Professional Documents
Culture Documents
Abstract
State of Cybersecurity 2019 reports the results of the annual ISACA global State of Cybersecurity Survey, conducted
in November 2018. While some findings pointed to unforeseen trends, many survey results reinforce previous
years’ findings—specifically that the need for trained and experienced cybersecurity professionals vastly outweighs
the supply. State of Cybersecurity 2019 provides a distinctive view of cybersecurity from the perspective of those
who define the field—cybersecurity managers and practitioners. This is the first report based on the survey, which
focuses on the current trends in cybersecurity workforce development, staffing, budget and gender diversity.
CONTENTS
3 Executive Summary
3 / Key Findings
4 Survey Methodology
14 Gender Diversity Programs Are Declining, and Their Effectivity Is Directionally Lower
14 / Gender Diversity and Disparity
15 / Gender Gap Mitigation
16 / Enterprise Implications
19 Acknowledgments
Executive Summary
This year’s global State of Cybersecurity Survey the field is business acumen. Currently, the most-
identifies several challenges in the maturing prized hire in a cybersecurity team is a technically
cybersecurity field. This white paper analyzes the proficient individual who also understands business
survey findings regarding cybersecurity workforce operations and how cybersecurity fits into the
development, staffing, retention, budget implications greater needs of the enterprise.
and gender diversity. In a second white paper, ISACA
• Retaining cybersecurity professionals is
examines the survey results relating to cyberattacks,
exceptionally difficult, and the current
cybersecurity awareness training programs, and
enticement of employer-paid training and
organizational cybersecurity and governance.
certification are not ensuring retention.
Cybersecurity personnel are leaving most often
Key Findings for greater pay, career advancement and perceived
Because enterprises continue to struggle with healthier work environments.
cybersecurity staffing, it is important to analyze in
• Gender diversity programs may be declining, and
detail the factors contributing to the skills gap. This
their effectivity is directionally lower. Less than
year, ISACA research identifies missing talent and
half of the survey-respondent enterprises have a
expertise and pinpoints potential contributing factors.
gender diversity program. The perception of their
The truism “good help is hard to find” is exemplified effectiveness, when compared to previous years, is
in the cybersecurity field. This fact continues to be trending downwards.
reinforced by ISACA’s research and other third-party • Cybersecurity budget increases are expected to
research and analysis. slow slightly. Most survey respondents continue to
expect cybersecurity budgets to increase, but not
The following are key findings relating to the
as much as in the previous year.
cybersecurity workforce:
• Technically proficient cybersecurity professionals The struggle to fill open cybersecurity positions,
continue to be in short supply and difficult to especially technical roles, remains great. Additionally,
find. This fact is compounded when coupled with retention of qualified individuals is proving to be difficult,
the realization that the greatest skill needed in with traditional retention tactics seemingly less effective.
“While the number of high-profile cyberattacks are on the ascent on one side, so are the number
of cybersecurity vacancies going unfilled. The creation of industry and academic programs to
introduce the latest industry, technology, process and effective use of automation to address
the shortage of skilled resources will have to be taken on war-footing.”
RENJU VARGHESE, FELLOW & CHIEF ARCHITECT, CYBERSECURITY & GRC, HCL TECHNOLOGIES
Survey Methodology
In the final quarter of 2018, ISACA sent survey invitations • Cyberattacks and Threats
to a global population of cybersecurity professionals who
• Cyberawareness Training Programs
hold ISACA’s Certified Information Security Manager®
(CISM®) and/or Cybersecurity Nexus Practitioner™ (CSX • Organizational Cybersecurity and Governance
Practitioner™) designations and individuals in information
Due to the nature of the survey, the targeted population
security positions. The survey data were collected
consists of individuals who have cybersecurity job
anonymously via SurveyMonkey. A total of 1,576
responsibilities. Of the 1,576 respondents, 1,020
respondents completed the survey and their responses
indicate that their primary professional area of
are included in the results.1
responsibility is cybersecurity. Figure 1 shows
The survey, which used multiple-choice and Likert scale additional survey-respondent demographic norms.
formats, was organized into six major sections:
It is important to note some characteristics that
• Hiring and Skills reflect the survey population’s diversity. Among those
• Diversity in Cybersecurity surveyed, respondents hailed from over 17 industries
(figure 2).
• Cybersecurity Budgets
1 Certain questions included the option to choose “Don’t know” from the list of answers. Where appropriate, “Don’t know” responses were removed from the calculation of findings. Result
percentages are rounded to the nearest integer.
2 ISACA, State of Cybersecurity 2018, Part 1: Workforce Development, April 2018, https://cybersecurity.isaca.org/state-of-cybersecurity#0-part-1-april
3 Ibid.
REGIONS
NORTH
IS ACA
M EM BER
43% 25% 17%
INDUSTRIES
3%
3%
MIDDLE
28 % L AT I N
EAST
A M E R I CA A F R I CA
5% 5%
OCE ANIA
T EC H N O LOGY
S ERV IC E S/C O NS U LT ING
MAIN AREA OF RESPONSIBILITY
20 %
46 % CY BER S EC U R I T Y
M A N AGEM EN T
66%
25%
EM PLOY ED IN
A N EN T ER PR IS E
WITH
AT L E A S T
10
I T R IS K
%
1,500
M A N AGEM EN T,
19% AU DI T,
GOV ER N A N C E,
GOV ER N M EN T/MIL I TA RY— CY BER S EC U R I T Y C O M PL I A N C E E M PLOY E E S
N AT IO N A L /S TAT E /LO CA L PR ACT I T IO N ER
Technology Services/
28%
Consulting
Financial/Banking 20%
Government/Military–
10%
National/State/Local
Other 6%
Manufacturing/Engineering 6%
Health Care/Medical 6%
Insurance 5%
Telecommunications/
5%
Communications
Education/Student 3%
Utilities 2%
Retail/Wholesale/
2%
Distribution
Mining/Construction/ 2%
Petroleum/Agriculture
Transportation 1%
Aerospace 1%
Advertising/Marketing/ 1%
Media
Public Accounting 1%
Pharmaceutical < 1%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Yes 58%
No 35%
Don’t know 7%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
< 2 weeks 1%
1 month 5%
2 months 11%
3 months 30%
Not applicable 5%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
the survey respondents note that less than one quarter Examining the makeup of these types of unfilled
of applicants have the sufficient qualifications to be cybersecurity positions aids in identifying the type of
considered for open cybersecurity positions (figure 5). talent which is missing within the cybersecurity field
Compared to data from last year’s survey, these overall. The majority of survey respondents report
statistics are basically unchanged and indicate a static that most vacancies are in technical cybersecurity
state of struggle in attracting qualified applicants. positions—52 percent of respondents indicate that
25 - 50% 30%
50 - 75% 16%
75 - 100% 4%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
8%
25%
37%
47%
Cybersecurity manager
13%
3%
53%
72%
most cybersecurity open positions at their enterprises cybersecurity technical personnel is still strong and
are technical cybersecurity positions at the individual growing across enterprises.
contributor level (figure 6). Conversely, few cybersecurity
executive or C-suite positions are unfilled—72 percent of More Business Acumen Needed
respondents indicate that their enterprises have no Although the cybersecurity field has a great need for
cybersecurity executive position openings (figure 6). technical competence and qualifications, it also suffers
from a lack of business comprehension. Specifically, the
Adding to these hiring needs, 75 percent of survey
biggest skill gap in the average cybersecurity
respondents expect an increase in hiring demand for
professional that survey respondents identified is the
technical professionals, with no specific role or level
ability to understand the business. Forty-nine percent of
experiencing a noteworthy decline in demand (figure 7).
respondents identify this ability as the biggest skill gap,
This is relatively inline with the 77 percent response
and 34 percent report that the biggest skill gap is
from last year’s survey, showing a minimal change.
technical skills (figure 8). This data, combined with the
Comparing this year’s survey responses to the previous
large need for technically skilled individuals, helps to
year’s data for the same question reveals negligible
determine the ideal cybersecurity professional in today’s
changes in trends, indicating that the need for
75%
44%
42%
3%
29%
21%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Ability to understand
49%
the business
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
environment—a technically proficient cybersecurity that recent university graduates in cybersecurity are
professional who is able to understand an enterprise’s well prepared for challenges within an enterprise;
business strategy. Indeed, an individual who can 39 percent of respondents disagree or strongly
successfully apply his or her technical cybersecurity disagree; and 38 percent neither agree nor disagree
skillset to effectively enhance business goals and who (figure 9). Analysis of this data can create multiple
can articulate that connection to counterparts at multiple interpretations. First, like many fields of study, formal
organizational levels has a bright future in the field. education alone does not necessarily provide turn-
key-ready professionals. Second, although some
Discovering and hiring individuals to meet this great academic institutions are implementing successful
need within the cybersecurity field has received some technical programs, most are still perceived as
help from more traditional academic institutions; training cybersecurity in abstraction, rather than
however, additional work is required. Twenty-four training it as a technical, hands-on field, which, by its
percent of survey respondents agree or strongly agree very nature, requires some business intelligence.
Strongly agree 2%
Agree 22%
Disagree 30%
Strongly disagree 9%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Other reasons 9%
Retirement 8%
These findings indicate that a seller’s market currently some organizations mitigate the retention issue by
exits in the cybersecurity field. Enterprises are offering requiring training agreements that include post-training
higher pay, career advancement and appealing work term requirements, ensuring that employees do not
environments to lure proven cybersecurity talent away leave immediately after receiving training; otherwise,
from other enterprises. These incentives are impactful they experience stiff financial penalties.
for any work field; however, in the context of the large
skill and capability gap in the cybersecurity field, it is Other retention efforts utilized by respondents include
understandable that the contributing factors are more increased use of contract employees and outside
prevalent when compared to other professions’ trends consultants (36 percent) and increased reliance on
in retaining skilled staff. certification to attest to actual skill mastery (23
percent) (figure 11). These methods are also proven
Strategies to Combat Loss and commonplace in other professions. Leveraging a
third party for cybersecurity purposes shifts the
Enterprises are implementing multiple strategies to
staffing requirements, including recruiting and
retain cybersecurity professionals. One frequently used
retaining staff, to another organization. This method
incentive is providing additional training. Fifty-seven
allows an enterprise to decrease any potential risk that
percent of respondents indicate that their enterprises
may arise from attempting to obtain and maintain
undertake increased training as an incentive for
cybersecurity professionals natively. The use of
employees to stay at their enterprises (figure 11). The
certifications is also an understandable method of
prevalence of this retention tool is understandable,
retention as individuals in the cybersecurity field find
because both the individual and the enterprise benefit
great professional pride and personal satisfaction in
from more highly trained professionals. Additionally,
obtaining a certification in the field.
Increased usage of
contract employees or 36%
outside consultants
Increased reliance on
certification to attest to 23%
actual skill mastery
Increased reliance on
artificial intelligence 18%
or automation
Organization has
no skills gap 3%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Somewhat overstaffed 2%
Significantly overstaffed 1%
Don’t know 2%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Significantly more
51%
men than women
Somewhat more
23%
men than women
Equal numbers of
8%
men and women
Somewhat more 2%
women than men
Significantly more 0%
women than men
All women 0%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Yes 80%
No 20%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
further analysis provides potentially more meaningful women in cybersecurity roles. This result may be due to
insight. Of respondents who identify as female, the fact that 71 percent of respondents indicate they
only 41 percent believe that opportunity for career have no difficulty in retaining women in cybersecurity
advancement is equally distributed (figure 15). This roles (figure 16).
response represents a downward trend from last
year’s survey, which indicated that 51 percent of Gender Gap Mitigation
female respondents believed career advancement Some cybersecurity organizations establish diversity
opportunities were equally distributed. programs to support women in the field. These
programs take many forms, most often with the goal to
Compounding the downward trend of opportunity
ensure that women have the same level of access to
perception, just over half of the survey respondents
training and advancement opportunities as men.
(56 percent) indicate that their organization does not
Compared to last year, however, the ISACA survey
currently have a goal of increasing the number of
41%
Yes
79%
51%
No
12%
8%
Don’t know
9%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Female Male
Yes 29%
No 71%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Yes 44%
No 56%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
shows that these programs may be declining. with a diversity program believe equal opportunity
Correlating directly to the question about whether an for advancement exists within their enterprise (a
enterprise has a goal of increasing the number of three-percentage-point increase from last year).
women in cybersecurity roles (44 percent of this year’s The gap between men’s and women’s perceptions
respondents report that this is a goal), when in organizations that have a diversity program has
respondents were asked if their enterprises have increased from 10 percentage points last year to 31
specific diversity programs to support women percentage points this year. In short, when comparing
cybersecurity professionals, 44 percent also report last year’s data to this year’s data, the effectiveness of
affirmatively (figure 17). This represents a seven- diversity programs appears to be trending downward,
percentage-point decrease from the previous year. at least with regard to women’s perceptions of
these programs.
In addition to the decline in the number of programs
supporting women cybersecurity professionals, those Enterprise Implications
that are in place are arguably decreasing in
Previous reporting and surveys have indicated that
effectiveness. Among respondents in enterprises with a
diversity programs may have aided in providing variety
diversity program, 59 percent of women believe that
to the workforce. Analysis of the current data should
women are offered the same opportunities for
prompt consideration and potential reappraisal of these
career advancement as men. This represents an
programs’ impact and effectiveness. However, those
18-percentage-point decrease compared to last year, the
enterprises that do have female cybersecurity talent
first year that diversity data was collected. In contrast,
should find reassurance in the strong retention
this year, 90 percent of men respondents in enterprises
numbers of those professionals.
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Somewhat overfunded 3%
Significantly overfunded 2%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
These changing financial projections may act as significantly underfunded (figure 19). Analysis of these
reflections of current budget perceptions. Sixty percent statistics, in combination with the decreased budgetary
of survey respondents indicate that they feel that their expectations, may have the potential to create under-
cybersecurity budget is currently underfunded, with supported cybersecurity staff and tools, feeding the
nearly 20 percent believing that their budgets are retention struggles of the previously identified findings.
Acknowledgments
ISACA would like to recognize:
R.V. Raghu
CISA, CRISC
Versatilist Consulting India Pvt. Ltd.,
India
Gabriela Reynaga
CISA, CRISC, COBIT 5 Foundation, GRCP
Holistics GRC, Mexico
Gregory Touhill
CISM, CISSP
Cyxtera Federal Group, USA
Ted Wolff
CISA
Vanguard, Inc., USA
Tichaona Zororo
CISA, CRISC, CISM, CGEIT, COBIT 5
Assessor, CIA, CRMA
EGIT | Enterprise Governance of IT (Pty)
Ltd, South Africa
About ISACA
Now in its 50th-anniversary year, ISACA® (isaca.org) is a global association helping
individuals and enterprises achieve the positive potential of technology. Today’s world 1700 E. Golf Road, Suite 400
is powered by information and technology, and ISACA equips professionals with Schaumburg, IL 60173, USA
the knowledge, credentials, education and community to advance their careers and
transform their organizations. ISACA leverages the expertise of its 460,000 engaged Phone: +1.847.660.5505
professionals—including its 140,000 members—in information and cybersecurity, Fax: +1.847.253.1755
governance, assurance, risk and innovation, as well as its enterprise performance Support: support.isaca.org
Web: www.isaca.org
subsidiary, CMMI® Institute, to help advance innovation through technology. ISACA
has a presence in more than 188 countries, including more than 220 chapters
worldwide and offices in both the United States and China.
Provide feedback:
About HCL www.isaca.org/state-of-cybersecurity-2019
HCL Technologies (HCL) is a leading global technology company that helps global
Participate in the ISACA Online Forums:
enterprises reimagine and transform their businesses through digital technology.
https://engage.isaca.org/onlineforums
HCL operates in 44 countries and had consolidated revenues of US $8.4 billion for
the 12 months ending 31 December 2018. HCL provides an integrated portfolio of Twitter:
services informed by its Mode 1-2-3 growth strategy. Mode 1 encompasses core www.twitter.com/ISACANews
services in the areas of applications, infrastructure, business processes outsourcing
(BPO) and engineering, research and development services, leveraging DRYiCE™ LinkedIn:
Autonomics to transform clients’ business and IT landscape, making them lean and www.linkedin.com/company/isaca
agile. Mode 2 focuses on experience-centric, outcome-oriented, integrated offerings
of Digital and Analytics, IoT WoRKS™, Cloud Native Services, and Cybersecurity Facebook:
and GRC services to drive business outcomes and enable enterprise digitization. www.facebook.com/ISACAHQ
Mode-3 strategy is ecosystem-driven, creating innovative IP-partnerships to build
product and platform business. HCL leverages its global network of integrated Instagram:
co-innovation labs to provide holistic multiservice delivery in key industry verticals www.instagram.com/isacanews
including financial services, manufacturing, telecommunications, media, publishing,
entertainment, retail and consumer packaged goods, life sciences and healthcare,
oil and gas, energy and utilities, travel, transportation and logistics, and government.
With 132,328 professionals from diverse nationalities, HCL creates real value for
customers by taking ‘Relationships Beyond the Contract’. For more information,
please visit www.hcltech.com.
Disclaimer
ISACA has designed and created State of Cybersecurity 2019, Part 1: Current Trends
in Workforce Development (the “Work”) primarily as an educational resource for
IT professionals. ISACA makes no claim that use of any of the Work will assure a
successful outcome. The Work should not be considered inclusive of all proper
information, procedures and tests or exclusive of other information, procedures and
tests that are reasonably directed to obtaining the same results. In determining the
propriety of any specific information, procedure or test, IT professionals should apply
their own professional judgments to the specific circumstances presented by the
systems or information technology environment.
RESERVATION OF RIGHTS