The ninth annual ISACA® global State of Cybersecurity Survey continues to identify current challenges and trends in the cybersecurity field. For the second consecutive year, ISACA fielded questions to gain deeper insight into persistent issues in cybersecurity workforce skill sets and staffing for entry-level positions. The State of Cybersecurity 2023 report analyzes the survey results on cybersecurity skills and staffing, resources, cyberthreats and cybersecurity maturity.
The survey findings are largely consistent with the findings from previous years, with any shifts likely linked to economic uncertainty, technological advances and the timing of well-known cybersecurity incidents. Uncertainty of any kind appears to be driving fewer job changes, and while vacancies persist, the survey results indicate that enterprises appear to be tightening budgets and compensation aids ahead of a potential recession.
Key findings of the survey include the following:
- The percentage of respondents who manage security staff with less than three years of work experience remains unchanged from prior years, while demographic information among respondents indicates an aging workforce.
- Seventy-one percent of survey respondents have unfilled cybersecurity positions, with unfilled non-entry-level positions outnumbering entry-level positions twofold. Those stating that their organization had no open positions grew by six percentage points.
- Employer benefits are tightening with notable declines in tuition reimbursement and recruitment bonuses. Paid volunteer time off increased.
- Soft skills remain the largest skill gap among cybersecurity professionals and university graduates, though views on the former have worsened. Among current practitioners, cloud computing skills improved by five percentage points from 2022. Technical skills among university graduates largely resembled 2022 data, with slight improvements in security controls and network operations; of concern with this group is the four-percentage-point drop in networking-related competency.
- Cross-training of employees and increased use of contractors and consultants remain primary mitigation approaches to address the workforce shortage. While the percentage of employers requiring a university degree for entry-level cybersecurity positions remains at 52 percent, differences across geographical regions are notable—Europe and Africa saw decreases, Asia and North America remained unchanged, and Latin America and Oceania reported large increases in this requirement.
Respondents’ views on the appropriateness of cybersecurity program funding are statistically the same as in 2022. Last year’s optimism surrounding cybersecurity budgets was short-lived; now, the prominent view is that the next budget cycle will result in the expectation of doing more with less.
Annual cyberrisk assessments continue, with data pointing to smaller improvements being made more frequently.