Cybersecurity Skills Shortage: 104,000 Open Positions in Germany
The (ISC)² Workforce Study 2025 estimates the global cybersecurity skills gap at 4.8 million – a 19 percent increase from the previous year. In Germany, according to Bitkom, over 104,000 IT security positions remain unfilled. Meanwhile, regulatory demands from NIS2 and DORA are increasing. Companies that rely solely on the job market will not solve the problem.
TL;DR
- 4.8 million professionals missing globally: Over 104,000 IT security positions are unfilled in Germany – and the trend is rising ((ISC)², Bitkom 2025).
- Upskilling beats recruiting: Training IT admins, developers, and network technicians to become security specialists is faster and more sustainable than external hiring.
- Automation as a multiplier: SOAR, AI-driven triage, and managed detection reduce personnel needs by 30-40 percent.
Why the Market Won’t Solve the Problem
The cybersecurity job market is structurally imbalanced. Demand is growing faster than supply – and has been for years. Three factors will exacerbate the situation in 2026:
Regulatory Pressure: NIS2 requires 30,000 additional companies in Germany to implement cybersecurity measures. Each of these companies needs at least one information security officer. DORA is driving the demand for specialized compliance and resilience roles in the financial sector.
Demographic Shifts: The baby boomer generation is retiring. By 2030, around 140,000 positions in the IT sector will become vacant due to retirement – a significant portion of these in security-relevant roles.
Competition: Cybersecurity professionals are sought not only by companies but also by government agencies (BSI, BKA, Bundeswehr), consulting firms, and international tech corporations offering much higher salaries. A senior SOC analyst in Munich earns €75,000 to €95,000 – at a U.S. tech corporation with remote options, that figure can double.
“The shortage of cybersecurity professionals is not a temporary phenomenon – it is structural and will worsen without fundamental changes in education and automation.”
– Claudia Plattner, President of the BSI (2025)
What Works: Upskilling, Career Changers, Diversity
Companies actively addressing the skills shortage focus on three strategies:
Internal Upskilling: IT administrators, network technicians, and software developers already have the technical foundation. A structured training program (6-12 months, certifications like CompTIA Security+, CISSP, or SANS GIAC) can develop them into full-fledged security specialists. The success rate is much higher than external recruiting, and employees are already familiar with the company’s infrastructure.
Career Changers: Mathematicians, physicists, and engineers bring valuable analytical skills to security roles. Companies like Siemens and Deutsche Telekom have established their own cyber academies to train career changers in 6-9 months.
Diversity as a Talent Pool: Only 25 percent of cybersecurity professionals in Germany are women. Companies that actively target women – through mentoring programs, flexible work models, and inclusive job postings – tap into a significantly underutilized talent pool.
Automation and Managed Services as Scaling Levers
No company will meet its needs through recruiting alone. Automation is not a luxury but a necessity:
SOAR Platforms (Security Orchestration, Automation and Response): Automate routine SOC tasks – ticket creation, initial classification, standard responses to known attack patterns. This reduces the workload per analyst by 30 to 40 percent, allowing a smaller team to handle more alerts.
AI-Driven Triage: Machine learning models prioritize alerts based on severity and context. In a typical SOC, 80 percent of alerts are false positives or low-priority. AI triage filters these out automatically, allowing analysts to focus on the critical 20 percent.
Managed Detection and Response (MDR): For companies that cannot or do not want to operate their own SOC, MDR providers offer 24/7 monitoring as a service. This is not a surrender – it is a pragmatic response to a market that does not produce enough professionals. Providers like Arctic Wolf, Sophos MDR, and CrowdStrike Falcon Complete have established themselves as serious alternatives.
The combination of upskilling existing employees, targeted recruiting in underrepresented groups, and consistent automation is the only strategy that works in the current market situation.
Frequently Asked Questions
Which Cybersecurity Certifications Are Most in Demand?
CompTIA Security+ for beginners, CISSP for experienced professionals, SANS GIAC for deep technical specialization, and CISM for management-oriented roles. For cloud security: CCSP or AWS Security Specialty. However, certification alone is never enough – practical experience is crucial.
What Does a Cybersecurity Professional Earn in Germany?
Entry-level salaries range from €45,000 to €55,000 (Junior SOC Analyst). Experienced security engineers earn €70,000 to €95,000. CISOs in medium-sized companies earn €100,000 to €140,000. In corporations and U.S. tech firms with remote options, salaries can reach €120,000 to €180,000.
How Long Does It Take to Retrain as a Security Specialist?
For IT professionals with prior knowledge: 6 to 12 months of structured training. For career changers without an IT background: 12 to 18 months in an intensive program. Cyber academies run by companies like Deutsche Telekom achieve this in 9 months.
Can AI Completely Compensate for the Skills Shortage?
No, but it can significantly reduce it. AI handles routine tasks (alert triage, log analysis, standard responses) but does not replace the judgment of experienced analysts in complex attacks. Realistically, expect a 30-40 percent efficiency gain – this does not replace professionals but makes existing teams more effective.
What Can Small Businesses Without a SOC Do?
Managed Detection and Response (MDR) is the best option: 24/7 monitoring as a service, without needing to build your own team. Costs run from €5,000 to €15,000 per month, depending on the number of endpoints, which is much cheaper than a three-person SOC (personnel costs: €250,000+ per year).