October 5, 2022 By Jonathan Reed 2 min read


According to a new survey, it keeps getting harder to hire and retain a cybersecurity workforce. The ISACA report revealed that 63% percent of surveyed security workers indicate they have unfilled positions. That’s an 8% increase compared to 2021. Meanwhile, 62% report that their teams are understaffed.

In a world where threats are becoming more complex, these numbers are sobering. The eighth annual survey features insights from more than 2,000 workers around the globe. The results reveal important trends in staffing and skills, resources, threats and security maturity.

The great resignation

Part of the problem for short-staffed security teams is that many people have left the profession. Talent retention is a major hurdle for 60% of respondents, a rise of 7% from last year.

The report states the top reasons cybersecurity workers leave their jobs include:

  • Recruited by other companies (59%)
  • Poor financial incentives, salaries or bonuses (48%)
  • Limited promotion and development (47%)
  • High work stress levels (45%)
  • Lack of management support (34%).

While many workers are leaving, 20% of respondents said it can take more than six months to find qualified candidates for open positions. The survey states that 63% say it takes longer than three months on average to fill. The result is a near-constant need for talent. This sets up the potential for employee churn, which consumes company time and resources.

Filling the skills gap

Once security workers are hired, the lack of skills is another challenge companies face, according to ISACA. Common skills gaps respondents see in the field today are soft skills (54%), cloud computing (52%) and security controls (34%). The report also found the most important soft skills were communication (57%), critical thinking (56%) and problem-solving (49%).

To address these skills gaps, respondents say they implement cross-training of employees and the use of contractors and consultants more often. Given the talent shortage, it’s not surprising that many companies turn to managed cybersecurity services.

No degree required

In the past, companies preferred to hire security workers with university degrees. Now, fewer respondents (52%) require them, a 6% decrease from 2021.

The tight labor market is one factor behind this trend. Other factors may be the increase of non-university platforms for education as well as the rise of the self-taught worker.

Willing to pay the price

The ISACA report also reveals that more companies are willing to allocate funds to support cybersecurity efforts. The highest percentage in eight years (42%) feel that their cybersecurity budgets are adequately funded. Meanwhile, 55% of those surveyed expect their companies to increase cybersecurity spending.

Let’s hope that more funding, flexible hiring standards and outsourcing security services will be enough to face the security challenges of tomorrow.

More from News

Securing critical infrastructure with the carrot and stick

4 min read - It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat. So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach. Back in March 2022, the…

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

Will data backups save you from ransomware? Think again

4 min read - Backups are an essential part of any solid anti-ransomware strategy. In fact, research shows that the median recovery cost for ransomware victims that used backups is half the cost incurred by those that paid the ransom. But not all data backup approaches are created equal. A separate report found that in 93% of ransomware incidents, threat actors actively target backup repositories. This results in 75% of victims losing at least some of their backups during the attack, and more than…

Should you worry about state-sponsored attacks? Maybe not.

4 min read - More than ever, state-sponsored cyber threats worry security professionals. In fact, nation-state activity alerts increased against critical infrastructure from 20% to 40% from 2021 to 2022, according to a recent Microsoft Digital Defense Report. With the advent of the hybrid war in Ukraine, nation-state actors are launching increasingly sophisticated attacks. But is this the most prominent danger facing companies today? While nation-state-based attacks cannot be ignored, it looks like insider cyber incidents are far more common. In fact, for the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today