issues
49%
18%
My organization has a slight shortage of cybersecurity

37%
37%
My organization has the right amount of cybersecurity

13%
38%
My organization has a surplus of cybersecurity staff

to prevent and troubleshoot security issues
1%
6%
Base: 7,529 global cybersecurity professionals on in-house cybersecurity teams

WHAT IT MEANS FOR ORGANIZATIONS
THE CYBERSECURITY WORKFORCE GAP
Cybersecurity workers are in greater demand than they’ve ever been before
and supply can’t keep up. The global workforce gap increased by over 25%
this year and nearly 70% of organizations say they have a worker shortage.
Combatting staffing shortages is no easy task but findings from our research
yield some key places where organizations can focus:
• Understand what your gap is. Senior-level practitioners in our study

were more likely than managers or executives to say their organization
had a staffing shortage. This suggests that those making decisions
may not always have a full appreciation of what front-line cybersecurity
professionals are experiencing. Decision-makers should make sure they
are actively listening to employees to understand if and where there are
staffing shortages.
• Emphasize internal training. Our study found that the most impactful
organizational initiatives in reducing worker shortages were those that
took advantage of internal talent with programs like rotational job
assignments, mentorship and encouraging non-IT employees at the
organization to learn about cybersecurity. This was particularly true for
larger organizations that may have more internal talent; it’s just a matter
of finding and honing it. The challenges that were most associated
with high staffing shortages were a lack of emphasis organization-wide
on cybersecurity, insufficient staff training and a lack of pathways for
growth.
• Work with HR, not against them when hiring for cybersecurity. Hiring
is a challenging process. While cybersecurity hiring managers likely
know best what kinds of candidates to look for, HR managers are more
likely to have the expertise on finding and attracting those candidates.
Therefore, it's crucial for cybersecurity organizations to build effective
working relationships with HR. Those who don’t were more than 2.5x
as likely to have significant staffing shortages compared with those who
have built a strong relationship with HR.

Cybersecurity Team Culture
Company culture heavily defines employee experience. It shapes the social

environment that employees operate in. It impacts how they communicate
and collaborate with colleagues within their own team and across the
organization. And it can influence how satisfied and supported they feel by
their employer at large, ultimately influencing answers to the question of
“should I stay, or should I go?”
Staff shortages are a common challenge in the post-pandemic cybersecurity

environment. Many cybersecurity employees are being given increased
flexibility and the freedom to choose where and how they work. People
are seeking out work cultures that fit their lifestyles the best, and this has
led to increased turnover. 21% of respondents from North America have
switched organizations in the last 12 months; this is up from 13% in the
previous year.
For modern cybersecurity professionals, the definition of “corporate

culture” is changing as pre-pandemic norms are being shattered and
geographical lines are being blurred. In this critical area of our research, we
analyzed employee experience within cybersecurity, and particularly how
workplace trends and cultural nuances impact motivations, social values
and employee satisfaction. Although overall satisfaction with cybersecurity
work continues to be high, organizations may not be doing all they can to
maximize employee experience. For example, cultural divides between
junior and senior employees are widening, especially when it comes to the
perceptions of diversity, equity and inclusion.

UNDERSTANDING CYBERSECURITY EMPLOYEE EXPERIENCE
Amidst a year of great change, we examined the cultural landscape

of modern cybersecurity professionals and found:
FOR MANY, JOB SATISFACTION REMAINS HIGH.
Respondent satisfaction was lower, however, with their specific

teams (68%), departments (62%), and overall organization (60%).
Unhappiness tended to come from workplace culture and issues,
rather than from cybersecurity work itself. Many who left their
jobs over the past two years cited higher pay and more growth
opportunities. But, concerningly, the next three reasons for leaving a
job are all related to workplace conditions: negative culture, burnout
and poor work/life balance (see figure 9). Overall, only 50% of those
polled saw a high likelihood they would remain at their current
organization for the next five years.
Roughly 75% of those surveyed report being

“somewhat satisfied” or “very satisfied” with
their job and passionate about their work.

You indicated that you left a job within the past two years,
FIGURE 9
what were the biggest reasons behind you making this move?
I found a higher paying position somewhere else
OPPORTUNITIES
31%
GROWTH
I found a job with a better title/promotion
31%
Lack of opportunities for advancement/career growth

30%
I thought the work culture was negative/unhealthy

25%
NEGATIVE
CULTURE
I felt burnt out
21%
Bad work/life balance

19%
My previous team lacked resources/budget

14%
I changed industries/career focus

13%
My previous team was too short-staffed

13%
Moving locations (e.g., family move, spouse has a new work arrangement)
10%
I left for emotional health reasons

10%
Lack of representation/support from a DEI perspective

6%
Health issues
5%
Need to care for a family member

5%
Lack of childcare options

4%
Base: 5,102 global cybersecurity professionals who have worked in their current role for 2 or fewer years

RATING EMPLOYEE EXPERIENCE
To better understand what affects the satisfaction and overall

experience of cybersecurity workers, we developed a rating system
that examines a variety of key factors, including engagement in work,
feeling worn out at the job, sense of being fairly evaluated, and
more. The Employee Experience (EX) rating system uses a scale from
100 (excellent) to 0 (terrible). For ease of evaluation, we grouped
respondents into three categories based on their scores – “High EX,”
“Medium EX” and “Low EX.” In this study, we will mainly evaluate the
extremes, that is, high versus low. We’ll use the EX rating throughout
this report to quantify results and provide a valuable data foundation
for our recommendations.
Employee Experience Rating
Respondents fall into three overall categories

based on their employee experience levels:
SCORE N
Employees with high level 62 and 3,822
HIGH EX of happiness at their work above (32.6%)
Employees with a medium level 4,175

42 - 61
MEDIUM EX of happiness at their work (35.6%)
Employees with a low level of 41 and 3,716

LOW EX happiness at their work below (31.7%)
• EX scores are based on aggregated responses

from a series of employee experience questions
• Scores were indexed on a 100-point scale

for ease of analysis

Defining Employee Experience Rating
5.7%
4.6%
4.4%
4.2%
4.1% 4.0% 4.0%
3.9% 3.8%
3.7% 3.7% 3.7%
3.4%
3.3% 3.3%
2.9% 2.8% 2.8%

2.6%
2.1% 2.0% 2.0%

1.9% 2.0% 1.9% 1.9%
1.8% 1.8%
1.5% 1.5%
1.3% 1.3%
1.2%
0.7% 0.7%
0.3%
0.2%
LOW EX MEDIUM EX HIGH EX
MOST RESPONDENTS LIKE CYBERSECURITY WORK, BUT UNHAPPINESS

WITH ORGANIZATIONS FUELS STAFFING SHORTAGES
The analysis of responses on corporate culture, through the lens of EX

ratings, provides evidence on what drives poor employee experience and
satisfaction. We found:
• Low scores were generally driven by organizational issues, not with

the cybersecurity work itself. High EX employees expressed greater
passion for cybersecurity work, as compared to their Low EX colleagues.
The differences between the groups became far greater when it came to
satisfaction with their teams, organizations and departments (see figure
10). In fact, 60% of Low EX workers agreed that they like cybersecurity
work but are not satisfied with their team/organization; this is compared
with just 16% of their High EX counterparts (see figure 12).
• Low EX is very harmful to organizations. The data suggests that

poor EX is a major contributor to staffing shortages. Compared to
their higher-scoring peers, Low EX employees indicate they are far less
motivated and productive at work and are much less likely to remain at
their organizations for long (see figure 11).

Please rate your feelings for each following item on a scale
FIGURE 10
from very low to very high.
(Percentage showing High/Very High responses)
High EX Low EX
Passion for cybersecurity 85%

work in general 68%
Satisfaction 84%
with my team 57%
Satisfaction with 82%

my department 47%
Overall satisfaction 81%

with my organization 44%
Level of productivity
FIGURE 11
in my day-to-day 76%
work (compared with 54%
previous roles)
Likeliness to stay at 81%
my organization for
48%
the next 2 years
Motivation in my day- 80%

to-day work (compared
44%
with previous roles)
Likeliness to stay at 67%

my organization for
40%
the next 5 years
Base: 11,086-11,779 global cybersecurity professionals

TOP FACTORS INFLUENCING How much do you
FIGURE 12
EMPLOYEE EXPERIENCE agree or disagree
with the following
Our survey results strongly suggest that EX and statements about your
satisfaction are closely tied to organizational security team’s culture
culture. But what are the most impactful factors in general?
driving both high and low scores? To identify and
(Percentage showing
understand these, we first looked at the most
Agree/Completely Agree
common issues faced by respondents, as well as responses)
the initiatives their organizations have put in place High EX Low EX
to respond to these challenges. We then examined
the average EX rating of respondents who selected 60%
each issue to see what resulted in the lowest and 16%
highest ratings. We found:
• Not inviting and valuing worker input I like security work but
significantly contributes to poor EX. I’m not satisfied with
my team/organization
Respondents were asked what issues negatively
impacted their job satisfaction. The most
common answer was having “too many emails/
tasks.” This is unsurprising, considering the
prevalence of staffing shortages. However,
Base: 11,525 global cybersecurity
professionals on cybersecurity teams
employees being overworked, whether that’s

related to inadequate staffing or not, did not
negatively affect EX scores nearly as much as
a variety of cultural and organizational issues.
The most significant factor of poor EX was the failure of organizations

to listen to or value employee input (see figure 13). Cybersecurity
professionals are passionate about their work, so while overwork is not
a positive thing, it is not as negative as feeling like their expertise and
knowledge are not being valued or asked for. The data shows that this
impact is felt particularly with older workers who may feel like their
experience has earned them the right to have a voice in the industry and
their organization. When these employees are not listened to, they do
not feel valued.

Which of the following are issues in your current role
FIGURE 13
that negatively impact your job satisfaction?

AVERAGE EX
FREQUENCY RATING
Too many emails/tasks

30% 46.5
Lack of support from executives/managers
24% 41.1
Pay is too low
23% 44.5
I get stressed out from the weight of responsibility I feel
as a security professional
22% 44.3
The organization is not realistic in the way they measure
success of security
22% 42.2
Poor security policies/standards at my company create extra
work for me
19% 43.2
I am expected to work long hours
16% 42.4
Negative culture
15% 40.1
I feel like my job exists only to prevent breaches and I will
be blamed if one occurs
13% 40.4
My employer does not value or listen to my input
13% 35.8
Poor relationship with team members or managers
12% 39.2
Securing a remote workforce has added more stress to my role
10% 44.6
There is no flexibility or remote work option
10% 43.1

• Organizations that make employees feel heard have
happier personnel. On the flip side, the most common initiatives
that organizations have implemented to improve employee EX are
centered around work flexibility, including remote work. However,
such programs, while now considered essential accommodations by
many workers, are not the most impactful. Instead, efforts to value
the input of all employees produced the highest average EX rating
(see figure 14). This is unfortunately not common, as only 28% report
their organizations actively listen to and value the input of all staff.
The next most beneficial initiative, proactively soliciting feedback

on employees’ needs, is similarly not widespread with only 35%
reporting their organizations doing so.
According to respondents, the addition of extra vacation days

and recognizing birthdays and other special events were the least
impactful initiatives. Additionally, the institution of robust parental
leave policies was also near the bottom in terms of average EX,
though it was far more impactful for cybersecurity workers in their
30s, especially women.

Which of the following has your organization done
FIGURE 14
in an effort to create a positive work culture?

AVERAGE EX
ORGANIZATION IMPLEMENTATION LEVEL RATING
Implemented flexible work arrangements (e.g., employees

can work remote or at home)
49% 55.2
Encourages flexible work hours (i.e., not strictly
working from 9 a.m. to 5 p.m.)
42% 55.9
Promoted cybersecurity awareness to the whole organization
36% 56.4
Implemented mental health support programs/resources
35% 54.8
Diversity, equity and inclusion (DEI) training/initiatives
35% 55.5
Team building/bonding exercises/activities (e.g., office happy
hour, company outings/trips)
32% 56.0
Recognizes special events (e.g., holidays, birthdays etc.)
29% 53.3
Proactively solicits feedback on employees’ needs
28% 57.6
The organization values and listens to the input of all staff
28% 59.8
Implemented technology to make security professionals’ jobs easier
23% 56.8
Added extra vacation days
20% 53.8
Instituted robust parental leave policies
18% 54.0
Management and staff have created realistic KPIs
16% 57.3

Which of the following has your organization done in an effort to create a positive
FIGURE 15
work culture?
Implemented flexible work

arrangements (e.g., employees can Proactively solicits feedback
work remote or at home) on employees’ needs
49% 28%
Encourages flexible work hours

(i.e., not strictly working from 9 The organization values and listens
a.m. to 5 p.m.) to the input of all staff
42% 28%
Promoted cybersecurity awareness Implemented technology to make

to the whole organization security professionals’ jobs easier
36% 23%
Implemented mental health support

programs/resources Added extra vacation days
35% 20%
Diversity, equity, and inclusion (DEI)

training/initiatives Instituted robust parental leave policies
35% 18%
Team building/bonding exercises/

activities (e.g., office happy hour, Management and staff have created
company outings/trips) realistic KPIs
32% 16%
Recognizes special events They have not done anything

(e.g., holidays, birthdays etc.) to promote positive work culture
29% 5%

WILDLY POPULAR, REMOTE WORK DOUBLES TO 55% ADOPTION
As previously noted, the most common initiative

organizations have implemented to create a
positive work culture is changing where and when Over half of
employees work (see figure 15). In the wake of respondents would
COVID-19, flexible work arrangements have
become the norm. Prior to the pandemic, only
consider switching
23% of cybersecurity professionals worked jobs if they were no
remotely or had the flexibility to choose where
longer allowed to
they worked. Today, this number has surged to
55% (see figure 16). work remotely.
Remote work has a substantial impact on employee
experience. The average EX ratings of respondents
working fully remote (54.4) and flexible work (53.4) are higher than those
required to be full time in the office (48.0). Some 59% said they always
prefer to work remotely. Over half would consider switching jobs if they
were no longer allowed to work remotely.
Suspicion around remote work is still widespread, especially among

organizational leaders. 62% of non-manager cybersecurity professionals
say they are more productive when working from home; this is compared
to only 35% of managers who said remote staff are not as productive as
onsite staff.

Which of the following best describes how you were working prior to the
FIGURE 16
COVID-19 pandemic? Which best describes how you are working today?
How do you think you’ll be working two years from today?
Designated fully Flexible work (i.e., flexibility to

remote worker choose where I work and when)
Required to work in-office a Required to work

certain number of days per week in-office full time
57%
34% 35%
27%
19% 21% 20%
17% 18% 16%
15%
8%
Prior to the Today Two years from today

COVID-19 pandemic
COMBATTING BURNOUT AT WORK STARTS AT HOME
The ability to avoid burnout was another key factor in EX ratings.

The move to remote work has allowed people to proactively combat
feelings of burnout that would otherwise weigh down their day-to-
day experiences. The traditional workday is now broken up with non-
work activities in between tasks, such as physical exercise and pursuing
hobbies and other passions after work hours. The average EX rating for
respondents using these tactics was higher than it was for those who tried
to avoid burnout by changing work environments, seeking mentorship,
passing responsibilities to others or changing jobs. Figure 17 shows the
relative effectiveness of each activity based on the average EX score of
respondents pursuing it. Remote workers engaged in the most effective
activities, i.e., physical exercise and taking breaks, much more than in-
office workers (see figure 18).

What have you personally done to help combat/avoid burnout?
FIGURE 17
AVERAGE EX
ACTIONS RATING
Physical exercise
53% 53.7
Took breaks during the workday

47% 53.3
Pursued hobbies and other passions

45% 53.2
Used PTO/leave
40% 52.2
Set boundaries around/reduced work hours

36% 51.8
Passed off responsibilities to others

19% 48.1
Ask my manager for support

18% 47.5
Changed companies
15% 49.3
Volunteered/got involved with the community

14% 49.1
Changed positions
13% 47.7
Sought mentorship
12% 46.8

What have you personally done to help combat/avoid burnout?
FIGURE 18
In-office full-time workers Fully remote workers
37%
Took breaks during
the workday 58%
48%
Physical
exercise 56%
41%
Pursued hobbies
and other passions 49%
28%
Set boundaries around/
reduced work hours 41%
Base: 11,779 global cybersecurity professionals
CYBERSECURITY IS BEGINNING TO SEE A GENERATIONAL DIVIDE
Attention and attitudes toward organizational culture in the cybersecurity

industry have changed considerably over the last five years. Today, many
cybersecurity workers – especially younger ones – consider issues like
diversity, equity and inclusion (DEI), emotional health and having a louder
voice to be a greater priority (see figure 19).
Many of these younger individuals have concerns about a perceived

cultural divide between junior and senior employees. They feel that
longer-tenured colleagues, their employer and the cybersecurity
profession have created a “gatekeeping” culture that limits opportunity
and advancement. (In the survey, “gatekeeping” was defined as an
artificial or unnecessary barrier such as requirements for education,

certifications or specific skills). Nearly 25% of respondents below the age
of 30 considered gatekeeping and generational tensions as their top-five
challenges for the next two years; this is compared to just 6% of workers
who are 60 or older (see figure 20).
Findings suggest a connection between these hot-button issues and EX

scores. In our survey, workers who voiced the strongest concerns in these
areas had the lowest average ratings; the least concerned workers had the
highest ratings (see figure 21).
To what extent do you agree with each of the following

FIGURE 19
statements related to how the security industry’s culture

has changed in the past five years?
(Percentage showing Somewhat/Completely Agree responses)
60 or older 50-59 39-49 30-38 Under 30
67%
58% 60% 60%
54%
Emotional health is a greater priority compared with 5 years ago
63% 64% 66%

57% 61%
Diversity, Equity and Inclusion (DEI) are more important today than 5 years ago
54% 58%
48% 50%
43%
Employees have more of a voice than they did 5 years ago


How much do you agree or disagree with the following
FIGURE 20
statements about your security team’s culture in general?
(Percentage showing Agree/Completely Agree responses)
60 or older 50-59 39-49 30-38 Under 30
45% 44%
40%
31% 32%
There is a gatekeeping culture within the security profession
42% 43%
34%
25% 26%
There is a cultural divide between experienced and junior employees on our security team
39% 40%
35%
24% 27%
I like security work but I’m not satisfied with my team/organization
36% 36%
30%
20% 21%
There is a gatekeeping culture within my team
Base: 10,683-11,347 global cybersecurity professionals on cybersecurity teams

To what extent do you agree that there is a gatekeeping
FIGURE 21
culture within your team?
(Showing Average EX Rating)
Completely agree
40.0
Somewhat agree
45.8
Neutral
50.0
Somewhat disagree
54.2
Completely disagree
62.0

CYBERSECURITY TEAM CULTURE
Cybersecurity team culture is crucial to reducing employee turnover and

increasing productivity. Our study found that cybersecurity personnel
generally love cybersecurity work but that does not mean they are always
happy in their particular organization or team. Unhappy employees are less
productive and more likely to leave, costing organizations valuable time and
resources to replace them. Our study found that Low EX workers were more
than twice as likely to be employed at organizations with significant staffing
shortages. This suggests a vicious cycle: organizations with poor EX lose
staff, and this creates staffing shortages which harms EX even further. On
top of retention issues, 68% of Low EX employees say that workplace
culture impacts their effectiveness in responding to cybersecurity
incidents.
The key findings for organizations that are looking to prevent issues with
employee experience are as follows:
• Value your employee’s voice. Respondents not feeling as if their

voices are being heard resulted in the lowest EX rating on average.
Consequently, those at organizations that implemented initiatives to
listen to and value the expertise of all cybersecurity staff had the highest
EX rating of any organizational initiative. Therefore, it’s crucial that
cybersecurity leadership listens to and values the voice of all employees.
• EX initiatives pay off. While some initiatives to improve organizational

culture have a greater impact, it’s worth noting that all have a net
positive effect on EX. Organizations should not discount the importance
of these initiatives to improve the morale of cybersecurity teams.

• Flexible work options have become the norm. The pandemic changed
the way in which employees expect to work. 55% of respondents
currently have the flexibility to choose where they work on a daily basis,
and 84% have the ability to work at home at least part time. Over half
of workers say they would consider switching jobs if they were no
longer allowed to work remotely. Organizations that are not offering
flexible work arrangements are going to fall behind their competition
and lose workers.
• Prepare for a changing workforce. Younger workers note that they

are frequently feeling a cultural divide; this extends to the idea that
many organizations have a “gatekeeping” culture. Organizations need
to understand how the workforce at large is changing and begin to
adapt. Fostering collaborative relationships between junior and senior
employees can go a long way in creating a more productive and
harmonious transition to a new generation of cybersecurity workers.
68% of Low EX employees say

that workplace culture impacts
their effectiveness in responding
to cybersecurity incidents.

DIVERSITY, EQUITY AND INCLUSION
Across the world, the cybersecurity profession is rapidly changing

and experiencing profound demographic shifts in age, gender, race
and ethnicity. The divide between younger and older cybersecurity
professionals is the greatest within DEI. This gap is the result of both
generational changes in culture and in demographics themselves. For
example, in our study, women accounted for 30% of global cybersecurity
workers who are under the age of 30; additionally, they accounted for just
14% of those 60 or older. Dramatic shifts are happening even faster in race
and ethnicity demographics (see figures 22-A and 22-B). In this study, we
looked at racial and ethnic differences among cybersecurity professionals
in the U.S., Canada, the United Kingdom and Ireland. In each country, the
cybersecurity workforce has historically been dominated by white men,
who comprise nearly 70% of the 60 or older respondents but only 40%
of those under 30 (see figure 23). Cybersecurity professionals expect this
demographic shift to increase even further, with 55% saying the workforce
will be more diverse two years from today.
Age Group By Race

FIGURE 22-A
Non-white White
60 or older
19% 81%
50-59
22% 78%
39-49
32% 68%
30-38
42% 58%
Under 30
49% 51%
Base: 6,110 cybersecurity professionals in the United States, Canada, United Kingdom and Ireland
Note: The demographic distributions of gender, race and ethnicity should be considered a representation of the survey sample and not necessarily
reflective of the cybersecurity industry as a whole.

Age Group by Gender
FIGURE 22-B
Women Men
60 or older
14% 84%
50-59
12% 85%
39-49
13% 85%
30-38
24% 74%
Under 30
30% 69%

Age Group By Race And Gender

FIGURE 23
White men White women Non-white men Non-white women
60 or older
69% 13% 15% 3%
50-59
68% 10% 19% 3%
39-49
61% 7% 26% 6%
30-38
48% 10% 30% 12%
Under 30
40% 10% 27% 22%
Base: 4,266 cybersecurity professionals in the United States, Canada, United Kingdom and Ireland

Gender and race were defined in the following ways for this study:
Gender: Respondents self-identified their gender as being either

male, female or non-binary. Respondents who identified as non-binary
represented a sample that was too small to statistically analyze, so
results are not shown.
Race: Respondents were able to select any racial or ethnic group to

which they felt they belonged. For the purposes of analysis, we defined
“White” as any respondent who selected both “White/Caucasian”
and no other racial/ethnic group. “Non-White” respondents are
defined as those who selected a racial/ethnic group other than “White/
Caucasian.” “Non-White” respondents also include mixed-race
respondents who might have also selected “White/Caucasian.”
WHO’S THE BOSS? IT MAY BE CHANGING
Our survey found that higher positions are much less diverse than lower
ones, e.g., only 23% of C-level cybersecurity executives identified as being
non-white; this is compared with 47% of entry-level staff. It generally
follows that the non-White population in cybersecurity tends to be much
younger and less likely to be in executive positions.
In terms of gender, we’re seeing more women, especially younger ones,

holding managerial positions. In our study, women made up only 10%
of C-level executives who are 50 or older, but they account for 35% of
all executives in their 30s. Interestingly, women across the board remain
underrepresented in advanced, non-managerial positions, where they
make up only 17% of our respondent base.

Women Men
COUNTRIES INDUSTRIES
MOST Nigeria Retail/wholesale

GENDER-
DIVERSE 34% 66% 26% 74%
Mexico Entertainment/media
34% 66% 23% 77%
Ireland Engineering
33% 67% 22% 78%
Brazil Non-security software/

hardware development
31% 69%
22% 78%
India
Security software/
30% 70% hardware development
19% 81%
LEAST Netherlands Healthcare

GENDER-
DIVERSE 16% 84% 17% 83%
United Kingdom Insurance
16% 84% 15% 85%
United States Transportation
13% 87% 15% 85%
Germany Financial services
13% 87% 14% 86%
Japan Consulting
10% 90% 13% 87%


YOUNGER WORKERS HIGHLY VALUE DEI
As demographics and cultural forces change, so do attitudes toward

DEI. Younger employees placed far greater value on DEI than their older
colleagues. For workers under 30, organizational diversity initiatives had
the second-highest impact on EX ratings; this is behind organizations
valuing and listening to their input. For those over 60, DEI had the lowest
impact on EX.
Younger employees also have different expectations. When asked to

rate their organization on a scale from 1 to 10 for their efforts in diversity
with age, disability, gender, sexual identity and race/ethnicity, younger
employees judged their organizations much lower than their senior
colleagues did in all five categories (see figure 24). Age divides are more
dramatically intersected with gender and race/ethnicity. For example,
younger women and non-White employees were far more likely than any
demographic to agree with the following statements: “It’s important that
my security team is diverse” and “Diversity has contributed to my security
team’s success” (see figures 25 and 26). Additionally, many agreed with
this statement: “I don’t feel like I can be authentic and fully myself at
work.” It’s troubling that 30% of women and 18% of non-White employees
worldwide say they feel discriminated against at work.
30% of women and 18% of non-

white employees worldwide say they
feel discriminated against at work.

How would you rate your organization in terms of diversity in each of the
FIGURE 24
following categories?
(Respondents ranked their responses on a scale of 1-10 where 1 is “not at all

diverse” and 10 is “very diverse”)
60 or older 50-59 39-49 30-38 Under 30
6.49
6.14
Ability level (including
neurodiverse and those 6.17
with a disability) 6.17
5.95
7.30
7.09
Gender 6.83
6.90
6.76
7.11
6.79
Sexual identity 6.80
6.86
6.70
7.57
7.29
Race and ethnicity 7.11
7.20
7.18

Who agreed most with these statements related to DEI?
FIGURE 25
Green — strongest agreement Yellow/orange — medium agreement Red — strongest disagreement
NON-WHITE
Under 30 30-38 39-49 50-59 60 or older
Promoting diversity is a part of my
organization’s culture
It’s important that my security team is diverse
I don’t feel like I can be authentic and fully

myself at work
My company is not doing enough to address
DEI issues
I feel discriminated against at my workplace
My organization’s DEI initiative has had a

significant impact on my daily work life
Diversity within the security team has
contributed to my security team’s success
The employees at my company care more
about DEI than my organization does
We are not given a sufficient amount of
training related to DEI
WHITE
Under 30 30-38 39-49 50-59 60 or older

myself at work
DEI issues

Base: 4,360 cybersecurity professionals on cybersecurity teams in the United States, Canada, United Kingdom and Ireland

Who agreed most with these statements related to DEI?
FIGURE 26
Green — strongest agreement Yellow/orange — medium agreement Red — strongest disagreement
WOMEN
Under 30 30-38 39-49 50-59 60 or older

myself at work
DEI issues

MEN
Under 30 30-38 39-49 50-59 60 or older

myself at work
DEI issues


DEI has a big impact on workplace culture. For many,
especially young women and young people of color,
this impact is focused on the employee experience. Not
surprisingly, cybersecurity workers who say they feel on-the-
job discrimination and the inability to be themselves at work
report significantly lower EX ratings (see figure 27).
To what extent do you agree To what extent do you agree

FIGURE 27
with the following statement: with the following statement:

“I don't feel like I can be “I feel discriminated against
authentic and fully myself in my workplace.”
at work.”
(Numbers showing Average (Numbers showing Average

EX Rating of respondents) EX Rating of respondents)
Completely agree Completely agree

39.4 35.5
Somewhat agree Somewhat agree

41.5 36.9
Neutral Neutral
46.8 45.1
Somewhat disagree Somewhat disagree

54.4 50.8
Completely disagree Completely disagree

62.9 59.8

DEI
For both individual employees and organizations, DEI is an important issue.

Our study found that DEI programs play a significant role in preventing
or aggravating workforce shortages. Just 19% of organizations that have
implemented DEI initiatives reported significant shortages of cybersecurity
staff; this is compared to 34% of those who haven’t and don’t plan to do so.
Our research also discovered organizations that offered more DEI initiatives
had higher average EX ratings. This makes sense considering that nearly
two-thirds of respondents said an inclusive environment is essential for their
team’s success.
What types of programs/initiatives/tools does your company

FIGURE 28
use to promote DEI and accessibility?

DEI training for employees 40%
HR team that supports employees who feel discriminated

38%
against in the workplace
Skills-based hiring (evaluating talent objectively based
35%
on skills and potential)
Anonymous and clear pathways to report discrimination 34%
Accessible workplace design (Remote-work option,

34%
technology for persons with disabilities, etc.)
DEI events 30%
DEI employee groups or affinity groups 29%
DEI council or committee 27%
Job descriptions that refer to DEI programs/goals 22%
Don’t know/does not apply 17%
We do not have any DEI initiatives 6%

However, despite wide employee support, our study found that DEI-
related initiatives are not widespread. Only 40% of respondents said their
organizations offered employee DEI training (see figure 28). Countries
in North America and Europe (except France) tended to offer more DEI
initiatives; Asian countries offered the fewest.
Countries with fewer initiatives tended to have more racially and

ethnically homogenous populations. Given that DEI extends beyond
race and ethnicity to address gender, age, sexual identity and ability, the
discrepancies are noteworthy.
DEI is an opportunity available to executive leaders. Social politics and

ideologies aside, organizations should take a pragmatic look and consider
the real, increasingly clear connection between DEI initiatives and
cybersecurity staffing.
COUNTRIES/ECONOMIES WITH COUNTRIES/ECONOMIES WITH

MOST DEI INITIATIVES: FEWEST DEI INITIATIVES
1 United States 1 Hong Kong
2 Ireland 2 Japan
3 Sweden 3 South Korea
4 United Kingdom 4 France
5 Canada 5 China

Career Pathways
As corporate cybersecurity culture evolves to define the employee

experience, career pathways are being carved out by the next generation.
New trends and perspectives are emerging, i.e., evolution is motivating
people and organizations to value education, certifications and practical
skills differently than they have in the past.
We surveyed respondents from all walks

of life who are using their own education The primary driver for
(both institutional and personal) and
professional experience (both in and out earning certifications in
of IT) as starting blocks to break into the the future is fueled by a
industry. Here’s what we learned:
need to improve skills for
• For younger workers, more roads
lead to cybersecurity. Nearly half of
a specific position (64%).
respondents under the age of 30 move
into cybersecurity from a career outside
of IT. Younger professionals are more likely to use their education in
cybersecurity or a related field (23%) as a stepping stone to either enter
the profession or move from a totally different field (13%) outside the IT
or cybersecurity landscape. Some are even recruited after their own self-
education within cybersecurity (12%). As respondents approach ages 50
to 54, we observed a peak in the number of employees who have used
a career in IT as their pathway into the field (74%), demonstrating that
this very popular practice is no longer the primary source for recruiting
younger cybersecurity talent (see figure 29).

Which of the following best describes your pathway into a job in cybersecurity?
FIGURE 29
Started in IT then Started in another field then

moved to cybersecurity moved to cybersecurity
Pursued education in cybersecurity or related Explored cybersecurity concepts on my own
field then got my first job in cybersecurity and was recruited for a job in cybersecurity
Other
65 or older
70% 20% 3%3% 4%
60-64
73% 18% 3% 5%
2%
55-59
74% 15% 4% 3%3%
50-54
77% 13% 4% 4%
2%
45-49
72% 13% 9% 6%
1%
39-44
66% 14% 13% 6%
1%
35-38
59% 15% 16% 9%
1%
30-34
53% 17% 20% 10%
1%
Under 30
50% 14% 23% 12%
Base: 11,347 global cybersecurity professionals 1%

• Cybersecurity professionals are highly educated. Out of those
surveyed, 39% have attained a bachelor’s degree as their highest
form of education, 43% have earned a master’s degree, and 5%
have attained a doctorate (3%) or post-doctoral (2%) degree (see
figure 30).
What is the highest level of education you have completed?

FIGURE 30
Post-doctoral (or equivalent)
2%
Doctorate (or equivalent)
3%
Master’s degree (or equivalent)
43%
Bachelor’s degree (or equivalent)
39%
Two-year associate's degree (or equivalent)
6%
High school diploma (or equivalent)
6%
As we look deeper into the different perspectives and demographics

present within our research, we can extract some interesting findings.
For example, women in cybersecurity are more likely to hold master’s
degrees than men (49% compared with 42%). In addition, 55% of
non-White cybersecurity professionals hold a master’s, doctorate or
post-doctoral degree; this is compared to 44% of White respondents
(see figures 31-A and 31-B).

FIGURE 31-A
Non-white professionals White professionals

2%
1%

3%
2%

50%
41%

36%
41%

4%
8%

4%
6%
6,110 cybersecurity professionals on cybersecurity teams in the United States, Canada, United Kingdom and Ireland

FIGURE 31-B
Women Men

4%
2%

4%
3%

49%
42%

36%
39%

4%
7%

3%
7%

Most of the surveyed cybersecurity professionals focused their
education on computer and information sciences, with 51% of
bachelor’s degrees and 56% of master’s degrees having been
earned within this field. Engineering was the next most common
background, with 19% of bachelor’s degrees and 15% of master’s
degrees coming from engineering. The remaining 30% are
comprised of a mix of business, communications, social sciences,
mathematics, economics, biological and biomedical sciences and
other degrees outside of IT (see figure 32).
Which of the following best describes the focus of your education?

FIGURE 32
Computer and information sciences Engineering/engineering technologies Other area of study
Bachelor’s degree
51% 19% 30%
Master’s degree
56% 15% 30%
Doctorate
47% 13% 40%
Post-doctoral
44% 11% 45%
Base: 281-10,302 global cybersecurity professionals who hold these degrees

• For new hires, experience and practical skills are growing in
importance. From 2021 to 2022, practical skills and experience
have grown into being more important qualifications for those
considering employment in the cybersecurity profession. In
particular, more emphasis is being placed on relevant IT work
experience (29% to 35%), strong problem-solving abilities (38% to
44%) and relevant cybersecurity work experience (31% to 35%).
The ubiquitous importance of certifications
was less prioritized this year (29% vs. 32%), as
were cybersecurity qualifications or trainings
(17% vs. 23%), graduate degrees (10% vs. 13%) From 2021 to 2022,
and undergraduate degrees (10% vs. 14%) (see practical skills and
figure 33).
experience have
Interestingly, when we look at how different
genders responded to this data, we can see
grown into being
that women value cybersecurity degrees more more important
than men, and men place significantly more
qualifications for
emphasis on practical skills like problem-solving
and communication. This is in line with the those considering
fact that a greater percentage of women in employment in
the cybersecurity field hold degrees in higher
education (see figure 31-B). the cybersecurity
profession.

What are the most important qualifications for cybersecurity professionals
FIGURE 33
seeking employment?
(Showing top 6 increasing and decreasing trends)

2021 2022
INCREASING TRENDS DECREASING TRENDS
Relevant IT work experience Cybersecurity certifications

35% 29%
29% 32%
Strong problem-solving abilities Attending conferences

44% 4%
38% 7%
Knowledge of advanced cybersecurity Cybersecurity or related graduate

and cybersecurity concepts (i.e., Master’s or Doctorate) degree
10%
31%
13%
25%
Internships/apprenticeships
Knowledge of basic cybersecurity
4%
and cybersecurity concepts
7%
33%
28%
Cybersecurity or related undergraduate

(i.e., two- or four-year college) degree
Relevant cybersecurity work experience 10%
35% 14%
31%
Cybersecurity qualifications (e.g., trainings,

Strong strategic thinking skills etc.) other than certifications or a degree
27% 17%
23% 23%

• Despite a high level of work, cybersecurity is a rewarding
profession that is growing in recognition. When all is said and
done, cybersecurity professionals feel passionate about their work.
While they often feel overworked (70%), an even higher number
stated that it is a rewarding profession (78%). 76% agree that
there is more appreciation for it than in the past, with another 74%
of respondents saying that they love their job. It’s important to
note that there are hardly any differences within these categories
when we compared respondents in their current positions with
those who were at the same organization for a year or less, vs.
those who were with a company for more than two years. This
suggests that cybersecurity professionals are passionate about
their work, regardless of age or experience (see figure 34).
To what extent do you agree or disagree with the following statements about
FIGURE 34
the security profession?
(Showing Somewhat/Completely Agree responses)
Cybersecurity is a rewarding profession Cybersecurity professionals are valued at my organization

78% 73%
There is more appreciation for cybersecurity
professionals than there has been in the past Cybersecurity employees are often overworked
76% 70%
Certifications are more important earlier

I love my cybersecurity job on in a security career than later
74% 60%
There are hardly any differences Our organization is increasing its cybersecurity
amongst the top three categories professional development, training, and
regardless of the respondent’s education over the next 12 months
years in their current position 55%

or years at their organization.
It is easier now to get into cybersecurity
than when I entered the profession
55%
43% of hiring
Certifications are easier to get today
than they used to be managers say this
compared to 29% of
37%
Base: 11,779 global cybersecurity professionals non-hiring managers.
• Twice as many people view internal promotion as their next
career milestone vs. changing jobs. Despite cybersecurity’s high
turnover in 2022, respondents indicated that they would generally
prefer internal promotion (30%) over getting a new job (15%); this
is compared to moving to a new field within cybersecurity (12%),
becoming an independent contractor (6%) or starting a business
(6%) (see figure 35).
When we look deeper, those who seek promotion are also more
likely to be happier at their jobs. 36% of those with High EX want
to progress their career through internal promotion vs. just 24%
with Low EX. In addition, women (34%) are more likely to view
promotion as their next career step, compared to men (29%).
How do you see your cybersecurity career progressing in the next five years?
FIGURE 35
Significantly more people with High EX

Get promoted (36%) want to progress their career through
promotion vs. Low EX employees (24%). Women
30%
respondents (34%) are also more likely to view
career progression via promotion vs. men (29%).
I expect to be in the same role I want to start my own

in five years security business
20% 6%
Move to a new job Don’t know/ does not apply
15% ? 6%
Move to a new field within cybersecurity Move out of cybersecurity
12% 3%
I would like to work as an independent Other (please specify)

security contractor for a different company
than the one I’m working at now 3%
6%

• Those who enter the field to be challenged by an evolving
landscape often have a better experience. Motivations to enter
the cybersecurity field play a big role in the satisfaction that people
get out of it. Although the cybersecurity field is a challenging
profession that can lead to lots of work, those who dive in headfirst
looking for a continuously evolving landscape displayed the highest
EX rating; this is compared to those who selected any other reason.
Consequently, those who chose the profession simply for “job
stability” had the lowest EX rating on average (see figure 36).
Which of the following best describes why you originally entered

FIGURE 36
the cybersecurity profession?
(Showing respondents' top three responses)

Career advancement opportunities
32%
High demand for skills
32%
I did some cybersecurity work while in another role (e.g., general IT) and enjoyed it
31%
I thought I would enjoy the work
31%
Ability to solve problems
29%
Ability to work in a continuously evolving field
28%
Those who got into
It fit my skill set/education cybersecurity to work in
28%
a continuously evolving
Potential for high compensation/salary field have the highest EX
27% rating. Those who got
into it for job stability are
Personal/emotional satisfaction
more likely to have the
23%
lowest EX rating.
Job stability/low unemployment
17%
Ability to help people/society
15%

CERTIFICATIONS
• Certifications are evolving as an instrument for skills growth,

as opposed to a career launchpad. 96% of respondents within our
sample have earned at least one type of certification. In the past,
most cybersecurity professionals chose certifications as a means
of career progression and professional development (53%). The
primary driver for earning certifications in the future is fueled by a
need to improve their skills (64%) and stay current with cybersecurity
trends (53%). Cybersecurity professionals are now tailoring their
need for certifications based on their personal growth, with most
choosing to begin their certification journey within the first year
at a new company. Those with one year of experience or less at
their organization are even more eager to use certifications as a
means to improve their skills (69%) vs. those who have been at their
companies for more than two years (62%) (see figure 37).
96% of respondents
within our survey
have at least one
certification.

You indicated you have plans to get a certification in the future.
FIGURE 37
What is your motivation for doing so?

To improve my skills
64%
To stay current with security trends

53%
Certifications are an important part of my career and

New employees
professional development
47%
Those at
organizations for
I enjoy the challenge and the accomplishment
one year or less
42%
are more eager to
improve skills (69%)
To expand and demonstrate my experience to employers
with certifications
39%
vs. those at
organizations for
To expand and demonstrate my experience to peers more than two
32% years (62%).
To improve my organization’s security posture

31%
It is required for a job that I’m applying to/want

to apply to outside of my organization
15%
It is required in order for me to get a promotion

14%
My organization asked me to do it to fill a skills gap

12%
To meet the requirements of clients/potential clients

1%
Base: 9,626 global cybersecurity professionals who plan to earn a certification in the future

• Organizations are supporting employees to get certifications
– but don't always require them to. Companies are stepping
up their support of cybersecurity professional development, with
more than half offering reimbursements for third-party certification
exams (51%). This creates an environment where certifications are
encouraged but not required. 22% of respondents stated that, in the
past, certifications were required for promotion. Only 14% say that
this is driving a future need for certifications.
• Both vendor-neutral and vendor-specific certifications are

popular. 89% of our respondents stated that they earned at least
one vendor-neutral certification, e.g., (ISC)2, ISACA or CompTIA.
92% have earned a vendor-specific certification, e.g., Microsoft,
Amazon, CISCO. 50% of respondents have earned a vendor-neutral
certification within the last three years vs. 52% who’ve earned one
from a vendor in the same timeframe (see figure 38).
Do you have any vendor-neutral or vendor-specific cybersecurity

FIGURE 38
certifications? If so, when was the last time you earned one?
Vendor-neutral certifications (e.g., (ISC)2, ISACA, CompTIA) Vendor-specific certifications (e.g., Cisco, Microsoft)
I last earned a certification more than 10 years ago (and not since)
5% 5%
I last earned a certification six to 10 years ago

13% 12%
I last earned a certification four to five years ago

21% 23%
I last earned a certification one to three years ago

31% 30%
I earned a certification within the last year

19% 22%
I do not have any cybersecurity certifications

12% 8%
Note: For questions related to certifications, the data shown represents data from a third-party survey panel. Part of this survey includes respondents
from (ISC)2’s member base. They were excluded from these questions as to not skew the data.

66% are currently pursuing another vendor-specific certification or
planning to earn one within the next year, and 62% are currently
pursuing vendor-neutral certifications or planning to earn one within
the next year (see figure 39).
Which of the following best describes your plans to pursue any vendor-neutral
FIGURE 39
or vendor-specific cybersecurity certifications in the future?

Vendor-neutral certifications (e.g., (ISC)2, ISACA, CompTIA) Vendor-specific certifications (e.g., Cisco, Microsoft)
Currently pursuing
20% 20%
Planning to pursue within the next six months

25% 22%
Planning to pursue six to 12 months from now

21% 20%
Planning to pursue one to two years from now

15% 16%
Planning to pursue more than two years from now

6% 8%
Planning to pursue at some point, but not sure when

6% 7%
No plans to pursue any additional security certifications

7% 7%

Note: For questions related to certifications, the data shown represents data from a third-party survey panel. Part of this survey includes respondents
from (ISC)2’s member base. They were excluded from these questions as to not skew the data.

Vendor-neutral certifications are more in demand from employers;
55% of which require their employees to have them. This is
especially true for military personnel (82%). Comparatively, vendor-
specific requirements have dropped within the last three years at an
organizational level. In 2019, 55% of employers required them, vs. 38%
in 2022 (see figure 40).
Which of the following types of cybersecurity certifications

FIGURE 40
does your organization require you to have?
Vendor-neutral
Vendor-neutral cybersecurity certifications certifications are
(e.g. (ISC)2, ISACA, CompTIA, etc.) particularly ubiquitous
55% among military (82%)
personnel.
Requirements have
Vendor-specific cybersecurity certifications dropped significantly
(e.g., Cisco, Microsoft, etc.) in the past three years
38% (55% in 2019 vs.
38% in 2022).
None, my organization doesn’t require

me to have any type of certification
32%

HOW MUCH DO CYBERSECURITY
PROFESSIONALS MAKE?
We examined salaries by region and education level.
($) MEDIAN SALARY BY REGION

AMERICA
$134,800 $22,185 $93,535 $59,379

U.S.
$135,000
($) U.S. - EDUCATION-LEVEL
DOCTORATE/ MASTER’S BACHELOR’S ASSOCIATE’S

DEGREE/HIGH
POST-DOC DEGREE DEGREE SCHOOL DIPLOMA
$150,000 $142,000 $130,000 $127,750

PATHWAYS AND CERTIFICATIONS
The workforce is changing from the bottom up, and we have observed
that the next generation of cybersecurity employees is replacing traditional
expectations with new pathways and skill sets garnered from a broad range
of educational backgrounds, experiences and certifications.
Certifications define some of the most prominent and interesting trends

within the industry. In some cases, cybersecurity professionals are using
them and valuing them differently than their organizations are.
Our key takeaways for organizations that are defining their requirements
and expectations for a new generation of employees are as follows:
• Pathways: Recruit for a more diverse range of skills and

perspectives. Broadening your team’s recruiting efforts beyond
just those with IT experience is an opportunity to improve your risk
mitigation strategy. Almost half of employees under 30 are coming
into the cybersecurity profession with a background outside of IT, and
those who do can add value and perspective to your organization’s
cybersecurity mission through different skills and experiences.
Organizations that solely focus on recruiting for IT experience are
narrowing their ability to evolve alongside the modern workforce.
• Certifications: Use them as career builders, not barriers.

Cybersecurity professionals are not treating certifications as they used
to: 64% of respondents seek new certifications for skills growth, rather
than as a requirement for a job. In order to nurture new skills and
passionate work within employees, don’t use certifications as a barrier
to entry. Do more to incentivize them. This trend has already begun,
with more than half of organizations offering reimbursements for third-
party certifications and others easing their requirements around vendor-
specific certifications – this represents a decrease from 55% in 2021 to
38% in 2022. Almost half of employees under 30 are coming into the
cybersecurity profession with a background outside of the IT industry.
Embrace this trend by diversifying recruiting efforts.

Data Breaches, War and Modern Threats
Global cybersecurity professionals are reacting and adapting to more

than just a fast-growing shift to remote work. The first half of 2022 was
marked by both high-profile data breaches and the Russia-Ukraine war.
Organizations big and small are measuring their own cybersecurity efficacy
in the wake of corporate risk and military conflict. These heightened threats
have increased corporate attention on organizations’ cybersecurity teams,
thus raising the bar for expectations and creating more work for employees.
Despite a volatile threat landscape and increased corporate and

macroeconomic pressure, cybersecurity professionals are evolving and
adapting to meet modern challenges head-on.
Here is what we learned about the impact of current events on the

cybersecurity profession:
• High-profile data breaches increase organizational focus on

cybersecurity, but often at employees’ expense. In the wake of a
highly publicized cybersecurity breach, the general public turns their
attention to the cybersecurity profession. But how does it react to this
spotlight? We found that the most common impact, which was felt by
41% of respondents, is an increase in work. This is amplified in certain
industries, such as financial services (54%), aerospace (54%), government
(53%) and military (51%).
Although increased workloads and more attention from executive staff

are common reactions to a data breach, there is also a lack of top-
down support, which puts more pressure on employees. Only one in
five respondents stated that their organization would increase their
cybersecurity budget in response to a high-profile data breach. And an
even smaller minority (16%) stated that their organizations would hire
additional staff.

Similarly, executives pay more attention to their enterprise-wide
cybersecurity vulnerabilities after a newsworthy data breach or attack
takes place. 40% of our respondents state that they have experienced
an increased interest in their cybersecurity team following a data
breach – and this is even more significant within financial services (50%)
and insurance (49%) industries (see figure 41).
How have recent high-profile security breaches and

FIGURE 41
High Impact Industries:

vulnerabilities (e.g., Okta, Log4J, SolarWinds) affected Financial services – 54%
your security team? Aerospace – 54%
Increased work for security employees Government – 53%
41% Military – 51%
Increased attention on the security team from a corporate level High Impact Industries:
40% Financial services – 50%
Insurance – 49%
Increase in security and/or privacy discussions at executive levels
34%
Increased security requirements for employees (e.g. added

required two-factor authentication for all employees)
29%
Increased expectations for security employees

28%
Increased spending on new technologies to combat breaches

22%
Increased security budget

20%
Switched or re-evaluated security vendors, service providers or IT auditors

18%
Hired additional IT security staff

16%
I’ve requested budget for more staff

11%
We have not made any changes as a result of these breaches

8%

Within our research, we learned that dissatisfaction within the
workplace often stems from an organizational level, and this is a prime
example of why that might be. Organizations need to support their
employees by giving them the tools they need to defend themselves
and their organizations. By doing so, the scope and scale of future
data breaches may be mitigated by professionals who are not only
more prepared, but more satisfied with where they work and who
they work for.
• The Russia-Ukraine war is galvanizing action within specific

industries. Global organizations across all industries have been
impacted in different ways by the Russia-Ukraine war. On average,
the most significant impact across all organizations has been an
increased focus on business continuity and resiliency (29%), followed
by an increase in cyberattacks (22%), more focus on handling crisis
communications (22%) and increased investment in cybersecurity
(19%) (see figure 42). However, regional, industrial and employee size
differences create a more detailed impact analysis.
EMEA (31%) and North America (30%) have been more focused on
business continuity and resiliency (31%) when compared with APAC
(26%). Smaller organizations are not as concerned with business
continuity and resiliency (selected by 18% of companies with less than
100 employees), as compared to larger organizations (22% response
from companies with less than 100 employees).
Travel-related organizations have been especially spurred into

defensive action. 27% of respondents within the transportation and
food/beverage/hospitality/travel industries are already increasing their
cybersecurity investments as a result of the war. Some of this response
is contextualized by the fact that more than 25% of transportation,
automotive, energy, power and utilities organizations have
experienced an increase in cyberattacks as a result of the war. The
most significant industrial impact is an increased focus on business
continuity and resiliency, which is felt within the energy, power and
utilities (40%), financial services (38%), manufacturing (33%) and
healthcare (31%) sectors.

What impact has your organization experienced as a result of the war in Ukraine?
FIGURE 42
HIGH IMPACT INDUSTRIES

Energy, power and utilities: 40%
Financial services: 38%
Increased focus on business continuity and resiliency 29% Manufacturing: 33%
Healthcare: 31%
There has been no impact to our organization

as a result of the war in Ukraine 23%
Energy: 30%
Increase in cyberattacks on us/our third-party
partners and suppliers 22% Auto: 26%
Transportation: 26%
Increased focus how we handle crisis communications 22%
Transportation: 27%
Increase investment in security 19% Food/beverage/
hospitality/travel: 27%
Concern over security attack retribution as a result from 19%

making a corporate public statement about the war
Improved relationships with government contacts and

information sharing groups (e.g., local CSIRT or CERT, 19% Energy: 26%
InfraGard, etc.)
Invested in secure communications tools to address

risks like eavesdropping, metadata exposure, data loss, 17%
noncompliance (e.g., encrypted chat and voice calling)
Exit of our business operations in Russia 16%
Disruptions to our innovation roadmap due to

employees or contractors located in regions, 13%
and in locations affected by sanctions
Discussions with our insurance provider

about cyber insurance coverage 13%
Misinformation and disinformation sowing confusion

among executives and the board about cyber risks 13%
Migrated/transferred data out of the region 12%

• Despite the challenges of the modern cybersecurity landscape,
most feel confident in their ability to mitigate risks. At an industry
level, our research is meant to get a pulse on those that are most
prepared to defend themselves from future attacks. We found that
cybersecurity professionals in the following industries are the most
confident in their organizations’ ability to do so: food/beverage/
hospitality/travel (81%), security software/hardware development
(75%), insurance (72%), construction (72%) and engineering (71%)
sectors. Cybersecurity professionals in the five industries with the
lowest confidence levels (e.g., transportation, education, healthcare,
military/military contractors and government) were still more than 60%
confident in their organizations’ abilities to mitigate cybersecurity risks
(see figure 43).
"Despite a challenging threat landscape, we are able to adequately

FIGURE 43
mitigate risks."
(Percentages showing Agree/Strongly Agree responses)
TOP 5 BOTTOM 5
81% Food/beverage/ 65% Transportation

hospitality/travel
64% Education
75% Security software/
hardware 63% Healthcare
development
62% Military/military
72% Insurance contractor
72% Construction 61% Government

71% Engineering
Base: 115-1,220 global security professionals

DATA BREACHES, WAR AND MODERN THREATS
Each year, news of high-profile data breaches and geopolitical strife make
their way to the executive desks at organizations across the world. These
individuals raise their cybersecurity alarms in an attempt to mitigate the
impact that something like this could have on their company and its assets.
However, effective mitigation relies not only on employees carrying out the
work but also on the support that those employees have. Our key takeaway
is as follows:
• Provide employees with top-down support to effectively mitigate

risks. As we have learned in our study, the most common impact felt by
our respondents after a high-profile data breach has been an increase in
work (41%). This burden falls directly on the shoulders of employees on
the front lines of defense. This responsibility needs to be a top-down,
bottom-up mission in which those on the front lines are armed with the
support and tools they need to holistically defend their organizations.
EX suffers when employees don’t feel supported, so the way to retain
staff and mount up for a potential cyberattack is to support the people
who defend you.

Future of Cybersecurity Work
While it is important to evaluate the landscape of the current

cybersecurity profession, it is also critical to look to the future. Amidst the
geopolitical conflict, macroeconomic turbulence and high-profile data
breaches, cybersecurity has become an intensely important function for
organizations worldwide. So, what waits on the horizon? We asked our
respondents to identify the challenges, improvements and trends they will
face going forward as well as their organizations’ preparedness to handle
new, anticipated risks. Here is what we learned:
• Future challenges are rooted in emerging technology, the changing

regulatory landscape and skills shortages. Our research shows
that over the next two years, 61% of cybersecurity professionals are
primarily concerned by the potential risks of emerging technology
(e.g., blockchain, AI, VR, quantum computing, etc.). This is closely
followed by the 60% who are concerned about keeping up with
regulatory requirements (e.g., PCI DSS v4, GDPR, AI regulations, etc.)
and those who consider worker/skill shortages to be a continued risk
(60%) (see figure 44).

What are the biggest challenges that cybersecurity
FIGURE 44
professionals will have to face over the next two years? APAC is most
concerned about this,
particularly in China
Risks of emerging technologies like blockchain, AI, (68%) and South
VR, quantum computing, intelligent automation, etc. 61%
Korea (65%).
Keeping up with changing regulatory requirements North America (69%)

(e.g. PCI v4.0, GPDR, AI regulations, breach disclosure 60% is most concerned
requirements etc.)
about this.
Worker/skill shortages in the workforce 60%
Adapting to risks from advances in

employee computing technologies (e.g., 55%
increased prevalence of sensors, AI, etc.)
Cyber-attacks stemming from cyber operations

as a precursor to military conflict, tactic of 53%
military operations, or tool of retaliation
Insider threats 49%
Addressing risks from an employee’s

home environment
43%
Misinformation and disinformation sowing

confusion among executives and the board 38%
about cyber risks
Keeping up with environmental

regulatory requirements
28%
Addressing the impact of cyber insurance premium 27%

increase on the security program and practices
Tension between tenured and junior

security employees 16%

These risks vary across regions, and when we look closer at our
research, we can see that the cybersecurity professionals in the
APAC region (65%) – primarily China (68%) and South Korea
(65%) – are much more concerned about the cybersecurity risks
of emerging technology within the next two years, compared
with LATAM (62%), North America (60%) or EMEA (59%).
Not all risks are concentrated in APAC. North American

cybersecurity professionals are significantly more concerned
about skill shortages than others, with 69% of respondents
saying that this will be a future challenge. As we learned in our
corporate culture research, the turnover rate in the US and
Canada grew from 13% to 21% year-over-year, and this may
explain some of the regional significance in skills shortage,
especially since skills shortages are considered much less of a risk
in EMEA (56%), APAC (50%) and LATAM (47%).
• Despite risks and regional differences, cybersecurity

professionals expect staff to grow at a much higher rate in
the future. Within the next 12 months, 72% of respondents
expect staff to increase somewhat or significantly. This is
the highest predicted growth rate over the last three years,
compared to 53% in 2021, and 41% in 2020. It suggests an
optimistic outlook on the future of the cybersecurity profession’s
growth, despite current and near-term risks. The question is,
will the supply of new workers be able to keep up with the
increase in demand? Regionally, LATAM (81%) and EMEA (76%)
respondents are significantly more confident of an increase in
staffing levels, whereas APAC (71%) and North America (68%) are
still positive but a bit below the average (see figure 45).

How do you expect your organization’s total staffing for cybersecurity
FIGURE 45
to change 12 months from now compared to current levels?

2020 2021 2022
10% 41% 53% 72%

Significantly increase 15%
19%
31%
Somewhat increase 38%
52%
43%
No change 36%
23%
13%
Somewhat decrease 9%
4%
3%
Significantly decrease 2%
1%
• Across industries, some have the skills and tools needed

to mitigate long-term risks, and some don’t. We asked our
respondents how much they agreed that their organization
has the tools and people needed to respond to cybersecurity
incidents over the next two to three years. The most confident
responses we received were comprised of 66% of cybersecurity
professionals working at cybersecurity software/hardware
development companies. In addition, 65% of respondents
working within construction, food/beverage/hospitality/travel
and retail/wholesale agreed or strongly agreed that they have the
tools and people they need to mitigate future risks. IT services
(61%) was also within the top five most confident industries.
Respondents within the public sector and government-related

industries were least confident in their ability to mitigate long-
term risks based on their current staff and tools; aerospace (50%),
education (47%), healthcare (47%), military/military contractors
(43%) and government (42%) were the lowest we observed (see
figure 46).
“My organization has the tools and people we need to ensure
FIGURE 46
we are prepared to respond to cyber incidents over the next

two to three years.”
(Percentages showing Agree/Strongly Agree responses)
TOP 5 BOTTOM 5
66% Security software/ 50% Military/military

hardware contractor
development
47% Healthcare
65% Construction
47% Education
65% Food/beverage/
hospitality/travel 43% Aerospace
65% Retail/wholesale 42% Government
61% IT services
Base: 115-1,220 global cybersecurity professionals
• The future of cybersecurity is growing more diverse. Our

research has shown that pathways are opening for educated
professionals with diverse backgrounds and cultures, but will
this continue in the future? We asked respondents this very
question and received their predictions about the next few
years. We particularly wanted to know how their own team
is likely to evolve. 55% believe that their team will become
more diverse two years from now. Five years into the future,
there is an even greater confidence in diversity, with 60% of
respondents predicting more diversity (30% of which say it
will be much more diverse) (see figure 47).

When thinking about how your cybersecurity team is likely to
FIGURE 47
evolve, please tell us how more or less diverse you expect it to

be in the next few years (e.g., increased representation across
age groups, gender, race, sexual identity, disabilities, etc.).
Much more
diverse
30% 16%
A bit more
diverse
39%
31%
Five years from today Two years from today
Base: 8,092 global cybersecurity professionals who have worked at the same organization for two or more years
• In a post-pandemic world, the normalcy of remote

work continues to spread. The pandemic has left a
lasting impact on this profession, as it has with many
others – changing workers’ expectations and their
satisfaction levels around their commutes and flexibility.
This is putting pressure on organizations to now adapt
and provide their employees with what makes them
the most satisfied and productive, in order to prevent
attrition. This has had a clear impact on the expectations
of our respondents. When asked if they expected to be
working remotely or on a flexible basis, the same amount
of people who are working fully remote now or have
the flexibility to do so (55%) expect to stay that way two
years from now.

Conclusion
The need for more cybersecurity professionals is increasing. As the global

landscape of geopolitical and economic risks evolves, so does a steadfast
field of multi-cultural and multi-generational workers. We have heard
from cybersecurity professionals with a wide range of perspectives across
the world, and they are telling us that they are rewarded by their careers
and adaptable to internal and external challenges in the workplace.
Our research suggests that the cybersecurity workforce is driven by a

passion for what they do; and they have the best experience when they
are able to chart their path and progression in the field. However, this
experience is diluted when employees do not feel supported by the
groups they work for. Individual employees need to be supported by
their collective teams and organizations. Staff retention continues to
be an issue, and although there is optimism about hiring/recruiting in
the future, companies need to take more action to inspire loyalty and
mitigate attrition. Showing employees that they are valued and listened
to will improve their experience within the workplace (whether it’s remote
or on-site).
To improve, more organizations need to follow the example that

others have set by supporting their employees’ career growth through
certification reimbursements, professional development offerings and
mentoring programs. Improving the employee experience and giving
professionals the tools they need to succeed is key to reducing the global
gap in skilled cybersecurity staff.

Appendix A: Estimation Methodology
This year, our method compiles a variety of secondary data sources in

combination with proprietary survey data to create a single, holistic
estimate. This tactic of combining multiple different methodological
approaches keeps any single number from disproportionately influencing
the final estimate.
WORKFORCE ESTIMATE METHODOLOGY
The estimate of the global cybersecurity workforce begins with estimates

of the U.S. workforce, as the U.S. provides a crucial combination of a
robust sample and reliable secondary data sources. The U.S. estimate is
derived from three main methodological groups:
1. Survey-based estimates. Survey data on the number of cybersecurity

professionals who are employed by organizations is combined with
secondary data estimates of the number of U.S. business entities in
various size strata. These secondary sources include: the U.S. Bureau
of Labor Statistics's Quarterly Census of Employment and Wages;
the U.S. Census’s Statistics of U.S. Businesses Survey; and the U.S.
Census’s County Business Patterns study.
2. Third-party estimates. Various estimates of related populations

were modified based on survey findings to match our estimation
criteria. This includes the U.S. Bureau of Labor Statistics' estimate of
cybersecurity analysts.
3. Trending estimates. Previous years’ estimates were trended using

multiple methodologies to provide expected estimates for this year’s
numbers.

The U.S. estimate provides a baseline for the estimates of the rest of
the world. Estimates for other countries used similar methods except
replacing third-party estimates for estimates derived from the U.S.
baseline; most countries did not have reliable third-party estimates.
The secondary data estimates for countries outside of the U.S. came
primarily from the Organisation for Economic Co-operation and
Development (OECD). China and India, while included in the gap
estimate, were excluded from the workforce estimate due to a lack
of reliable secondary sources.
U.S. ESTIMATE REST OF WORLD ESTIMATE
• Survey-based estimates • Survey-based estimates
• Third-party estimates • U.S. baseline estimates
• Trending estimates • Trending estimates

GAP ESTIMATE METHODOLOGY
The workforce gap used similar approaches to the estimate of the total
cybersecurity workforce. A combination of survey-based, trending and
third-party methodologies provided the U.S. estimate, which was then
used as the baseline for the rest of the world. The basic calculation for
the workforce gap comes down to: gap equals demand minus supply.
• Demand is defined as the number of cybersecurity jobs organizations

would like to employ over the next year minus the number of current
workers.
• Supply is defined as the number of workers that will enter the field
over the next 12 months minus the number of workers that will leave
the field.
In total, this makes the equation for calculating the gap: workforce
gap equals (total demand over the next 12 months minus the current
workforce) minus (number of workers entering the field minus number of
workers leaving the field).
WORKFORCE
GAP
= DEMAND - SUPPLY
TOTAL
DEMAND - CURRENT
WORKFORCE
NUMBER
OF NEW
CYBERSECURITY -
NUMBER OF
WORKERS
LEAVING
WORKERS CYBERSECURITY

(ISC)2 Cybersecurity Workforce Survey Respondents
Appendix B: Study Participant Demographics
COMPANY SIZE INDUSTRY (TOP 10 SHOWN)
20,000 or more 23% IT Services 25%
10,000-19,999 6% Financial Services 11%
5,000-9,999 9% Military/Military Contractor 9%
2,500-4,999 9% Government 8%
1,000-2,499 12% Consulting 6%
500-999 10% Healthcare 4%
250-499 7% Telecommunications 4%
100-249 7% Manufacturing 4%
50-99 5% Security Software/Hardware

4%
Development
20-49 3%
Education 3%
10-19 2%
5-9 1%
2-4 1%
1 (independent contractor
2%
or self-employed) RESPONDENT LEVEL
C-level executive 4%
Executive management 7%
ROLE Director/Middle manager 21%
IT Manager 9% Manager 22%
IT Security Manager 7% Non-managerial mid or advanced

38%
level staff
Security Engineer 6%
Entry/junior-level staff 3%
IT Director 6%
Independent contractor/consultant 4%
Security Consultant/Advisor 5%
Security Architect 4%
IT Specialist 4%
IT Security Director 4%
Security Analyst 4%
CISO 4%

(ISC)2 Cybersecurity Workforce Survey Respondents
DEPARTMENT FULL TIME/PART TIME
IT 42% Employed/self-employed full time 97%
Security/privacy 58% Employed/self-employed part time 3%
INTERNAL/EXTERNAL TIME SPENT ON SECURITY
Internal security staff for my 100% of a typical week 17%

64%
organization
75% - 99% 23%
Security consultant or consultancy 20%
50% - 74% 26%
External security service provider
(e.g., MSSP, external SOC, 10% 25% - 49% 23%
independent contractor etc.) 1% - 24% 12%
Other 5%
AREA OF FOCUS (NICE FRAMEWORK) AGE
Analyze 11% 74 or older 0.1%
Collect and operate 6% 65-73 1.3%
Investigate 4% 60-64 3.9%
Operate and maintain 14% 55-59 7.7%
Oversee and govern 30% 50-54 11.7%
Protect and defend 12% 45-49 15.5%
Securely provision 18% 39-44 21.3%
35-38 16.8%
30-34 14.7%
HIRING AUTHORITY
23-29 6.8%
I make final decisions
29%
about hiring Under 23 0.2%
I am part of a team that
26%
makes hiring decisions
I interview candidates and

influence decisions but do 24%
not make final decisions
I do not have hiring authority

or influence over decisions 21%
about hiring

COUNTRY STATE (TOP 20 SHOWN)
United States (US) 38% Virginia 11%
United Kingdom (UK) 7% California 9%
Japan 5% Texas 7%
Canada 5% Maryland 6%
China 3% Florida 4%
Germany 3% Colorado 4%
Netherlands 3% New York 4%
India 3% Pennsylvania 3%
Singapore 3% Georgia 3%
Australia 3% Washington 3%
Brazil 2% Illinois 3%
France 2% North Carolina 3%
Spain 2% Ohio 3%
South Korea 2% Massachusetts 2%
Republic of Ireland 2% New Jersey 2%
Mexico 2% Arizona 2%
United Arab Emirates 1% Alabama 2%
Saudi Arabia 1% Minnesota 2%
Nigeria 1% Michigan 2%
Other 9% Utah 1%
Base: 11,779 global cybersecurity professionals on cybersecurity teams Base: 4,507 global U.S. cybersecurity professionals on cybersecurity teams
GENDER OF RESPONDENTS
Female 17%
Male 78%
Intersex 0.2%
Transgender 0.3%
Non-binary 0.3%
Prefer to self-describe 0.2%
Prefer not to say 4%

ABOUT (ISC)2
ISC)² is an international nonprofit membership association focused

on inspiring a safe and secure cyber world. Best known for the
acclaimed Certified Information Systems Security Professional (CISSP®)
certification, (ISC)² offers a portfolio of credentials that are part of a
holistic, pragmatic approach to security. Our association of candidates,
associates and members, more than 235,000 strong, is made up
of certified cyber, information, software and infrastructure security
professionals who are making a difference and helping to advance the
industry. Our vision is supported by our commitment to educate and
reach the general public through our charitable foundation – The Center
for Cyber Safety and Education™. For more information on (ISC)², visit
www.isc2.org, follow us on Twitter or connect with us on Facebook and
LinkedIn.
ABOUT THE (ISC)² CYBERSECURITY WORKFORCE STUDY
(ISC)² conducts in-depth research into the challenges and opportunities

facing the cybersecurity profession. The (ISC)² Cybersecurity Workforce
Study is conducted annually to assess the cybersecurity workforce
gap, to better understand the barriers facing the cybersecurity
profession, and to uncover solutions that enable individuals to excel
in their profession, achieve their career goals and better secure their
organizations’ critical assets.
The 2022 (ISC)² Cybersecurity Workforce Study is based on online

survey data collected in collaboration with Forrester Research, Inc. in
May and June 2022 from 11,779 individuals responsible for cybersecurity
at workplaces throughout North America, Latin America (LATAM),
the Asia-Pacific region (APAC), and Europe, Africa & The Middle East
(EMEA). Respondents in non-English speaking countries completed
a locally translated version of the survey. The sample size within each
country was controlled to ensure a mix of company sizes and industries.
Learn more at www.isc2.org/research.

ISC2 Cybersecurity Workforce Study

Uploaded by

Copyright:

Available Formats

ISC2 Cybersecurity Workforce Study

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ISC2 Cybersecurity Workforce Study

Uploaded by

Copyright:

Available Formats

(ISC) 2

5 Cybersecurity Workforce Gap & Estimate

18 Cybersecurity Team Culture

67 Data Breaches, War and Modern Threats

73 Future of Cybersecurity Work

80 Appendix A – Workforce Gap and Estimate Methodologies

83 Appendix B – Study Participant Demographics

2022 is a highly formative year for the cybersecurity profession. Shaped

We estimate the size of the global cybersecurity workforce at 4.7

At an enterprise level, the executive spotlight is pointed directly at

As individuals, cybersecurity professionals are passionate about what they

(ISC)2 Cybersecurity Workforce Study, 2022 3

In this report, the fifth annual (ISC)2 Cybersecurity Workforce Study, we

(ISC)2 Cybersecurity Workforce Study, 2022 4

To understand the scope of cybersecurity professionals worldwide, (ISC)2

(ISC)2 estimates the global cybersecurity workforce in 2022 at 4.7 million, an

Our study estimates the cybersecurity workforce of 14

2022 Global Cybersecurity Workforce Estimate

NORTH LATAM EMEA APAC

1,344,538 1,230,365 1,222,154 859,027

+6.2% +12.2% +12.5% +15.6%

(ISC)2 Cybersecurity Workforce Study, 2022 5

2022 Global Cybersecurity Workforce Estimate

U.S. CANADA MEXICO BRAZIL

1,205,812 138,726 542,418 687,947

+5.5% +12.2% +5.2% +18.3%

UK FRANCE GERMANY IRELAND

339,145 189,733 464,749 17,687

+13% +29.2% -.01% +17.7%

SPAIN NETHERLANDS AUSTRALIA JAPAN

153,167 57,672 143,680 388,402

+23.2% +64.3% +6.7% +40.4%

(ISC)2 Cybersecurity Workforce Study, 2022 6

Our study estimates the cybersecurity workforce gap for 16

2022 Global Cybersecurity Workforce Gap

NORTH LATAM EMEA APAC

436,080 515,879 317,050 2,163,468

+8.5% -26.4% +59.3% +52.4%

(ISC)2 Cybersecurity Workforce Study, 2022 7

2022 Global Cybersecurity Workforce Gap

U.S. CANADA MEXICO BRAZIL

410,695 25,385 203,027 312,852

+9.0% +1.6% -21.8% -29.0%

UK FRANCE GERMANY IRELAND

56,811 60,859 104,197 8,481

+73.4% +120.6% +52.8% -19.0%

SPAIN NETHERLANDS AUSTRALIA JAPAN

60,436 26,265 39,496 55,809

+57.5% +21.5% +57.5% +37.9%

SINGAPORE SOUTH CHINA INDIA

6,071 16,643 1,482,085 563,364

-61.7% -52.0% +20.9% +630.9%

(ISC)2 Cybersecurity Workforce Study, 2022 8

In your opinion, to what degree does this shortage of cybersecurity staff

put your organization at risk of experiencing a cybersecurity attack?

(ISC)2 Cybersecurity Workforce Study, 2022 9

have been mitigated if you had enough cybersecurity staff?

Not enough time for 31%

Oversights in process 29%

Slow to patch 29%