Organizations are struggling more than ever with hiring and retaining qualified cybersecurity professionals and managing skills gaps, according to ISACA’s new survey report, State of Cybersecurity 2022: Global Update on Workforce Efforts, Resources and Cyberoperations, 

The eighth annual survey features insights from more than 2,000 cybersecurity professionals around the globe and examines cybersecurity staffing and skills, resources, cyberthreats and cybersecurity maturity.

Hiring and retention challenges

As in past years, filling cybersecurity roles and retaining talent continues to be a challenge for many enterprises:

• 63% of respondents indicate they have unfilled cybersecurity positions, up 8% from 2021.
• 62% report that their cybersecurity teams are understaffed. 
• One in five say it takes more than six months to find qualified cybersecurity candidates for open positions.
• 60% of respondents report difficulties retaining qualified cybersecurity professionals, up 7% from 2021.

The top reasons that cybersecurity professionals are leaving their jobs include:

1. Recruited by other companies (59%)
2. Insufficient salary or bonus (48%)
3. Limited advancement opportunities (47%)
4. High-stress levels (45%)
5. Poor management support (34%)

“The Great Resignation is compounding the long-standing hiring and retention challenges the cybersecurity community has been facing for years, and systemic changes are critical,” says Jonathan Brandt, ISACA Director, Professional Practices and Innovation. “Flexibility is key. From broadening searches to include candidates without degrees to providing support, training and flexible schedules that attract and retain qualified talent, organizations can move the needle in strengthening their teams and closing skills gaps.”

The report examined four other trends:

1. Skills gaps and mitigation:

• Respondents note that the top skills gaps they see in today’s cybersecurity professionals are soft skills (54%), cloud computing (52%) and security controls (34%). Soft skills also top the list of skills gaps among recent graduates, at 66%.
• To address these skills gaps, respondents note that cross-training of employees and increased use of contractors and consultants (up 5% from the year prior) are the main ways they mitigate technical skill gaps. Just over half (52%) say their enterprises require university degrees, a 6% decrease from 2021.

2. Budgets Leveling: 

• 42% say their cybersecurity budgets are appropriately funded — the highest percentage in eight years, up 5% from 2021, and the most favorable report since ISACA began this survey. 
• 55% of respondents expect their enterprises to have budget increases, while 38% expect no change, and multiyear data suggest budgets are leveling.

3. Threat Landscape:

• This year, 43% of respondents indicate that their organization is experiencing more cyberattacks, an 8% increase from 2021.
• Enterprise reputation (79%), data breach concerns (70%) and supply chain disruptions (54%) are the top concerns related to cyberattacks for respondents.
• Despite the threats they face, 82% of respondents — an all-time high and a 5% increase from last year — indicate they are confident in their cybersecurity team’s ability to detect and respond to cyberthreats.
• While ransomware attacks top the headlines, the survey found that ransomware attacks have remained virtually unchanged from last year, at 10%.

Other top types of cyberattacks experienced in the past year include:

1. Social engineering (13%)
2. Advanced persistent threat (12%)
3. Security misconfiguration (10%)
4. Ransomware (10%)
5. Unpatched system (9%)
6. Denial of service (9%)

4. Cyber maturity:

• Regarding cyber risk assessments, 41% of survey respondents say their enterprises conduct them annually, up 2% from last year.
• One-third of respondents say their enterprise conducts assessments more than annually.