After a torrid 2024, the wider macroeconomic conditions affecting cyber security professionals showed signs of levelling off in 2025, with reports of budget cuts and layoffs to cyber teams dropping slightly this year after surging in the prior period. However, constrained budgets remain a key driver behind the ongoing cyber skills shortage.
This is according to the annual Cybersecurity workforce study produced by cyber professional association ISC2, which polled over 16,000 security professionals to produce this year’s report.
The Virginia, US-based non-profit reported that 33% of respondents said their organisations were inappropriately resourced to adequately staff their teams, and 29% said they couldn’t afford to hire the right people with the right skills to adequately secure their organisations.
As a result, said ISC2, 72% of security professionals now agree that reducing personnel significantly increases the breach risk to organisations; almost nine in 10 said they had experienced “at least one” significant security incident due to a skills shortage, and 69% more than one.
And approximately 95% said they had at least one skill need within their teams, up 5% from 2024, while 59% cited “critical or significant” skill needs, up 15%.
“A shift is happening,” said ISC2 acting CEO and chief financial officer Debra Taylor. “This year’s data make it clear that the most pressing concern for cyber security teams isn’t headcount, but skills. Skills deficits raise cyber security risk levels and challenge business resilience. At the same time, we are seeing emerging technologies like AI [artificial intelligence] are perceived as less of a threat to the workforce than anticipated.
“Instead, many cyber security professionals view AI as an opportunity for career advancement,” she said. “They are using AI tools to automate tasks, and they are investing their time to learn more and demonstrate their expertise in using and securing AI systems.”
With the potential of AI being positively received in the cyber security world, ISC2 found its members were steadily increasing their use of AI tools, with 28% having already integrated them into their daily operations and 69% at some point in their adoption journey, either evaluating, testing or implementing them.
The data also suggest that security pros believe AI will have an impact on both the skills and perspectives required to do the job. Almost three-quarters said cyber security skills would become more specialised as a result of AI adoption; a similar number said AI would create a need for more strategic security mindsets, and slightly fewer said broader skillsets would in fact be needed.
Perhaps unsurprisingly, AI skills emerged as the most in-demand skillset in the security trade for the second consecutive year, cited by 41%, with cloud security close behind at 36%. About half of respondents said they were already working on their own generalised AI knowledge and skills, and about 35% were going deeper on areas such as using AI to better understand vulnerabilities and exploits.
Love what you do
Headwinds notwithstanding, ISC2 found security pros tend to be positive about their jobs and the role they play in the wider industry, with 80% saying they were passionate about their work.
The vast majority, 87%, said they thought there would “always” be a need for security pros; 81% expressed confidence that the profession would remain strong; and 68% said they were satisfied in their current job, up 2% on 2024, with 75% planning to stay at their current job for at least another year.
But the passion and dedication of cyber pros continues to come at a cost, with stress and burnout still dogging many. Almost half said they found it exhausting trying to keep up, and 47% found the workload overwhelming at times.
