The security workforce cannot keep up with the threat. The global gap reached a record 4.8 million unfilled roles, and the United States alone carries about 470,000 open positions. The shortage has also changed shape, moving from a pure headcount gap toward a skills gap, with almost six in ten practitioners reporting critical shortfalls in areas such as AI security and operational-technology defence.
This report treats the roles as the unit of analysis. It profiles each designation, sets demand against supply, benchmarks pay across the United States, Germany and the United Kingdom, shows where the openings concentrate, and names the employers hiring the most.
Security work splits into three layers: the defensive roles that detect and respond, the offensive roles that test and secure, and the governance and operational-technology roles that manage risk and protect the plant floor. The newest scarcity sits in operational-technology security.
The SOC analyst is the largest single role by volume, at roughly 28 percent of postings, and the main entry route into the field. The scarcity sits above it, in the security engineers, cloud-security specialists and architects who need years of experience that the pipeline cannot produce quickly.
Supply is growing fast but from behind. The US Bureau of Labor Statistics projects 29 percent growth for information-security analysts through 2034, about seven times the average across all jobs, yet the gap persists because demand for experienced and specialist skills grows faster than the mid-level pipeline can mature.
US pay leads across the board. A security engineer earns around USD 135,000 at median base and a security architect around USD 158,000, while a chief information security officer clears USD 240,000. Germany pays strongly for architects and operational-technology specialists as NIS2 compliance drives demand, and the United Kingdom sits below both for most roles.
The table sets year-over-year demand and median base pay for each designation across the three markets, so an offer can be calibrated by role and country.
| Role | Demand, YoY | US median | Germany median | UK median |
|---|---|---|---|---|
| CISO | +12% | $240,000 | €150,000 | £125,000 |
| Security Architect | +15% | $158,000 | €105,000 | £85,000 |
| Security Engineer | +20% | $135,000 | €80,000 | £65,000 |
| OT / ICS Security Engineer | +18% | $130,000 | €88,000 | £70,000 |
| Penetration Tester | +14% | $120,000 | €78,000 | £60,000 |
| Incident Responder | +16% | $110,000 | €75,000 | £60,000 |
| GRC / Compliance Analyst | +14% | $100,000 | €72,000 | £55,000 |
| SOC Analyst | +12% | $90,000 | €62,000 | £42,000 |
Median base pay, mid-level, in local currency. US figures anchored to CyberSeek and BLS; Germany and UK to regional recruiter benchmarks. Operational-technology security carries a premium as IT and OT converge. Demand is the Talenbrium year-over-year posting change. Source: Talenbrium posting intelligence and compensation model; CyberSeek; US Bureau of Labor Statistics; European recruiter benchmarks 2025-2026
The steepest growth is in energy and utilities, where critical-infrastructure rules and the convergence of information and operational technology have made control-system security a board-level concern. Technology and managed security providers follow, then finance, healthcare and manufacturing.
The push is toward operational-technology and AI security, the two areas the 2025 workforce study flags as the hardest to staff. Both ask for a rare mix of security depth and domain knowledge that few candidates hold.
Hiring concentrates in the public sector and the largest cloud and advisory firms. Government, defence and intelligence agencies are the single largest source of security roles, followed by cloud providers such as Amazon, the federal contractors, the Big Four advisory firms running managed security services, and the product-security teams at Microsoft and Google.
For a private employer outside this group, the implication is clear. The largest security hirers offer clearances, mission and scale, so a commercial firm competes on the interest of the work, on flexibility and on speed.
The United States runs the deepest security workforce at about 1.46 million, yet still carries 470,000 open roles. Europe holds around 1.3 million, with the United Kingdom near 367,000 and Germany above 200,000 and rising fast as NIS2 obligations take effect. Against these totals the global gap stands at 4.8 million unfilled roles.
Depth does not remove scarcity. A large workforce still competes for the same senior and specialist skills, so even the deepest markets report long time-to-fill for architects, cloud-security and operational-technology roles.
Three forces hold the security shortage in place. The threat surface keeps expanding with cloud, AI and connected devices, which lifts demand faster than the workforce grows. The required skills are shifting toward AI security and specialist domains that few candidates yet hold. And the convergence of information and operational technology has opened a new front on the plant floor that the traditional pipeline was never built to fill. None of these eases inside a hiring cycle.
The report turns the role-level pattern into a security hiring and reskilling plan across the United States, Germany and the United Kingdom.
Year-over-year demand and median pay for every security designation across the US, Germany and the UK.
Median and senior pay by role in USD, EUR and GBP, including the specialist premium.
Full employer league table of who hires the most, by role and market.
Country and metro talent depth mapped to competition and pay.
Shortest reskilling routes into each role, with cost and duration.
Cost comparison of hiring, contracting and internal reskilling by role.
Projected demand and time-to-fill by role, from live pipeline data.
Every exhibit supplied as an Excel workbook.
The report is built on Talenbrium's four-layer data method: real-time job-posting intelligence, a proprietary skills taxonomy of more than 8,000 skills, employer hiring tracking, and a quarterly Workforce Pulse Survey, triangulated against external benchmarks. Role demand comes from posting analysis. Pay is drawn from posted and surveyed compensation and market salary data, and is reported at median and at the 90th percentile.
Purchase directly, enquire first, or tailor the study to your market, role, geography, or benchmark needs.