State of the cybersecurity workforce

Respondents indicate they are looking for a range of skills in candidates.

The Great Resignation is plaguing industries across the board—but it’s especially challenging within in-demand fields like cybersecurity. According to ISACA’s new survey report, State of Cybersecurity 2022: Global Update on Workforce Efforts, Resources and Cyber Operations, organisations are struggling more than ever with hiring and retaining qualified cybersecurity professionals and managing skills gaps.

The eighth annual survey features insights from more than 2,000 cybersecurity professionals around the globe, and examines cybersecurity staffing and skills, resources, cyberthreats and cybersecurity maturity.

Hiring and retention challenges

As in past years, filling cybersecurity roles and retaining talent continue to be a challenge for many enterprises. Sixty-six per cent of respondents in ANZ indicate they have unfilled cybersecurity positions, up seven percentage points from 2021. Sixty-six per cent report that their cybersecurity teams are understaffed. Almost 50 per cent say it takes three to six months to find qualified cybersecurity candidates for open positions. The top factors hiring managers use to determine whether a candidate is qualified are prior hands-on cybersecurity experience (67 per cent), recommendation from previous employer (32 per cent) and credentials (20 per cent).

Sixty-two per cent of respondents report difficulties retaining qualified cybersecurity professionals. The top reasons that cybersecurity professionals are leaving their jobs include:

  • Recruited by other companies (71 per cent vs 59 per cent globally)
  • Poor financial incentives in terms of salary or bonus (57 per cent vs 48 per cent globally)
  • High work stress levels (42 per cent vs 45 per cent globally)
  • Limited promotion and development opportunities (40 per cent vs 47 per cent globally)
  • Lack of management support (30 per cent vs 34 per cent globally)
  • Poor culture/work environment (30 per cent, and the same globally)

Jo Stewart-Rattray, member of ISACA’s Information Security Advisory Group, said it is concerning, but not surprising, that 66 per cent of survey respondents in ANZ report unfilled cybersecurity positions on their teams. “The pandemic certainly put a strain on organisations that saw vulnerabilities appear in security systems during the migration to support remote working,” said Stewart-Rattray. “Demand increased rapidly for security professionals in a time that international and state border restrictions were imposed, creating lack of access to this essential workforce and a reduced talent pool.”

Skills gaps and mitigation

Respondents indicate they are looking for a range of skills in candidates, noting the top skills gaps they see in today’s cybersecurity professionals are soft skills (62 per cent), cloud computing (47 per cent)—a new response option for this question—and security controls (35 per cent). Soft skills also top the list of skills gaps among recent graduates, at 73 per cent. Among the top soft skills deemed important are communication (71 per cent), critical thinking (61 per cent) and problem solving (56 per cent).

To address these skills gaps, respondents note that increased reliance on AI or automation (up five percentage points from last year) and increased use of reskilling programs (up five percentage points from last year) are the main ways they mitigate technical skill gaps. Additionally, a smaller percentage of respondents, 27 per cent (52 per cent globally), indicate that their enterprises require university degrees.

“The Great Resignation is compounding the long-standing hiring and retention challenges the cybersecurity community has been facing for years, and systemic changes are critical,” says Jonathan Brandt, ISACA Director, Professional Practices and Innovation. “Flexibility is key. From broadening searches to include candidates without traditional degrees to providing support, training and flexible schedules that attract and retain qualified talent, organisations can move the needle in strengthening their teams and closing skills gaps.”

Budget increases slowly declining

Only 29 per cent of ANZ respondents say their cybersecurity budgets are appropriately funded – a stark comparison to the 42 per cent reported by global counterparts – down four percentage points from 2021. Forty-two per cent of respondents also expect their enterprises to have budget increases, while 29 per cent expect no change, and multiyear data suggests that budget increases are slowly declining.

Threat Landscape

This year, 40 per cent of respondents indicate that their organisation is experiencing more cyberattacks, virtually unchanged from last year.

When asked about their main concerns related to cyberattacks, enterprise reputation (89 per cent), data breach concerns (76 per cent) and supply chain disruptions (58 per cent) are top of mind for respondents. While ransomware attacks top the headlines, the survey found that ransomware attacks have remained virtually unchanged from last year, at 8 per cent. Other top types of cyberattacks experienced in the past year include:

  • Social engineering (15 per cent)
  • Advanced persistent threat (12 per cent)
  • Security misconfiguration (12 per cent)
  • Unpatched system (11 per cent)
  • Third-party (11 per cent)
  • Sensitive data exposure (9 per cent)
  • Ransomware (8 per cent)
  • Denial of service (8 per cent)

Despite the threats they face, 78 per cent of respondents—a six-percentage-point increase from last year—indicate they are confident in their cybersecurity team’s ability to detect and respond to cyberthreats.

Cyber Maturity

When it comes to cyber-risk assessments, 36 per cent of survey respondents indicate that their enterprises conduct them annually. Forty per cent of respondents say their enterprise conducts them more often than annually.

“It’s important to understand the trends across the community over time as well as how one’s organisation compares. This is necessary information to help advance the field, and we’re proud to be a part of sharing and disseminating these insights,” says Mary Yang, Chief Marketing Officer at LookingGlass Cyber Solutions. “LookingGlass is thrilled to support the cybersecurity community by partnering with ISACA on this report.”

 
