ABSTRACT
State of Cybersecurity 2020 reports the results of the annual ISACA® global
State of Cybersecurity Survey, conducted in the fourth quarter of 2019.
This Part 1 survey report highlights current trends in cybersecurity workforce
development, staffing, budgeting and gender diversity. The report
echoes—and reaffirms—key findings of prior years: Enterprises are still
short-staffed in cybersecurity, struggle to find sufficient talent for open
positions and expect their cybersecurity budgets to grow. Efforts to
increase the number of women in cybersecurity roles progressed slightly,
and more enterprises established gender diversity programs.
CONTENTS
Executive Summary
Survey Methodology
Acknowledgments
Executive Summary
This year’s global State of Cybersecurity Survey asked respondents to identify current and anticipated challenges and trends in cybersecurity. This report analyzes survey results specific to cybersecurity workforce development, resources and diversity. In a second (forthcoming) report, ISACA® examines survey results relating to security operations, cyberattacks and threats, and organizational cybersecurity and governance.

The latest State of Cybersecurity Survey results are consistent with findings from the previous two years. Enterprises continue to lack the staff required to combat the cyberthreats they face. However, the factors influencing whether candidates are viewed as well qualified shifted, which calls into question traditional pathways to cybersecurity careers. While hiring remains challenging, respondents indicate that retaining cybersecurity talent is even more difficult this year, highlighting the criticality of skills gap mitigations—especially when the workforce shortage continues to rise. Gender diversity efforts are helping to bring more women into the cybersecurity workforce—albeit slowly. Cybersecurity budgets in 2020 are forecast to be higher than 2019 budgets but show signs of leveling off when compared to prior years.
Survey Methodology
In the final quarter of 2019, ISACA sent online survey invitations to a global population of cybersecurity professionals who hold ISACA’s Certified Information Security Manager® (CISM®) certification or have information security job titles. Survey data were collected anonymously via SurveyMonkey. A total of 2,051 respondents completed the survey in its entirety, and their responses are included in the results.¹

The survey presented respondents with multiple-choice and Likert scale-format questions organized into six major sections:
• Security operations
• Cybersecurity budgets
• Cyberattacks and threats
• Organization cybersecurity and governance

The survey’s target population consists of individuals who have cybersecurity job responsibilities. Of the 2,051 respondents, 913 indicate that their primary professional area of responsibility is cybersecurity. Figure 1 captures key demographic norms across a diverse set of survey respondents.
1 Certain questions included the option to choose “Don’t know” from the list of answers. Where appropriate, “Don’t know” responses were removed
from the calculation of findings. Result percentages are rounded to the nearest integer.
[Figure 1: respondent demographics infographic with panels for regions, industries and main area of responsibility; panel values are not reproduced]
INDUSTRIES
Financial/Banking 22%
Government/Military–National/State/Local 14%
Other 9%
Manufacturing/Engineering 6%
Healthcare/Medical 5%
Insurance 5%
Telecommunications/Communications 4%
Retail/Wholesale/Distribution 3%
Mining/Construction/Petroleum/Agriculture 2%
Transportation 2%
Utilities 2%
Advertising/Marketing/Media 1%
Aerospace 1%
Legal/Law/Real Estate 1%
Pharmaceutical 1%
Public Accounting 1%
Challenges Persist in Cybersecurity Resourcing
The demand for cybersecurity talent² has steadily risen, which is good news for new and aspiring practitioners. Although this year’s survey results on staffing are largely consistent with prior-year data, current data reveal a sizeable shift away from assessments of significantly understaffed to appropriately staffed (figure 3). Last year, 21 percent of respondents reported that their cybersecurity team was significantly understaffed; only 15 percent report the same perception this year. The percentage of respondents who believe that their cybersecurity team is appropriately staffed increased from 25 percent last year to 31 percent this year.

The industry remains a seller’s market and, consequently, enterprises face resourcing and retention issues. Analysis of this year’s responses confirms that understaffed organizations are significantly more likely to have retention issues. Additionally, understaffed teams are significantly more likely to have experienced more cyberattacks during the last year—a point supported by other cyberworkforce data.³
FIGURE 3—CYBERSECURITY STAFFING
How would you describe the current staffing of your organization’s cybersecurity team?
Somewhat overstaffed 2%
Significantly overstaffed 1%
Don’t know 3%
2 (ISC)²® estimates a global shortage of 4.07 million cybersecurity staff, which represents a 26-percent increase from 2018. Fifty-one percent of respondents to the 2019 (ISC)² Cybersecurity Workforce Study “say their organization is at moderate or extreme risk due to cybersecurity staff shortage.” See (ISC)², (ISC)² Cybersecurity Workforce Study, 2019: Strategies for Building and Growing Strong Cybersecurity Teams, www.isc2.org/-/media/ISC2/Research/2019-Cybersecurity-Workforce-Study/ISC2-Cybersecurity-Workforce-Study-2019.ashx?la=en&hash=D087F6468B4991E0BEFFC017BC1ADF59CD5A2EF7.
3 Ibid.
FIGURE 4—UNFILLED POSITIONS
Does your organization have unfilled (open) cybersecurity positions?
Yes 57%
No 33%

FIGURE 5—TIME TO FILL A CYBERSECURITY POSITION
On average, how long does it take your organization to fill a cybersecurity position with a qualified candidate?
< 2 weeks 1%
1 month 5%
2 months 12%
3 months 30%
Not applicable 6%
Technical cybersecurity positions remained the top vacancy again this year (figure 6); however, all but executive-level positions declined from last year. Figure 7 represents three-year reporting data regarding unfilled positions.

When asked about future demand (figure 8), respondents generally anticipate no change in the coming year, except for growth in individual contributor/technical cybersecurity positions (for which 78 percent expect increased demand). Figure 9 charts three-year trends regarding future demand across various position categories.
FIGURE 6—PERCENTAGES OF UNFILLED POSITIONS AT GIVEN ORGANIZATIONAL LEVELS
How many of your unfilled (open) cybersecurity positions are at the following levels?
(Values listed in chart order; the series legend is not reproduced.)
Individual contributor/Technical cybersecurity: 9%, 37%, 25%, 10%, 19%
Individual contributor/Nontechnical cybersecurity: 2%, 11%, 29%, 23%, 34%
Cybersecurity manager: 3%, 10%, 21%, 23%, 44%
Senior manager/Director of cybersecurity: 2%, 7%, 12%, 22%, 57%
Executive or C-suite cybersecurity (e.g., CISO): 3%, 5%, 7%, 14%, 71%
[Figure 7: three-year data on unfilled positions by level (Executive or C-suite cybersecurity, e.g., CISO; Senior manager/Director of cybersecurity; Cybersecurity manager; Individual contributor/Nontechnical cybersecurity; Individual contributor/Technical cybersecurity); chart values are not reproduced]
FIGURE 8—FUTURE HIRING DEMAND
In the next year, do you see the demand for the following cybersecurity position levels increasing, decreasing or remaining the same?
(Values listed in chart order; the series legend is not reproduced.)
Individual contributor/Technical cybersecurity: 78%, 20%, 1%
Individual contributor/Nontechnical cybersecurity: 47%, 48%, 5%
Cybersecurity manager: 46%, 51%, 3%
Senior manager/Director of cybersecurity: 33%, 62%, 4%
Executive or C-suite cybersecurity (e.g., CISO): 29%, 67%, 4%
4 Figure 7 compares unfilled position data aggregated from 2018–2020 State of Cybersecurity reports. Percentages represent all categories
of vacancies less “none.”
[Figure 9: three-year trends (2018, 2019, 2020) in future demand by position category (Individual contributor/Technical cybersecurity; Individual contributor/Nontechnical cybersecurity; Cybersecurity manager; Senior manager/Director of cybersecurity; Executive or C-suite cybersecurity, e.g., CISO); chart values are not reproduced]
FIGURE 10—PERCENTAGE OF CYBERSECURITY APPLICANTS WHO ARE WELL QUALIFIED
On average, how many cybersecurity applicants are well qualified for the position for which they are applying?
26–50% 37%
51–75% 23%
76–100% 7%
As shown in figure 11, prior hands-on cybersecurity experience remains the primary factor in determining whether a candidate is considered qualified. However, when asked about the largest skills gaps, the responses somewhat contradict this point. Respondents largely view soft skills as the primary gap among cybersecurity professionals (figure 12), followed closely by IT knowledge and skills gaps—specifically networking, infrastructure and IT operations. Respondents also indicate a lack of knowledge and/or experience with various technologies and applications as skills gaps.
FIGURE 11—CANDIDATE QUALIFICATIONS
How important are each of the following factors in determining if a cybersecurity candidate is qualified?
Prior hands-on cybersecurity experience: Very important 73%, Somewhat important 22%, Not very important 2%, Not at all important 0%, Don’t know 3%
Credentials: Very important 35%, Somewhat important 54%, Not very important 7%, Not at all important 1%, Don’t know 3%
Hands-on training: Very important 25%, Somewhat important 56%, Not very important 14%, Not at all important 2%, Don’t know 3%
Employer recommendation: Very important 22%, Somewhat important 48%, Not very important 22%, Not at all important 4%, Don’t know 4%
University degree: Very important 20%, Somewhat important 47%, Not very important 23%, Not at all important 7%, Don’t know 3%
Association membership: Very important 7%, Somewhat important 36%, Not very important 38%, Not at all important 15%, Don’t know 4%
A deficit of soft skills may also be to blame in another area—recruitment. Survey data shown in figure 13 illustrate a significant misunderstanding between hiring managers and those who identify and prescreen candidates. Seventy-two percent of respondents feel that their HR departments do not understand their needs.

Relatively higher degrees of understanding between hiring managers and HR departments correlate highly to filling open positions faster. Of those respondents who report that HR always fully understands their cybersecurity hiring needs, 29 percent hire in less than two months (which is quicker than most).
FIGURE 12—QUANTIFIED SKILLS GAPS⁵
What are the biggest skill gaps you see in today’s cybersecurity professionals?

FIGURE 13—HR NEEDS COMPREHENSION
How often do you feel your HR department fully understands your cybersecurity hiring needs to properly prescreen candidates?
Always 6%
Frequently 22%
Occasionally 37%
Rarely 30%
Never 5%
5 ISACA normalized and aggregated certain survey responses to clarify respondents’ views on skills gaps. The aggregate category ‘IT knowledge
and skills gaps’ in figure 12 includes the following survey responses defining particular/discrete gaps: "different types of technologies and/or
applications," "IT operations knowledge and skills" and "networking and/or other infrastructure knowledge and skills." The aggregate category ‘Soft
skills’ combines the following discrete gaps: “insufficient soft skills” and “inability to collaborate between IT and the business units.”
Strongly agree 4%
Agree 23%
Disagree 21%
Strongly disagree 7%
FIGURE 15—UNIVERSITY REQUIREMENT
Does your organization typically require a university degree to fill your entry-level cybersecurity positions?
Yes 55%
No 35%
position, while only 37 percent of those responding from Oceania indicate requiring a university degree. Respondents from other geographies fall somewhere in between regarding the university degree requirement—with Asia at 62 percent, Europe at 46 percent, Latin America at 64 percent, North America (including the Caribbean and Central America) at 54 percent and the Middle East at 67 percent.

Reporting shows that a large majority of cybersecurity professionals do have a degree. According to the (ISC)² Cybersecurity Workforce Study, 2019, 88 percent of practitioners have a degree—most at the bachelor-degree level or higher.⁶ The value of formal education is beyond the scope of this paper and arguably varies by region. However, given the cybersecurity human capital crisis that threatens global markets—and, when it comes to personal privacy, for example, jeopardizes the reputations of everyday citizens, or even continuity of life in hospitals or other healthcare settings—it becomes clear that not only enterprises, but the public in general, would benefit from greater numbers of cybersecurity applicants. Mandating degrees—especially via automated recruiting platforms—unnecessarily constrains talent pools.
6 Op cit (ISC)²
FIGURE 16—WHY CYBERSECURITY PROFESSIONALS LEAVE THEIR JOBS
Which, if any, of the following factors do you feel are causing cybersecurity professionals to leave their current jobs? Select the top 5 factors.
Retirement 9%

Increased reliance on credentials to attest to actual subject matter expertise 20%
Organization has no skills gaps 3%
FIGURE 18—PROPORTION OF MEN VS. WOMEN IN CYBERSECURITY ROLES
How would you describe the current proportion of men versus women in cybersecurity roles in your organization?
Somewhat more women than men 2%
Significantly more women than men < 1%

FIGURE 19—GENDER DISPARITY
Do you believe that women are offered the same opportunities for career advancement as men are offered in the field of cybersecurity in your organization?
Yes 81%
No 19%

FIGURE 20—ORGANIZATIONAL PROGRESS TOWARD INCREASING WOMEN IN CYBER ROLES
How would you describe the progress that your organization has made in increasing the number of women in cybersecurity roles?
No progress 14%

FIGURE 21—DIVERSITY PROGRAMS
Does your organization have in place specific diversity programs to support women cybersecurity professionals?
Yes 49%
No 51%
Signs of Leveling in Cybersecurity Funding
Cybersecurity budgets are projected to bounce back in 2020; however, the increase remains less than the 64 percent reported two years ago.⁷ Specifically, 58 percent of respondents anticipate an increase in cybersecurity budgets (figure 22), which is an increase of three percentage points from last year. This increase is notable because the data in figures 22 and 23 suggest spending may be leveling out, given the five-year trend represented in figure 24.
FIGURE 22—ENTERPRISE SECURITY BUDGET OUTLOOK
How, if any, will your organization’s cybersecurity budget change in the next 12 months?
Significantly increase: 4% (2020), 8% (2019)
Somewhat increase: 54% (2020), 47% (2019)
Remain unchanged: 29% (2020), 34% (2019)
Somewhat decrease: 11% (2020), 9% (2019)
Significantly decrease: 2% (2020), 3% (2019)

FIGURE 23—CYBERSECURITY FUNDING PERCEPTION
Do you feel your organization’s cybersecurity budget is currently…
Significantly underfunded: 17% (2020), 19% (2019)
Somewhat underfunded: 41% (2020), 41% (2019)
Appropriately funded: 38% (2020), 34% (2019)
Somewhat overfunded: 4% (2020), 3% (2019)
Significantly overfunded: 1% (2020), 2% (2019)
[Figure 24: five-year trend chart, 2016 to 2020; plotted values 64%, 61%, 58%, 55% and 50%]
Acknowledgments
ISACA would like to recognize:
Gabriela Reynaga
CISA, CRISC, COBIT 5 Foundation, GRCP
Holistics GRC, Mexico
Gregory Touhill
CISM, CISSP
AppGate Federal Group, USA
Asaf Weisberg
CISA, CRISC, CISM, CGEIT
introSight Ltd., Israel
About ISACA
For more than 50 years, ISACA® (www.isaca.org) has advanced the best
talent, expertise and learning in technology. ISACA equips individuals with
knowledge, credentials, education and community to progress their careers
innovation through technology. It has a presence in 188 countries, including
more than 220 chapters worldwide.
1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Web: www.isaca.org
State Of Cybersecurity 2020, Part 1: Global Update On Workforce Efforts And Resources