State of Cybersecurity 2020 Part 1 - Res - Eng - 0220 PDF

1 STATE OF CYBERSECURITY 2020: GLOBAL UPDATE ON WORKFORCE EFFORTS AND RESOURCES
State of Cybersecurity 2020

Part 1: Global Update on Workforce Efforts and Resources
© 2020 ISACA. All Rights Reserved.

Personal Copy of Immanuel Giulea (ISACA ID: 1157570)
ABSTRACT
State of Cybersecurity 2020 reports the results of the annual ISACA ® global
State of Cybersecurity Survey, conducted in the fourth quarter of 2019.
This Part 1 survey report highlights current trends in cybersecurity workforce
development, staffing, budgeting and gender diversity. The report
echoes—and reaffirms—key findings of prior years: Enterprises are still
short-staffed in cybersecurity, struggle to find sufficient talent for open
positions and expect their cybersecurity budgets to grow. Efforts to
increase the number of women in cybersecurity roles progressed slightly,
and more enterprises established gender diversity programs.

CONTENTS
4 Executive Summary
4 Survey Methodology
7 Challenges Persist in Cybersecurity Resourcing

8 / Vacancies
11 / Qualifications and Confidence Levels
14 / University Degree Programs Versus Training Programs
15 Retention Remains a Challenge
17 Gender Diversity Within Cybersecurity—Slow but Steady Improvement

17 / Gender Diversity and Disparity
19 / Gender Initiatives
20 Signs of Leveling in Cybersecurity Funding
21 Conclusion: Organizations Must Act on Talent Shortage
22 Acknowledgments

Executive Summary
This year’s global State of Cybersecurity Survey combat the cyberthreats they face. However, the
asked respondents to identify current and anticipated factors influencing whether candidates are viewed
challenges and trends in cybersecurity. This report as well qualified shifted, which calls into question
analyzes survey results specific to cybersecurity traditional pathways to cybersecurity careers. While
workforce development, resources and diversity. hiring remains challenging, respondents indicate that
In a second (forthcoming) report, ISACA® examines retaining cybersecurity talent is even more difficult this
survey results relating to security operations, year, highlighting the criticality of skills gap mitigations—
cyberattacks and threats, and organizational especially when the workforce shortage continues to
cybersecurity and governance. rise. Gender diversity efforts are helping to bring more
women into the cybersecurity workforce—albeit slowly.
The latest State of Cybersecurity Survey results are Cybersecurity budgets in 2020 are forecast to be higher
consistent with findings from the previous two years. than 2019 budgets but show signs of leveling off when
Enterprises continue to lack the staff required to compared to prior years.
Survey Methodology
In the final quarter of 2019, ISACA sent online survey • Security operations
invitations to a global population of cybersecurity
• Cybersecurity budgets
professionals who hold ISACA’s Certified Information
Security Manager® (CISM®) certification or have • Cyberattacks and threats
information security job titles. Survey data were • Organization cybersecurity and governance
collected anonymously via SurveyMonkey. A total of
2,051 respondents completed the survey in its entirety, The survey’s target population consists of individuals
and their responses are included in the results. 1 who have cybersecurity job responsibilities. Of the
2,051 respondents, 913 indicate that their primary
The survey presented respondents with multiple-choice professional area of responsibility is cybersecurity.
and Likert scale-format questions organized into six Figure 1 captures key demographic norms across a
major sections: diverse set of survey respondents.
• Hiring and skills

Respondents represent over 17 industries (figure 2) and
• Diversity hail from 102 countries.
1 Certain questions included the option to choose “Don’t know” from the list of answers. Where appropriate, “Don’t know” responses were removed
from the calculation of findings. Result percentages are rounded to the nearest integer.

FIGURE 1—RESPONDENT DEMOGRAPHICS
REGIONS
NORTH
94% A M E R I CA EUROPE ASIA
IS ACA
M EM BER
50% 18% 18%
INDUSTRIES
3%
3%
MIDDLE
24 % L AT I N
EAST
A M E R I CA A F R I CA
3% 4%
OCE ANIA
T EC H N O LOGY
S ERV IC E S/C O NS U LT ING
MAIN AREA OF RESPONSIBILITY
22 % 61%
33%
CY BER S EC U R I T Y
M A N AGEM EN T
FIN A N CI A L /BA N K ING
37% EM PLOY ED IN
A N EN T ER PR IS E
WITH
AT L E A S T
14 % I T R IS K
12% 1,500
M A N AGEM EN T,
AU DI T,
GOV ER N A N C E,
GOV ER N M EN T/MIL I TA RY— CY BER S EC U R I T Y C O M PL I A N C E E M PLOY E E S
N AT IO N A L /S TAT E /LO CA L PR ACT I T IO N ER

FIGURE 2—INDUSTRY SECTORS

FIGURE 2—INDUSTRY
Indicate your SECTORS
organization’s primary industry.
Indicate your organization’s primary industry.
Technology Services/ 24%

Consulting
Financial/Banking 22%
Government/Military–
14%
National/State/Local
Other 9%
Manufacturing/Engineering 6%
Healthcare/Medical 5%
Insurance 5%
Telecommunications/ 4%
Communications
Retail/Wholesale/Distribution 3%
Mining/Construction/
2%
Petroleum/Agriculture
Transportation 2%
Utilities 2%
Advertising/Marketing/Media 1%
Aerospace 1%
Legal/Law/Real Estate 1%
Pharmaceutical 1%
Public Accounting 1%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Challenges Persist in
Cybersecurity Resourcing
The demand for cybersecurity talent2 has steadily is appropriately staffed increased from 25 percent last
risen, which is good news for new and aspiring year to 31 percent this year.
practitioners. Although this year’s survey results
on staffing are largely consistent with prior-year The industry remains a seller’s market and,
data, current data reveal a sizeable shift away consequently, enterprises face resourcing and retention
from assessments of significantly understaffed to issues. Analysis of this year’s responses confirms that
appropriately staffed (figure 3). Last year, 21 percent understaffed organizations are significantly more likely
of respondents reported that their cybersecurity team to have retention issues. Additionally, understaffed
was significantly understaffed; only 15 percent report teams are significantly more likely to have experienced
the same perception this year. The percentage of more cyberattacks during the last year—a point
respondents who believe that their cybersecurity team supported by other cyberworkforce data.3
FIGURE3–CYBERSECURITY
FIGURE 3—CYBERSECURITY STAFFING
STAFFING
How would
How wouldyou
youdescribe
describe the
the current
current staffing
staffing of your
of your organization’s
organization’s cybersecurity
cybersecurity team?team?
Significantly understaffed 15%
Somewhat understaffed 47%
Appropriately staffed 31%
Somewhat overstaffed 2%
Significantly overstaffed 1%
Don’t know 3%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
2 (ISC)2® estimates a global shortage of 4.07 million cybersecurity staff, which represents a 26-percent increase from 2018. Fifty-one percent of
respondents to the 2019 (ISC)² Cybersecurity Workforce Study “say their organization is at moderate or extreme risk due to cybersecurity staff
shortage.” See (ISC)2, (ISC)² Cybersecurity Workforce Study, 2019: Strategies for Building and Growing Strong Cybersecurity Teams, www.isc2.org/-/
media/ISC2/Research/2019-Cybersecurity-Workforce-Study/ISC2-Cybersecurity-Workforce-Study-2019.ashx?la=en&hash=D087F6468B4991E-
0BEFFC017BC1ADF59CD5A2EF7.
3 Ibid.

Vacancies The amount of time required to fill a cybersecurity

position (figure 5) moved little this year—which is not
Fifty-seven percent of respondents claim to have
surprising—given the industry’s widespread
unfilled cybersecurity positions (figure 4), which
reporting of insufficient candidates for an increasing
closely aligns with last year’s data (58 percent).
number of current and future human resource needs.
FIGURE 4—UNFILLED
FIGURE 4–UNFILLED POSITIONS
POSITIONS
Does your organization have unfilled
Does your organization have unfilled (open)
(open) cybersecurity
cybersecurity positions?
positions?
Yes 57%
No 33%
Don’t know 10%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
FIGURE 5—TIMETO
FIGURE 5–TIME TOFILL
FILL A CYBERSECURITY
A CYBERSECURITY POSITION
POSITION
On average,
average,how
howlong
longdoes
does it take
it take your
your organization
organization to filltoafill a cybersecurity
cybersecurity position
position with awith a qualified
qualified candidate?
candidate?
< 2 weeks 1%
1 month 5%
2 months 12%
3 months 30%
6 months or more 29%
Cannot fill open positions 3%
Not applicable 6%
Don’t know 15%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Technical cybersecurity positions remained the generally anticipate no change in the coming
top vacancy again this year (figure 6); however, year, except for growth in individual contributor/
all but executive-level positions declined from last technical cybersecurity positions (for which 78
year. Figure 7 represents three-year reporting data percent expect increased demand). Figure 9 charts
regarding unfilled positions. three-year trends regarding future demand across
When asked about future demand (figure 8), respondents various position categories.
FIGURE 6—PERCENTAGES
FIGURE 6–PERCENTAGES OFOF UNFILLED
UNFILLED POSITIONS
POSITIONS AT GIVEN
AT GIVEN ORGANIZATIONAL
ORGANIZATIONAL LEVELS
LEVELS
How many
manyof
ofyour
yourunfilled
unfilled (open)
(open) cybersecurity
cybersecurity positions
positions are
are at atfollowing
the the following
levels?levels?
9%
37%
Individual contributor/ 25%
Technical cybersecurity
10%
19%
2%
11%
Nontechnical cybersecurity
23%
34%
3%
10%
Cybersecurity manager 21%
23%
44%
2%
7%
Senior manager/ 12%
Director of cybersecurity
22%
57%
3%
5%
Executive or
C-suite cybersecurity 7%
(e.g., CISO) 14%
71%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
All Most Some Few None

FIGURE 7–UNFILLED POSITION REPORTING (2018–2020)4

FIGURE 7—UNFILLED POSITION REPORTING (2018–2020)4
100%
90%
92%
80%
82% 81%
70% 75%
60% 66%
63% 63%
50% 55% 56%
40% 47%
43%
30% 36%
28% 29%
20%
19%
10%
0%
Executive or
Senior manager/ Individual contributor/ Individual contributor/
C-suite cybersecurity Cybersecurity manager
Director of cybersecurity Nontechnical cybersecurity Technical cybersecurity
(e.g., CISO)
2018 2019 2020
FIGURE 8—FUTUREHIRING
FIGURE 8–FUTURE HIRING DEMAND
DEMAND
In the next
In the nextyear,
year,do
doyou
yousee
see the
the demand
demand for for
thethe following
following cybersecurity
cybersecurity position
position levels levels increasing,
increasing, decreasing
decreasing or
or remaining
remaining
the same? the same?
78%
1%
47%
5%
46%
Cybersecurity manager 51%
3%
33%
Senior manager/ 62%
Director of cybersecurity
4%
Executive or 29%
C-suite cybersecurity 67%
(e.g., CISO) 4%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Increasing Remaining the same Decreasing
4 Figure 7 compares unfilled position data aggregated from 2018–2020 State of Cybersecurity reports. Percentages represent all categories
of vacancies less “none.”

FIGURE 9—HIRING DEMAND TRENDING (2018–2020)

FIGURE 9—HIRING DEMAND TRENDING (2018–2020)
100%
Individual contributor/
90%
Individual contributor/
80%
70%
Cybersecurity manager
60%
Senior manager/
50% Director of cybersecurity
40% Executive or
C-suite cybersecurity
30% (e.g., CISO)
20%
10%
0%
2018 2019 2020
Qualifications and qualified. Although this datapoint alone does

not characterize deficiencies among applicants,
Confidence Levels it does help to explain delays in filling positions—
Survey results indicate that hiring manager not surprisingly, 73 percent of respondents who
confidence is low when it comes to applicants. reported less than 25 percent of their applicants
Figure 10 indicates that 70 percent of respondents are well qualified have unfilled positions longer than
generally do not believe their applicants are well three months.
FIGURE 10—PERCENTAGE
FIGURE 10–PERCENTAGE OFOF CYBERSECURITY
CYBERSECURITY APPLICANTS
APPLICANTS WHOWHO ARE WELL
ARE WELL QUALIFIED
QUALIFIED
On average,how
On average, howmany
manycybersecurity
cybersecurity applicants
applicants are are
wellwell qualified
qualified forposition
for the the position for which
for which they
they are are applying?
applying?
Less than 25% 33%
26–50% 37%
51–75% 23%
76–100% 7%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

As shown in figure 11, prior hands-on cybersecurity gap among cybersecurity professionals (figure 12),
experience remains the primary factor in followed closely by IT knowledge and skills gaps—
determining whether a candidate is considered qualified. specifically networking, infrastructure and IT operations.
However, when asked about the largest skills gaps, Respondents also indicate a lack of knowledge and/or
the responses somewhat contradict this point. experience with various technologies and applications
Respondents largely view soft skills as the primary as skills gaps.
FIGURE 11—CANDIDATE
FIGURE 11–CANDIDATE QUALIFICATIONS
QUALIFICATIONS
How important are each of the following
How important are each of the following factors
factors in determining
in determining if a cybersecurity
if a cybersecurity candidate
candidate is qualified?
is qualified?
73%
22%
Prior hands-on 2%
cybersecurity experience
0%
3%
35%
54%
Credentials 7%
1%
3%
25%
56%
Hands-on training 14%
2%
3%
22%
48%
Employer recommendation 22%
4%
4%
20%
47%
University degree 23%
7%
3%
7%
36%
Association membership 38%
15%
4%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Very important Somewhat important Not very important Not at all important Don’t know

A deficit of soft skills may also be to blame in another Relatively higher degrees of understanding between
area—recruitment. Survey data shown in figure 13 hiring managers and HR departments correlate highly
illustrate a significant misunderstanding between to filling open positions faster. Of those respondents
hiring managers and those who identify and prescreen who report that HR always fully understands their
candidates. Seventy-two percent of respondents feel that cybersecurity hiring needs, 29 percent hire in less than
their HR departments do not understand their needs. two months (which is quicker than most).
FIGURE 12—QUANTIFIED
FIGURE 12–QUANTIFIED SKILLS
SKILLS GAPS
GAPS 5 5
What arethe
What are thebiggest
biggestskill
skillgaps
gaps you
you seesee in today’s
in today’s cybersecurity
cybersecurity professionals?
professionals?
Soft skills 32%
IT knowledge and skills gaps 30%
Insufficient business insight 16%
Cybersecurity technical 13%

experience
Insufficient hands-on training 10%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
FIGURE 13—HRNEEDS
FIGURE 13–HR NEEDS COMPREHENSION
COMPREHENSION
How oftendo
How often doyou
youfeel
feelyour
your HR
HR department
department fullyfully understands
understands your your cybersecurity
cybersecurity hiring hiring
needs needs to properly
to properly
prescreen candidates?
prescreen candidates?
Always 6%
Frequently 22%
Occasionally 37%
Rarely 30%
Never 5%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
5 ISACA normalized and aggregated certain survey responses to clarify respondents’ views on skills gaps. The aggregate category ‘IT knowledge
and skills gaps’ in figure 12 includes the following survey responses defining particular/discrete gaps: "different types of technologies and/or
applications," "IT operations knowledge and skills" and "networking and/or other infrastructure knowledge and skills." The aggregate category ‘Soft
skills’ combines the following discrete gaps: “insufficient soft skills” and “inability to collaborate between IT and the business units.”

University Degree Programs Perceptions of university degrees in cybersecurity

remain mixed among survey respondents. Forty-six
Versus Training Programs percent report that they neither agree nor disagree that
The cybersecurity talent gap continues to spur the cybersecurity degrees prepare university graduates well
growth of new organizations and programs that aim for their future organizations’ challenges (figure 14).
to develop—and/or increase—the candidate pool. This represents an eight percentage-point increase from
There is no shortage of traditional academic programs a year ago. The percent of respondents who indicate
and training courses in the market—each with certain that cybersecurity university degrees do not prepare
advantages and disadvantages. Of the two, respondents graduates for today’s challenges dropped to 28 percent
regard hands-on training as more important than this year, down from 39 percent last year. Despite this
university degree programs (figure 11). Data represented sentiment, 55 percent report that their organizations
in figure 12 suggest, however, that neither security- require a degree (figure 15), though responses vary by
specific degree programs nor training courses provide geography. For example, 78 percent of those responding
sufficient IT knowledge and skills for those just entering from Africa indicate that their enterprises require a
the cybersecurity profession. university degree to fill an entry-level cybersecurity
FIGURE 14—CONFIDENCE INDEGREE

FIGURE 14–CYBERSECURITY UNIVERSITY DEGREES
CONFIDENCE
To what extent
To what extentdo
doyou
youagree
agreeoror disagree
disagree thatthat recent
recent university
university graduates
graduates in cybersecurity
in cybersecurity are wellare well prepared
prepared for the for the
cybersecurity challengesinin
cybersecurity challenges your
your organization?
organization?
Strongly agree 4%
Agree 23%
Neither agree nor disagree 46%
Disagree 21%
Strongly disagree 7%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
FIGURE15–UNIVERSITY
FIGURE 15— UNIVERSITY REQUIREMENT
REQUIREMENT
Does your
Does yourorganization
organization typically
typically require
require a university
a university degree
degree to fillto fill entry-level
your your entry-level cybersecurity
cybersecurity positions?
positions?
Yes 55%
No 35%
Don’t know 10%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

position, while only 37 percent of those responding bachelor-degree level or higher.6 The value of
from Oceana indicate requiring a university degree. formal education is beyond the scope of this paper
Respondents from other geographies fall somewhere in and arguably varies by region. However, given the
between regarding the university degree requirement— cybersecurity human capital crisis that threatens
with Asia at 62 percent, Europe at 46 percent, Latin global markets—and, when it comes to personal
America at 64 percent, North America (including the privacy, for example, jeopardizes the reputations of
Caribbean and Central America) at 54 percent and the everyday citizens, or even continuity of life in hospitals
Middle East at 67 percent. or other healthcare settings—it becomes clear
that not only enterprises, but the public in general,
Reporting shows that a large majority of cybersecurity would benefit from greater numbers of cybersecurity
professionals do have a degree. According to the applicants. Mandating degrees—especially via
(ISC) Cybersecurity Workforce Study, 2019, 88 percent
2 automated recruiting platforms—unnecessarily
of practitioners have a degree—most at the constrains talent pools.
Retention Remains A Challenge

This year, 66 percent of survey respondents indicate continue to address their respective skills gaps
difficulty retaining talent—a slight increase over this year (figure 17)—although different
last year’s 64 percent. Although justification varies, mitigation strategies surface more prominently in
respondents overwhelmingly feel that cybersecurity current-year results, compared to prior year.
professionals leave positions because they are actively Cross-training of organizational personnel and
recruited (figure 16). Like last year, respondents ranked increased use of contractors and consultants are the
limited promotion and development opportunities as a primary mitigations of survey respondents. Thirty
likely reason for professionals to leave current jobs. The percent of enterprises report using artificial intelligence
data further indicate that people leave positions not just (AI) in their security operations, which may explain the
on account of financial reasons—an encouraging result slight uptick in the reported use of AI or automation to
for enterprises with strained budgets. Forty percent of mitigate skills gaps. ISACA expects this implementation
respondents attribute departures to workplace stress, of AI to trend higher as strategies and solutions are
which marks a 10 percentage-point increase over the increasingly proven beneficial
year prior. Not surprisingly, organizations with unfilled within various industries.
cybersecurity positions are significantly more likely also
to have retention issues. Performance-based training and requiring credentials—
although viable and beneficial—do not uniformly
Enterprises recognize that there is no quick answer to mitigate skills gaps, nor do they decrease the workplace
their cybersecurity-resource woes. Accordingly, they stress that accompanies shorthanded teams.
6 Op cit (ISC)2

FIGURE16—WHY
FIGURE 16—WHYCYBERSECURITY
CYBERSECURITY PROFESSIONALS
PROFESSIONALS LEAVELEAVE
THEIR THEIR
JOBSJOBS
Which, if any, of the following factors do you feel are causing cybersecurity professionals to leavetotheir
Which, if any, of the following factors do you feel are causing cybersecurity professionals leave their jobs?
current current jobs?
Select
Select
the top the top 5 factors.
5 factors.
Recruited by other companies 59%
Limited promotion and 50%

development opportunities
Poor financial incentives 50%

(e.g., salaries or bonuses)
High work stress levels 40%
Lack of management support 39%
Poor work culture/environment 32%
Limited remote work 21%

possibilities
Limited opportunities to work 21%

with latest technologies (e.g., AI)
Inflexible work policies 17%
Desire to work in a new industry 14%
Family situation changes 11%

(e.g., children born, marriage)
Retirement 9%
Switching careers (e.g., leaving 8%

cybersecurity entirely)
Lack of workplace diversity 7%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

FIGURE 17—MEANS OF MITIGATING SHORTFALLS

Which, if 17–MEANS
FIGURE any, of the following has your organization
OF MITIGATING SHORTFALLSundertaken to help decrease the perceived
cybersecurity
Which, if any, ofskills gaps? Select
the following all that
has your apply. undertaken to help decrease the perceived cybersecurity skills gaps?
organization
Training to allow nonsecurity

staff who are interested to move 40%
into security roles
Increased use of contract

employees or outside 40%
consultants
Increased use of performance-

based training to attest to actual 22%
skill mastery
Increased reliance on artificial 20%

intelligence or automation
Increased reliance on
credentials to attest to actual 20%
subject matter expertise
Nothing has been done 16%
Organization has no 3%
skills gaps
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Gender Diversity Within Cybersecurity—

Slow but Steady Improvement
Gender Diversity and Disparity percent—up one percentage point from the prior year
(figure 19). The number of women who believe that they
Overall, this year’s survey results extend the last two
are afforded the same opportunities as men increased 6
years’ reporting of a male-dominated workforce: Eighty-
percentage points (to 51 percent), and the gap between
six percent of recent respondents report the employment
the numbers of men and women who perceive equal
of more men than women in their enterprises’ security
opportunity for career advancement narrowed by 7
roles (figure 18). However, this figure represents a small
percentage points from a year ago.
decrease (three percentage points) from last year, while
the number of respondents indicating equal numbers of Forty-seven percent of respondents indicate that their
men and women increased three percentage points. enterprise has a goal to increase the number of women
in cybersecurity roles—a two-percentage point gain
Most respondents believe that women are afforded the from last year; the number of women making that claim
same opportunities for career advancement as men—81 increased five percentage points to 38 percent.

FIGURE18—PROPORTION
FIGURE 18—PROPORTION OFOFMENMEN VS.VS. WOMEN
WOMEN IN CYBERSECURITY
IN CYBERSECURITY ROLES ROLES
How would you describe the current proportion of men versus women in cybersecurity roles inroles
How would you describe the current proportion of men versus women in cybersecurity your in your organization?
organization?
All men 13%
Significantly more 48%

men than women
Somewhat more 25%

men than women
Equal numbers of 11%

men and women
Somewhat more
2%
women than men
Significantly more
< 1%
women than men
All women < 1%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
FIGURE19–GENDER
FIGURE 19—GENDER DISPARITY
DISPARITY
Do you
Do youbelieve
believethat
thatwomen
womenareare offered
offered thethe same
same opportunities
opportunities for career
for career advancement
advancement as menas men
are are offered
offered in the
in the field of
field of cybersecurity
cybersecurity in your organization?
in your organization?
Yes 81%
No 19%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Gender Initiatives progress—however slight—towards increasing the

number of women in cybersecurity roles (figure 20).
Despite an increasing number of global initiatives to The positive changes in this year’s data are promising.
boost the number of women in technology careers, According to the data, almost half of all enterprises—
expectations should be tempered as broad-scale 49 percent—have gender diversity programs in
workforce efforts take time to cultivate. That said, place, which is five percentage points higher than last
64 percent of those surveyed indicate some year (figure 21).
FIGURE20–ORGANIZATIONAL
FIGURE 20—ORGANIZATIONAL PROGRESS
PROGRESS TOWARD WOMEN
INCREASING INCREASING WOMEN
IN CYBER IN CYBER ROLES
ROLES
How would
How wouldyou
youdescribe
describe the
the progress
progress thatthat
youryour organization
organization has made
has made in increasing
in increasing the number
the number of women
of women
in cybersecurity
in cybersecurityroles?
roles?
Significant progress 13%
Some progress 32%
Minimal progress 19%
No progress 14%
Organization has no program

in place to change the 22%
proportion of women
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
FIGURE21–DIVERSITY
FIGURE 21—DIVERSITY PROGRAMS
PROGRAMS
Does your organization have in in
Does your organization have place
place specific
specific diversity
diversity programs
programs to support
to support womenwomen cybersecurity
cybersecurity professionals?
professionals?
Yes 49%
No 51%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Signs of Leveling in
Cybersecurity Funding
Cybersecurity budgets are projected to bounce increase of three percentage points from last
back in 2020; however, the increase remains less than year. This increase is notable because the data in
the 64 percent reported two years ago. Specifically, 7
figures 22 and 23 suggest spending may be
58 percent of respondents anticipate an increase leveling out, given the five-year trend represented
in cybersecurity budgets (figure 22), which is an in figure 24.
FIGURE22–ENTERPRISE
FIGURE 22—ENTERPRISE SECURITY
SECURITY BUDGET
BUDGET OUTLOOK
OUTLOOK
How, ififany,
How, any,will
willyour
yourorganization’s
cybersecurity budget
budget change
change in theinnext
the 12
next 12 months?
months?
4%
Significantly increase
8%
54%
Somewhat increase
47%
29%
Remain unchanged
34%
11%
Somewhat decrease
9%
2%
Significantly decrease
3%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
2020 2019
FIGURE23–CYBERSECURITY
FIGURE 23—CYBERSECURITY FUNDING
FUNDING PERCEPTION
PERCEPTION
Do you
Do youfeel
feelyour
yourorganization’s
cybersecurity budget
budget is currently…
is currently…
17%
Significantly underfunded
19%
41%
Somewhat underfunded
41%
38%
Appropriately funded
34%
4%
Somewhat overfunded
3%
1%
Significantly overfunded
2%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
2020 2019
7 ISACA, State of Cybersecurity 2018, Part 1: Workforce Development, https://cybersecurity.isaca.org/csx-resources/state-of-cybersecurity-2018

FIGURE 24–FORECASTED SECURITY BUDGET INCREASES (5 YEAR)

FIGURE 24—FORECASTED SECURITY BUDGET INCREASES (5 YEAR)
100%
90%
80%
70% 64%
61%
58%
60% 55%
50%
50%
40%
30%
20%
10%
0%
2016 2017 2018 2019 2020
Conclusion: Organizations Must

Act on Talent Shortage
The cybersecurity workforce shortage is not new, nor individuals—who already understand the organization’s
is it going away soon. Formal educational programs business drivers and culture—can help to satisfy
and industry cybersecurity training programs—despite some of the knowledge and skills gaps reported in this
their proliferation—cannot replicate cybersecurity year’s survey. Gender diversity programs are one
experience, which is the most sought-after criterion for vehicle to increase organizational talent, but they
filling a vacant job position. Organizations have difficulty cannot be the only solution to combat the talent
locating individuals with the desired experience, shortage. More can be done, but it requires commitment
and increasingly poach qualified talent from other and nontraditional recruiting. Formal education and
enterprises—a practice whose frequency is likely to industry training programs can be cost prohibitive
increase. The excessive time required to fill open for many aspiring practitioners. Mandating college
positions not only exacerbates workplace stress but degrees and certifications minimizes talent pools
is also associated with increased cyberattacks and and disadvantages those who could not afford to
retention issues. fulfill traditional requirements for cybersecurity jobs.
Government workforce development or employment
Most organizations have experienced a bad hire, which agencies may also be viable sources for displaced
can prove undesirable and costly in some instances. workers or career changers. The cybersecurity seller’s
However, that risk pales in comparison to any recently job market will not diminish anytime soon; with
documented cybersecurity incident. With so few budgets leveling out—and retention waning—traditional
qualified applicants, organizations are wise to cross- recruitment strategies may have to give way to new and
train existing employees. Investing in familiar, motivated inventive alternatives.

Acknowledgments
ISACA would like to recognize:
ISACA Board of Directors

Brennan P. Baybeck, Chair Rob Clyde
CISA, CRISC, CISM, CISSP ISACA Board Chair, 2018-2019
Vice President and Chief Information CISM
Security Officer for Customer Services, Board Director, Titus and Executive
Oracle Corporation, USA Chair, White Cloud Security, USA
Rolf von Roessing, Vice-Chair Chris K. Dimitriadis, Ph.D.

CISA, CISM, CGEIT, CISSP, FBCI ISACA Board Chair, 2015-2017
FORFA Consulting AG, Switzerland CISA, CRISC, CISM
INTRALOT, Greece
Tracey Dedrick
Former Chief Risk Officer with Hudson Greg Grocholski
City Bancorp, USA ISACA Board Chair, 2012-2013
CISA
Pam Nigro
Saudi Basic Industries Corporation, USA
CISA, CRISC, CGEIT, CRMA
Health Care Service Corporation, USA David Samuelson
Chief Executive Officer, ISACA, USA
R.V. Raghu
CISA, CRISC
Versatilist Consulting India Pvt. Ltd.,
India
Gabriela Reynaga
CISA, CRISC, COBIT 5 Foundation, GRCP
Holistics GRC, Mexico
Gregory Touhill
CISM, CISSP
AppGate Federal Group, USA
Asaf Weisberg
CISA, CRISC, CISM, CGEIT
introSight Ltd., Israel

About ISACA
For more than 50 years, ISACA® (www.isaca.org) has advanced the best
talent, expertise and learning in technology. ISACA equips individuals with 1700 E. Golf Road, Suite 400
knowledge, credentials, education and community to progress their careers Schaumburg, IL 60173, USA
and transform their organizations, and enables enterprises to train and

Phone: +1.847.660.5505
build quality teams. ISACA is a global professional association and learning
Fax: +1.847.253.1755
organization that leverages the expertise of its 145,000 members who work
in information security, governance, assurance, risk and privacy to drive Support: support.isaca.org
innovation through technology. It has a presence in 188 countries, including Web: www.isaca.org
more than 220 chapters worldwide.
Disclaimer Provide feedback:

ISACA has designed and created State of Cybersecurity 2020, Part 1: www.isaca.org/state-of-
Global Update on Workforce Efforts and Resources (the “Work”) primarily cybersecurity-2020
as an educational resource for professionals. ISACA makes no claim
Participate in the ISACA
that use of any of the Work will assure a successful outcome. The Work
Knowledge Center:
should not be considered inclusive of all proper information, procedures
www.isaca.org/knowledge-center
and tests or exclusive of other information, procedures and tests that
are reasonably directed to obtaining the same results. In determining the Twitter:
propriety of any specific information, procedure or test, professionals www.twitter.com/ISACANews

should apply their own professional judgment to the specific
LinkedIn:
circumstances presented by the particular systems or information
www.linkedin.com/company/isaca
technology environment.
Facebook:
RESERVATION OF RIGHTS www.facebook.com/ISACAGlobal
© 2020 ISACA. All rights reserved.
Instagram:
www.instagram.com/isacanews/
State Of Cybersecurity 2020, Part 1: Global Update On Workforce Efforts And Resources


State of Cybersecurity 2020 Part 1 - Res - Eng - 0220 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

State of Cybersecurity 2020 Part 1 - Res - Eng - 0220 PDF

Uploaded by

Copyright:

Available Formats

1 STATE OF CYBERSECURITY 2020: GLOBAL UPDATE ON WORKFORCE EFFORTS AND RESOURCES

State of Cybersecurity 2020

© 2020 ISACA. All Rights Reserved.

© 2020 ISACA. All Rights Reserved.

7 Challenges Persist in Cybersecurity Resourcing

15 Retention Remains a Challenge

17 Gender Diversity Within Cybersecurity—Slow but Steady Improvement

20 Signs of Leveling in Cybersecurity Funding

21 Conclusion: Organizations Must Act on Talent Shortage

© 2020 ISACA. All Rights Reserved.

• Hiring and skills

© 2020 ISACA. All Rights Reserved.

FIGURE 1—RESPONDENT DEMOGRAPHICS

94% A M E R I CA EUROPE ASIA

FIN A N CI A L /BA N K ING

© 2020 ISACA. All Rights Reserved.

FIGURE 2—INDUSTRY SECTORS

Technology Services/ 24%

© 2020 ISACA. All Rights Reserved.

Significantly understaffed 15%

Somewhat understaffed 47%

Appropriately staffed 31%

© 2020 ISACA. All Rights Reserved.

Vacancies The amount of time required to fill a cybersecurity

Don’t know 10%

6 months or more 29%

Cannot fill open positions 3%

Don’t know 15%

© 2020 ISACA. All Rights Reserved.

All Most Some Few None

© 2020 ISACA. All Rights Reserved.

FIGURE 7–UNFILLED POSITION REPORTING (2018–2020)4

2018 2019 2020

Increasing Remaining the same Decreasing

© 2020 ISACA. All Rights Reserved.

FIGURE 9—HIRING DEMAND TRENDING (2018–2020)

Qualifications and qualified. Although this datapoint alone does

Less than 25% 33%

© 2020 ISACA. All Rights Reserved.

© 2020 ISACA. All Rights Reserved.

Soft skills 32%

IT knowledge and skills gaps 30%

Insufficient business insight 16%

Cybersecurity technical 13%

Insufficient hands-on training 10%

© 2020 ISACA. All Rights Reserved.

University Degree Programs Perceptions of university degrees in cybersecurity

FIGURE 14—CONFIDENCE INDEGREE

Neither agree nor disagree 46%

Don’t know 10%

© 2020 ISACA. All Rights Reserved.

Retention Remains A Challenge

© 2020 ISACA. All Rights Reserved.

Recruited by other companies 59%

Limited promotion and 50%

Poor financial incentives 50%

High work stress levels 40%

Lack of management support 39%

Poor work culture/environment 32%

Limited remote work 21%

Limited opportunities to work 21%

Inflexible work policies 17%

Desire to work in a new industry 14%