Trade body (ISC)² finds lack of viable candidates despite increased investment.
The cybersecurity industry is set to suffer a staff shortage of 1.5 million people by 2020, according to industry forecasts by the trade body (ISC)².
In a broad survey of worldwide industries conducted by the consultancy Frost & Sullivan, two-thirds of respondents believed their employers had too few security workers, an increase from just over half in 2013.
Whilst the last survey attributed this shortfall to a lack of funding, those questioned this year reported a lack of skilled candidates for the vacancies, a trend which other parts of the computing sector will empathise with.
"While the ceaseless advancement in variety and sophistication of cyber-threats and a broadening footprint that requires security oversight are contributors to rising workforce demand and a workforce with a broader range of qualifications, other contributors are self-inflicted due to decisions organizations make on security priorities," the report said.
"For example, vulnerable software applications continue to be placed into production and end-users continue to be duped by phishing exploits. Even though application vulnerability scanning conducted throughout the software development cycle and periodically in production would mitigate this exposure, this practice is far from routine in the vast majority of organisations."
Given the lack of skilled candidates security spending is expected to rise, with half of those surveyed by (ISC)² expecting increased investment in security tools and technologies.
However two-thirds warned that such spending ran the risk of inducing "security technology sprawl", depleting the effectiveness of the IT department in combating cybercrime and espionage.
Such a prediction tallies with industry warnings that security was fragmenting, which is thought likely to create the conditions for consolidation among vendors or the development of collaborative frameworks between rivals.
Another tactic to eliminate sprawl is an increased use of managed security services, predicted by nearly a third of those Frost & Sullivan spoke to, as well as the use of cloud services.
"In a bit of a dichotomy, cloud adoption relieves in-house security professionals of certain security operations that are entrusted to the cloud providers," the analysts said.
"But lingering concerns about security in cloud environments contribute to the need for in-house security professionals to invest in cloud security education and training, and be active in managing security and compliance in cloud environments."