Experts: Why Germany’s cyber talent is a hidden export hit
Germany has a cybersecurity problem. 149,000 IT positions are vacant, and it takes 7.7 months on average to fill one. At the same time, the country produces some of the best security researchers in the world. CISPA in Saarbrücken is, according to CSRankings, number one worldwide in Computer Security. This is not a contradiction – it is Germany’s biggest wasted opportunity. And the key to the reboot.
Key Takeaways
- Global Shortage: 4.76 million cybersecurity professionals are missing worldwide, a rise of 19 percent compared to the previous year (ISC2 2024)
- EU Gap: Just under 300,000 cybersecurity professionals are missing in the EU, with only 3,100 graduates per year (ENISA)
- Germany: 439,243 active cybersecurity professionals, but 149,000 open IT positions in total (ISC2/Bitkom)
- World Elite: CISPA Saarbrücken is number 1 worldwide in Computer Security, HGI Bochum is Europe’s largest IT security institute
- Salary Gap: Senior security roles are paid 30 to 50 percent more in the USA than in Germany
The Paradox: World-class research meets record shortage
149,000 IT positions are vacant in Germany – a record high according to Bitkom. Five years ago it was 82,000. Only 2 percent of companies consider the talent supply sufficient – the previous year it was still 8 percent. The forecast for 2040: 663,000 missing IT professionals if no countermeasures take effect. And 77 percent of companies expect the situation to worsen further.
That’s one side. The other: Germany trains some of the world’s best cybersecurity experts. The CISPA Helmholtz Center in Saarbrücken ranks number one worldwide in Computer Security and cryptography – measured by publications at the four leading conferences (IEEE S&P, ACM CCS, USENIX Security, NDSS) over a ten‑year period. These are not just any rankings. They are the toughest peer‑reviewed conferences in the field. In 2025 CISPA received an “Outstanding” rating in all categories in the international Helmholtz evaluation.
How does this fit together? The answer is uncomfortable: Germany produces world‑class talent but loses it to international employers, other industries, and the bureaucracy of its own education system. The research is excellent. The transfer to industry is not. And this is where the biggest reboot opportunity lies: if Germany solves the transfer bottleneck, cybersecurity will shift from a cost factor to an export champion.
Sources: ISC2 Cybersecurity Workforce Study 2024, Bitkom 2024, CSRankings
The Four Pillars of German Security Education
What sets Germany apart from other countries: there isn’t just one or two good security programs, but an entire ecosystem. Four locations form the backbone of German cybersecurity research – and each has its own profile.
CISPA Helmholtz Center, Saarbrücken: Worldwide number one in computer security and cryptography. Over 800 researchers work on topics from post‑Quantum cryptography to privacy engineering. The cooperation with Stanford (CISPA‑Stanford Center for Cybersecurity) demonstrates its international standing. As a Helmholtz Center, CISPA enjoys long‑term federal funding – a structural advantage over project‑based research clusters in other countries, which have to fight for follow‑up funding every three to five years.
Horst Görtz Institute (HGI), Ruhr‑University Bochum: Europe’s largest IT‑security institute with over 150 scientists and 36 professors. Since 2000 Bochum has offered the first German diploma program in IT security – a pioneering achievement at the time, now a quality standard. Around 900 students, over 200 publications at top conferences and 16 Best Paper Awards. The Excellence Cluster CASA (“Securing the Digital Society”) has been, since 2019, the only German excellence cluster in the IT‑security field. The proximity to G DATA CyberDefense illustrates the Bochum approach: research and industry on the same campus.
TU Darmstadt (CROSSING/CYSEC): The DFG‑funded Collaborative Research Centre CROSSING has been working since 2014 with over 65 researchers on cryptographic solutions for the post‑Quantum era. 17 core research groups from six departments are united under the CYSEC umbrella. TU Darmstadt combines cryptography, software engineering and usability – an interdisciplinary approach that only a few locations worldwide offer. The question of how people can actually use secure systems is treated here not as an afterthought but as a core research area.
KIT Karlsruhe (KASTEL): The Competence Center for Applied Security Technology was founded in 2011 as one of three national cybersecurity competence centers. Since 2021 KASTEL has been a permanent institution in the Helmholtz research program “Engineering Digital Futures”. The focus is on transferring basic research into industrial applications – exactly the bridge Germany needs most.
Fraunhofer: The Bridge Between Research and Industry
What sets the German model apart is the Fraunhofer Society as an institutionalized technology transfer entity. No other country has a comparable structure that systematically moves application‑oriented research into the economy. Fraunhofer AISEC employs around 230 security experts and runs ten specialized IT‑security labs – for automotive, hardware, Industry 4.0, IoT, software and cloud. These are test environments where companies can have their products evaluated under real attack conditions.
The Fraunhofer Cybersecurity Training Lab, funded with six million Euro per year by the BMBF, offers part‑time training on a 90 square‑metre practice area with real attack and defence scenarios. For companies that want to upskill their existing staff without releasing them for a full‑time degree, this is the most pragmatic solution on the market. In a world where, according to ENISA, 76 percent of cybersecurity personnel lack formal certification, this type of training is not a nice‑to‑have but a necessity.
Germany has four of the world’s leading cybersecurity research institutes, the Fraunhofer Society as a transfer bridge, and an excellence cluster. What’s missing is not competence – it’s the political will to market this strength systematically as a location advantage and to exploit it economically.
Made in Germany: When security firms emerge from the university
The top German security companies trace their roots to exactly this research ecosystem. Three examples illustrate how the transfer can work – and how varied the models are.
secunet Security Networks from Essen is the IT‑security partner of the Federal Republic and the first German cybersecurity company to surpass the 400‑million‑Euro mark. In 2024 revenue was 406.4 million Euro (up 4 percent), and the international business grew 14 percent to 40.1 million Euro. With over 1,000 employees and eleven years of uninterrupted revenue growth, secunet demonstrates that Cybersecurity Made in Germany is a scalable business model – not just a research project.
G DATA CyberDefense from Bochum – in direct neighbourhood to the HGI – developed the world’s first antivirus program for the Atari ST in 1987. Almost 40 years later the company operates in more than 90 countries and bears the ECSO label “Cybersecurity Made in Europe”. The partnership with Ruhr‑University Bochum as a research partner remains close to this day. What Bochum shows: continuity and tight integration of campus and company create a self‑reinforcing cycle.
Cure53 from Berlin, founded in 2007 by security researcher Mario Heiderich, is a counter‑model: 30 specialists with PhD and master’s degrees who conduct deep source‑code audits and cryptography reviews for international clients such as Proton, Coinbase, Mozilla, Threema and Bitwarden. Cure53 shows that German security know‑how does not have to migrate to be internationally relevant. Clients come to Berlin because the expertise resides there. The model: small, highly specialised, globally networked.
The Salary Gap: Why Talent Leaves
According to the Optima Europe Cybersecurity Salary Guide 2026, a Senior Cybersecurity Engineer in Germany earns between 100,000 and 140,000 Euro. In the USA the comparable salary starts at 180,000 dollars and up. A CISO in the German mid‑market earns 140,000 to 190,000 Euro, in large corporations up to 260,000 Euro. In the US market it reaches 245,000 dollars and beyond. The gap ranges from 30 to 50 percent depending on the role.
This is the structural reason why German cybersecurity talent is in international demand. Google, Microsoft and Amazon have offices in Munich and Berlin that deliberately recruit from the German security ecosystem. It isn’t a classic brain drain – people often remain physically in Germany. Yet they work for foreign firms, and their expertise flows into American products instead of building a German security ecosystem.
The implication for NIS2 compliance: 89 percent of organisations need, according to ENISA, additional staff to meet the new requirements. At the same time, 76 percent of existing cybersecurity personnel lack formal certification. The supply of qualified talent is shrinking relative to demand, which will surge dramatically over the next two years due to NIS2, DORA and the AI Act.
What Germany does right – and what’s missing
Right: The Cyber Security Strategy 2021 (valid until 2026) set an important course. The Agency for Innovation in Cybersecurity funds ambitious research projects. The University of the Bundeswehr Munich trains officers and federal agencies in cybersecurity, creating a talent pool that moves into the private sector after service. The BSI certification is internationally recognised via SOGIS-MRA (Europe) and CCRA (worldwide) – this is the basis for exporting German IT security products and a unique selling point that no other European country offers at this breadth.
Wrong: There is no coordinated national strategy to translate research excellence into economic strength. Israel achieved this with Unit 8200 – former intelligence officers start security startups, and the state actively and systematically supports the transfer. Germany has four top research institutes, but no comparable mechanism to incentivise spin‑offs. The EXIST funding is too slow, the venture‑capital landscape for security startups is too thin, and the regulatory hurdles for spin‑offs from Helmholtz centres are too high.
Even the training capacity falls far short: across the EU, ENISA reports that only 3,100 cybersecurity graduates are produced each year – a 25 percent increase over two years, yet with a shortfall of 300,000 professionals in Europe alone, closing the gap at that rate is a mathematical impossibility. Germany would need to multiply its training capacity, not just increase it incrementally.
The export opportunity: BSI seal as a gateway
There is a lever that Germany has barely used so far: the BSI certification as an international quality seal. The BSI’s Common Criteria certification is recognised in more than 30 countries. German security products can be exported to any CCRA member state with this seal, without local re‑certification. secunet uses it for its international growth (plus 14 percent, 40 million Euro international revenue), but most German security firms waste this advantage because they simply don’t know about it or shy away from the certification process.
The incident‑response apparatus around BSI and CERT‑Bund is another export good. German incident‑response methodology – systematic, documented, compliance‑oriented – is in international demand because it meets the requirements of GDPR, NIS2 and industry‑specific regulations. No other country has generated comparable regulatory pressure while also developing the methodology to withstand it. That is no accident. It is a competitive advantage that now simply needs to be marketed.
What needs to happen now: Three Levers
Lever 1: Founding support from the research ecosystem. Every CISPA, HGI and KASTEL project that shows commercial potential needs a fast track to spin‑off. Not via EXIST applications with an 18‑month lead time, but through a dedicated security accelerator with direct BSI certification support. Israel has shown that the state can be not only a funder but also the first customer.
Lever 2: Competitive remuneration in the public sector. The BSI, the Bundeswehr and state authorities compete for the same talent as Google and Amazon. As long as public salaries are 40 to 60 percent below market wages, the state will not be able to staff its own cybersecurity. Special rates for security professionals are overdue — not as an exception but as a systematic solution.
Lever 3: Multiply training capacity. 3,100 cybersecurity graduates per year across the EU are not sustainable against 300,000 open positions. Germany needs to triple the study places at existing excellence sites and launch parallel programmes for part‑time qualification via the Fraunhofer infrastructure. The six million Euro BMBF grant for the Cybersecurity Training Lab is a start — but, relative to the problem, only a fraction of what is needed.
Frequently Asked Questions
How many cybersecurity professionals are missing in Germany?
According to ISC2, there are 439,243 cybersecurity professionals working in Germany. Bitkom estimates the total number of open IT positions at 149,000 with an average filling time of 7.7 months. Across the EU, ENISA reports a shortfall of roughly 300,000 cybersecurity specialists.
Which German universities are leading in cybersecurity?
CISPA Saarbrücken (ranked #1 worldwide by CSRankings), HGI Bochum (Europe’s largest IT‑security institute with 150+ researchers), TU Darmstadt (CROSSING/CYSEC, DFG‑funded) and KIT Karlsruhe (KASTEL, Helmholtz program). In addition, the Fraunhofer institutes SIT and AISEC serve as application‑oriented research partners.
Why are German security talents emigrating?
The salary gap is 30 to 50 percent between Germany and the USA for comparable senior positions. International technology giants with locations in Munich and Berlin actively recruit from the German research ecosystem. The talents often remain physically in Germany but work for foreign employers.
What is the BSI certification and why is it an export advantage?
The BSI’s Common Criteria certification is recognized via SOGIS‑MRA and CCRA in more than 30 countries. German security products can therefore be exported internationally without local re‑certification. secunet leverages this for 40 million Euro international revenue.
How many cybersecurity graduates does Europe produce per year?
According to the ENISA CyberHEAD database, only about 3,100 per year across the entire EU. With a gap of 300,000 specialists, this is wholly insufficient. The number of graduates has risen by 25 percent in the last two years, but the shortfall is growing faster than training capacity.