New ISACA Study: Despite Understaffed Cybersecurity Teams, Fewer Enterprises Are Training Staff for Security Roles

SCHAUMBURG, Ill.--(BUSINESS WIRE)--Though more than half (55 percent) of cybersecurity teams are understaffed, and 65 percent have unfilled cybersecurity positions, fewer enterprises are training non-security staff to move into security roles, according to ISACA’s 2025 State of Cybersecurity Report. The research finds that just 29 percent of enterprises provided this training, compared with 41 percent last year.

ISACA’s State of Cybersecurity 2025 survey report finds that 70 percent of security professionals expect the demand for technical cybersecurity pros to rise in the next year.

Share

This is despite almost half (46 percent) of respondents indicating that more than half of their current cyber staff transitioned from roles outside of the field, reveals the eleventh annual global survey report—which explores insights into cybersecurity skills, hiring, budgets, cyber risk, and the role of AI.

Challenges persist with staffing, resources

Survey respondents indicate there is a high demand for technical cybersecurity professionals, but challenges with hiring and retention persist. Thirty-eight percent say it takes three to six months to hire for entry-level roles, and 39 percent say the same for non-entry-level roles. Half of respondents admit their organizations struggle to retain cyber talent. However, 70 percent expect demand for technical contributors to rise.

Though fewer are indicating their budgets are underfunded (53 percent compared with 59 percent last year), only 41 percent expect budget increases (down from 47 percent).

Adaptability, soft skills in demand

In an environment in which technology and threats are constantly changing, the top qualifications in demand have adjusted as well—adaptability is now the top qualification factor (61 percent), with prior cybersecurity experience closely following behind (60 percent). Respondents also note that of the skills gaps they see in cybersecurity professionals, soft skills come in at the top (59 percent)—specifying that the key soft skills needed include critical thinking (57 percent), communication (56 percent) and problem-solving (47 percent).

A greater voice in AI implementation, policy

Respondents indicate that they are increasingly using AI in their work, as well as playing a larger role in AI policy at their organizations. Forty-seven percent say they have helped develop AI governance (up from 35 percent last year) and 40 percent have been involved in AI implementation (up from 29 percent). They note they use AI in security operations for 1) threat detection (32 percent), 2) endpoint security (30 percent) and 3) routine task automation (28 percent).

Complex threat landscape, high stress

The report finds that today’s complex threat landscape is dominated by social engineering attacks, with 44 percent of respondents noting this as the top attack type used against their organization, followed by exploited vulnerabilities (37 percent) and malware (26 percent). Though slightly down from last year, over a third of cybersecurity professionals (35 percent, down from 38 percent) report increased attacks this year.

While 43 percent of cybersecurity professionals believe an attack on their organization is likely or very likely in the next year, only 41 percent are confident in their team’s incident response capabilities. Additionally, 39 percent believe cybercrime is underreported, even when reporting is required.

It may not come as a surprise, then, that 66 percent of the cybersecurity professionals surveyed also said that their role is more stressful now than five years ago, with 63 percent citing the complex threat landscape as their top stressor. Nearly half (47 percent) indicated that high stress is the top reason for attrition.

“Cybersecurity professionals are navigating an increasingly complex threat landscape, marked by the rapid evolution of cyber threats and an uptick in the frequency and sophistication of attacks. More cyberattacks in the coming year is likely to exacerbate pressure on cybersecurity staff making it even more important to routinely evaluate support systems and training resources to improve their cybersecurity capabilities and resilience,” says Chris McGowan, ISACA principal, information security professional practices. “It’s imperative that organizations not only bolster their defenses but also prioritize the well-being of their cybersecurity teams.”

Additional security resources

McGowan and Safia Kazi, ISACA principal, privacy professional practices, will discuss the findings from the report in an upcoming free ISACA webinar. Learn more and register at https://store.isaca.org/s/community-event?id=a33VQ000001SN4LYAW.

ISACA offers a range of other cybersecurity credentials, resources and training for cybersecurity professionals at every stage in their career, including its recently introduced Certified Cybersecurity Operations Analyst (CCOA) and Advanced in AI Security Management (AAISM) credentials, and AI and cybersecurity-focused online courses, including AI Threat Landscape.

Access the free State of Cybersecurity 2025 report at www.isaca.org/state-of-cybersecurity. Explore additional ISACA cybersecurity resources at www.isaca.org/resources/cybersecurity.

About ISACA

ISACA^® (www.isaca.org) champions the global workforce advancing trust in technology. For more than 55 years, ISACA has empowered its community of 185,000+ members with the knowledge, credentials, training and network they need to thrive in fields like information security, governance, assurance, risk management, data privacy and emerging tech. With a presence in more than 190 countries and with nearly 230 chapters worldwide, ISACA offers resources tailored to every stage of members’ careers—helping them to thrive in a rapidly changing digital landscape, drive trusted innovation and ensure a more secure digital world. Through the ISACA Foundation, ISACA also expands IT and education career pathways, fostering opportunities to grow the next generation of technology professionals.

LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAGlobal
Instagram: www.instagram.com/isacanews/