Originally published January 2026. Updated May 2026 with the 2025 ISC2 Cybersecurity Workforce Study (which stopped publishing a single workforce gap number for the first time in its history), refreshed BLS salary data, and expanded sections on hiring practices, ATS screening, and what’s actually working.
Every conference I attend, someone says it. Every industry report repeats it. There’s a cybersecurity skills shortage. Millions of unfilled positions. Crisis mode. Existential threat.
I don’t buy it. I haven’t bought it for years, and the latest data from ISC2 itself just validated the argument I’ve been making to enterprise clients since the early 2020s.
We don’t have a skills shortage. We have a hiring problem. And in 2026, the cracks in the conventional narrative are finally too big to paper over.
What ISC2 Just Quietly Admitted
For years, the multi-million workforce gap figure from ISC2’s annual Workforce Study has been the headline at every security conference and the lead bullet in every “we need more cyber talent” pitch. The 2024 study put the gap at 4.8 million globally, up 19 percent year over year.
Then something interesting happened. In December 2025, ISC2 released the 2025 study based on responses from 16,029 cybersecurity professionals worldwide. For the first time in the study’s history, they did not publish a workforce gap number. Their explanation, in their own words, was that the critical skills shortfall now eclipses pure headcount as the binding constraint. Skills over people. They quietly stopped repeating the line they had been leading with for years.
That’s a big shift, and it confirms what people doing actual hiring have been seeing on the ground. The bodies exist. What’s missing is alignment between the people who exist and what hiring managers are asking for, and what they are asking for is often unrealistic to begin with. Even more telling, the 2025 study reports that budget cuts have now overtaken talent scarcity as the primary driver of staffing shortages. Twenty-nine percent of respondents said flat out that they can’t afford to hire staff with the skills they need.
Read that one more time. The largest professional body in cybersecurity, the people who issue the CISSP, just told us that the binding constraint isn’t a shortage of qualified humans. It’s that organizations either won’t spend on the people available or can’t agree internally on what skills they actually need.
The Math Doesn’t Add Up
Look at the supply side. CompTIA reports thousands of new Security+ certifications every month. ISC2 has more than 265,000 certified members in 2026. Bootcamps are full. Cybersecurity degree programs are oversubscribed at most major universities. Career changers from networking, sysadmin, and software backgrounds are flooding into the field. Veterans transitioning out of military intelligence and cyber roles are arriving with clearances and skills already in hand.
So where are all these people going? Why aren’t they filling open positions?
Because the job postings are absurd, the interview pipelines are broken, and the budgets attached to those postings don’t match the experience being demanded. Mike McNelis interviewed 100 hiring managers about this exact problem last year. The patterns he documented in What I Learned Talking to 100 IT Hiring Managers About Certifications are the same patterns ISC2’s data is now exposing at scale.
Entry Level With 5 Years Experience
Open any job board right now. You’ll find listings like this within a few minutes of scrolling. “Entry level SOC analyst. Requirements: 3 to 5 years experience. CISSP preferred. Expertise in 15 different tools. Must know cloud, must know OT, must know application security.” For $65,000.
That’s not an entry level position. That’s a wishlist from someone who doesn’t understand the market they’re hiring in. The CISSP alone requires five years of cumulative paid experience across the CISSP domains (four with ISC2’s one-year waiver for a qualifying degree or credential). By definition, someone holding a CISSP is not entry level. Asking for one in an entry level posting is asking for a unicorn at a Honda Civic price.
In aviation, we don’t expect new pilots to have 5,000 hours before their first commercial job. We train them progressively. Private pilot, instrument rating, commercial, multi engine, ATP. Each step builds the next. The industry accepts that competence takes time and structured investment. Even in flight schools that run on tight margins, you don’t see a CFI job posting that requires 5,000 hours of military F-16 time for $19 an hour. Cybersecurity, for some reason, forgot how this works.
What an actual entry level SOC analyst posting should look like: foundational understanding of networking and operating systems, Security+ or willingness to earn one in the first six months, comfort with logs and command line basics, strong written communication, and a willingness to learn. Pay it $70,000 to $85,000 depending on geography. Provide a structured 90 day onboarding. Pair the new hire with a senior analyst as a mentor. That posting will fill. The problem isn’t candidates.
Companies Won’t Train, Then Complain There’s Nobody
The same companies crying loudest about talent shortages refuse to invest in developing talent. They want fully formed security professionals to appear out of thin air. Ready to hit the ground running on day one. Zero onboarding budget. Zero training spend. Zero patience for the eight to twelve weeks any real human being needs to learn an unfamiliar environment.
Then they complain they can’t find anyone.
Smart people with strong adjacent backgrounds get filtered out before a human ever reads their resume. Help desk veterans who would make excellent analysts never get interviews because they’re missing one specific certification that takes three months to earn. Network engineers with deep operational experience get passed over because their resumes don’t have “SIEM” written six times. Career changers, who tend to be motivated, mature, and good at adult learning, get told they need cybersecurity experience to enter cybersecurity. Mike McNelis broke down what that switch actually looks like in How to Switch Careers Into Cybersecurity at 40, and the answer involves a lot more open doors than the typical “skills shortage” rhetoric would suggest.
Compare this to what regulated industries with real workforce constraints actually do. Hospitals run residency programs because they accept that doctors need to be developed, not just hired. Power plants run apprenticeships because they accept the same about operators. Airlines pay for type ratings because qualified pilots don’t grow on trees and they know it. Cybersecurity has, for the most part, refused to build that kind of pipeline, then acts surprised when the pipeline doesn’t exist.
The Resume Screener Problem Nobody Wants to Talk About
There’s a layer of this problem that sits between the candidate and the hiring manager, and it’s increasingly broken. Applicant tracking systems, the automated platforms that filter resumes before any human reads them, are eliminating qualified candidates by the thousands. Most ATS platforms parse resumes for keyword matches against the job posting. The candidate either matches enough keywords or gets filtered out, often without the hiring manager ever knowing they applied.
When the job posting was written by an HR copy-paster who threw in every cyber acronym they’ve ever heard, the keyword filter becomes a brick wall. A network engineer with twelve years of hands on security work, who happens to use slightly different terminology on their resume, gets rejected. A SOC analyst from a smaller company whose tooling didn’t include the specific vendor mentioned in the posting gets rejected. A military veteran who used DoD nomenclature instead of commercial nomenclature gets rejected.
In 2026 it’s worse than ever because AI screening has been bolted on top of the keyword filter. Now you have a language model making a confidence judgment about whether someone’s experience “really matches,” based on the same poorly written posting that the keyword filter was already mangling. The result is that organizations are increasingly hiring from a tiny self filtered pool of resumes that happened to use the exact phrasing the posting did, while ignoring much larger pools of well qualified people whose resumes read slightly differently.
Then the hiring manager looks at the ten resumes their ATS surfaced, sees no fit, and reports back to leadership that there’s a talent shortage.
Three Problems Pretending to Be One
When you strip away the “skills shortage” framing, three distinct problems show up underneath it, and each one needs a different fix.
Unrealistic job requirements. HR teams copy and paste requirements without understanding what the role actually needs. CISO and security director input often never makes it into the posting. The job description becomes a Frankenstein assembly of every certification, tool, and buzzword the writer has ever heard, with no real prioritization of what actually matters in the first 90 days.
Unwillingness to train. Treating new hires as expenses instead of investments. The ISC2 2025 study found that 33 percent of organizations say they don’t have the resources to adequately staff their teams. Translation: when budgets get cut, security training is one of the first things to go, which means new hires arrive with general knowledge and never get sharpened on the specific environment they’re protecting.
Salary mismatch. Wanting senior talent at junior prices. The U.S. Bureau of Labor Statistics reported the median annual wage for information security analysts at $124,910 as of May 2024, with the 90th percentile above $186,000. Plenty of companies still believe they can hire experienced professionals for $70,000 and then wonder why positions stay open for nine months. The math doesn’t work, and candidates with options know it doesn’t work.
What Actually Works
The companies I see building strong security teams do things differently. They hire for aptitude and attitude, then train for skills. They build junior roles that actually function as on ramps. They promote from within IT, sysadmin, and networking. They partner with training providers to upskill existing employees rather than hunting outside for unicorns. Jeff Porch wrote up the reasons that approach works in Why Boot Camps Help Students Learn Faster.
A few specific patterns I’ve seen produce real results across our enterprise clients in defense, financial services, and federal government.
Build internal cyber tracks from IT. Help desk technicians, sysadmins, and network engineers already understand the environment. They know where the bodies are buried. They’ve been the first line of defense for years without being called that. Give them a six month structured training path through Security+, CySA+, and a mentor pairing, and you’ve created a SOC analyst with operational context that no external hire can match in their first year.
Rewrite the job postings. Have the CISO or hiring manager write the posting, not HR. List two or three must haves, not fifteen. Distinguish between things someone needs on day one and things they can learn in the first 90 days. Drop required certifications that the role doesn’t actually need. CISSP is not required to do tier one SOC work. It’s nice to have on a senior analyst. Stop treating them as the same job.
Pay market rate. If you want experienced security analysts, pay them like experienced security analysts. The BLS data is public. The salary surveys are public. Pretending you can hire $125,000 talent for $80,000 because “everyone’s desperate to break into cyber” is the kind of myth that keeps positions open for nine months while your existing team burns out covering the gap.
Invest in retention. The 2025 ISC2 study found that 75 percent of cybersecurity professionals plan to stay at their current organization in the next year, but only 66 percent plan to be there in two years. That’s a quiet exit wave forming. Stagnant wages, lack of advancement, and burnout from short staffed teams are pushing experienced people out the door. Plug those leaks first. Keeping a senior analyst is always cheaper than replacing them.
Audit your ATS. Run your job postings through your own automated screener. Submit a few resumes of known qualified internal employees and see if they make it through. Then submit the same resumes with the terminology swapped for common synonyms, the way a veteran or a career changer would phrase them, and note which required keywords are doing the rejecting. You will be shocked at how often qualified people don’t make it. The screener is filtering out your future hires before anyone gets to see them.
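To make the audit concrete, here is a small model of the keyword screener described above, written as an added example for this article rather than taken from any ATS product. The posting keywords, the three resumes, and the synonym table are all constructed for illustration; the three candidates have done equivalent work and differ only in vocabulary. The point it shows that the prose alone does not: the same resume flips from reject to pass once terminology is normalized, and a per-requirement count tells you which posting terms (here the vendor name) are doing most of the excluding.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed "must have" list, the kind an HR copy-paste produces (not a real posting).
POSTING_KEYWORDS: List[str] = [
    "SIEM", "incident response", "Splunk", "threat hunting", "Security+", "log analysis",
]

# Constructed resumes. All three candidates have done the work; only the vocabulary differs.
RESUMES: Dict[str, str] = {
    "commercial_soc": (
        "SOC Analyst, 3 years. Built Splunk dashboards and correlation searches in the SIEM. "
        "Led incident response for phishing and malware cases. Threat hunting across EDR telemetry. "
        "CompTIA Security+ certified. Daily log analysis on Windows and Linux fleets."
    ),
    "veteran": (
        "Cyber Defense Analyst, USAF, 4 years. Monitored the enterprise ArcSight console and tuned "
        "correlation rules. Performed cyber incident handling for intrusion and malware events. "
        "Conducted hunt operations on DoDIN enclaves. Sec+ CE certified. Daily log review of "
        "firewall, proxy, and host telemetry."
    ),
    "network_engineer": (
        "Senior Network Engineer, 12 years. Designed and operated firewalls, IDS/IPS, and VPN "
        "concentrators. Forwarded syslog and NetFlow into the log aggregation platform and built "
        "alerting on it. Handled security events end to end. CCNP and Security+."
    ),
}

# Hypothetical normalization table a hiring manager could maintain: posting term -> equivalent phrasings.
SYNONYMS: Dict[str, List[str]] = {
    "siem": ["arcsight", "log aggregation platform", "security event correlation"],
    "incident response": ["incident handling", "handled security events"],
    "threat hunting": ["hunt operations", "proactive detection"],
    "security+": ["sec+", "security plus"],
    "log analysis": ["log review", "log triage"],
}


def _contains_term(text: str, term: str) -> bool:
    """Case-insensitive whole-term match that tolerates '+' in terms like 'Security+'."""
    pattern = r"(?<!\w)" + re.escape(term.lower()) + r"(?!\w)"
    return re.search(pattern, text.lower()) is not None


@dataclass
class ScreenResult:
    score: float
    passed: bool
    matched: List[str] = field(default_factory=list)
    missing: List[str] = field(default_factory=list)


def screen(resume: str, keywords: List[str], threshold: float = 0.6,
           synonyms: Optional[Dict[str, List[str]]] = None) -> ScreenResult:
    """Model of a keyword screener: fraction of posting terms found, pass if >= threshold.
    With `synonyms`, a term also counts when one of its listed equivalents appears."""
    matched: List[str] = []
    missing: List[str] = []
    for kw in keywords:
        variants = [kw] + (synonyms or {}).get(kw.lower(), [])
        (matched if any(_contains_term(resume, v) for v in variants) else missing).append(kw)
    score = len(matched) / len(keywords)
    return ScreenResult(score=score, passed=score >= threshold, matched=matched, missing=missing)


def audit(resumes: Dict[str, str], keywords: List[str], threshold: float = 0.6,
          synonyms: Dict[str, List[str]] = SYNONYMS) -> Dict[str, List[str]]:
    """The audit described above: screen known-good candidates with and without
    normalization and report who the literal keyword filter would have dropped."""
    report: Dict[str, List[str]] = {"passed_raw": [], "rescued_by_normalization": [], "still_rejected": []}
    for name, text in resumes.items():
        raw = screen(text, keywords, threshold)
        normalized = screen(text, keywords, threshold, synonyms)
        if raw.passed:
            report["passed_raw"].append(name)
        elif normalized.passed:
            report["rescued_by_normalization"].append(name)
        else:
            report["still_rejected"].append(name)
    return report


def requirement_impact(resumes: Dict[str, str], keywords: List[str],
                       synonyms: Dict[str, List[str]] = SYNONYMS) -> Dict[str, int]:
    """How many known-good candidates each posting term still excludes after normalization.
    Terms at the top of this list are the ones to question in the posting."""
    impact = {kw: 0 for kw in keywords}
    for text in resumes.values():
        for kw in screen(text, keywords, synonyms=synonyms).missing:
            impact[kw] += 1
    return dict(sorted(impact.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    print(audit(RESUMES, POSTING_KEYWORDS))
    print(requirement_impact(RESUMES, POSTING_KEYWORDS))
```

Run as written, the literal filter passes only the candidate who happened to use the posting’s exact words, the veteran is rescued once “ArcSight,” “incident handling,” “hunt operations,” “Sec+,” and “log review” are recognized as equivalents, and the network engineer is still rejected, mostly on the vendor name and two buzzwords. That last result is the useful one: it tells the hiring manager whether “Splunk” is a real day-one need or a term that should move to the learn-in-90-days column.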
If You’re Trying to Break In
The flip side of all this is, if you’re a job seeker trying to land your first or second cybersecurity role, understanding the hiring problem helps you work around it instead of getting frustrated by it.
Get the certifications that pass ATS filters and satisfy DoD 8140 requirements. Security+ is the entry level cybersecurity standard for most US federal and defense contractor roles. CySA+ for SOC and analyst tracks. Network+ if you don’t already have networking depth. We covered the practical pathway in Entry-Level Cybersecurity Certifications for Beginners, and Nora Grace walked through specific SOC tier one expectations in What Does a SOC Analyst Actually Do All Day?
Tailor your resume to the job posting. Don’t lie. Do match the language. If the posting says “SIEM,” your resume should say “SIEM,” not “log aggregation platform.” If the posting says “incident response,” your resume should say “incident response,” not “handled security events.” The ATS isn’t trying to be fair. It’s trying to find words. Give it the words.
Network around the filter. The single most effective way past a broken ATS is a referral. A real person inside the company can put your resume in front of a hiring manager directly. Show up at local ISACA and ISC2 chapter meetings, attend free industry events, get active in security communities online. You’re not networking to be social. You’re networking because the formal hiring channel is filtering you out.
Target companies that train. Some employers are still committed to building people up from junior roles, even in 2026. Federal contractors with cleared workforces tend to invest more in training because losing a cleared employee is expensive. Larger companies with structured cyber rotations through their IT organization often have more patience. Apply where the on ramps are real.
Frequently Asked Questions
Is there really a cybersecurity skills shortage?
The numbers commonly cited come from the ISC2 Cybersecurity Workforce Study, which estimated a 4.8 million global gap in 2024. However, the 2025 ISC2 study, released in December 2025, did not publish a single gap number for the first time in the study’s history. ISC2 stated that critical skills shortages now eclipse pure headcount as the binding constraint, and that budget cuts have overtaken talent scarcity as the primary driver of staffing shortages. The data points to a hiring and budget problem more than an absolute shortage of qualified people.
Why do entry level cybersecurity jobs require 3 to 5 years of experience?
Most of those postings are written by HR teams without input from the actual hiring manager, and they pile on requirements as a way to reduce applicant volume. The result is unrealistic postings that filter out qualified candidates and leave positions open for months. An actual entry level SOC analyst role should require foundational networking and operating system knowledge, Security+ or equivalent, and the ability to learn on the job. The companies that hire that way fill their open roles in weeks instead of staring at the same posting for nine months.
What is the median salary for an information security analyst?
The U.S. Bureau of Labor Statistics reports the median annual wage for information security analysts at $124,910 as of May 2024, the latest published federal data. The 10th percentile earns $69,660 or less. The 90th percentile earns more than $186,420. Employment is projected to grow 29 percent between 2024 and 2034, much faster than the average for all occupations.
Why does ISC2 no longer publish a workforce gap number?
According to ISC2’s December 2025 announcement, the 2025 Cybersecurity Workforce Study shifted away from the workforce gap framing because skills shortages now outweigh raw headcount needs. Their data showed 95 percent of respondents reporting at least one skill need, 88 percent experiencing significant security events caused by skill gaps, and 33 percent of organizations saying they lack the resources to staff their teams adequately. The framing changed to reflect what hiring managers were actually telling them.
How can job seekers get past automated resume screening?
Tailor your resume to the language of each specific job posting. If the posting uses a specific term like “SIEM” or “incident response,” use that exact phrasing on your resume rather than synonyms. Get referrals through professional networks like ISACA and ISC2 chapter meetings to bypass automated screening entirely. Hold the certifications that match DoD 8140 baselines if you’re targeting federal or defense contractor work. The system is built on keyword matching, so meeting the keywords is half the battle.
What’s the best way for companies to actually fill cybersecurity roles?
Build internal pipelines from IT, sysadmin, and networking. Rewrite job postings with hiring manager input and realistic must haves. Pay at or above market rate using BLS data as a floor. Invest in onboarding and structured 90 day mentorship. Audit your automated screening tools to make sure they aren’t rejecting qualified candidates. Companies following this pattern report shorter time to fill and better retention. Companies that don’t keep posting the same job for nine months and blaming the market.
CEO | Training Camp
Christopher D. Porter is a dynamic marketing executive and visionary leader, celebrated as an early adopter of internet technologies for innovative lead generation strategies. Continuing his career as the CEO of one of the leading IT and Cybersecurity Certification Training companies, he has consistently harnessed digital innovation to drive business growth and market transformation.
