India has nearly 39,000 unfilled cybersecurity positions, and the situation is only getting worse.
The maximum shortage is in areas like IoT (internet of things), blockchain, and crypto security — where there are nearly twice as many job openings as there are people to fill them, according to HR firm Careernet's latest report, India's Cybersecurity Talent Outlook 2026.
The report looked at talent across 14 areas of cybersecurity. India has close to 3 lakh cybersecurity professionals, roughly 5% of the world's total. After IoT and blockchain, the biggest gaps are in application and data security, and protection against future threats like quantum computing attacks.
One in five cybersecurity professionals switches jobs every year. But this isn't growing the talent pool, it's just the same people moving from one company to another, the report said.
"Security is becoming far more specialised. And specialised talent takes time to build. That's why attrition is so high — the industry grows at around 9–10%, but people are leaving their jobs at nearly double that rate, 19%," Anshuman Das, CEO of Careernet, told ET. He added that most open roles require mid-to-senior-level experience.
IT companies employ the largest chunk of cybersecurity talent, which makes other industries heavily dependent on them. Banks and financial firms pull professionals from other sectors.
Telecom companies are hiring fast but can't find enough people. Manufacturing barely has any dedicated security staff at all.
In fields like security operations, the report said that IT companies have around 60% of the talent, followed by telecom at 15%, product companies at 9%, manufacturing 5%, and banking and finance just 4%.
This talent crunch comes at a time when cyberattacks in India are increasing rapidly. CERT-In — the government body that tracks and responds to cyber incidents — recorded over 2 million incidents in 2023, up from just over 4 lakh in 2019. By 2025, that figure is estimated to have crossed 30 lakh.
New regulations are also making things harder. Laws like the Digital Personal Data Protection Act 2023, along with Sebi and RBI guidelines, are tightening what companies must do to stay compliant. Further, firms that work with international clients also have to meet global standards, the report said.
Rajeet Singh Narang, vice president, Careernet, believes colleges need to step up. Building cybersecurity into regular undergraduate and postgraduate courses would help train more people and raise general awareness, he said.
Careernet doesn't think AI will solve this — at least not on its own. AI can help spot and respond to threats, but it's expensive, and it can't replace human judgement.
"Who's going to check whether what AI flags is actually a real threat? You still need an experienced professional to watch over it," said Das.
