1
STATE OF CYBERSECURITY 2020: GLOBAL UPDATE ON WORKFORCE EFFORTS AND RESOURCES
State of Cybersecurity 2020
Part 1: Global Update on Workforce Efforts and Resources
© 2020 ISACA. All Rights Reserved.
Personal Copy of Rashmi Mishra (ISACA ID: 1152767)
2
STATE OF CYBERSECURITY 2020: GLOBAL UPDATE ON WORKFORCE EFFORTS AND RESOURCES
ABSTRACT
State of Cybersecurity 2020 reports the results of the annual ISACA ® global
State of Cybersecurity Survey, conducted in the fourth quarter of 2019.
This Part 1 survey report highlights current trends in cybersecurity workforce
development, staffing, budgeting and gender diversity. The report
echoes—and reaffirms—key findings of prior years: Enterprises are still
short-staffed in cybersecurity, struggle to find sufficient talent for open
positions and expect their cybersecurity budgets to grow. Efforts to
increase the number of women in cybersecurity roles progressed slightly,
and more enterprises established gender diversity programs.
© 2020 ISACA. All Rights Reserved.
Personal Copy of Rashmi Mishra (ISACA ID: 1152767)
3
STATE OF CYBERSECURITY 2020: GLOBAL UPDATE ON WORKFORCE EFFORTS AND RESOURCES
CONTENTS
4
Executive Summary
4
Survey Methodology
7
Challenges Persist in Cybersecurity Resourcing
8 / Vacancies
11 / Qualifications and Confidence Levels
14 / University Degree Programs Versus Training Programs
15
Retention Remains a Challenge
17
Gender Diversity Within Cybersecurity—Slow but Steady Improvement
17 / Gender Diversity and Disparity
19 / Gender Initiatives
20
Signs of Leveling in Cybersecurity Funding
21
Conclusion: Organizations Must Act on Talent Shortage
22
Acknowledgments
© 2020 ISACA. All Rights Reserved.
Personal Copy of Rashmi Mishra (ISACA ID: 1152767)
4
STATE OF CYBERSECURITY 2020: GLOBAL UPDATE ON WORKFORCE EFFORTS AND RESOURCES
Executive Summary
This year’s global State of Cybersecurity Survey
combat the cyberthreats they face. However, the
asked respondents to identify current and anticipated
factors influencing whether candidates are viewed
challenges and trends in cybersecurity. This report
as well qualified shifted, which calls into question
analyzes survey results specific to cybersecurity
traditional pathways to cybersecurity careers. While
workforce development, resources and diversity.
hiring remains challenging, respondents indicate that
In a second (forthcoming) report, ISACA® examines
retaining cybersecurity talent is even more difficult this
survey results relating to security operations,
year, highlighting the criticality of skills gap mitigations—
cyberattacks and threats, and organizational
especially when the workforce shortage continues to
cybersecurity and governance.
rise. Gender diversity efforts are helping to bring more
women into the cybersecurity workforce—albeit slowly.
The latest State of Cybersecurity Survey results are
Cybersecurity budgets in 2020 are forecast to be higher
consistent with findings from the previous two years.
than 2019 budgets but show signs of leveling off when
Enterprises continue to lack the staff required to
compared to prior years.
Survey Methodology
In the final quarter of 2019, ISACA sent online survey
invitations to a global population of cybersecurity
professionals who hold ISACA’s Certified Information
• Security operations
• Cybersecurity budgets
Security Manager® (CISM®) certification or have
• Cyberattacks and threats
information security job titles. Survey data were
• Organization cybersecurity and governance
collected anonymously via SurveyMonkey. A total of
2,051 respondents completed the survey in its entirety,
The survey’s target population consists of individuals
and their responses are included in the results.
who have cybersecurity job responsibilities. Of the
1
2,051 respondents, 913 indicate that their primary
The survey presented respondents with multiple-choice
professional area of responsibility is cybersecurity.
and Likert scale-format questions organized into six
Figure 1 captures key demographic norms across a
major sections:
diverse set of survey respondents.
• Hiring and skills
• Diversity
Respondents represent over 17 industries (figure 2) and
hail from 102 countries.
1 Certain questions included the option to choose “Don’t know” from the list of answers. Where appropriate, “Don’t know” responses were removed
from the calculation of findings. Result percentages are rounded to the nearest integer.
© 2020 ISACA. All Rights Reserved.
Personal Copy of Rashmi Mishra (ISACA ID: 1152767)
5
STATE OF CYBERSECURITY 2020: GLOBAL UPDATE ON WORKFORCE EFFORTS AND RESOURCES
FIGURE 1—RESPONDENT DEMOGRAPHICS
REGIONS
94%
IS ACA
M EM BER
NORTH
A M E R I CA
EUROPE
ASIA
50%
18%
18%
INDUSTRIES
3%
24
%
L AT I N
A M E R I CA
A F R I CA
3%
3%
MIDDLE
EAST
OCE ANIA
4%
T EC H N O LOGY
S ERV IC E S/C O NS U LT ING
MAIN AREA OF RESPONSIBILITY
22
%
33%
CY BER S EC U R I T Y
M A N AGEM EN T
61%
FIN A N CI A L /BA N K ING
37%
14
%
12%
GOV ER N M EN T/MIL I TA RY—
N AT IO N A L /S TAT E /LO CA L
CY BER S EC U R I T Y
PR ACT I T IO N ER
I T R IS K
M A N AGEM EN T,
AU DI T,
GOV ER N A N C E,
C O M PL I A N C E
© 2020 ISACA. All Rights Reserved.
Personal Copy of Rashmi Mishra (ISACA ID: 1152767)
EM PLOY ED IN
A N EN T ER PR IS E
WITH
AT L E A S T
1,500
E M PLOY E E S
6
STATE OF CYBERSECURITY 2020: GLOBAL UPDATE ON WORKFORCE EFFORTS AND RESOURCES
FIGURE 2—INDUSTRY SECTORS
FIGURE
2—INDUSTRY
SECTORS
Indicate your
organization’s
primary industry.
Indicate your organization’s primary industry.
Technology Services/
Consulting
24%
Financial/Banking
22%
Government/Military–
National/State/Local
14%
Other
9%
Manufacturing/Engineering
6%
Healthcare/Medical
5%
Insurance
5%
Telecommunications/
Communications
4%
Retail/Wholesale/Distribution
3%
Mining/Construction/
Petroleum/Agriculture
2%
Transportation
2%
Utilities
2%
Advertising/Marketing/Media
1%
Aerospace
1%
Legal/Law/Real Estate
1%
Pharmaceutical
1%
Public Accounting
1%
0%
10%
20%
30%
40%
© 2020 ISACA. All Rights Reserved.
50%
60%
Personal Copy of Rashmi Mishra (ISACA ID: 1152767)
70%
80%
90%
100%
7
STATE OF CYBERSECURITY 2020: GLOBAL UPDATE ON WORKFORCE EFFORTS AND RESOURCES
Challenges Persist in
Cybersecurity Resourcing
The demand for cybersecurity talent2 has steadily
is appropriately staffed increased from 25 percent last
risen, which is good news for new and aspiring
year to 31 percent this year.
practitioners. Although this year’s survey results
on staffing are largely consistent with prior-year
The industry remains a seller’s market and,
data, current data reveal a sizeable shift away
consequently, enterprises face resourcing and retention
from assessments of significantly understaffed to
issues. Analysis of this year’s responses confirms that
appropriately staffed (figure 3). Last year, 21 percent
understaffed organizations are significantly more likely
of respondents reported that their cybersecurity team
to have retention issues. Additionally, understaffed
was significantly understaffed; only 15 percent report
teams are significantly more likely to have experienced
the same perception this year. The percentage of
more cyberattacks during the last year—a point
respondents who believe that their cybersecurity team
supported by other cyberworkforce data.3
FIGURE3–CYBERSECURITY
3—CYBERSECURITY
STAFFING
FIGURE
STAFFING
How would
wouldyou
youdescribe
describe
the
current
staffing
of your
organization’s
cybersecurity
How
the
current
staffing
of your
organization’s
cybersecurity
team?team?
Significantly understaffed
15%
Somewhat understaffed
47%
Appropriately staffed
31%
Somewhat overstaffed
2%
Significantly overstaffed
Don’t know
1%
3%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
2 (ISC)2® estimates a global shortage of 4.07 million cybersecurity staff, which represents a 26-percent increase from 2018. Fifty-one percent of
respondents to the 2019 (ISC)² Cybersecurity Workforce Study “say their organization is at moderate or extreme risk due to cybersecurity staff
shortage.” See (ISC)2, (ISC)² Cybersecurity Workforce Study, 2019: Strategies for Building and Growing Strong Cybersecurity Teams, www.isc2.org/-/
media/ISC2/Research/2019-Cybersecurity-Workforce-Study/ISC2-Cybersecurity-Workforce-Study-2019.ashx?la=en&hash=D087F6468B4991E0BEFFC017BC1ADF59CD5A2EF7.
3 Ibid.
© 2020 ISACA. All Rights Reserved.
Personal Copy of Rashmi Mishra (ISACA ID: 1152767)
8
STATE OF CYBERSECURITY 2020: GLOBAL UPDATE ON WORKFORCE EFFORTS AND RESOURCES
Vacancies
The amount of time required to fill a cybersecurity
position (figure 5) moved little this year—which is not
Fifty-seven percent of respondents claim to have
surprising—given the industry’s widespread
unfilled cybersecurity positions (figure 4), which
reporting of insufficient candidates for an increasing
closely aligns with last year’s data (58 percent).
number of current and future human resource needs.
FIGURE
4—UNFILLED
POSITIONS
FIGURE 4–UNFILLED
POSITIONS
Does
your
organization
have
unfilled
(open)
cybersecurity
positions?
Does your organization have unfilled
(open)
cybersecurity
positions?
Yes
57%
No
33%
Don’t know
10%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
FIGURE
5—TIMETO
TOFILL
FILL
A CYBERSECURITY
POSITION
FIGURE 5–TIME
A CYBERSECURITY
POSITION
On average,
average,how
howlong
longdoes
does
it take
your
organization
a cybersecurity
position
a qualified
candidate?
it take
your
organization
to filltoafill
cybersecurity
position
with awith
qualified
candidate?
< 2 weeks
1%
1 month
5%
2 months
12%
3 months
30%
6 months or more
Cannot fill open positions
29%
3%
Not applicable
6%
Don’t know
15%
0%
10%
20%
30%
40%
© 2020 ISACA. All Rights Reserved.
50%
60%
Personal Copy of Rashmi Mishra (ISACA ID: 1152767)
70%
80%
90%
100%
9
STATE OF CYBERSECURITY 2020: GLOBAL UPDATE ON WORKFORCE EFFORTS AND RESOURCES
Technical cybersecurity positions remained the
generally anticipate no change in the coming
top vacancy again this year (figure 6); however,
year, except for growth in individual contributor/
all but executive-level positions declined from last
technical cybersecurity positions (for which 78
year. Figure 7 represents three-year reporting data
percent expect increased demand). Figure 9 charts
regarding unfilled positions.
three-year trends regarding future demand across
When asked about future demand (figure 8), respondents
various position categories.
FIGURE
6—PERCENTAGES
UNFILLED
POSITIONS
AT GIVEN
ORGANIZATIONAL
LEVELS
FIGURE 6–PERCENTAGES
OFOF
UNFILLED
POSITIONS
AT GIVEN
ORGANIZATIONAL
LEVELS
How many
manyof
ofyour
yourunfilled
unfilled
(open)
cybersecurity
positions
are
atfollowing
the following
(open)
cybersecurity
positions
are at
the
levels?levels?
9%
37%
Individual contributor/
Technical cybersecurity
25%
10%
19%
2%
11%
Individual contributor/
Nontechnical cybersecurity
29%
23%
34%
3%
10%
21%
Cybersecurity manager
23%
44%
2%
7%
Senior manager/
Director of cybersecurity
12%
22%
57%
3%
5%
Executive or
C-suite cybersecurity
(e.g., CISO)
7%
14%
71%
All
Most
Some
0%
10%
Few
None
20%
30%
40%
© 2020 ISACA. All Rights Reserved.
50%
60%
Personal Copy of Rashmi Mishra (ISACA ID: 1152767)
70%
80%
90%
100%
10
STATE OF CYBERSECURITY 2020: GLOBAL UPDATE ON WORKFORCE EFFORTS AND RESOURCES
FIGURE 7–UNFILLED POSITION REPORTING (2018–2020)4
FIGURE 7—UNFILLED POSITION REPORTING (2018–2020)4
100%
90%
92%
80%
82%
81%
75%
70%
60%
63%
56%
55%
50%
47%
40%
66%
63%
43%
36%
30%
28%
20%
29%
19%
10%
0%
Executive or
C-suite cybersecurity
(e.g., CISO)
2018
2019
Senior manager/
Director of cybersecurity
Cybersecurity manager
Individual contributor/
Nontechnical cybersecurity
Individual contributor/
Technical cybersecurity
2020
FIGURE
8—FUTUREHIRING
HIRING
DEMAND
FIGURE 8–FUTURE
DEMAND
In
the next
nextyear,
year,do
doyou
yousee
see
the
demand
following
cybersecurity
position
increasing,
decreasing
or
In the
the
demand
for for
thethe
following
cybersecurity
position
levels levels
increasing,
decreasing
or remaining
remaining
the same? the same?
78%
Individual contributor/
Technical cybersecurity
20%
1%
47%
Individual contributor/
Nontechnical cybersecurity
48%
5%
46%
51%
Cybersecurity manager
3%
33%
Senior manager/
Director of cybersecurity
62%
4%
29%
Executive or
C-suite cybersecurity
(e.g., CISO)
67%
4%
0%
Increasing
Remaining the same
10%
20%
30%
40%
50%
60%
70%
80%
90%
Decreasing
4 Figure 7 compares unfilled position data aggregated from 2018–2020 State of Cybersecurity reports. Percentages represent all categories
of vacancies less “none.”
© 2020 ISACA. All Rights Reserved.
Personal Copy of Rashmi Mishra (ISACA ID: 1152767)
100%
11
STATE OF CYBERSECURITY 2020: GLOBAL UPDATE ON WORKFORCE EFFORTS AND RESOURCES
FIGURE 9—HIRING DEMAND TRENDING (2018–2020)
FIGURE 9—HIRING DEMAND TRENDING (2018–2020)
100%
Individual contributor/
Technical cybersecurity
90%
Individual contributor/
Nontechnical cybersecurity
80%
70%
Cybersecurity manager
60%
Senior manager/
Director of cybersecurity
50%
Executive or
C-suite cybersecurity
(e.g., CISO)
40%
30%
20%
10%
0%
2018
2019
2020
Qualifications and
Confidence Levels
qualified. Although this datapoint alone does
Survey results indicate that hiring manager
not surprisingly, 73 percent of respondents who
confidence is low when it comes to applicants.
reported less than 25 percent of their applicants
Figure 10 indicates that 70 percent of respondents
are well qualified have unfilled positions longer than
generally do not believe their applicants are well
three months.
not characterize deficiencies among applicants,
it does help to explain delays in filling positions—
FIGURE
10—PERCENTAGE
CYBERSECURITY
APPLICANTS
ARE WELL
QUALIFIED
FIGURE 10–PERCENTAGE
OFOF
CYBERSECURITY
APPLICANTS
WHOWHO
ARE WELL
QUALIFIED
On
average,how
howmany
manycybersecurity
cybersecurity
applicants
qualified
forposition
the position
for which
they
are applying?
On average,
applicants
are are
wellwell
qualified
for the
for which
they are
applying?
Less than 25%
33%
26–50%
37%
51–75%
23%
76–100%
7%
0%
10%
20%
30%
40%
© 2020 ISACA. All Rights Reserved.
50%
60%
Personal Copy of Rashmi Mishra (ISACA ID: 1152767)
70%
80%
90%
100%
12
STATE OF CYBERSECURITY 2020: GLOBAL UPDATE ON WORKFORCE EFFORTS AND RESOURCES
As shown in figure 11, prior hands-on cybersecurity
gap among cybersecurity professionals (figure 12),
experience remains the primary factor in
followed closely by IT knowledge and skills gaps—
determining whether a candidate is considered qualified.
specifically networking, infrastructure and IT operations.
However, when asked about the largest skills gaps,
Respondents also indicate a lack of knowledge and/or
the responses somewhat contradict this point.
experience with various technologies and applications
Respondents largely view soft skills as the primary
as skills gaps.
FIGURE
11—CANDIDATE
QUALIFICATIONS
FIGURE 11–CANDIDATE
QUALIFICATIONS
How
important
are
each
of
the
following
factors
in determining
if a cybersecurity
candidate
is qualified?
How important are each of the following
factors
in determining
if a cybersecurity
candidate
is qualified?
73%
Prior hands-on
cybersecurity experience
22%
2%
0%
3%
35%
54%
7%
Credentials
1%
3%
25%
56%
14%
Hands-on training
2%
3%
22%
48%
22%
Employer recommendation
4%
4%
20%
47%
23%
University degree
7%
3%
7%
36%
38%
Association membership
15%
4%
0%
Very important
10%
Somewhat important
20%
30%
Not very important
40%
50%
Not at all important
© 2020 ISACA. All Rights Reserved.
60%
70%
Don’t know
Personal Copy of Rashmi Mishra (ISACA ID: 1152767)
80%
90%
100%
13
STATE OF CYBERSECURITY 2020: GLOBAL UPDATE ON WORKFORCE EFFORTS AND RESOURCES
A deficit of soft skills may also be to blame in another
Relatively higher degrees of understanding between
area—recruitment. Survey data shown in figure 13
hiring managers and HR departments correlate highly
illustrate a significant misunderstanding between
to filling open positions faster. Of those respondents
hiring managers and those who identify and prescreen
who report that HR always fully understands their
candidates. Seventy-two percent of respondents feel that
cybersecurity hiring needs, 29 percent hire in less than
their HR departments do not understand their needs.
two months (which is quicker than most).
5
5
FIGURE
12—QUANTIFIED
SKILLS
GAPS
FIGURE 12–QUANTIFIED
SKILLS
GAPS
What
arethe
thebiggest
biggestskill
skillgaps
gaps
you
in today’s
cybersecurity
professionals?
What are
you
seesee
in today’s
cybersecurity
professionals?
Soft skills
32%
IT knowledge and skills gaps
30%
Insufficient business insight
16%
Cybersecurity technical
experience
13%
Insufficient hands-on training
10%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
90%
100%
FIGURE
13—HRNEEDS
NEEDS
COMPREHENSION
FIGURE 13–HR
COMPREHENSION
How
oftendo
doyou
youfeel
feelyour
your
HR
department
understands
cybersecurity
to properly
How often
HR
department
fullyfully
understands
your your
cybersecurity
hiring hiring
needs needs
to properly
prescreen
candidates?
prescreen candidates?
Always
6%
Frequently
22%
Occasionally
37%
Rarely
30%
Never
5%
0%
10%
20%
30%
40%
50%
60%
70%
80%
5 ISACA normalized and aggregated certain survey responses to clarify respondents’ views on skills gaps. The aggregate category ‘IT knowledge
and skills gaps’ in figure 12 includes the following survey responses defining particular/discrete gaps: "different types of technologies and/or
applications," "IT operations knowledge and skills" and "networking and/or other infrastructure knowledge and skills." The aggregate category ‘Soft
skills’ combines the following discrete gaps: “insufficient soft skills” and “inability to collaborate between IT and the business units.”
© 2020 ISACA. All Rights Reserved.
Personal Copy of Rashmi Mishra (ISACA ID: 1152767)
14
STATE OF CYBERSECURITY 2020: GLOBAL UPDATE ON WORKFORCE EFFORTS AND RESOURCES
University Degree Programs
Versus Training Programs
Perceptions of university degrees in cybersecurity
The cybersecurity talent gap continues to spur the
cybersecurity degrees prepare university graduates well
growth of new organizations and programs that aim
for their future organizations’ challenges (figure 14).
to develop—and/or increase—the candidate pool.
This represents an eight percentage-point increase from
There is no shortage of traditional academic programs
a year ago. The percent of respondents who indicate
and training courses in the market—each with certain
that cybersecurity university degrees do not prepare
advantages and disadvantages. Of the two, respondents
graduates for today’s challenges dropped to 28 percent
regard hands-on training as more important than
this year, down from 39 percent last year. Despite this
university degree programs (figure 11). Data represented
sentiment, 55 percent report that their organizations
in figure 12 suggest, however, that neither security-
require a degree (figure 15), though responses vary by
specific degree programs nor training courses provide
geography. For example, 78 percent of those responding
sufficient IT knowledge and skills for those just entering
from Africa indicate that their enterprises require a
the cybersecurity profession.
university degree to fill an entry-level cybersecurity
remain mixed among survey respondents. Forty-six
percent report that they neither agree nor disagree that
FIGURE
14—CONFIDENCE INDEGREE
UNIVERSITY
DEGREES
FIGURE 14–CYBERSECURITY
CONFIDENCE
To
what extent
extentdo
doyou
youagree
agree
disagree
recent
university
graduates
in cybersecurity
well prepared
To what
oror
disagree
thatthat
recent
university
graduates
in cybersecurity
are wellare
prepared
for the for the
cybersecurity
challengesinin
your
organization?
cybersecurity challenges
your
organization?
Strongly agree
4%
Agree
23%
Neither agree nor disagree
46%
Disagree
21%
Strongly disagree
7%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
90%
100%
FIGURE15–UNIVERSITY
15­— UNIVERSITY
REQUIREMENT
FIGURE
REQUIREMENT
Does your
yourorganization
organization
typically
require
a university
degree
fill entry-level
your entry-level
cybersecurity
positions?
Does
typically
require
a university
degree
to fillto
your
cybersecurity
positions?
Yes
55%
No
35%
Don’t know
10%
0%
10%
20%
30%
40%
© 2020 ISACA. All Rights Reserved.
50%
60%
Personal Copy of Rashmi Mishra (ISACA ID: 1152767)
70%
80%
15
STATE OF CYBERSECURITY 2020: GLOBAL UPDATE ON WORKFORCE EFFORTS AND RESOURCES
position, while only 37 percent of those responding
bachelor-degree level or higher.6 The value of
from Oceana indicate requiring a university degree.
formal education is beyond the scope of this paper
Respondents from other geographies fall somewhere in
and arguably varies by region. However, given the
between regarding the university degree requirement—
cybersecurity human capital crisis that threatens
with Asia at 62 percent, Europe at 46 percent, Latin
global markets—and, when it comes to personal
America at 64 percent, North America (including the
privacy, for example, jeopardizes the reputations of
Caribbean and Central America) at 54 percent and the
everyday citizens, or even continuity of life in hospitals
Middle East at 67 percent.
or other healthcare settings—it becomes clear
that not only enterprises, but the public in general,
Reporting shows that a large majority of cybersecurity
would benefit from greater numbers of cybersecurity
professionals do have a degree. According to the
applicants. Mandating degrees—especially via
(ISC) Cybersecurity Workforce Study, 2019, 88 percent
automated recruiting platforms—unnecessarily
of practitioners have a degree—most at the
constrains talent pools.
2
Retention Remains A Challenge
This year, 66 percent of survey respondents indicate
continue to address their respective skills gaps
difficulty retaining talent—a slight increase over
this year (figure 17)—although different
last year’s 64 percent. Although justification varies,
mitigation strategies surface more prominently in
respondents overwhelmingly feel that cybersecurity
current-year results, compared to prior year.
professionals leave positions because they are actively
Cross-training of organizational personnel and
recruited (figure 16). Like last year, respondents ranked
increased use of contractors and consultants are the
limited promotion and development opportunities as a
primary mitigations of survey respondents. Thirty
likely reason for professionals to leave current jobs. The
percent of enterprises report using artificial intelligence
data further indicate that people leave positions not just
(AI) in their security operations, which may explain the
on account of financial reasons—an encouraging result
slight uptick in the reported use of AI or automation to
for enterprises with strained budgets. Forty percent of
mitigate skills gaps. ISACA expects this implementation
respondents attribute departures to workplace stress,
of AI to trend higher as strategies and solutions are
which marks a 10 percentage-point increase over the
increasingly proven beneficial
year prior. Not surprisingly, organizations with unfilled
within various industries.
cybersecurity positions are significantly more likely also
to have retention issues.
Performance-based training and requiring credentials—
Enterprises recognize that there is no quick answer to
mitigate skills gaps, nor do they decrease the workplace
their cybersecurity-resource woes. Accordingly, they
stress that accompanies shorthanded teams.
although viable and beneficial—do not uniformly
6 Op cit (ISC)2
© 2020 ISACA. All Rights Reserved.
Personal Copy of Rashmi Mishra (ISACA ID: 1152767)
16
STATE OF CYBERSECURITY 2020: GLOBAL UPDATE ON WORKFORCE EFFORTS AND RESOURCES
FIGURE16—WHY
16—WHYCYBERSECURITY
CYBERSECURITY
PROFESSIONALS
LEAVE
THEIR
FIGURE
PROFESSIONALS
LEAVE
THEIR
JOBSJOBS
Which,
if
any,
of
the
following
factors
do
you
feel
are
causing
cybersecurity
professionals
leave
their jobs?
current
jobs?
Which, if any, of the following factors do you feel are causing cybersecurity professionals to leavetotheir
current
Select
Select
top 5 factors.
the
top the
5 factors.
Recruited by other companies
59%
Limited promotion and
development opportunities
50%
Poor financial incentives
(e.g., salaries or bonuses)
50%
High work stress levels
40%
Lack of management support
39%
Poor work culture/environment
32%
Limited remote work
possibilities
21%
Limited opportunities to work
with latest technologies (e.g., AI)
21%
Inflexible work policies
17%
Desire to work in a new industry
14%
Family situation changes
(e.g., children born, marriage)
11%
Retirement
9%
Switching careers (e.g., leaving
cybersecurity entirely)
8%
Lack of workplace diversity
7%
0%
10%
20%
30%
40%
© 2020 ISACA. All Rights Reserved.
50%
60%
Personal Copy of Rashmi Mishra (ISACA ID: 1152767)
70%
80%
90%
100%
17
STATE OF CYBERSECURITY 2020: GLOBAL UPDATE ON WORKFORCE EFFORTS AND RESOURCES
FIGURE 17—MEANS OF MITIGATING SHORTFALLS
Which, if 17–MEANS
any, of the following
has your organization
undertaken to help decrease the perceived
FIGURE
OF MITIGATING
SHORTFALLS
cybersecurity
gaps? Select
all that
apply. undertaken to help decrease the perceived cybersecurity skills gaps?
Which,
if any, ofskills
the following
has your
organization
Training to allow nonsecurity
staff who are interested to move
into security roles
40%
Increased use of contract
employees or outside
consultants
40%
Increased use of performancebased training to attest to actual
skill mastery
22%
Increased reliance on artificial
intelligence or automation
20%
Increased reliance on
credentials to attest to actual
subject matter expertise
20%
Nothing has been done
Organization has no
skills gaps
16%
3%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Gender Diversity Within Cybersecurity—
Slow but Steady Improvement
Gender Diversity and Disparity
Overall, this year’s survey results extend the last two
years’ reporting of a male-dominated workforce: Eightysix percent of recent respondents report the employment
of more men than women in their enterprises’ security
roles (figure 18). However, this figure represents a small
decrease (three percentage points) from last year, while
percent—up one percentage point from the prior year
(figure 19). The number of women who believe that they
are afforded the same opportunities as men increased 6
percentage points (to 51 percent), and the gap between
the numbers of men and women who perceive equal
opportunity for career advancement narrowed by 7
percentage points from a year ago.
the number of respondents indicating equal numbers of
Forty-seven percent of respondents indicate that their
men and women increased three percentage points.
enterprise has a goal to increase the number of women
in cybersecurity roles—a two-percentage point gain
Most respondents believe that women are afforded the
from last year; the number of women making that claim
same opportunities for career advancement as men—81
increased five percentage points to 38 percent.
© 2020 ISACA. All Rights Reserved.
Personal Copy of Rashmi Mishra (ISACA ID: 1152767)
18
STATE OF CYBERSECURITY 2020: GLOBAL UPDATE ON WORKFORCE EFFORTS AND RESOURCES
FIGURE18—PROPORTION
18—PROPORTION
MEN
WOMEN
IN CYBERSECURITY
ROLES
FIGURE
OFOF
MEN
VS.VS.
WOMEN
IN CYBERSECURITY
ROLES
How
would
you
describe
the
current
proportion
of
men
versus
women
in
cybersecurity
your organization?
How would you describe the current proportion of men versus women in cybersecurity roles inroles
your in
organization?
All men
13%
Significantly more
men than women
48%
Somewhat more
men than women
25%
Equal numbers of
men and women
11%
Somewhat more
women than men
2%
Significantly more
women than men
< 1%
All women
< 1%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
FIGURE19–GENDER
19—GENDER
DISPARITY
FIGURE
DISPARITY
Do you
youbelieve
believethat
thatwomen
women
offered
same
opportunities
for career
advancement
men
are offered
in the
Do
areare
offered
thethe
same
opportunities
for career
advancement
as menas
are
offered
in the field
of
field of cybersecurity
in your organization?
cybersecurity
in your organization?
Yes
81%
No
19%
0%
10%
20%
30%
40%
© 2020 ISACA. All Rights Reserved.
50%
60%
Personal Copy of Rashmi Mishra (ISACA ID: 1152767)
70%
80%
90%
100%
19
STATE OF CYBERSECURITY 2020: GLOBAL UPDATE ON WORKFORCE EFFORTS AND RESOURCES
Gender Initiatives
progress—however slight—towards increasing the
Despite an increasing number of global initiatives to
The positive changes in this year’s data are promising.
boost the number of women in technology careers,
According to the data, almost half of all enterprises—
expectations should be tempered as broad-scale
49 percent—have gender diversity programs in
workforce efforts take time to cultivate. That said,
place, which is five percentage points higher than last
64 percent of those surveyed indicate some
year (figure 21).
number of women in cybersecurity roles (figure 20).
FIGURE20–ORGANIZATIONAL
20—ORGANIZATIONAL
PROGRESS
TOWARD WOMEN
INCREASING
WOMEN
IN CYBER ROLES
FIGURE
PROGRESS
INCREASING
IN CYBER
ROLES
How would
wouldyou
youdescribe
describe
the
progress
organization
has made
in increasing
the number
of women
How
the
progress
thatthat
youryour
organization
has made
in increasing
the number
of women
in cybersecurity
cybersecurityroles?
roles?
in
Significant progress
13%
Some progress
32%
Minimal progress
19%
No progress
14%
Organization has no program
in place to change the
proportion of women
22%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
FIGURE21–DIVERSITY
21—DIVERSITY
PROGRAMS
FIGURE
PROGRAMS
Does
your
organization
have
place
specific
diversity
programs
to support
women
cybersecurity
professionals?
Does your organization have in in
place
specific
diversity
programs
to support
women
cybersecurity
professionals?
Yes
49%
No
51%
0%
10%
20%
30%
40%
© 2020 ISACA. All Rights Reserved.
50%
60%
Personal Copy of Rashmi Mishra (ISACA ID: 1152767)
70%
80%
90%
100%
20
STATE OF CYBERSECURITY 2020: GLOBAL UPDATE ON WORKFORCE EFFORTS AND RESOURCES
Signs of Leveling in
Cybersecurity Funding
Cybersecurity budgets are projected to bounce
increase of three percentage points from last
back in 2020; however, the increase remains less than
year. This increase is notable because the data in
the 64 percent reported two years ago. Specifically,
figures 22 and 23 suggest spending may be
58 percent of respondents anticipate an increase
leveling out, given the five-year trend represented
in cybersecurity budgets (figure 22), which is an
in figure 24.
7
FIGURE22–ENTERPRISE
22—ENTERPRISE
SECURITY
BUDGET
OUTLOOK
FIGURE
SECURITY
BUDGET
OUTLOOK
How, ififany,
any,will
willyour
yourorganization’s
organization’s
cybersecurity
budget
change
the 12
next
12 months?
How,
cybersecurity
budget
change
in theinnext
months?
Significantly increase
4%
8%
54%
Somewhat increase
47%
29%
Remain unchanged
34%
11%
Somewhat decrease
Significantly decrease
9%
2%
3%
0%
2020
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
50%
60%
70%
80%
90%
100%
2019
FIGURE23–CYBERSECURITY
23—CYBERSECURITY
FUNDING
PERCEPTION
FIGURE
FUNDING
PERCEPTION
Do you
youfeel
feelyour
yourorganization’s
organization’s
cybersecurity
budget
is currently…
Do
cybersecurity
budget
is currently…
17%
Significantly underfunded
19%
41%
Somewhat underfunded
41%
38%
Appropriately funded
Somewhat overfunded
34%
4%
3%
1%
Significantly overfunded
2%
0%
2020
10%
20%
30%
40%
2019
7 ISACA, State of Cybersecurity 2018, Part 1: Workforce Development, https://cybersecurity.isaca.org/csx-resources/state-of-cybersecurity-2018
© 2020 ISACA. All Rights Reserved.
Personal Copy of Rashmi Mishra (ISACA ID: 1152767)
21
STATE OF CYBERSECURITY 2020: GLOBAL UPDATE ON WORKFORCE EFFORTS AND RESOURCES
FIGURE 24–FORECASTED SECURITY BUDGET INCREASES (5 YEAR)
FIGURE 24—FORECASTED SECURITY BUDGET INCREASES (5 YEAR)
100%
90%
80%
70%
64%
61%
60%
58%
55%
50%
50%
40%
30%
20%
10%
0%
2016
2017
2018
2019
2020
Conclusion: Organizations Must
Act on Talent Shortage
The cybersecurity workforce shortage is not new, nor
individuals—who already understand the organization’s
is it going away soon. Formal educational programs
business drivers and culture—can help to satisfy
and industry cybersecurity training programs—despite
some of the knowledge and skills gaps reported in this
their proliferation—cannot replicate cybersecurity
year’s survey. Gender diversity programs are one
experience, which is the most sought-after criterion for
vehicle to increase organizational talent, but they
filling a vacant job position. Organizations have difficulty
cannot be the only solution to combat the talent
locating individuals with the desired experience,
shortage. More can be done, but it requires commitment
and increasingly poach qualified talent from other
and nontraditional recruiting. Formal education and
enterprises—a practice whose frequency is likely to
industry training programs can be cost prohibitive
increase. The excessive time required to fill open
for many aspiring practitioners. Mandating college
positions not only exacerbates workplace stress but
degrees and certifications minimizes talent pools
is also associated with increased cyberattacks and
and disadvantages those who could not afford to
retention issues.
fulfill traditional requirements for cybersecurity jobs.
Government workforce development or employment
Most organizations have experienced a bad hire, which
agencies may also be viable sources for displaced
can prove undesirable and costly in some instances.
workers or career changers. The cybersecurity seller’s
However, that risk pales in comparison to any recently
job market will not diminish anytime soon; with
documented cybersecurity incident. With so few
budgets leveling out—and retention waning—traditional
qualified applicants, organizations are wise to cross-
recruitment strategies may have to give way to new and
train existing employees. Investing in familiar, motivated
inventive alternatives.
© 2020 ISACA. All Rights Reserved.
Personal Copy of Rashmi Mishra (ISACA ID: 1152767)
22
STATE OF CYBERSECURITY 2020: GLOBAL UPDATE ON WORKFORCE EFFORTS AND RESOURCES
Acknowledgments
ISACA would like to recognize:
ISACA Board of Directors
Brennan P. Baybeck, Chair
CISA, CRISC, CISM, CISSP
Vice President and Chief Information
Security Officer for Customer Services,
Oracle Corporation, USA
Rob Clyde
ISACA Board Chair, 2018-2019
CISM
Board Director, Titus and Executive
Chair, White Cloud Security, USA
Rolf von Roessing, Vice-Chair
CISA, CISM, CGEIT, CISSP, FBCI
FORFA Consulting AG, Switzerland
Chris K. Dimitriadis, Ph.D.
ISACA Board Chair, 2015-2017
CISA, CRISC, CISM
INTRALOT, Greece
Tracey Dedrick
Former Chief Risk Officer with Hudson
City Bancorp, USA
Pam Nigro
CISA, CRISC, CGEIT, CRMA
Health Care Service Corporation, USA
R.V. Raghu
CISA, CRISC
Versatilist Consulting India Pvt. Ltd.,
India
Greg Grocholski
ISACA Board Chair, 2012-2013
CISA
Saudi Basic Industries Corporation, USA
David Samuelson
Chief Executive Officer, ISACA, USA
Gabriela Reynaga
CISA, CRISC, COBIT 5 Foundation, GRCP
Holistics GRC, Mexico
Gregory Touhill
CISM, CISSP
AppGate Federal Group, USA
Asaf Weisberg
CISA, CRISC, CISM, CGEIT
introSight Ltd., Israel
© 2020 ISACA. All Rights Reserved.
Personal Copy of Rashmi Mishra (ISACA ID: 1152767)
23
STATE OF CYBERSECURITY 2020: GLOBAL UPDATE ON WORKFORCE EFFORTS AND RESOURCES
About ISACA
For more than 50 years, ISACA® (www.isaca.org) has advanced the best
talent, expertise and learning in technology. ISACA equips individuals with
knowledge, credentials, education and community to progress their careers
and transform their organizations, and enables enterprises to train and
build quality teams. ISACA is a global professional association and learning
organization that leverages the expertise of its 145,000 members who work
1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
in information security, governance, assurance, risk and privacy to drive
Support: support.isaca.org
innovation through technology. It has a presence in 188 countries, including
Web: www.isaca.org
more than 220 chapters worldwide.
Disclaimer
Provide feedback:
ISACA has designed and created State of Cybersecurity 2020, Part 1:
www.isaca.org/state-of-
Global Update on Workforce Efforts and Resources (the “Work”) primarily
cybersecurity-2020
as an educational resource for professionals. ISACA makes no claim
that use of any of the Work will assure a successful outcome. The Work
should not be considered inclusive of all proper information, procedures
and tests or exclusive of other information, procedures and tests that
Participate in the ISACA
Knowledge Center:
www.isaca.org/knowledge-center
are reasonably directed to obtaining the same results. In determining the
Twitter:
propriety of any specific information, procedure or test, professionals
www.twitter.com/ISACANews
should apply their own professional judgment to the specific
circumstances presented by the particular systems or information
technology environment.
LinkedIn:
www.linkedin.com/company/isaca
Facebook:
RESERVATION OF RIGHTS
www.facebook.com/ISACAGlobal
© 2020 ISACA. All rights reserved.
Instagram:
www.instagram.com/isacanews/
State Of Cybersecurity 2020, Part 1: Global Update On Workforce Efforts And Resources
© 2020 ISACA. All Rights Reserved.
Personal Copy of Rashmi Mishra (ISACA ID: 1152767)