There are 4.8 million unfilled cybersecurity roles globally, spanning every sector, every geography, and every level of seniority from junior SOC analysts to Chief Information Security Officers, that organisations cannot fill because the professionals qualified to occupy them do not exist in sufficient numbers.
In almost any other context, a supply shortage of this magnitude would be a crisis. In the context of your career, if you are reading this as someone considering entering cybersecurity or accelerating within it, it is an opportunity of a kind that most professional fields will never offer you.
The skills gap is not a problem for candidates. It is the fastest, best-evidenced route into a £90,000-plus role that exists in the current labour market — and unlike most routes to that salary level, it does not require a decade of seniority or a postgraduate credential from a prestigious institution. It requires the right skills, demonstrated in the right way, to employers who are already primed to hire on capability rather than pedigree.
Here is how that works, and what it means for your next move.
Why the Shortage Is Real and Why It Will Not Resolve Quickly
Before laying out the opportunity, it is worth understanding why the shortage exists — because the reasons are structural, not cyclical, and understanding them tells you exactly what employers are looking for and why they have become so willing to hire without traditional gatekeeping credentials.
Demand has outpaced supply for a specific reason: the threat landscape has expanded faster than the talent pipeline could possibly keep up with. Every organisation that moved to the cloud, adopted SaaS platforms, connected operational technology to IT networks, or accelerated digital transformation during and after the pandemic simultaneously increased its attack surface. The number of potential entry points for malicious actors — misconfigured cloud storage, unpatched APIs, compromised supply chain vendors, phishing-vulnerable remote workers — has grown by orders of magnitude faster than the number of professionals trained to defend them.
Simultaneously, the regulatory environment has sharpened. DORA — the Digital Operational Resilience Act — took effect across EU financial services in January 2025, creating mandatory requirements for penetration testing, incident response planning, and third-party risk management that organisations cannot meet without qualified security professionals. The UK’s Cyber Resilience Act, NIS2 across European critical infrastructure, and SEC cybersecurity disclosure rules in the United States have all added compliance-driven demand to the existing operational demand. Organisations are not hiring security professionals because they want to. In many cases, they are hiring because the alternative is regulatory breach.
Supply has not kept pace because the discipline evolves too quickly for traditional education systems to track. A computer science degree provides foundational value, but the specific tooling, attack vectors, and defensive frameworks that matter in a Security Operations Centre in 2026 were not the ones that mattered in 2022. The practitioner knowledge that employers need is current, hands-on, and practical — and it is built through doing, through lab environments, through certifications designed by practitioners, and through exposure to real threat activity. This is knowledge that formal degree programmes struggle to deliver at the pace the field demands.
The result is a hiring market that has, out of necessity, become radically skills-first.
What Skills-First Hiring Actually Means in Cybersecurity
Skills-first hiring in cybersecurity means employers now prioritise demonstrated technical capability over degrees and years of experience, because traditional signals have proven unreliable predictors of performance.
Hiring leaders in 2026 regularly see candidates with strong academic backgrounds who cannot complete basic penetration testing, alongside candidates from unconventional paths who can. As a result, they assess ability directly rather than inferring it from education or job titles.
In practice, this shift shows up in three key ways:
Certifications now carry real hiring weight. Unlike many industries where certifications are secondary, in cybersecurity they often function as primary filters. Security+ is widely used for entry-level roles, while CEH and OSCP signal offensive capability. CISSP is a senior-level benchmark for security leadership. Employers understand these signals and actively screen for them.
Portfolios often matter more than CVs. Hiring managers want evidence of practical work: CTF results, bug bounty activity, GitHub labs, TryHackMe or Hack The Box profiles, and vulnerability disclosures. These demonstrate real-world capability and motivation in ways qualifications alone cannot.
Specialisation accelerates career progression. Cybersecurity spans multiple disciplines — including cloud security, penetration testing, SOC operations, forensics, incident response, GRC, application security, and OT/ICS security. Candidates who specialise early and build depth in one area progress faster and tend to reach higher salaries than generalists.
The Salary Architecture: Where £90K Lives and How to Get There
The £90,000+ threshold is not limited to senior roles in cybersecurity. For the right specialisms and locations, it is achievable at mid-career level — and in some cases earlier. Understanding this salary structure is key to progressing deliberately rather than opportunistically.
Entry level (0–2 years, relevant certifications): £35,000–£55,000
Junior SOC analysts, penetration testers, and GRC assistants in London and other major UK cities typically start here. Pay sits lower in structured graduate programmes and higher where employers need immediate operational capability backed by certifications.
Mid-level (3–6 years, specialism established): £55,000–£85,000
This is where salary growth accelerates for specialists. A penetration tester with OSCP and consulting experience typically sits in the upper range. Cloud security engineers with AWS or Azure security certifications and regulated industry experience earn similarly. GRC professionals with CISM or CRISC credentials often reach the top end in finance, insurance, and healthcare.
Senior and specialist (6+ years, or accelerated via niche expertise): £85,000–£130,000+
Security architects, senior penetration testers, OT/ICS specialists, and incident response leads routinely exceed £90,000 in the UK. The highest-paid areas in 2026 include cloud security architecture, industrial/OT security driven by critical infrastructure regulation, and emerging AI security roles focused on protecting machine learning systems.
CISO and leadership: £150,000–£250,000+
CISO roles remain constrained by experience requirements, combining technical depth, executive communication, and regulatory responsibility. This makes them one of the most undersupplied roles in the market.
Overall trajectory
Reaching £90,000+ within 5–7 years is realistic for candidates who specialise early, earn relevant certifications, and target high-demand sectors. In offensive security and cloud security, this timeline can be even shorter.
The Six Specialisms With the Strongest Hiring Markets in 2026
Not all cybersecurity specialisms are equally in demand. The following six combine the strongest shortage levels, salary ceilings, and accessible entry pathways for candidates building or shifting their careers.
1. Cloud Security Engineering
Cloud security faces one of the most acute talent shortages in cybersecurity. Ongoing enterprise cloud migrations across Europe and North America require security expertise embedded from architecture through to operations.
Key tools such as AWS Security Hub, Microsoft Defender for Cloud, and Google Security Command Center are accessible via self-study and vendor certifications. Employers increasingly hire candidates who can demonstrate practical cloud security skills without long enterprise experience.
Entry pathway: AWS Certified Security Specialty or Microsoft SC-100, plus hands-on cloud experience.
Salary (UK entry): £45,000–£55,000 in London.
2. Penetration Testing & Offensive Security
Penetration testing has one of the clearest skill-based entry routes. Candidates can demonstrate capability through CTFs, bug bounty platforms, and certifications such as OSCP and PNPT.
It is also one of the few cybersecurity fields where strong self-taught portfolios can outperform traditional credentials. Demand remains high at every level.
Entry pathway: Security+, then eJPT or CEH; OSCP as the key mid-level benchmark. Active use of TryHackMe, Hack The Box, and bug bounty platforms (HackerOne, Bugcrowd).
3. OT and ICS Security (Operational Technology)
OT security protects industrial systems such as power grids, manufacturing plants, and water infrastructure. It is one of the most undersupplied cybersecurity areas globally.
Regulations such as NIS2 are driving mandatory hiring across energy, utilities, manufacturing, and transport. The field draws talent from both IT security and engineering backgrounds.
Entry pathway: IT security or engineering background; GICSP certification. Strong demand in the UK, Germany, Netherlands, and Nordics.
4. GRC (Governance, Risk & Compliance)
GRC is often underestimated but offers one of the fastest routes to senior salaries for candidates with strong communication and regulatory skills.
Demand is rising due to frameworks like DORA, NIS2, the UK Cyber Resilience Act, and the EU AI Act, all of which require structured risk and compliance expertise.
Entry pathway: CISM or CRISC; ISO 27001 Lead Auditor/Implementer. Legal, audit, and risk backgrounds transition well into this area.
5. Incident Response & Digital Forensics
Incident response is essential in every organisation exposed to cyber threats. When breaches occur, IR teams are responsible for containment, investigation, and remediation.
The role requires both technical skill and the ability to communicate findings clearly to executives and boards.
Entry pathway: GCIH or GCFE certifications; SOC experience is highly beneficial. Strong demand in finance, healthcare, and the public sector.
6. Application Security (AppSec)
AppSec focuses on securing software during development rather than after deployment. As organisations adopt “shift-left” security practices, demand for AppSec specialists has grown significantly.
It sits at the intersection of development and security, making it ideal for developers moving into cybersecurity.
Entry pathway: Development experience preferred; GWEB or CAP certifications. Familiarity with tools like Burp Suite and SAST/DAST pipelines is expected. Coding ability (Python, JavaScript, Go) increases salary potential.
How to Build the Career in 2026: A Practical Sequence
This sequence is not a rigid roadmap. The right path depends on your starting point, available time, and target specialism. It is instead a structured set of decisions that consistently separates candidates who progress quickly from those who remain in entry-level roles longer than necessary.
Step 1: Choose a specialism early
Start by selecting a specialism before focusing on credentials. While broad competence is useful in most careers, in cybersecurity it often slows progression. The market rewards clear, demonstrated capability in a defined area, especially at mid-level where salary increases accelerate.
Choose a direction that matches both your strengths and current demand, then build directly toward it.
Step 2: Gain a foundational certification
For most pathways, CompTIA Security+ is the entry point. It signals baseline knowledge across core domains such as network security, cryptography, incident response, and identity management.
It functions as a hiring threshold for many employers and should generally be completed before moving into specialist certifications.
Step 3: Build a practical portfolio alongside study
Hands-on experience is essential. Time spent on TryHackMe, Hack The Box, or a home lab should translate into visible proof of ability.
Document work on GitHub and use LinkedIn to share learning and projects. This serves two purposes: it provides evidence for employers and reinforces applied learning beyond theory.
Step 4: Earn a specialist certification
Once a direction is chosen, invest in credentials that signal mid-level capability:
- OSCP for offensive security
- AWS or Azure security certifications for cloud roles
- CISM or CRISC for GRC
- GICSP for OT security
These certifications are often the key differentiator for accessing higher-paying roles in shortage areas.
Step 5: Target high-pressure sectors
Focus on industries where regulation and risk drive urgent hiring: financial services, healthcare, critical infrastructure, and defence-adjacent sectors.
These environments tend to offer higher budgets, faster hiring decisions, and greater flexibility on experience when candidates have the right skills and certifications.
Step 6: Negotiate from a position of scarcity
The current cybersecurity talent shortage means strong candidates often receive multiple offers. This shifts negotiation power toward applicants.
Avoid accepting the first offer by default. Understand market rates, compare opportunities, and be transparent about competing interest. In a shortage-driven market, this directly influences final compensation.
The Career You Build in a Shortage Market
There is a quality of career that only becomes available in a genuine talent shortage: the quality of being consistently in demand regardless of economic conditions, of being recruited rather than applying, of having compensation negotiated from strength rather than accepted from necessity.
Cybersecurity in 2026 offers this quality. The 4.8 million vacancy figure will not resolve in the next two years. The regulatory pressure driving demand will intensify. The threat landscape will not become simpler. The organisations dependent on digital infrastructure — which is, increasingly, every organisation — will continue to need qualified professionals to defend it, and will continue to compete for them.
The candidates who enter or accelerate within this field now, who specialise deliberately, who build demonstrable capability rather than waiting for credential accumulation to carry them, and who understand how to navigate a market that is, unusually, working in their favour — these candidates are building something more durable than a well-paying first job.
They are building careers that the market will continue to want for a very long time.
