October 5, 2022 By Jonathan Reed 2 min read

According to a new survey, it keeps getting harder to hire and retain a cybersecurity workforce. The ISACA report revealed that 63% percent of surveyed security workers indicate they have unfilled positions. That’s an 8% increase compared to 2021. Meanwhile, 62% report that their teams are understaffed.

In a world where threats are becoming more complex, these numbers are sobering. The eighth annual survey features insights from more than 2,000 workers around the globe. The results reveal important trends in staffing and skills, resources, threats and security maturity.

The great resignation

Part of the problem for short-staffed security teams is that many people have left the profession. Talent retention is a major hurdle for 60% of respondents, a rise of 7% from last year.

The report states the top reasons cybersecurity workers leave their jobs include:

  • Recruited by other companies (59%)
  • Poor financial incentives, salaries or bonuses (48%)
  • Limited promotion and development (47%)
  • High work stress levels (45%)
  • Lack of management support (34%).

While many workers are leaving, 20% of respondents said it can take more than six months to find qualified candidates for open positions. The survey states that 63% say it takes longer than three months on average to fill. The result is a near-constant need for talent. This sets up the potential for employee churn, which consumes company time and resources.

Filling the skills gap

Once security workers are hired, the lack of skills is another challenge companies face, according to ISACA. Common skills gaps respondents see in the field today are soft skills (54%), cloud computing (52%) and security controls (34%). The report also found the most important soft skills were communication (57%), critical thinking (56%) and problem-solving (49%).

To address these skills gaps, respondents say they implement cross-training of employees and the use of contractors and consultants more often. Given the talent shortage, it’s not surprising that many companies turn to managed cybersecurity services.

No degree required

In the past, companies preferred to hire security workers with university degrees. Now, fewer respondents (52%) require them, a 6% decrease from 2021.

The tight labor market is one factor behind this trend. Other factors may be the increase of non-university platforms for education as well as the rise of the self-taught worker.

Willing to pay the price

The ISACA report also reveals that more companies are willing to allocate funds to support cybersecurity efforts. The highest percentage in eight years (42%) feel that their cybersecurity budgets are adequately funded. Meanwhile, 55% of those surveyed expect their companies to increase cybersecurity spending.

Let’s hope that more funding, flexible hiring standards and outsourcing security services will be enough to face the security challenges of tomorrow.

More from News

CISA warns about credential access in FY23 risk & vulnerability assessment

3 min read - CISA released its Fiscal Year 2023 (FY23) Risk and Vulnerability Assessments (RVA) Analysis, providing a crucial look into the tactics and techniques threat actors employed to compromise critical infrastructure. The report is part of the agency’s ongoing effort to improve national cybersecurity through assessments of vulnerabilities in key sectors. Meanwhile, IBM’s X-Force Threat Intelligence Index 2024 has identified credential access as one of the most significant risks to organizations. Both reports shed light on the persistent and growing threat of…

CISA launches portal to simplify cyber incident reporting

2 min read - Information sharing just got more efficient. In August, the Cybersecurity and Infrastructure Security Agency (CISA) launched the CISA Services Portal. “The new CISA Services Portal improves the reporting process and offers more features for our voluntary reporters. We ask organizations reporting an incident to provide information on the impacted entity, contact information, description of the incident, technical indications and steps taken,” a CISA spokesperson said in an email statement. “Reported incidents enable CISA and our partners to help victims mitigate…

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today