According to a new survey, it keeps getting harder to hire and retain a cybersecurity workforce. The ISACA report revealed that 63% percent of surveyed security workers indicate they have unfilled positions. That’s an 8% increase compared to 2021. Meanwhile, 62% report that their teams are understaffed.

In a world where threats are becoming more complex, these numbers are sobering. The eighth annual survey features insights from more than 2,000 workers around the globe. The results reveal important trends in staffing and skills, resources, threats and security maturity.

The great resignation

Part of the problem for short-staffed security teams is that many people have left the profession. Talent retention is a major hurdle for 60% of respondents, a rise of 7% from last year.

The report states the top reasons cybersecurity workers leave their jobs include:

• Recruited by other companies (59%)
• Poor financial incentives, salaries or bonuses (48%)
• Limited promotion and development (47%)
• High work stress levels (45%)
• Lack of management support (34%).

While many workers are leaving, 20% of respondents said it can take more than six months to find qualified candidates for open positions. The survey states that 63% say it takes longer than three months on average to fill. The result is a near-constant need for talent. This sets up the potential for employee churn, which consumes company time and resources.

Filling the skills gap

Once security workers are hired, the lack of skills is another challenge companies face, according to ISACA. Common skills gaps respondents see in the field today are soft skills (54%), cloud computing (52%) and security controls (34%). The report also found the most important soft skills were communication (57%), critical thinking (56%) and problem-solving (49%).

To address these skills gaps, respondents say they implement cross-training of employees and the use of contractors and consultants more often. Given the talent shortage, it’s not surprising that many companies turn to managed cybersecurity services.

No degree required

In the past, companies preferred to hire security workers with university degrees. Now, fewer respondents (52%) require them, a 6% decrease from 2021.

The tight labor market is one factor behind this trend. Other factors may be the increase of non-university platforms for education as well as the rise of the self-taught worker.

Willing to pay the price

The ISACA report also reveals that more companies are willing to allocate funds to support cybersecurity efforts. The highest percentage in eight years (42%) feel that their cybersecurity budgets are adequately funded. Meanwhile, 55% of those surveyed expect their companies to increase cybersecurity spending.

Let’s hope that more funding, flexible hiring standards and outsourcing security services will be enough to face the security challenges of tomorrow.