From an employment perspective, it’s never been a better time to be a cybersecurity professional. Organizations are struggling more than ever with hiring and retaining qualified cybersecurity professionals and managing skills gaps. ISACA’s newly released report, State of Cybersecurity 2022: Global Update on Workforce Efforts, Resources and Cyberoperations, finds that 60% of respondents said they’d experienced difficulties retaining qualified cybersecurity professionals, up seven percentage points from 2021.
The top reasons cybersecurity professionals cited for leaving their jobs include:
- Recruited by other companies (59%)
- Poor financial incentives in terms of salary or bonus (48%)
- Limited promotion and development opportunities (47%)
- High work stress levels (45%)
- Lack of management support (34%)
Hiring and retention challenges: The numbers
Sixty-three percent of respondents indicated they have unfilled cybersecurity positions, up eight percentage points from 2021. Sixty-two percent reported that their cybersecurity teams are understaffed. One in five said it takes more than six months to find qualified cybersecurity candidates for open positions.
The top factors hiring managers use to determine whether a candidate is qualified are prior hands-on cybersecurity experience (73%), credentials (36%) and hands-on training (25%).
SEE: How to mitigate the effects of the Great Resignation via skill development (TechRepublic)
Skills gaps — and a growing desire for soft skills
Respondents indicated they are looking for a range of skills in candidates, noting the top skills gaps they see in today’s cybersecurity professionals are soft skills (54%), cloud computing (52%) — a new response option for this question — and security controls (34%). Soft skills also top the list of skills gaps among recent graduates, at 66%. Among the top soft skills deemed important are communication (57%), critical thinking (56%) and problem-solving (49%).
To address these skills gaps, respondents noted that cross-training of employees (up two percentage points from last year) and increased use of contractors and consultants (up five percentage points from the prior year) are the main ways they mitigate technical skills gaps, according to the report Additionally, a smaller percentage of respondents, 52%, indicated that their enterprises require university degrees, a six-percentage-point decrease from last year.
Budgets potentially leveling
Forty-two percent said their cybersecurity budgets are appropriately funded — the highest percentage in eight years, up five percentage points from 2021, and the most favorable report since ISACA began doing this survey.
Further, 55% of respondents also expect their enterprises to have budget increases, while 38% expect no change, and multi-year data suggests that budgets are leveling, according to the report.
Threat landscape continues to grow
This year, 43% of respondents indicate that their organization is experiencing more cyberattacks, an eight-percentage-point increase from last year.
When asked about their main concerns related to cyberattacks, enterprise reputation (79%), data breach concerns (70%) and supply chain disruptions (54%) are top of mind for respondents. While ransomware attacks top the headlines, the survey found that ransomware attacks have remained virtually unchanged from last year, at 10%.
Other top types of cyberattacks experienced in the past year include:
- Social engineering (13%)
- Advanced persistent threat (12%)
- Security misconfiguration (10%)
- Ransomware (10%)
- Unpatched system (9%)
- Denial of service (9%)
Despite the threats they face, 82% of respondents — an all-time high, and a five-percentage-point increase from last year — indicated they are confident in their cybersecurity team’s ability to detect and respond to cyberthreats, according to the ISACA report.
When it comes to cyber risk assessments, 41% of survey respondents indicated that their enterprises conduct them annually, up two percentage points from last year. One-third of respondents said their enterprise conducts them more often than annually.
SEE: What are mobile VPN apps and why you should be using them (TechRepublic Premium)
How companies must respond
Jonathan Brandt, ISACA director, professional practices and innovation, cited the Great Resignation as compounding the long-standing hiring and retention challenges the cybersecurity community has been facing for years.
“Flexibility is key. From broadening searches to include candidates without traditional degrees to providing support, training and flexible schedules that attract and retain qualified talent, organizations can move the needle in strengthening their teams and closing skills gaps,” he said.
Part of the problem may be the shiny new toy syndrome. “When it comes to protecting businesses, many are still drawn to the latest technology or vendor products, which may do more harm than good when not aligned to a strategy that addresses a myriad of unique business risks and dynamic threat landscape,’’ Brandt noted.
Despite the maturation of the cybersecurity industry, companies can do better, he stressed, especially in the areas of asset management, data protection (e.g., encryption and backups) and identity and access management.
“To protect anything, you must be aware of its presence and value and limit access by principles of least privilege and need to know,’’ Brandt said. “Accesses should be reviewed frequently and aligned to human resource activities,’’ such as onboarding, termination and position changes.
While attention is being paid to security awareness training, programs must continue to evolve to not only increase awareness of threats but more importantly, to give employees the skills and confidence to bolster organizational readiness and response, Brandt said.
He stressed that no business is immune to cyberthreats, and cross-functional collaboration is needed to consider the multitude of risk scenarios and vulnerabilities facing all aspects of business operations — including paying close attention to insider threats.
“Reputational damage remains a major concern for businesses and with cyber actors quick to organize and join movements, business leaders must consider first, second, third and subsequent effects of their decisions,” Brandt said.
ISACA said the 8th annual survey features insights from more than 2,000 global cybersecurity professionals and examines cybersecurity staffing and skills, resources, cyberthreats and cybersecurity maturity.