Latest News

State of the cybersecurity workforce: New research shows highest retention difficulties in years

Written on Oct 21, 2022

The Great Resignation is plaguing industries across the board—but it’s especially challenging within in-demand fields like cybersecurity. According to ISACA’s new survey report, State of Cybersecurity 2022: Global Update on Workforce Efforts, Resources and Cyberoperations, organizations are struggling more than ever with hiring and retaining qualified cybersecurity professionals and managing skills gaps. 

The eighth annual survey features insights from more than 2,000 cybersecurity professionals around the globe, and examines cybersecurity staffing and skills, resources, cyberthreats and cybersecurity maturity. 

As in past years, filling cybersecurity roles and retaining talent continues to be a challenge for many enterprises. Sixty-three percent of respondents indicate they have unfilled cybersecurity positions, up eight percentage points from 2021. Sixty-two percent report that their cybersecurity teams are understaffed. One in five say it takes more than six months to find qualified cybersecurity candidates for open positions. The top factors hiring managers use to determine whether a candidate is qualified are prior hands-on cybersecurity experience (73%), credentials (36%) and hands-on training (25%). 

Sixty percent of respondents report difficulties retaining qualified cybersecurity professionals, up seven percentage points from 2021. The top reasons that cybersecurity professionals are leaving their jobs include: 

  • Recruited by other companies (59%) 

  • Poor financial incentives in terms of salary or bonus (48%) 

  • Limited promotion and development opportunities (47%) 

  • High work stress levels (45%) 

  • Lack of management support (34%) 

Respondents indicate they are looking for a range of skills in candidates, noting the top skills gaps they see in today’s cybersecurity professionals are soft skills (54%), cloud computing (52%)—a new response option for this question—and security controls (34%). Soft skills also top the list of skills gaps among recent graduates, at 66%. Among the top soft skills deemed important are communication (57%), critical thinking (56%) and problem solving (49%). 

To address these skills gaps, respondents note that cross training of employees (up two percentage points from last year) and increased use of contractors and consultants (up five percentage points from the year prior) are the main ways they mitigate technical skill gaps. Additionally, a smaller percentage of respondents, 52%, indicate that their enterprises require university degrees, a six-percentage-point decrease from last year. 

Forty-two percent say their cybersecurity budgets are appropriately funded—the highest percentage in 8 years, up five percentage points from 2021, and the most favorable report since ISACA began doing this survey. Fifty-five percent of respondents also expect their enterprises to have budget increases, while 38% expect no change, and multiyear data suggests that budgets are leveling. 

This year, 43% of respondents indicate that their organization is experiencing more cyberattacks, an eight-percentage-point increase from last year. 

When asked about their main concerns related to cyberattacks, enterprise reputation (79%), data breach concerns (70%) and supply chain disruptions (54%) are top of mind for respondents. While ransomware attacks top the headlines, the survey found that ransomware attacks have remained virtually unchanged from last year, at 10%. Other top types of cyberattacks experienced in the past year include: 

  • Social engineering (13%) 

  • Advanced persistent threat (12%) 

  • Security misconfiguration (10%) 

  • Ransomware (10%) 

  • Unpatched system (9%) 

  • Denial of service (9%) 

Despite the threats they face, 82% of respondents—an all-time high, and a five-percentage-point increase from last year—indicate they are confident in their cybersecurity team’s ability to detect and respond to cyberthreats. 

When it comes to cyberrisk assessments, 41% of survey respondents indicate that their enterprises conduct them annually, up two percentage points from last year. One-third of respondents say their enterprise conducts them more often than annually.