Plight of the Early-Career Cybersecurity Worker

Asa Hess-Matsumoto

A little over a year ago, we asked where all of the cybersecurity jobs were. At that time, the picture being painted by a number of authoritative sources showed a pretty competitive job market, especially for early-career applicants. So how do things look in 2026?

The Growth Narrative

When you look across the internet, cybersecurity is still portrayed as one of the most promising careers out there. Many cite the Bureau of Labor Statistics (BLS) and, by extension, the Bureau’s Occupational Employment and Wage Statistics (OEWS) data.

Percent change in employment, projected 2024-2034. Source: U.S. Bureau of Labor Statistics, Employment Projections program.

Indeed, the growth projections of the BLS estimates can be found echoed in YouTube videos, third-party reports, university degree incentives programs, and many other online resources. Below is a sample of places where the data appears.


Within the US, Cyberseek estimates that approximately 1 in 4 cybersecurity jobs remain unfilled. Globally, Accenture estimates that the gap is nearly double that. The oft-cited 2024 ISC2 Cybersecurity Workforce Study (which itself built its estimates off of the BLS data) projected a 4.8 million headcount shortfall worldwide.

  • Total Online Job Openings (job postings for cybersecurity-related positions): 514,359 (national, current data)
  • Total Employed Workforce (estimated number of workers employed in cybersecurity-related jobs): 1,337,400 (national, current data)

Source: CyberSeek Cybersecurity Supply and Demand Heat Map.

Long-term job growth in the professional domain is still projected to remain strong; the BLS estimates cybersecurity workers (which it generalizes as “Information Security Analysts”) to be the fifth-fastest-growing role type in the US overall, lagging behind only data scientists, nurse practitioners, and green-energy roles.

Alternate data sources likewise back these estimates in the near term. The 2026 Fortinet Cybersecurity Skills Gap Report found 87% of respondents expect their cybersecurity team to grow in the next 12 months (and 39% expect it to increase significantly).

Cause for Doubt

Despite this, there are reasons to be skeptical that professional cybersecurity is tantamount to greener pastures for all.

A Rose By Any Other Name

It’s worth examining what these upstream data sources consider a “cybersecurity” job. Different sources define the term differently: some adopt really broad definitions (inclusive of roles where security functions are ancillary or incidental responsibilities, such as systems administrators, network engineers, and project managers), while others choose narrower definitions (roles whose core job function is strictly cybersecurity). The difference between the two is substantial - the 2024 NCSES Cybersecurity Workforce Supply and Demand Report estimated “between 164,000 (narrowest definition) and 2,430,000 (broadest definition) cybersecurity workers [were] employed” at the time of conducting the survey. The report’s broader definition is inclusive of more generalized roles like “Computer support specialists”, “database administrators”, and “Other computer information science occupations”, which no doubt contribute to overinflating the number of roles.

Table 6 of the NCSES report on Cybersecurity Workforce Supply/Demand

This amount of overrepresentation is found in other datasets as well. Cyberseek provides a “Job Openings by NICE Cybersecurity Workforce Framework Category” widget which allows users to drill down into various types of job openings that are being tracked. By stepping into some of the NICE workforce subcategories, one can observe that the numbers are inclusive of such roles as “Secure Software Development”, “Product Support Management”, “Program Management”, and “Systems Administration” in addition to roles that might typically be considered as “core” security roles.

Note

In previous years, Cyberseek included a disclaimer which noted how individual job openings could map to multiple categories (and - to use their words - “The data shown here are not intended to be aggregated”). This 2024 change is a subtle change, but further contributes to the sense of overinflation by obfuscating the mappings to the end user.

The point here is that the real number of narrowly-defined cybersecurity jobs - those roles whose primary job functions relate to cybersecurity - is likely substantially lower (as much as 10x less) than the millions some report.

What’s Old is New

When employers report that they don’t have the cybersecurity talent to meet their needs, it’s understandable that a lot of people might construe such assertions as being tied to headcount. This is at least partially true and observable: one way to close a skills gap in an organization’s workforce is to hire; there are at least some job listings for open, unfilled cybersecurity roles.

However, organizations have drifted in the last year to reclassify the problem not as an issue with headcount but a matter of skill:

Quote

“In 2025, for the first time, organizations identified skills gaps as a greater concern than headcount shortages - 52% cited ‘not having the right staff,’ compared with 48% pointing to ‘not enough staff.’”

GIAC 2026 Cybersecurity Workforce Research Report

Quote

“While some surveys suggest overall headcount pressures may be easing in certain markets, the underlying challenge is shifting rather than resolving…[The] true constraint is not just the number of cybersecurity professionals available, but also if they have the right mix of technical and soft skills to operate effectively…”

2026 Accenture Research Report

Quote

“Traditionally, we have reported cybersecurity professionals’ view that the shortage of qualified people in the field was the most prominent factor impacting their ability to effectively defend their organizations. This outlook seems to be evolving as respondents…have highlighted that the need for critical skills within the workforce is outweighing the need to increase the headcount.”

2025 ISC2 Cybersecurity Workforce Study

Quote

“The rapid growth in the cybersecurity workforce pipeline and the large number of new graduates suggest that the workforce gap cited by industry leaders is due to factors other than quantity of potential workers”

NCSES Cybersecurity Workforce Supply and Demand Report

Multiple years of layoffs, budget cuts, and hiring freezes in the professional space have limited teams from considering direct hires as a means for solving their organization’s skill gap issues. Instead, per the 2025 ISACA State of Cybersecurity report, the top tactics for mitigating the skill gaps are:

  • Contracting out
  • Internal training
  • AI or other forms of automation

Source: 2025 ISC2 Cybersecurity Workforce Study

Ultimately, this means that while organizations may outwardly express a need for qualified talent, they are not necessarily generating new jobs to meet that need. In fact, there are instances where the opposite is true: existing teams are left to do more with less.

The Unemployment Illusion

Cybersecurity has popularly (and wrongly) been reported by some as having a 0% unemployment rate. We know this not to be true (the real-world implications that such a level of unemployment would entail are not observable to this day), but optimistic estimates still put the number quite low: the BLS estimates cybersecurity unemployment (read: a person actively seeking work and available for a job but unable to find one) at 2.1%, under the reported national unemployment rate of 4.3% at the time of writing.

However, there’s reason to believe that this masks some nuance. Early-career applicants have voiced significant trouble in finding work, with some purportedly submitting hundreds of applications over many months (or even years) with few or no interviews. Because the BLS data defines industry unemployment based on the last prior job held, the data suppresses the reality of those who are trying to break into the space: students, new graduates, career-changers, military service members, etc.

Quote

“Because the occupation and industry for the unemployed are determined by their prior job, the CPS occupational and industry unemployment data reflect only the subset of total unemployed that have past job experience.”

Bureau of Labor Statistics, Concepts and Definitions

This suggests that the level of unemployment is actually higher, perhaps much more so. This year, the UK’s Department for Science, Innovation & Technology (DSIT) released its Cyber security skills in the UK labour market 2025 report, which supports that assertion; in it, they disclosed that the unemployment rate for cybersecurity graduates was as high as 9%. Moreover, fewer than 1 in 3 graduates who did find work 15 months after graduating actually attained full-time employment in a dedicated cybersecurity role. By comparison, the report showed that less than 1% of computer science graduates pursued similarly-coded roles (i.e. it’s not that other degrees were necessarily more favored; rather, graduates from other related disciplines generally did not elect to pursue cybersecurity work). Put another way: most new graduates whose major area of study was cybersecurity were not able to attain cybersecurity work over a year after graduating.

Figure 5.5: Top 10 most commonly coded job roles for UK cyber security graduates based on SOC 2020 (2021/22 academic year). Source: HESA Graduate Outcomes survey 2022/23. Base: 1,830 cyber security graduates in full-time or part-time employment. Reproduced from Cyber security skills in the UK labour market 2025 under the Open Government Licence v3.0.

Years of Experience

Compounding the early-career job seekers’ struggle is the fact that most unfilled jobs are not aligned to them. Overwhelmingly, organizations this year are primarily trying to staff jobs at higher levels of seniority.

Source: ISACA State of Cybersecurity 2025

Consistently across all forms of reporting, organizations have reported that it’s harder for them to find qualified job applicants to fill these more senior roles. Consequently, these roles remain listed/unfilled for longer stretches of time.

The preference for more experienced applicants is reflected in the age of the cybersecurity workforce at large. Within the US Federal Government, only about 10% of cybersecurity employees are under the age of 35. In the commercial space, the numbers are similar:

  • On one end, ISACA’s data showed only 8% of cybersecurity staff are below the age of 35.
  • ISC2 offered the highest estimate at 20%.

Source: SANS 2026 Cybersecurity Workforce Research Report