ISC2 released its 2025 Cybersecurity Workforce Study on December 4, marking a notable shift in how the organization frames the profession’s core challenge. For the first time, ISC2 dropped its annual workforce gap headcount estimate entirely, with study participants indicating that a shortage of critical skills now outweighs the need for simply more people. The study drew responses from a record 16,029 cybersecurity practitioners and decision-makers globally.
Previous editions of the study — including 2024’s report, which tallied a workforce gap of 4.8 million professionals — tracked the raw difference between available security workers and organizational demand. The 2025 edition deliberately steps away from that figure. ISC2 explained the decision in the report itself: respondents have shifted their view, with the need for specific, advanced skills now registering as a more pressing concern than headcount alone.
What the Study Actually Found
The numbers still point to ongoing strain. According to the 2025 ISC2 Cybersecurity Workforce Study, 88% of respondents said their organizations experienced at least one significant cybersecurity consequence in the last year because of a skills shortage. Sixty-nine percent reported multiple such consequences. Those figures track with what certified professionals working in understaffed teams report anecdotally — the problem isn’t just vacancy counts, it’s the gap between what teams can do and what the threat environment demands.
Job satisfaction ticked upward after a difficult 2024. The study reports 68% of participants satisfied with their current positions, a 2% improvement over last year and a reversal of the 4% decline recorded between 2023 and 2024. Among satisfied respondents, 30% described themselves as “very satisfied,” up 3 points from 2024. The study attributes some of this improvement to stabilizing workloads and a slight easing of the worst budget constraints.
AI Adoption and the Skills Shift
AI adoption continues to reshape what skills teams actually need. Sixty-nine percent of respondents said they are either already using AI security tools or actively planning for implementation. The study frames this as broadly positive — AI handling repetitive and time-consuming tasks rather than replacing human judgment on complex decisions. But it also widens the skills gap in a different direction: teams that lack AI proficiency risk falling further behind as the technology becomes standard in both attack and defense.
For CISSP candidates, the study’s skills-over-headcount framing reinforces the value of credentials that demonstrate broad, strategic security knowledge. Organizations increasingly need professionals who understand security architecture, risk management, and governance — the domains CISSP covers — rather than specialists in single tools or platforms.
Staffing shortage reports did improve modestly year-over-year. Those reporting significant shortages were down 2%, with slight shortages down 3%. The share of respondents saying their organizations have the right level of cybersecurity staffing rose 4 points to 34% — the highest that figure has reached, though it still means nearly two-thirds of organizations fall short. The full study is available at no charge on ISC2’s website.