Security pros are seeing the threat of layoffs and budget cuts leveling off after a rough 2023 and 2024, but cybersecurity budgets remain tight and are fueling staff shortages, which is heightening the risk to their organizations of data breaches.
Such conditions are also driving job stress and burnout among overwhelmed security professionals, who, despite the challenges, are overall satisfied with – and passionate about – jobs that they believe are important and will always be needed, according to the
International Information System Security Certification Consortium (ISC2)
2025 Cybersecurity Workforce Study released this month.
The combination of job stress, strained budget resources, and staff shortages highlights the growing opportunity for MSSPs and MSPs, which are already providing all or some security functions to a growing number of clients and transforming from delivering technology to being a trusted security adviser.
Kevin McGrail, cloud fellow and principal evangelist with
Google Cloud security partner
DitoWeb, told MSSP Alert, “MSSPs are well aligned to bring best-of-breed solutions and scale of economies because, for example, not every company can set up a SOC [security operations center] even if they should have one."
According to the ISC2 report, the top concern of cybersecurity professionals shifted this year from staffing levels to skills shortages, which can increase the security risks to organizations and challenge their resilience. Almost 90% of survey respondents said their organization sustained at least one significant cybersecurity incident due to a shortage of skills, with 69% experiencing more than one.
Budget and Job Cuts Slow
About 95% said they have at least one skill need, and 59% pointed to critical or significant skill needs, both increased from last year’s results. Meanwhile, 36% of respondents reported budget cuts at their organizations, and 24% said there were layoffs, both a drop of 1% compared with 2024. Hiring and promotions freezes also essentially remained flat.
“The ability to operate an effective cybersecurity program is reliant on two primary assets: skills and qualified people,” the report’s authors wrote. “Traditionally, we have reported cybersecurity professionals’ view that the shortage of qualified people in the field was the most prominent factor impacting their ability to effectively defend their organizations. This outlook seems to be evolving as respondents to the 2025 study have highlighted that the need for critical skills within the workforce is outweighing the need to increase headcount.”
That shift from staff levels to skill shortages, with AI skill noted by 41% as being most pressing, followed by cloud security, risk assessment, and application security, according to the survey. ISC2 is working to bolster such skills, most recently
announcing its Cloud Security Architecture Strategy Certificate to help cybersecurity pros develop strategies for creating and managing secure cloud environments.
The Job is Important, Stressful
The report also found that cybersecurity pros tend to see their jobs as important (87%) and that the profession will remain strong (81%). In addition, 68% are satisfied with the job, and 80% say they’re passionate about it. Three-quarters said they’re likely to stay with their current organization over the next year, and 66% said they’d do so over two years.
That said, the job isn’t easy. According to the survey, 48% of respondents said they feel exhausted from trying to keep up with the latest threats and emerging technologies, and 47% are overwhelmed by the workload.
Burnout a Danger
The results echo what other studies have found. According to a study by
Fusion Cyber, an AI-powered cyber training and career-development firm, about 90% of professionals cite
unsustainable workloads as the top source of burnout, followed by expectations and a lack of adequate resources and support.
“Cyber is hard,” DitoWeb’s McGrail said. “It is stressful. It takes people with good compensatory techniques. For example, I start every cyber meeting with a ‘dad joke’ because the rest of the meeting is usually discussing bad things, bad people, and general badness.”
Recent studies have also found that
such stressors can
reach all the way to the CISO’s office.
AI is the Top Skill Need
As with every other part of IT and business, AI is making its presence felt, with security pros “taking a pragmatic approach,” the authors wrote. “Security professionals are optimistic about AI and its short- and longer-term implications for them. Rather than replacing jobs, cybersecurity personnel expect roles to emerge and evolve in order to manage this new, increasingly complex landscape.”
They’re prioritizing the development and qualification of AI skills, they wrote. About 28% have integrated AI tools into their operations, and 69% are in the process of adopting the technology through integration, testing, or early evaluation. They also feel AI will create a need for new skills and perspectives.
It makes sense, McGrail said.
“AI is a blessing and a curse, but most of all, it's a reality,” he said. “Start honing your ‘Prompt-Fu,’ which is how you interact with AI, similar to how you honed your ‘Google-Fu’ ... to learn how to search when Google started some 25 years ago. You need new skills and new thinking in the AI age.”
