For security breaches, contact our team at 201-825-1255 ext. 7 or critical@stig.net.

The State of US Cybersecurity Employment: Analyzing Growth, Demand, and Retention Challenges

April 5, 2024

KEY TAKEAWAYS:

  • The growth of cyber-security headcount has slowed down in the past year, but is still comparable to growth for other positions;
  • Hiring for cyber-security jobs is substantially higher – but so is attrition. This may create issues and instability at companies which are trying to consolidate their cybersecurity workforce and operations;
  • US Cyber-security professionals earn on average 120k/year, 4.3% more than employees in comparable positions. Despite this, salary growth for cybersecurity positions has failed to keep up with inflation.
  • After peaking in 2022, job postings for cybersecurity roles remain 20% higher relative to pre-pandemic levels, showing that demand for these positions still remains strong;

INTRODUCTION

In the evolving landscape of the digital age, cybersecurity continues to emerge as a paramount concern, underscored by the escalating costs and frequencies of cyber incidents. In 2023, the United States saw a surge of cybersecurity incidents: the Internet Crime Complaint Center (IC3) reports an  unprecedented surge in complaints, with 880,418 grievances lodged by the American public, reflecting potential losses exceeding $12.5 billion—a near 10% hike in complaints and a 22% escalation in financial damages relative to 2022.[1] The costs and risks for businesses remain pronounced, as the global average cost of a data breach in 2023 soared to USD 4.45 million, marking a 15% increase over the previous three years.[2]

In this dynamic cyber environment, characterized by pervasive threats and vulnerabilities, the need for a strong pipeline of cybersecurity professionals cannot be understated. In this whitepaper, we analyze the latest trends in the cybersecurity job market, examining their implications for organizational security, workforce stability, and the broader cybersecurity ecosystem.

Our analysis reveals a nuanced picture: while the growth of cybersecurity headcount has decelerated in the past year, it is still on par with the growth of other organizational roles. This scenario is, however, complicated by a high attrition rate in cybersecurity positions, posing significant challenges for companies seeking to establish stable and effective cybersecurity teams. Finally, the demand for cybersecurity professionals remains strong: while job postings for cybersecurity jobs peaked in 2022, they still remain significantly higher than pre-pandemic levels.

[1] https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf

[2] https://www.ibm.com/reports/data-breach

KEY FINDINGS

In recent years, the growth rate of the US cybersecurity workforce has shown a noticeable deceleration, shifting from a robust expansion exceeding 5% pre-pandemic to a more modest growth rate of around 2% as of January 2024. This decline in growth is not entirely surprising, as it reflects a natural progression after a period of intensive capacity building within the cybersecurity profession. Throughout the previous decade (2010-2020), there was a surge in growth as organizations actively constructed their cybersecurity infrastructure and expanded their cybersecurity teams. During this period, hiring rates consistently exceeded 20%, indicating a rapid buildup of cybersecurity capabilities. However, as the profession matured and organizations reached a level of cybersecurity maturity, the need for exponential growth diminished. While hiring remains steady, it is now tapering off, which contributes to the overall slowdown in growth. Notably, despite sustained hiring efforts, attrition rates in the cybersecurity sector remain persistently high and have not decelerated at the same pace as hiring. This sustained attrition underscores ongoing challenges in talent retention within the cybersecurity field.

Delving deeper into the issue of attrition, it becomes evident that cybersecurity positions are experiencing significantly elevated attrition rates compared to other job sectors. The difference is striking, with attrition rates in cybersecurity nearly 8 percentage points higher than in other industries. While growth in cybersecurity roles has now aligned with other job sectors, both hiring and attrition rates persist at markedly higher levels. This discrepancy raises concerns regarding the sustainability of cybersecurity workforce management and points to potential organizational vulnerabilities.

The examination of salary trends among cybersecurity professionals offers a nuanced perspective on the factors contributing to the sector’s heightened attrition rate. On the one hand, salary growth for cybersecurity professionals has failed to keep up with the sustained post-Covid inflation, resulting in a 4.1% loss in real salary relative to January 2019. On the other hand, cybersecurity professionals still earn 4.3% more than counterparts with comparable roles and industries, averaging a salary of 120,000 USD per year. This mixed picture suggests that other factors, such as job satisfaction, career advancement opportunities, or workplace culture, may also be driving attrition in the field. Understanding these underlying factors is crucial for organizations seeking to address attrition challenges and foster a more stable and resilient cybersecurity workforce.

While growth of cybersecurity headcount has experienced a slowdown, the same does not seem to happen with demand, which remains strong across the board. The number of job postings for cybersecurity professionals at major US companies reached its peak in 2022, likely reflecting efforts to compensate for previous growth declines during the pandemic. Remarkably, as of January 2024, demand for cybersecurity professionals remains resilient, standing at 20% higher than pre-pandemic levels. This sustained demand underscores the critical role of cybersecurity in today’s digital landscape and highlights the ongoing need for skilled professionals to safeguard organizations against evolving threats.

Finally, despite notable improvements over the past year, the median time to fill cybersecurity job postings still exceeds that of other positions. The median time to fill cybersecurity positions stands at 28 days, compared to 25 days of other job postings. While this gap has narrowed relative to 2022 – when median time to fill stood at 35 for cybersecurity jobs and 29 for other jobs – it underscores the persistent challenges faced by organizations in recruiting and retaining cybersecurity talent. Addressing these challenges requires concerted efforts from both public and private sectors to enhance workforce development, streamline recruitment processes, and create an environment conducive to long-term career growth and retention within the cybersecurity field.

CONCLUSIONS

In the face of an increasingly complex cybersecurity environment, the US cybersecurity workforce continues to grow, albeit at a slower pace than in previous years. After a post-pandemic peak, demand for cybersecurity personnel has also slowed down, but remains well above pre-pandemic levels. Overall, trends in headcount and demand align with the natural progression of a maturing profession.

Despite this, some challenges remain. While in 2023 the median time to fill for cybersecurity jobs has decreased relative to 2022, it still remains higher than time to fill for other positions. Additionally, while salaries of cybersecurity employees are on average higher than those of other comparable employees, salary growth in the sector has failed to keep up with inflation, leading to a 4% loss in real salary since 2019. Most concerningly, the cybersecurity profession displays an above average attrition rate, which is almost 8 pp higher than that of other employees. Employee turnover poses a significant threat to the stability and effectiveness of cybersecurity teams within organizations. Addressing these challenges will be crucial in ensuring the resilience and longevity of cybersecurity efforts in the digital age.

METHODOLOGY

Headcount and salary

Our headcount and salary data is powered by Revelio Labs, a workforce intelligence company. Revelio Labs absorbs and standardizes hundreds of millions of publicly available employment records to create the world’s first universal HR database, allowing anyone to see the workforce dynamics and trends of any organization or industry.

Cybersecurity positions are identified using job titles and roles descriptions in the Revelio database. Headcount and salary are then estimated using Revelio’s proprietary methodology.

Job Postings

Job postings data is powered by Revelio Labs. Our main sample includes company websites job postings for 10,000 major public and private companies. Cybersecurity job postings are identified using job titles and the full text of each job ad.

Further information on Revelio’s data and methodology is available in their data dictionary.

Talk to an
Expert

Fill out the form below, and we will be in touch shortly.
Contact Information
Reason of Inquiry
How can We Help?

Please do not include confidential or sensitive information in your message. In the event that we are representing a party with opposing interests to your own, we may have a duty to disclose any information you provide to our client.
Preferred Date and Time Selection