- 69 percent of those surveyed have difficulty retaining qualified cybersecurity professionals
New cybersecurity data homes in on where cybersecurity pros come up short, with soft skills, cloud computing, and security controls emerging as the biggest skills gaps in today’s cybersecurity professionals globally and in India, according to ISACA’s annual research report, State of Cybersecurity 2023, Global Update on Workforce Efforts, Resources and Cyberoperations.
Forty percent of Indian respondents say their cybersecurity teams are understaffed, according to the ninth annual survey—which explores the latest cybersecurity threat landscape, hiring challenges and opportunities, and budgets, with insights from 113 security leaders in India. The report, sponsored by Adobe, also shows that 54 percent of respondents indicated that they have job openings for non-entry level roles, compared to 20 percent with job openings for entry-level positions.
Staffing and Skills
The research indicates some strides have been made in addressing employee retention, but it continues to be a challenge. Sixty-nine percent of survey respondents in India say they have difficulty retaining qualified cybersecurity professionals.
Globally, continuing to reduce retention woes may be difficult given that benefits offered to cybersecurity pros have been declining—potentially driven by economic uncertainty. According to respondents worldwide, university tuition reimbursement dropped five percentage points to 28 percent, recruitment bonuses fell two percentage points, and reimbursement of certification fees dropped by a percentage point, compared to 2022.
When hiring, India-based respondents say they are looking for the following top five technical skills in cybersecurity pros:
- Cloud Computing: 46%
- Penetration Testing: 42%
- Forensics: 38%
- Identity and access management: 38%
- Data protection: 38%
When looking at soft skills, critical thinking (59 percent), problem solving (51 percent), decision making (49 percent), communication (47 percent), and leadership qualities (33 percent) come in as the top five skills global employers in India are seeking in cybersecurity job candidates.
Respondents in India also examined where cybersecurity professionals are lacking, identifying cloud computing (50 percent), soft skills (43 percent), security controls (43 percent), network-related topics (41 percent), and pattern analysis (35 percent) as the biggest skills gaps they see today.
To mitigate these technical skills gaps, respondents indicate their top five approaches are training non-security staff who are interested in moving into security roles (55 percent), increasing use of reskilling programs (46 percent), using performance-based training (33 percent), leveraging AI/automation (32 percent), and increasing usage of contract employees or outside consultants (30 percent). When addressing nontechnical skills gaps, organizations are leveraging online learning websites (62 percent), corporate training events (50 percent), mentoring (49 percent), and academic tuition reimbursement (21 percent).
“The soft skills gaps we see among cybersecurity professionals are part of a concerning systemic issue that our industry needs to take seriously,” says Jon Brandt, ISACA Director, Professional Practices and Innovation. “While there is no simple solution, addressing these needs with a collaborative approach that goes beyond traditional academia to involve hands-on training, mentorship, and other learning pathways can make an impact not only on individual skillsets and enterprise security outcomes, but also on the integrity of the profession as a whole.”
When looking at the cybersecurity threat landscape, nearly 55 percent of Indian respondents indicate that their organization is experiencing more cyberattacks compared to a year ago. Despite the difficult threat landscape, 63 percent are very or completely confident in their cybersecurity team’s ability to detect and respond to cyber threats.
Globally, the top three attack concerns remain the same as last year—enterprise reputation (79 percent), data breach concerns (69 percent) and supply chain disruptions (55 percent). Respondents worldwide also indicated that social engineering (15 percent) remains the main type of cyberattack they experience, an increase of two percentage points. This is followed by:
- Advanced persistent threats (11 percent)
- Ransomware (10 percent)
- Security misconfiguration (10 percent)
- Unpatched system (10 percent)
- Denial of service (9 percent)
- Sensitive data exposure (9 percent)
Ninety-two percent of India-based survey respondents say demand for technical cybersecurity individual contributors will increase in the next year, and 67 percent expect an increased demand for cybersecurity managers. Sixty-five percent believe that cybersecurity budgets will at least somewhat increase as well next year.
“The evolving threat landscape and the continuing cybersecurity skill shortage are a potent combination requiring a concerted approach to address these issues. Enterprises should take proactive steps to leverage available human resources to upskill and reskill staff so that, combined with investments in technologies, an effective cybersecurity posture can be established and sustained,” said RV Raghu, ISACA Ambassador in India and past ISACA board director.
A complimentary copy of the State of Cybersecurity 2023 survey report can be accessed at www.isaca.org/state-of-cybersecurity-2023, along with related resources. Additional cybersecurity resources can be found at www.isaca.org/resources/cybersecurity.