In a survey of more than 2,000 cyber security professionals globally, ISACA found that 63% of respondents have unfilled cyber security positions, up eight percentage points from 2021.
A further 62% reported understaffed cyber security teams, with one in five saying it was taking over six months to find qualified candidates to fill open positions.
In its Privacy in practice 2022 report, ISACA previously found that 46% of organisations were struggling to fill legal and compliance roles, and 55% were struggling to fill technical privacy roles.
In its latest report – State of cybersecurity 2022: Global update on workforce efforts, resources and cyberoperations – ISACA noted that 60% of survey respondents also reported difficulty in retaining qualified cyber security professionals, a 7% increase on 2021.
The top reasons for cyber security professionals leaving their jobs included being recruited by other companies (59%), poor financial incentives in terms of salary or bonus (48%), limited promotion and development opportunities (47%), high levels of work-related stress (45%), and lack of management support (34%).
Respondents indicated they were looking for a range of skills in potential candidates, with the biggest gaps being noted in soft skills such as communication, problem solving or leadership (54%), along with cloud computing (52%).
Cross-training of employees and the increased use of contractors and consultants were cited as the main ways enterprises were attempting to mitigate these skills gaps.
The report also noted that while universities remain the primary source of talent in the cyber security pipeline, with 52% of organisations requiring a degree to fill entry-level positions, their importance appears to be waning, as that percentage was 6% lower than in 2021.
However, it added that opinion remains split on whether recent university graduates with a degree are well prepared for the cyber security challenges that enterprises face.
“The great resignation is compounding the long-standing hiring and retention challenges the cyber security community has been facing for years, and systemic changes are critical,” said Jonathan Brandt, ISACA director, professional practices and innovation.
“Flexibility is key. From broadening searches to include candidates without traditional degrees, to providing support, training and flexible schedules that attract and retain qualified talent, organisations can move the needle in strengthening their teams and closing skills gaps,” he added.
In terms of the threat landscape, 43% of respondents said their organisation was experiencing a higher volume of cyber attacks than the same time last year, with the three top-of-mind concerns being enterprise reputation (79%), data breaches (70%) and supply chain disruption (54%).
Despite the challenges reported, an all-time high of 82% still indicated they were confident in their cyber security team’s ability to detect and respond to cyber threats.
“This confidence is remarkable, considering that 46% of respondent enterprises have a security staff of just two to 10 individuals,” said the report.
However, it further noted that despite some optimism, including in expectations that budgets will increase over the coming year, the cyber security skills shortage is not going away any time soon, and, if anything, appears to be getting worse.
“Given the ongoing seller’s market for cyber security professionals, enterprises are encouraged to focus on competitive total benefits packages as opposed to competitive salaries alone. Salary expectations vary, but it is likely that many small to medium-sized enterprises simply cannot compete with larger enterprises on salary,” the report stated.
“With the likelihood that budgets will continue to level, enterprises may find themselves constrained with respect to additional headcount salaries and should therefore identify other ways to remain competitive in sourcing and retaining talent,” it said.