There are basically two types of organizations when it comes to cyber risk: those that have suffered a breach and those that will. This warning applies to hospitals as well, as shown by last Sunday’s attack on Hospital Clinic in Barcelona, described as a sophisticated and persistent form of cyber aggression. In a world full of fraud and digital kidnappings, cybersecurity is rising as a critical concern for both public administration and the private sector. Yet the challenge remains: there are not enough qualified experts to meet the demand.
In 2021 Spain counted roughly 149,774 cybersecurity professionals. Yet there was a parallel talent shortage, with ObservaCiber estimating about 24,119 unfilled positions. As a result, the country faced a gap of more than 63,000 specialists, a shortfall expected to exceed 83,000 by 2024. The ISC2 study shows a 23.22% rise in the cybersecurity workforce from 2021 to 2022, but the professional gap widened by 57.5%, underscoring the growing mismatch between supply and demand.
More organizations are hiring information security professionals, yet the pace isn’t matching the speed at which threats evolve. The shortage isn’t only national; the global pool of qualified experts is estimated at around 3.4 million. The situation intensified after geopolitical tensions and conflicts, including Russia’s invasion of Ukraine, which accelerated cyberattacks worldwide. Even so, Spain still ranks as a significant cybersecurity power in the Global Cybersecurity Index 2020 by the ITU, reflecting ongoing regulatory and strategic commitments in telecommunications governance.
Lack of investment?
The persistent lack of personnel may stem from cybersecurity not being treated as a strategic priority by many organizations for years. Demand for cybersecurity skills has risen, but budgets have not always kept pace, notes Miguel López, Spain’s managing director for Barracuda Networks. He explains that slow investment can generate stress within teams when growth does not match needs.
Nevertheless, a shift is underway as digitization becomes central to more businesses. A SecureIT study reveals that 51.3% of Spanish companies intend to boost their investment in protecting systems. And 90% of national firms report having faced some form of cyber threat, highlighting the high exposure across sectors.
Brain drain and opportunity
Industry insiders warn that the talent squeeze is amplified by brain drain. Many cybersecurity professionals seek opportunities outside Spain, driven by higher salaries and better career prospects abroad. Experts like Orejón Forest, CEO of the cyber research firm onBRANDING, point to harsh working conditions and salary gaps that push talent overseas. Miguel López further laments the perceived lack of appreciation for the field’s critical work.
ObservaCiber’s findings indicate that private companies are the primary recruiters of cybersecurity specialists, though public administration also needs more expertise. Salary ranges reflect sector and seniority: private-sector roles typically span from 25,000 to 60,000 euros, while public administration positions can run from 23,000 euros for project technicians to around 90,000 euros for senior managers, depending on the hierarchy and responsibilities.
On a broader scale, the United Nations and other international bodies emphasize cyber resilience as a cornerstone of modern governance. National and regional authorities are increasingly aligning with best practices in risk management, incident response, and workforce development to close the talent gap and strengthen critical infrastructure alike.
As the cyber threat landscape grows more complex, organizations in Canada and the United States face similar dynamics: strong demand for skilled defenders, rising incident costs, and the urgent need for scalable training and retention programs. The cross-border relevance of these insights lies in shared challenges such as talent scarcity, investment prioritization, and the ongoing tension between rapid digitization and robust security culture. Observers recommend a mix of enhanced recruitment, accelerated training pipelines, competitive compensation, and stronger public‑private collaboration to build resilient systems that can withstand evolving threats.
Beyond local markets, the global cybersecurity ecosystem benefits from transparent benchmarking, practical certifications, and a workforce that can adapt to diverse regulatory landscapes. Companies are urged to view cybersecurity not as a cost center but as a strategic asset that protects reputations, enables growth, and sustains trust in digital services. The message is clear: invest now, train continually, and recognize the pivotal role of security professionals in safeguarding critical operations across nations and sectors. In this light, the path forward becomes a shared priority for nations, businesses, and communities alike, underscoring the universal value of strong cyber defense.