
ISACA’s Cybersecurity Study Reveals Struggles with Hiring and Retention Persist, More Diversity Progress Needed

57 per cent say they currently have unfilled cybersecurity positions on their team.

Sydney, Australia (25 February 2020) – Cybersecurity teams continue to struggle with hiring and retention, and very little improvement has been achieved in these areas since last year, according to new global research from ISACA that identifies current workforce challenges and trends in the cybersecurity field.

Part 1 of ISACA’s 2020 State of Cybersecurity report finds that enterprises are short-staffed, have difficulty identifying enough qualified talent for open positions and don’t believe their HR teams adequately understand their hiring needs. Additionally, while slight progress is reported in the effort to increase the number of women in cybersecurity roles and in established diversity programs, most cybersecurity teams still indicate they have significantly more men than women, and most report that progress is minimal.

“Cybersecurity jobs are in huge demand but, as many organisations are all too aware, it continues to be a real struggle to find the right candidates with the right skills and experience to meet the demands of these roles,” says retired Brigadier General Greg Touhill, ISACA board director, and President of the AppGate Federal Group. “Better understanding the nature of the skills gaps and issues with hiring and retention can help the industry more effectively drive innovative strategies and tactics to address and overcome these long-standing challenges.”

Some key findings include:
  1. 62 per cent say their organisations’ cybersecurity team is understaffed, and 57 per cent say they currently have unfilled cybersecurity positions on their team.
  2. 70 per cent say that fewer than half of their cybersecurity applicants are well qualified.
  3. 72 per cent of cybersecurity professionals believe their HR departments do not regularly understand their needs.
  4. 58 per cent of respondents anticipate an increase in cybersecurity budgets, an increase of three percentage points from last year, but less than the 64 per cent reported two years ago, signaling that spending may be leveling out.

Finding staff with the right skillsets continues to be difficult for cybersecurity teams. Survey respondents expressed that having a degree does not necessarily indicate that a candidate is ready for the job, with only 27 per cent saying that recent graduates in cybersecurity are well-prepared. They also indicated that candidates are not measuring up in either technical or soft skills, citing the top five skills gaps as soft skills (32%), IT knowledge and skills gaps (30%), insufficient business insight (16%), cybersecurity technical experience (13%) and insufficient hands-on training (10%). However, when asked about the factors they consider when determining if a cybersecurity candidate is qualified, they place emphasis on technical skills, ranking the top three qualifications as hands-on cybersecurity experience (95%), credentials (89%) and hands-on training (81%).

Once teams achieve the difficult task of finding the right professionals, they then struggle to retain them, with 66 per cent saying it’s difficult to retain cybersecurity talent, a slight increase from last year. They cite the main reasons for staff leaving as recruitment by other companies (59%), limited promotion and development opportunities (50%), poor financial incentives (50%), high work stress levels (40%, a 10% increase from the year prior) and a lack of management support (39%).

As part of efforts to retain women in cybersecurity teams and increase representation in the field, organisations have been making slight progress in putting diversity programs in place, with 49 per cent of respondents indicating that they have these programs—an increase of five percentage points from last year. Sixty-four per cent indicate some progress toward increasing the number of women in cybersecurity roles, though only 13 per cent say that progress is significant. Respondents indicated that 86 per cent of cybersecurity teams still have significantly more men than women or consist of all men; though, on a more positive note, the number of teams reporting an equal number of men and women increased by three percentage points this year.

“Diversity in this field is crucial—not only for enterprises to address hiring challenges to bring qualified, skilled talent onto their teams, but also to ensure that different viewpoints are reflected that strengthen their cybersecurity strategies and functions. It will be imperative to have these different viewpoints to address the newest, toughest challenges in cybersecurity,” says Brennan P. Baybeck, ISACA board chair; vice president and CISO, customer services, Oracle. “It is encouraging to see even slight advances being made; however, it is clear that more significant progress is needed to increase diversity in cybersecurity, including representation of women in these roles.”

State of Cybersecurity 2020 is available as a complimentary download at www.isaca.org/state-of-cybersecurity-2020. The report is the latest research from ISACA’s Cybersecurity Nexus, which offers credentials, training, guidance and research for security professionals.


About the State of Cybersecurity Study

More than 2,000 cybersecurity professionals who hold ISACA’s Certified Information Security Manager (CISM) credential or have information security job titles participated in the online survey. The findings will be issued in two reports in 2020. For a free download of the first report, visit www.isaca.org/state-of-cybersecurity-2020.


For more than 50 years, ISACA® (www.isaca.org) has advanced the best talent, expertise and learning in technology. ISACA equips individuals with knowledge, credentials, education and community to progress their careers and transform their organisations, and enables enterprises to train and build quality teams. ISACA is a global professional association and learning organisation that leverages the expertise of its 145,000 members who work in information security, governance, assurance, risk and privacy to drive innovation through technology. It has a presence in 188 countries, including 223 chapters worldwide.

Twitter: www.twitter.com/ISACANews
LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAGlobal
Instagram: www.instagram.com/isacanews

Julie Fenwick, jfenwick@daylightagency.com.au +61 468 901 655
Lauren Graham, lgraham@daylightagency.com.au +61 432 614 401