October 5, 2022 By Jonathan Reed 2 min read

According to a new survey, it keeps getting harder to hire and retain a cybersecurity workforce. The ISACA report revealed that 63% percent of surveyed security workers indicate they have unfilled positions. That’s an 8% increase compared to 2021. Meanwhile, 62% report that their teams are understaffed.

In a world where threats are becoming more complex, these numbers are sobering. The eighth annual survey features insights from more than 2,000 workers around the globe. The results reveal important trends in staffing and skills, resources, threats and security maturity.

The great resignation

Part of the problem for short-staffed security teams is that many people have left the profession. Talent retention is a major hurdle for 60% of respondents, a rise of 7% from last year.

The report states the top reasons cybersecurity workers leave their jobs include:

  • Recruited by other companies (59%)
  • Poor financial incentives, salaries or bonuses (48%)
  • Limited promotion and development (47%)
  • High work stress levels (45%)
  • Lack of management support (34%).

While many workers are leaving, 20% of respondents said it can take more than six months to find qualified candidates for open positions. The survey states that 63% say it takes longer than three months on average to fill. The result is a near-constant need for talent. This sets up the potential for employee churn, which consumes company time and resources.

Filling the skills gap

Once security workers are hired, the lack of skills is another challenge companies face, according to ISACA. Common skills gaps respondents see in the field today are soft skills (54%), cloud computing (52%) and security controls (34%). The report also found the most important soft skills were communication (57%), critical thinking (56%) and problem-solving (49%).

To address these skills gaps, respondents say they implement cross-training of employees and the use of contractors and consultants more often. Given the talent shortage, it’s not surprising that many companies turn to managed cybersecurity services.

No degree required

In the past, companies preferred to hire security workers with university degrees. Now, fewer respondents (52%) require them, a 6% decrease from 2021.

The tight labor market is one factor behind this trend. Other factors may be the increase of non-university platforms for education as well as the rise of the self-taught worker.

Willing to pay the price

The ISACA report also reveals that more companies are willing to allocate funds to support cybersecurity efforts. The highest percentage in eight years (42%) feel that their cybersecurity budgets are adequately funded. Meanwhile, 55% of those surveyed expect their companies to increase cybersecurity spending.

Let’s hope that more funding, flexible hiring standards and outsourcing security services will be enough to face the security challenges of tomorrow.

More from News

White House cements CISA’s role as national coordinator for cybersecurity

2 min read - In 2013, the Obama Administration rolled out "The Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience", a forerunner to the Cybersecurity and Infrastructure Security Agency (CISA), created "to strengthen and maintain secure, functioning and resilient critical infrastructure."The directive was groundbreaking in 2013, noting the importance of the rising risk of cyberattacks against critical infrastructure. But as cyber risks are constantly shifting, every cybersecurity program needs to be re-evaluated, and CISA is no exception. That’s why, in April 2024, President…

Debate rages over DMCA Section 1201 exemption for generative AI

3 min read - The Digital Millennium Copyright Act (DMCA) is a federal law that protects copyright holders from online theft. The DMCA covers music, movies, text and anything else under copyright. The DMCA also makes it illegal to hack technologies that copyright owners use to protect their works against infringement. These technologies can include encryption, password protection or other measures. These provisions are commonly referred to as the “Anti-Circumvention” provisions or “Section 1201”. Now, a fierce debate is brewing over whether to allow…

CISA Malware Next-Gen Analysis now available to public sector

2 min read - One of the main goals of the Cybersecurity and Infrastructure Security Agency (CISA) is to promote security collaboration across the public and private sectors. CISA firmly believes that partnerships and effective coordination are essential to maintaining critical infrastructure security and cyber resilience. In faithfulness to this mission, CISA is now offering the Malware Next-Generation Analysis program to businesses and other organizations. This service has been available to government and military workers since November 2023 but is now available to the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today