Organizations worldwide spend $200 billion a year on cybersecurity products and services. Yet they struggle to fill cybersecurity jobs, and the 28% vacancy rate for those positions is impeding their ability to address escalating threats.

Companies are adopting new technologies, including AI and GenAI, for cybersecurity functions such as predictive analytics and detecting anomalies. However, such innovations have created new vulnerabilities—making the need to attract and retain a full contingent of workers with up-to-date cybersecurity skills even more urgent,

These conclusions are among the highlights of new research by BCG and the Global Cybersecurity Forum on the global cybersecurity workforce. They are based on a survey of 6,000 respondents from 48 countries as well as workshops and interviews with cybersecurity and workforce experts. The complete findings are presented in a report, “2024 Cybersecurity Workforce Report: Bridging the Workforce Shortage and Skills Gap.”

The world’s move to digital has transformed industries, governments, and society. At the same time, it has led to an avalanche of cyberattacks and cyber-related crimes, with related costs rising to more than $2.2 trillion. AI is an aggravating factor: close to six out of ten (58%) cybersecurity leaders expressed concern over new adversarial techniques, including AI-enabled cyberattacks.

Protecting digital assets has increased the ranks of the world’s cybersecurity workforce to 7.1 million, but another 2.8 million jobs remain unfilled. The gap between supply and demand is biggest in the Asia-Pacific region, where the field is still relatively immature, accounting for more than half of the global shortage (56%).

Four industries account for close to two-thirds (64%) of the cybersecurity workforce shortage: financial services, materials and industrials, consumer goods, and technology. It’s not surprising, considering that seven out of ten attacks target those industries, and the cost per breach is among the highest.

Cybersecurity leaders cite the lack of candidates with desired skills and intense competition as the main challenges to filling open jobs. Lack of diversity in the profession is also a contributing factor: although women hold 36% of all technology industry jobs, they comprise only 24% of the cybersecurity workforce.

Recommendations

To fill the talent and skills gap, capitalize on opportunities, and address challenges, organizations need to embrace future-ready cybersecurity workforce practices. They must:

• Map skills training to existing threats and emerging trends, adopt skills-based hiring practices, and fill gaps before they get too big—or too much bigger.
• Offer the current workforce opportunities for upskilling as well as continuous learning, including sponsoring certifications and providing internal and external training.
• Provide clearer career paths and cultivate a supportive work environment to engage and retain workers.
• Attract new talent to the industry—including women and other previously untapped talent pools—through targeted, strategic outreach.
• Collaborate with government agencies on national campaigns that position cybersecurity as a top career choice.

If the talent shortage continues, it’s predicted to account for more than half of all significant cybersecurity incidents worldwide. The report explains the gaps in more detail and establishes a cybersecurity talent framework to address them.