The Numbers Are Staggering — and Getting Worse

4.8 million. That's how many cybersecurity positions sit unfilled worldwide right now, according to ISC2's 2024 report. That number grew 19% in a single year.

The active global cybersecurity workforce is 5.5 million strong — itself a record high. But the total workforce needed is 10.2 million. The math doesn't work.

In the United States alone, CyberSeek tracks over 470,000 open cybersecurity job listings as of 2025. The U.S. Bureau of Labor Statistics projects 33% employment growth for information security analysts from 2024 to 2034 — roughly seven times faster than average job growth across all occupations. That's approximately 17,300 new openings created every single year.

Median salary for U.S. information security analysts: $120,360, according to BLS 2024 data. These are serious, well-paying careers going unfilled.

AI Is Both the Cause and the Cure — Sort Of

AI is reshaping the problem on both fronts.

According to Fortinet's 2025 Cybersecurity Skills Gap report, 49% of cybersecurity leaders are worried AI will increase the volume and sophistication of cyberattacks. Agentic AI-based attacks — where automated systems probe, adapt, and breach defenses without human direction — are already reshaping the threat landscape, according to Spiceworks reporting on industry experts including Arthur F. Ream III, professor and assistant chair at Bentley University's Computer Information Systems Department.

At the same time, organizations are throwing AI at the defense side. The World Economic Forum reports that 97% of organizations are already using or planning to implement AI-enabled cybersecurity solutions. Companies that extensively use AI in security operations saw a $1.9 million average reduction in cost per breach, per WEF.

AI is a force multiplier for defenders. But it doesn't replace the human judgment required to run those systems, interpret results, and make strategic calls. The New York Times framed this as a jobs growth story. That's accurate, but incomplete.

The Entry-Level Trap

Employers are manufacturing this shortage themselves.

ISC2's 2024 data shows a significant percentage of organizations made zero entry-level cybersecurity hires — exact figures weren't disclosed in the aggregate, but the pattern is consistent and documented. Companies want five years of experience for a job that didn't exist five years ago in its current form.

Matthew Baden, managing director of tech recruitment at The Search Experience, told Spiceworks directly: "If you were advising a young person who wants to work in tech, you'd tell them to look at cybersecurity." The demand is real. But entry-level candidates are being screened out while the same HR departments file complaints about the talent shortage.

Ream III notes that organizations are chasing "precision hires in high-impact areas like cloud and AI security" — mid-to-senior specialists only. Entry-level professionals get left behind.

This is a hiring philosophy problem, not a pipeline problem.

What Companies Actually Need Now

According to Greg Fuller, VP of Skillsoft Codecademy Enterprise, employers in 2026 are prioritizing three things:

1. AI skills — specifically professionals who can use AI-driven threat detection tools AND defend against adversarial AI attacks.
2. Communication and leadership — cross-functional work with non-technical executives demands people who can explain a breach to a board room, not just a server room.
3. Governance and compliance expertise — frameworks like NIST, ISO 27001, and emerging AI governance standards are table stakes now.

Certifications still matter. According to EC-Council and ISC2 2025 data cited by StationX, CISSP holders earn a measurable salary premium over non-certified peers. Not a guarantee — but a real signal to employers.

What Mainstream Media Is Getting Wrong

The New York Times covered this as a feel-good AI jobs story. That framing misses critical context.

Two uncomfortable realities are being overlooked:

First, the federal government and large enterprises are partly responsible for this gap. Bureaucratic clearance requirements, credential inflation, and refusal to build internal training pipelines have kneecapped the entry-level market. Taxpayer-funded agencies can't staff their own cybersecurity desks while adversaries — China first among them — are running state-funded cyber operations at scale.

Second, the AI hype cuts both ways. The same AI tools companies are celebrating as defensive breakthroughs are being weaponized offensively. The Fortinet data makes that clear. Coverage about AI saving cybersecurity must acknowledge AI is also the new attack surface.

The Crisis and What's Next

The cybersecurity talent crisis is real, it's growing, and it's not getting fixed fast enough. The BLS projects 33% job growth through 2034. The gap is nearly 5 million positions and climbing. Meanwhile, companies refuse to hire entry-level candidates and then wonder why they can't find staff.

This isn't a mystery. It's a policy failure dressed up as a market problem.

For young people deciding on a career path — or parents advising them — cybersecurity is one of the few fields where demand is structurally guaranteed for the next decade. The jobs pay well, the work matters, and nobody's figured out how to offshore defending a domestic network.

But if employers don't fix their hiring culture, the shortage will keep growing — and every unfilled position is one more gap a hostile actor can walk through.