Cyber resilience has dominated headlines this year as major outages hit people, businesses, and public services.
But what about the cyber security professionals working behind the scenes? Although they often receive little media attention, the importance of their role in safeguarding day-to-day life has never been clearer. As AI technologies become more integrated across businesses and cyber threats grow increasingly sophisticated, demands on cybersecurity teams are higher than ever.
The key question remains: are businesses doing enough to support them?
Cyber attacks aren't going away – and cyber teams are feeling the strain
New research from ISACA's latest State of Cybersecurity report reveals that 41% of cyber security professionals say they are experiencing more cyber attacks this year than last. This is a growing issue which will only worsen if businesses do not act immediately. Indeed, not only are attacks increasing in number, but also in complexity. GenAI technologies are becoming more accessible, allowing bad actors to make their attacks harder to detect by more accurately simulating real human speech patterns and behaviours.
And cyber security professionals are feeling the strain. 68% of those surveyed report that their role is more stressful now than a year ago, with 79% attributing this rise to the increasingly complex threat landscape. With a worrying 58% of professionals expecting to experience an attack within the next year, it is no longer a matter of if businesses are going to be attacked, but rather when. Organizations must invest in their workforce to ensure they have the people with the right skills and expertise needed to combat these escalating threats and protect people and assets.
Yet cyber teams are underskilled, underfunded, and stressed
Despite this imminent threat to businesses, not enough organizations are making it a priority. Over half (52%) of professionals say that their organizations' cyber security budget is underfunded, leaving them vulnerable to attacks. This is especially concerning because businesses do not exist within a vacuum — as we have seen in cases such as the CrowdStrike outage, weakness in one organization can put entire digital ecosystems and supply chains at risk.
The issue of chronic underfunding is directly impacting staffing of cyber security professionals, too. 53% report that employees are leaving positions due to poor financial incentives, which is why a further 61% say that their organizations' teams are understaffed. It is imperative that businesses take action by financially prioritizing their cyber security teams as only these crucial investments can improve retention and fix the understaffing crisis. Without doing so, professionals' stress levels will continue to increase and they will be ill-prepared to tackle mounting external threats.
Job role criteria are holding the cyber industry back
In addition to the problem of retaining staff, cyber security teams are also struggling to recruit. 19% of professionals say that their organization has unfilled and open entry-level positions available, rising to almost half (48%) having unfilled open positions which require experience, a university degree, or other credentials. These numbers are concerning and suggest that businesses must take a broader approach to recruitment by diversifying the types of candidates they are considering and then offering sufficient training.
Our research shows that this will not only help with numbers of staff, but that it will have a positive impact on the quality of teams, too. When surveyed, over half (52%) of professionals highlighted soft skills as those most lacking amongst their current peers. If businesses choose to recruit staff from a wider pool, this skills gap can be effectively addressed, increasing the overall strength and efficacy of their teams. When enthusiastic candidates with the right soft skills are recruited, they can receive training to become adept cyber professionals while bringing an additional wealth of knowledge to the role.
Among these soft skills, communication stands out, with 54% of respondents identifying it as an area of concern. This is a critical issue for the cyber security field, as effective communication enables professionals to advocate for themselves within their organizations and externally, strengthening the visibility of cyber security's value and enhancing public understanding. Given the data on underfunding, it's evident that businesses often overlook cyber security, so it is vital to diversify employee skills and help integrate cyber security more closely into daily operations.
Hire beyond the traditional cyber security professional
When looking for candidates, businesses must invest in encouraging candidates from a wide range of backgrounds, including those who have developed these soft skills in another field and are now looking to make a career change. If applicants show a willingness and aptitude to learn, financial backing must be provided to allow them to upskill within the role. Training must also be offered to current employees to upskill them and ensure they have the knowledge and skills to match hackers, especially as new emerging technologies exacerbate the tactics used by these groups.
Investing in the ongoing professional development of new and existing employees isn't just a strategy, it's a necessity in closing the cyber skills gap. As external threats continue to worsen, businesses must adopt this proactive approach to build a resilient, future-ready workforce that stands as the first line of defense in protecting people and assets.
Chris Dimitriadis is global chief strategy officer at ISAC