North America’s Cybersecurity Talent Shortage Reaches Critical Levels

The Numbers Behind the Crisis 

According to Cyberseek, by the end of 2024, the United States had over 265,000 unfilled cybersecurity positions. The demand is particularly pronounced in the field of “pentesting” (penetration testing). An estimated 1.25 million people are currently employed in the U.S. cybersecurity sector, but Cyberseek data shows that the workforce meets only 83% of the demand. “Cloud security, identity and access management, data security, and, of course, AI security are areas where the sector is underrepresented,” confirms Luke Cotterell, Principal Consultant at Cyberr, an international platform dedicated to cybersecurity professionals.

A More Holistic Approach 

Artificial intelligence has significantly reshaped the landscape in recent years, and training programs and candidates have struggled to keep pace with the rapid changes. Bridging this widening gap requires a shift in mindset. “The market is constantly evolving, with new breaches and threats hitting companies and institutions worldwide daily,” says Luke Cotterell. One solution advocated by recruiters is upskilling existing employees or those transitioning from other professions. While progress is being made, it will take time. “We need to adopt a more holistic approach. I’ve personally seen companies start to recognize that candidates from non-technical or non-cybersecurity backgrounds bring valuable cross-functional skills that our industry desperately needs,” Cotterell explains. He emphasizes the importance of diverse pathways, such as mentoring, as well as engaging potential candidates at earlier stages in their careers.

A Risky but Rewarding Strategy 

Aurélien Sille, a cybersecurity expert based in Montreal with the French cybersecurity services firm Advens, also advocates for reaching a broader pool of candidates. “Many young people are unemployed and unqualified,” he observes. “Among them, there are undoubtedly hundreds of potential cybersecurity talents. They represent an opportunity for an industry grappling with a lack of diversity to counter cyber attackers from all backgrounds. Understanding the attacker is sometimes more critical than analyzing the attack. Diversifying your teams and then training them can be a risky but rewarding strategy. By valuing candidates with rich life experiences and helping them discover a new passion, we can increase the number of cybersecurity experts worldwide: a win-win!”

Economic and Geopolitical Pressures 

The urgency to act is felt across North America. In Canada, for instance, Aurélien Sille notes high demand for positions like cloud security, incident detection and response (SOC/CSIRT), DevSecOps, and governance roles. “In Quebec, where I live and work, job postings for these roles are ever-present on employment platforms. Even without actively seeking them, we’re often approached to fill positions at other companies.” Advens has taken steps to address this issue by organizing workshops, such as one at Polytechnique Montreal, to introduce students to the role of SOC analysts.

This talent shortage is compounded by an increasing demand for cybersecurity professionals. According to the 2024 Cybersecurity Workforce Study by ISC2 Research, “Economic pressures, global geopolitical issues, supply chain disruptions, failed software updates, and the increasing automation and digitization of tasks have highlighted the critical nature of cybersecurity for businesses.”

A Workforce That Isn’t Growing 

Following the post-COVID economic crisis, businesses—whether multinational corporations or mid-sized enterprises—have often sidelined cybersecurity to prioritize what they consider more strategic areas. “This shortage is primarily due to barriers to entry,” explains Luke Cotterell. “Cybersecurity is a highly skilled field. Many professionals undergo months or years of training before landing their ideal role.” Despite rising demand, the global cybersecurity workforce has stagnated at around 5.5 million people, far below the nearly double that number required.

Moreover, the challenges differ depending on the size of the company. “Larger organizations, often more structured, are better positioned to attract talent,” says Aurélien Sille. “Smaller businesses, on the other hand, may not afford sizable cybersecurity teams. They often rely on outsourced SOC services (like Advens’ mySOC platform) or hire individual experts. However, with limited budgets, competing with larger organizations for top talent is tough.”