According to a new survey, it keeps getting harder to hire and retain a cybersecurity workforce. The ISACA report revealed that 63% percent of surveyed security workers indicate they have unfilled positions. That’s an 8% increase compared to 2021. Meanwhile, 62% report that their teams are understaffed.

In a world where threats are becoming more complex, these numbers are sobering. The eighth annual survey features insights from more than 2,000 workers around the globe. The results reveal important trends in staffing and skills, resources, threats and security maturity.

The Great Resignation

Part of the problem for short-staffed security teams is that many people have left the profession. Talent retention is a major hurdle for 60% of respondents, a rise of 7% from last year.

The report states the top reasons cybersecurity workers leave their jobs include:

  • Recruited by other companies (59%)
  • Poor financial incentives, salaries or bonuses (48%)
  • Limited promotion and development (47%)
  • High work stress levels (45%)
  • Lack of management support (34%).

While many workers are leaving, 20% of respondents said it can take more than six months to find qualified candidates for open positions. The survey states that 63% say it takes longer than three months on average to fill. The result is a near-constant need for talent. This sets up the potential for employee churn, which consumes company time and resources.

Filling the Skills Gap

Once security workers are hired, the lack of skills is another challenge companies face, according to ISACA. Common skills gaps respondents see in the field today are soft skills (54%), cloud computing (52%) and security controls (34%). The report also found the most important soft skills were communication (57%), critical thinking (56%) and problem-solving (49%).

To address these skills gaps, respondents say they implement cross-training of employees and the use of contractors and consultants more often. Given the talent shortage, it’s not surprising that many companies turn to managed cybersecurity services.

No Degree Required

In the past, companies preferred to hire security workers with university degrees. Now, fewer respondents (52%) require them, a 6% decrease from 2021.

The tight labor market is one factor behind this trend. Other factors may be the increase of non-university platforms for education as well as the rise of the self-taught worker.

Willing to Pay the Price

The ISACA report also reveals that more companies are willing to allocate funds to support cybersecurity efforts. The highest percentage in eight years (42%) feel that their cybersecurity budgets are adequately funded. Meanwhile, 55% of those surveyed expect their companies to increase cybersecurity spending.

Let’s hope that more funding, flexible hiring standards and outsourcing security services will be enough to face the security challenges of tomorrow.

More from News

Abuse of Privilege Enabled Long-Term DIB Organization Hack

From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to an advanced cyberattack on a Defense Industrial Base (DIB) organization’s enterprise network. During that time frame, advanced persistent threat (APT) adversaries used an open-source toolkit called Impacket to breach the environment and further penetrate the organization’s network. Even worse, CISA reported that multiple APT groups may have hacked into the organization’s network. Data breaches such as these are almost always the result of compromised endpoints…

Costa Rica State of Emergency Declared After Ransomware Attacks

In late April, after weeks of major ransomware attacks, Costa Rica declared a state of emergency. Newly-elected President Rodrigo Chaves took this measure, usually reserved to deal with natural disasters, to free up the government to react more decisively to the incident. The Russian-based Conti gang has claimed they launched the attack. Meanwhile, the U.S. Department of State offered a $10 million reward for information that leads to finding anyone holding a key leadership role in the Conti gang. The…

Ransomware-as-a-Service Transforms Gangs Into Businesses

Malware-as-a-Service is getting easier and easier to access, according to a recent threat report. Self-named the ‘Eternity Project’, this cyber threat group offers services from a Tor website and on their Telegram channel. They sell a wide variety of malware in an organized fashion, including stealer, clipper, worm, miner, ransomware and distributed-denial-of-service bot services. This alarms many security professionals. With Eternity, even inexperienced cyber criminals can target victims with a customized threat offering. Eternity sells malware for $90 to $490.…

UK Health System Email Accounts Hijacked to Steal Microsoft Logins

Last summer, I noticed password reset notices in my email account that I didn’t send. I quickly realized that I was the victim of an account takeover. This happens when someone illegally gains access to your account, typically through compromised credentials. I changed my email password right away and learned that my passwords to other accounts had already been changed. To make cleanup even more fun, I found out that the attackers had created new accounts using my credentials. Account…