The Great Resignation is plaguing industries across the board—but it’s especially challenging within in-demand fields like cybersecurity. According to ISACA’s new survey report, State of Cybersecurity 2022: Global Update on Workforce Efforts, Resources and Cyberoperations, organisations are struggling more than ever with hiring and retaining qualified cybersecurity professionals and managing skills gaps.
The eight annual survey features insights from more than 2,000 cybersecurity professionals around the globe, and examines cybersecurity staffing and skills, resources, cyberthreats and cybersecurity maturity.
HIRING AND RETENTION CHALLENGES
As in past years, filling cybersecurity roles and retaining talent continues to be a challenge for many enterprises. Sixty-six percent of respondents in ANZ indicate they have unfilled cybersecurity positions, up seven percentage points from 2021. Sixty-six percent report that their cybersecurity teams are understaffed. Almost 50 percent say it takes three to six months to find qualified cybersecurity candidates for open positions. The top factors hiring managers use to determine whether a candidate is qualified are prior hands-on cybersecurity experience (67 percent), a recommendation from a previous employer (32 percent), and credentials (20 percent).
Sixty-two percent of respondents report difficulties retaining qualified cybersecurity professionals. The top reasons that cybersecurity professionals are leaving their jobs include:
- Recruited by other companies (71 percent vs 59 percent globally)
- Poor financial incentives in terms of salary or bonus (57 percent vs 48 percent globally)
- High work stress levels (42 percent vs 45 percent globally)
- Limited promotion and development opportunities (40 percent vs 47 percent globally)
- Lack of management support (30 percent vs 34 percent globally)
- Poor culture/work environment (30 percent, and the same globally)
Jo Stewart-Rattray, member of ISACA’s Information Security Advisory Group said it is concerning, but not surprising, that 66 percent of survey respondents in ANZ report unfilled cybersecurity positions on their teams. “The pandemic certainly put a strain on organisations that saw vulnerabilities appear in security systems during the migration to support remote working,” said Stewart-Rattray. “Demand increased rapidly for security professionals in a time that international and state border restrictions were imposed, creating lack of access to this essential workforce and a reduced talent pool.”
SKILLS GAPS AND MITIGATION
Respondents indicate they are looking for a range of skills in candidates, noting the top skills gaps they see in today’s cybersecurity professionals are soft skills (62 percent), cloud computing (47 percent)—a new response option for this question—and security controls (35 percent). Soft skills also top the list of skills gaps among recent graduates, at 73 percent. Among the top soft skills deemed important are communication (71 percent), critical thinking (61 percent) and problem-solving (56 percent).
To address these skills gaps, respondents note that increased reliance on AI or automation (up five percentage points from last year) and increased use of reskilling programs (up five percentage points from last year) are the main ways they mitigate technical skill gaps. Additionally, a smaller percentage of respondents, 27 percent (52 percent globally), indicate that their enterprises require university degrees.
“The Great Resignation is compounding the long-standing hiring and retention challenges the cybersecurity community has been facing for years, and systemic changes are critical,” says Jonathan Brandt, ISACA Director, Professional Practices and Innovation. “Flexibility is key. From broadening searches to include candidates without traditional degrees to providing support, training and flexible schedules that attract and retain qualified talent, organisations can move the needle in strengthening their teams and closing skills gaps.”
BUDGET INCREASES SLOWLY DECLINING
Only 29 percent of ANZ respondents say their cybersecurity budgets are appropriately funded – a stark comparison to the 42 percent reported by global counterparts – down four percentage points from 2021. Forty-two percent of respondents also expect their enterprises to have budget increases, while 29 percent expect no change, and multiyear data suggests that budgets increases are slowly declining.
THREAT LANDSCAPE
This year, 40 percent of respondents indicate that their organisation is experiencing more cyberattacks, virtually unchanged from last year.
When asked about their main concerns related to cyberattacks, enterprise reputation (89 percent), data breach concerns (76 percent) and supply chain disruptions (58 percent) are top of mind for respondents. While ransomware attacks top the headlines, the survey found that ransomware attacks have remained virtually unchanged from last year, at 8 percent. Other top types of cyberattacks experienced in the past year include:
- Social engineering (15 percent)
- Advanced persistent threat (12 percent)
- Security misconfiguration (12 percent)
- Unpatched system (11 percent)
- Third-party (11 percent)
- Sensitive data exposure (9 percent)
- Ransomware (8 percent)
- Denial of service (8 percent)
Despite the threats they face, 78 percent of respondents—a six-percentage-point increase from last year—indicate they are confident in their cybersecurity team’s ability to detect and respond to cyberthreats.
CYBER MATURITY
When it comes to cyber-risk assessments, 36 percent of survey respondents indicate that their enterprises conduct them annually. Forty percent of respondents say their enterprise conducts them more often than annually.
“It’s important to understand the trends across the community over time as well as how one’s organisation compares. This is necessary information to help advance the field as a whole, and we’re proud to be a part of sharing and disseminating these insights,” says Mary Yang, Chief Marketing Officer at LookingGlass Cyber Solutions. “LookingGlass is thrilled to support the cybersecurity community by partnering with ISACA on this report.”
You can read the full report here.
