The case for cybersecurity as a career in 2026 is, in most respects, stronger than it has ever been. ISC2's 2024 Cybersecurity Workforce Study estimates a global workforce gap of approximately 3.5 million unfilled positions. The US Bureau of Labor Statistics projects 32% employment growth for information security analysts from 2022 to 2032 -- far exceeding the 15% average across all occupations and significantly outpacing most other technology roles. Median salaries exceed $120,000 nationally, with specialist and senior roles well above that. The regulatory environment is tightening globally, creating structural compliance-driven demand that persists regardless of economic conditions. The threat landscape is worsening, not improving. By almost every conventional metric, cybersecurity is an excellent career choice.
But the conventional metrics do not capture the full picture. The 3.5 million gap is real, but so is the paradox that many entry-level professionals struggle to find their first role despite the supposed talent shortage. The high salaries are real, but so is the burnout problem that ends many cybersecurity careers earlier than expected. The variety of specialisations is a strength, but navigating that variety without a clear map leads to years of misdirected credential accumulation. And the persistent skills gap -- the fact that despite enormous interest in the field, qualified candidates remain scarce -- deserves more honest examination than it usually receives.
This article provides the balanced assessment that the field deserves in 2026: the genuine strengths of a cybersecurity career, an honest account of the structural problems that make entry harder than headlines suggest, the hottest specialisations by demand and compensation, and the real downsides that professionals already in the field know well.
"We have a workforce problem in cybersecurity, but it is not primarily a numbers problem. It is a skills and structure problem. There are many people who want to work in cybersecurity and cannot find a role, and many organisations that claim they cannot find qualified candidates. Both things are true simultaneously, and that tells you something important about the hiring process." -- Clar Rosso, CEO, ISC2, 2024 Workforce Study Commentary
Key Definitions
Workforce Gap: The difference between the number of cybersecurity professionals needed and the number currently employed globally. ISC2 estimated this at 3.5 million in 2024. The gap represents unmet demand rather than simply unfilled job postings.
Skills Gap: The mismatch between the skills that entry-level cybersecurity candidates actually possess and the skills that employers require. The workforce gap and skills gap coexist -- there are both unfilled positions and underqualified candidates who cannot fill them.
NIS2 (Network and Information Security Directive 2): The EU's updated cybersecurity framework, effective October 2024, that expands mandatory cybersecurity requirements to thousands of organisations across 18 critical sectors. Creates direct compliance-driven hiring demand across Europe.
OT/ICS Security: Operational Technology and Industrial Control Systems security -- protecting manufacturing equipment, power grids, water treatment, and critical infrastructure from cyber attacks. One of the most in-demand and underpopulated specialisations.
SEC Cybersecurity Disclosure Rules: Regulations effective December 2023 requiring US public companies to disclose material cybersecurity incidents within four business days and to include cybersecurity risk management descriptions in annual filings. Creates sustained demand for CISOs and GRC professionals at public companies.
The Job Market in Numbers
| Metric | Figure | Source |
|---|---|---|
| Global workforce gap | ~3.5 million unfilled positions | ISC2 Workforce Study 2024 |
| US active cybersecurity job openings | ~470,000 at any given time | CyberSeek 2024 |
| Projected US employment growth (2022-2032) | 32% | Bureau of Labor Statistics |
| US median salary (information security analyst) | $120,360 | BLS Occupational Outlook 2024 |
| Cloud security architect typical salary | $160,000-$200,000+ | LinkedIn Salary Data 2024 |
| OT/ICS security specialist typical salary | $130,000-$180,000 | CyberSeek / Lightcast 2024 |
| AppSec engineer typical salary | $140,000-$175,000 | Levels.fyi / ISACA 2024 |
| Year-over-year growth in job postings (2023) | +18% | LinkedIn Workforce Report 2024 |
| Professionals spending personal time maintaining skills | 61% | ISC2 2023 Survey |
The Real Size of the Opportunity
The 3.5 million unfilled positions figure deserves context before it is used as a career planning input. ISC2 derives this estimate from surveying organisations about their ideal staffing versus actual staffing -- it represents what organisations say they want, not what they are actively recruiting for with funded headcount.
The more operationally useful data points are job posting volumes and hiring velocity:
LinkedIn's 2024 Workforce Report found cybersecurity job postings increased 18% year-over-year through 2023, making it one of the fastest-growing technology job categories by posting volume. In comparison, software engineering postings declined 8% over the same period as post-pandemic tech sector rightsizing affected engineering hiring at large companies.
CyberSeek tracks real job postings in the US cybersecurity field. Their 2024 data shows approximately 470,000 active cybersecurity job openings in the US at any given time, with the supply of qualified workers to fill those roles running at roughly 72% -- meaning about 130,000 perpetually unfilled positions in the US alone.
The disconnect between the 3.5 million global figure and the roughly 130,000 unfilled US openings illustrates the difference between latent demand (organisations that would hire if qualified candidates existed) and funded demand (positions with approved headcount). Both are real, but only funded demand results in job offers.
The regulatory tailwind is structural and growing. NIS2 in the EU mandates cybersecurity governance across 18 critical sectors including energy, transportation, healthcare, and financial services, effective October 2024. The SEC's disclosure rules, DORA (Digital Operational Resilience Act) for financial services in the EU, and HIPAA enforcement intensification in healthcare all create compliance-driven demand that does not evaporate during economic downturns. Organisations can defer discretionary technology spending; they cannot defer regulatory compliance.
Why the Skills Gap Persists
The persistence of the skills gap despite high interest in the field and substantial investment in certification programmes deserves direct examination.
The catch-22 of entry-level requirements: Job postings for 'entry-level' cybersecurity roles routinely list 2-5 years of experience, relevant certifications (Security+, CySA+), and specific tool experience (Splunk, CrowdStrike). These requirements evolved partly from genuine capability needs (security mistakes have immediate consequences), partly from defensive HR practices (hiring managers filtering risk), and partly from the absence of structured apprenticeship pathways. The result is a hiring market that simultaneously says the talent pool is insufficient and rejects candidates who lack experience they can only get from being hired.
Certification accumulation without practical skill: The cybersecurity education market generates over $10 billion annually, much of it from certification programmes that test knowledge without validating practical competence. Candidates accumulating certifications without hands-on lab work, CTF (Capture the Flag) participation, or real-world projects often fail to demonstrate the applied skill employers need.
Underinvestment in junior development: Organisations that claim they cannot find experienced security talent often have not invested in growing their own junior talent. The companies that do invest in structured entry-level programmes (government agencies, large financial institutions, major MSSPs) consistently succeed in filling their pipelines. The gap is partly a self-fulfilling prophecy of insufficient junior investment.
The Hottest Specialisations in 2026
Demand is not evenly distributed across cybersecurity. The highest-demand and highest-compensation specialisations in 2026:
Cloud Security
Every major cloud migration creates new security architecture requirements. The shortage of professionals who combine deep AWS, Azure, or GCP knowledge with security expertise is severe. Cloud security architects consistently command $160,000-$200,000+ and face minimal competition from unqualified candidates because the technical bar is genuinely high. The growth trajectory is strong: cloud adoption continues to expand and the security function expands proportionally.
Relevant credentials: AWS Certified Security Specialty, Google Professional Cloud Security Engineer, Microsoft Azure Security Engineer, CCSP (Certified Cloud Security Professional). The most effective preparation combines certification with hands-on lab work in cloud environments -- theory alone does not produce hirable cloud security engineers.
AI Security
Securing AI systems, defending against AI-powered attacks, and implementing AI governance are all nascent fields with rapidly growing demand. Supply of qualified professionals is essentially zero at present -- the field is too new for an established talent pool. This creates unusual opportunity for professionals who develop AI security skills now, before the credential ecosystem catches up.
The AI security role is currently being built by practitioners who combine traditional security skills (threat modelling, red teaming, vulnerability research) with enough AI/ML knowledge to understand model architecture, training data risks, and inference-time attacks. No standardised credential pathway exists yet; demonstrated practical work is the differentiator.
OT/ICS Security (Industrial Control Systems)
Critical infrastructure protection has become a national security priority in the US, EU, and UK following a series of high-profile incidents (Colonial Pipeline 2021, attacks on European water utilities 2023, Volt Typhoon activity in US critical infrastructure 2024). OT/ICS security requires rare combinations of traditional IT security knowledge and operational technology expertise -- understanding PLCs, SCADA systems, and industrial network protocols alongside conventional cybersecurity skills.
Professionals with this combination command $130,000-$180,000 and face virtually no competition from qualified candidates when hiring. The GICSP (Global Industrial Cyber Security Professional) certification from GIAC is the primary recognised credential. The supply shortage is severe enough that even candidates with partial OT/ICS backgrounds are competitive for roles.
Identity and Access Management (IAM)
Identity is the new perimeter. 80%+ of breaches involve compromised credentials (Verizon DBIR 2024). IAM engineers and architects who can design and implement Zero Trust architectures, manage Privileged Access Management (PAM) systems, and secure Active Directory and cloud IAM are in sustained high demand. Roles at specialised IAM vendors and large enterprises pay $130,000-$170,000.
The IAM specialisation is accessible to professionals with IT or systems administration backgrounds who develop targeted security skills. The transition from Active Directory administration to IAM security is a well-established path.
Application Security (AppSec)
Every software-building organisation needs application security capabilities. The shortage of AppSec engineers who can genuinely review code, understand vulnerability classes at the code level, and work effectively with development teams is one of the largest skills gaps within security. Salaries of $140,000-$175,000 are standard, with some senior AppSec engineers commanding $200,000+ at large technology companies.
The AppSec path is particularly accessible for software developers who pivot into security -- they bring the programming knowledge that pure security professionals often lack, and the security skills can be built through structured study and certification (GWEB, OSCP for web application testing).
Governance, Risk, and Compliance (GRC)
The regulatory expansion driven by NIS2, SEC rules, DORA, and HIPAA enforcement creates sustained demand for professionals who understand cybersecurity risk management frameworks and regulatory requirements. GRC roles pay $100,000-$150,000 at mid-career and are more accessible to non-technical professionals who build regulatory and framework knowledge.
The downside -- discussed in the honest downsides section below -- is compliance fatigue and the risk of performing security theatre rather than genuine risk reduction.
The Honest Downsides
On-Call and Shift Work
Anyone considering a SOC analyst, incident response, or security engineering role should understand what on-call and shift coverage actually means in practice. 24/7 SOC environments operate on rotating shifts including nights, weekends, and holidays. Incident response roles carry on-call responsibilities where a major breach at 2am on a Saturday requires immediate, sustained engagement.
The impact on personal life is real and frequently underdiscussed in cybersecurity career content. Shift rotation disrupts sleep, social calendars, and family logistics. Recovery from a major incident response engagement takes days. Professionals who enter the field expecting predictable business hours and discover the operational reality often leave within 12-24 months.
Compliance Fatigue
GRC and compliance-heavy roles carry a specific burnout risk: the sensation of performing security theatre rather than genuine risk reduction. When compliance with frameworks becomes an end in itself -- producing documentation and audit artefacts that satisfy requirements without improving actual security -- skilled professionals find the work intellectually demoralising. This is most acute in large regulated organisations where security spending is dominated by compliance activities rather than capability investment.
The Perpetual Skills Treadmill
Cybersecurity changes faster than almost any other technical field. New attack techniques, new platforms, new tooling, new regulatory requirements, and new threat actors emerge continuously. The skills you develop today will require refreshing within 3-5 years.
ISC2's 2023 survey found that 61% of cybersecurity professionals spend personal time (outside of work hours) maintaining technical skills, compared to 38% of IT professionals generally. The field effectively requires ongoing personal investment as a condition of career sustainability. This is not a temporary condition for new entrants -- it is a permanent feature of the profession.
Imposter Syndrome and Breadth Anxiety
The cybersecurity field is so broad that no individual can genuinely master all of it. Experienced professionals regularly encounter domains where colleagues have deep expertise they lack. This creates persistent imposter syndrome even at senior levels -- the feeling that you do not know enough, that the specialist in the next role over is more qualified, that the field's breadth makes genuine mastery impossible.
This is a structural feature of the discipline, not a personal failure, but it is experienced personally. Professionals who need to feel comprehensively expert across their entire field will find cybersecurity persistently uncomfortable.
The Psychological Weight of the Adversarial Environment
Working in defence against motivated, creative, well-funded adversaries -- and occasionally losing -- carries psychological weight that most careers do not impose. Security professionals who respond to data breaches, ransomware deployments, and infrastructure attacks are dealing with genuine crises that affect real people and organisations. The inability to prevent every incident, combined with the public scrutiny that major breaches attract, creates stress that is qualitatively different from typical engineering work.
The mental health findings in ISC2's 2023 Workforce Study show that cybersecurity professionals reported significantly higher rates of stress and burnout than the general technology workforce, with incident response professionals showing the highest rates of work-related psychological strain.
Entry Paths That Work in 2026
The entry barrier that stops many aspiring cybersecurity professionals is real, but there are paths through it:
Hands-on lab work: Platforms including TryHackMe, HackTheBox, PentesterLab, and LetsDefend provide practical environments for developing verifiable skills. Completing and documenting lab work creates a portfolio of applied competence that distinguishes candidates from those who only hold certifications.
Home lab and CTF participation: Building a home lab environment -- a small network of virtual machines to practice offensive and defensive techniques -- demonstrates genuine commitment and technical engagement. CTF (Capture the Flag) competition participation provides real problem-solving experience that resonates with technical hiring managers.
Adjacent IT roles as a bridge: Helpdesk, systems administration, network administration, and IT operations roles build the foundational technical knowledge that cybersecurity roles require. The transition from IT operations to security is more manageable than transitioning from a non-technical career directly to security.
Government and MSSP programmes: The US federal government, CISA, and major Managed Security Service Providers (MSSPs) run structured entry-level programmes explicitly designed to develop junior talent. These pathways do not require prior security experience and provide the structured environment that direct private sector hiring often lacks.
The Bottom Line for 2026
Cybersecurity is a good career in 2026 for people who go in with clear eyes about both the opportunity and the demands. The employment outlook is genuinely strong, the compensation is competitive, the variety of specialisation paths accommodates a wide range of working styles, and the work is meaningful in a way that few professions match.
The field is not, however, a guaranteed or easy path. The entry barrier is real. The burnout risk in operational roles is significant. The skills treadmill is a permanent feature. And the gap between 'I have a Security+ certification' and 'I am genuinely competitive for cybersecurity jobs' remains wide enough that candidates who do not close it with hands-on practice are going to struggle regardless of certification count.
The professionals who thrive long-term embrace the adversarial nature of the field as interesting rather than exhausting, invest consistently in skills development as a professional norm rather than a temporary catch-up measure, and choose specialisations that match their working style as well as their technical interests.
References
- ISC2. (2024). Cybersecurity Workforce Study 2024. isc2.org/research/workforce-study
- US Bureau of Labor Statistics. (2024). Occupational Outlook: Information Security Analysts. bls.gov/ooh
- CyberSeek. (2024). Cybersecurity Supply/Demand Heat Map 2024. cyberseek.org
- Verizon. (2024). Data Breach Investigations Report 2024. verizon.com/business/resources/reports/dbir
- LinkedIn. (2024). Workforce Report: Cybersecurity Jobs 2024. linkedin.com/pulse
- CompTIA. (2024). State of the Tech Workforce 2024. comptia.org
- EU. (2022). NIS2 Directive (Directive 2022/2555). eur-lex.europa.eu
- EU. (2022). Digital Operational Resilience Act (DORA). eur-lex.europa.eu
- SEC. (2023). Cybersecurity Risk Management Final Rules, July 2023. sec.gov
- ISACA. (2024). State of Cybersecurity 2024. isaca.org
- CISA. (2024). Critical Infrastructure Security: Key Sectors. cisa.gov/topics/critical-infrastructure-security
- ISC2. (2023). Cybersecurity Workforce Study 2023: Mental Health and Burnout Findings. isc2.org/research
Frequently Asked Questions
How many cybersecurity jobs are unfilled globally?
ISC2's 2024 study estimates a global workforce gap of approximately 3.5 million unfilled positions. The US alone has around 470,000 active job openings at any given time, with qualified supply covering only about 72% of funded demand.
Why does the cybersecurity skills gap persist despite high interest?
Most entry-level postings require 2-5 years of experience, creating a catch-22 for newcomers. Certification accumulation without hands-on lab work produces candidates who cannot demonstrate applied competence, while many organisations refuse to invest in developing junior talent.
What are the hottest cybersecurity specialisations in 2026?
Cloud security, AI security, OT/ICS security, application security (AppSec), and identity and access management (IAM) are the highest-demand and highest-compensation specialisations. Threat intelligence and DFIR remain perennially in demand.
What are the downsides of a cybersecurity career?
On-call rotations and night shifts in SOC/incident response roles, compliance fatigue in GRC functions, the perpetual skills treadmill requiring ongoing personal study, and the psychological weight of working against persistent motivated adversaries.
Is cybersecurity a stable career long-term?
Yes -- it is among the most stable tech career paths. Regulatory expansion (NIS2, SEC disclosure rules, DORA) and a worsening threat landscape create structural demand that does not evaporate during economic downturns the way discretionary tech spending does.