The increasing digitization of the business world has led to a surge in the demand for cybersecurity professionals at a time when the emerging technology and threat landscape is making the job more and more challenging. The good news is there are tangible steps organizations can take to position themselves to build the security teams they need to protect their organizations’ critical assets and brand reputations.

New global research from ISACA reinforces that stubborn workforce dynamics on the cybersecurity landscape remain problematic. That starts with still not having enough qualified people to do the work. The majority of cybersecurity leaders (59%) report that their teams are understaffed. The pursuit of talent could become even more of an uphill climb in the coming year, particularly for technical experts, as 78% of respondents expect demand for technical individual contributors to increase.

The difficulty of hiring sufficient security talent puts even more emphasis on holding onto the team members that are already onboard, but there, too, the data tells a concerning story. High turnover rates and burnout also contribute to enterprises’ personnel pain points. Although the Great Resignation trend cooled in 2023 with changing economic winds, the majority of organizations (56%) still indicate they are having difficulty retaining qualified cybersecurity professionals. Competition is intense for high-performing professionals, and it can be especially difficult for smaller companies with more budgetary constraints to hang onto security talent.

While it is important for organizations to be as competitive as they can from a pay standpoint, a commitment to providing the ongoing professional development today’s security professionals need can go a long way. This can include funding team members’ professional certifications, organizing team trainings, supporting attendance at industry conferences and encouraging team members to grow their leadership skills by championing cross-functional work throughout the organization. This organizational commitment to supporting ongoing learning is especially essential as the rapidly evolving threat landscape requires professionals to continually update their skills and knowledge to stay effective.

Inadequate workforce diversity also continues to hamper the industry. Until women are welcomed into the profession in greater numbers, it will be impossible to fully remedy the shortage of cybersecurity professionals. Currently, women in the cybersecurity profession tend to be over-mentored but under-sponsored by senior-level champions who believe in and are willing to advocate for women. There are some bright spots, however — groups such as the SheLeadsTech program, Women in Technology International (WITI) and Women4Cyber, to name a few, provide networks and resources for women in the field.

Beyond more support for women currently in the field, we need to encourage newcomers. Some of the solutions require a longer runway — such as the education system more vigorously and proactively encouraging girls to explore STEM coursework and university degree programs — but there are opportunities for quicker impact, such as bootcamps and training opportunities for women who do not yet have the ideal experience, as well as working with the Human Resources team to make sure job postings do not — intentionally or otherwise — include language that might deter women from applying. In addition to attracting more women to cybersecurity, former military members, neurodiverse professionals and underrepresented minority groups can not only help fill in-demand roles, but add diverse life experiences and problem-solving skills that allow teams to perform at a higher level.

Although many of the dynamics referenced above are not new, the explosive progression of artificial intelligence (AI) creates new context and heightened urgency around workforce challenges. AI can be a powerful tool both for cybercriminals and cybersecurity professionals, but to emerge victorious in this struggle, security leaders need to invest in the needed training and tools that will set up their security teams for success. The State of Cybersecurity report shows identity and access management, cloud computing, data protection, incident response and DevSecOps as the cybersecurity skills that are needed most, but a strong familiarity with how AI can be used by security professionals and adversaries alike must be increasingly top-of-mind for security teams to succeed as AI continues to complicate the threat landscape.

It is hardly breaking news that it is difficult for enterprises to find and retain the cybersecurity talent that they need. However, just because these workforce pain points have proven difficult to counteract does not mean enterprise leaders can give up hope that they can find the needed solutions. Without robust, well-resourced cybersecurity teams, organizations are unable to protect their precious assets or prevent high-profile cyber incidents that erode user trust. By prioritizing team members’ professional development, identifying the most important skills that are needed and investing accordingly, and intentionally pursuing a diverse set of prospective employees, organizations can nurture and sustain the security teams they need to be successful.