ISACA: Two-Thirds of Cybersecurity Teams Are Understaffed

Nearly two-thirds (62%) of cybersecurity teams are understaffed, and 63% have unfilled vacancies. This is according to ISACA’s State of Cybersecurity 2022 report, which highlighted organizations’ ongoing struggles to hire and retain skilled cybersecurity professionals.

This year’s survey included insights from over 2000 cybersecurity professionals worldwide. A fifth of respondents admitted it takes more than six months to find qualified cybersecurity candidates for open positions. The top three factors used to determine whether a candidate is qualified are prior hands-on cybersecurity experience (73%), credentials (36%) and hands-on training (25%).

Additionally, three in five (60%) respondents admitted facing difficulties in retaining cybersecurity staff, representing a rise of 7% from ISACA’s 2021 report. A range of factors was cited for cybersecurity professionals leaving their roles, the most prominent of which were being recruited by other companies (59%), poor financial incentives in terms of salary or bonus (48%), limited promotion and development opportunities (47%), high work stress levels (45%) and lack of management support (34%).

Interestingly, soft skills (54%) were cited as the top missing skill type in cybersecurity teams, followed by cloud computing (54%) and security controls (34%). According to the respondents, the most important soft skills are communication (57%), critical thinking (56%) and problem-solving (49%).

Organizations’ primary methods to mitigate their cyber skills gaps are cross-training of employees (up 2%) and increased use of contractors and consultants (up 5%). Additionally, there was a 6% decline (52%) in enterprises that require their cybersecurity staff to have university degrees, indicating an increasing number are widening their search for candidates to a broader range of backgrounds and experiences.

The study also found a significant 8% rise (43%) in organizations that are experiencing more cyber-attacks compared to 2021. The most common attacks listed by respondents were social engineering (13%), advanced persistent threats (12%), security misconfiguration (10%), ransomware (10%), unpatched systems (9%) and denial of service (9%).

Encouragingly, there was a 5% rise (42%) in the number of respondents who said their cybersecurity budgets are appropriately funded, with 55% expecting budget increases. Additionally, 82% expressed confidence in their cybersecurity team’s ability to detect and respond to attacks.

Jonathan Brandt, ISACA director, professional practices and innovation, commented: “The Great Resignation is compounding the long-standing hiring and retention challenges the cybersecurity community has been facing for years, and systemic changes are critical.

“Flexibility is key. From broadening searches to include candidates without traditional degrees to providing support, training and flexible schedules that attract and retain qualified talent, organizations can move the needle in strengthening their teams and closing skills gaps.”

During a keynote talk at the Infosecurity Magazine Spring Online Summit – North America 2022 this week, privacy & cybersecurity attorney Leeza Garber outlined ways organizations can revamp their cybersecurity hiring strategies.
