Study: 82% of Organizations Expect a Cyberattack, Yet 35% Are Unable to Fill Open Security Jobs

Global Talent Pool Reflects Urgent Skills Shortage and Hiring Delays

According to a study by ISACA and RSA Conference, 82 percent of organisations expect to be attacked in 2015, but they are relying on a talent pool they view as largely unqualified and unable to handle complex threats or understand their business. More than one in three (35 per cent) are unable to fill open positions. These are the key findings of State of Cybersecurity: Implications for 2015, a study conducted by ISACA, a global leader in cybersecurity, and RSA Conference, organizers of prominent, global cybersecurity events.

Based on a global survey of 649 cybersecurity and IT managers or practitioners, the study shows that 77 per cent of those polled experienced an increase in attacks in 2014 and even more (82 per cent) view it as likely or very likely that their enterprise will be attacked in 2015. At the same time, these organizations are coping with a very shallow talent pool. Only 16 per cent feel at least half of their applicants are qualified; 53 per cent say it can take as long as six months to find a qualified candidate; and more than a third are left with job openings they cannot fill.

A portrait of the ideal cybersecurity professional emerges from this list of shortfalls: the top three attributes are a formal education, practical experience and certifications.

“The State of Cybersecurity study reveals a high-risk environment that is being made worse by the lack of skilled talent,” said Garry Barnes, ISACA International Vice President and Governance Advisory Practice Lead at Vital Interacts. “ISACA is collaborating with industry and government to close this gap through resources designed specifically to meet the unique and complex requirements of the cybersecurity profession.”

As cybersecurity incidents increase, it is important to examine the surrounding issues. The collaboration between RSA Conference and ISACA explores recent issues such as hacks, attacks, flaws, security structures, budgets and policies.

“The survey findings reflect what we are seeing and hearing from our speakers and attendees,” said Fahmida Y. Rashid, editor-in-chief, RSA Conference. “The 2015 RSA Conference brings together professionals, experts and executives to share information about the latest attacks and exchange security strategies. This year’s hot topics include detecting and responding to security breaches, practical ways to consume threat intelligence, and understanding the ‘Human Element.’”

The study reveals that organizations are experiencing attacks that are largely deliberate, and they lack confidence in the ability of their staff. The top four threat actors exploiting organisations in 2014 were cybercriminals (46 per cent), non-malicious insiders (41 per cent), hackers (40 per cent) and malicious insiders (29 per cent). Sixty-four per cent are very concerned or concerned about the Internet of Things, and less than half feel their security teams are able to detect and respond to complex incidents.

Despite these gaps, this specialised area is growing in prominence within the business. The 2015 State of Cybersecurity report documents a job function that is quickly attracting increased visibility and investment:
• 79 per cent say their board of directors is concerned with cybersecurity
• Close to a third report either to the CEO (20 per cent) or to the board (11 per cent)
• 55 per cent employ a chief information security officer (CISO)
• 56 per cent will spend more on cybersecurity in 2015 and 63 per cent say their executive team provides appropriate funding

“If there is any silver lining to this looming crisis, it is the opportunities for university graduates and professionals seeking a career change. Cybersecurity professionals are responsible for protecting an organisation’s most valuable information assets, and those who are good at it can map out a highly rewarding career path,” noted Barnes.

Conducted 20-29 January 2015, State of Cybersecurity: Implications for 2015 is based on online polling of 649 ISACA certification holders and RSA Conference constituents. The survey has +/-3.8 percent margin of error at a 95 percent confidence level.

ISACA assisted the National Institute of Standards and Technology (NIST) by providing input for the US Cybersecurity Framework and launched Cybersecurity Nexus (CSX) in 2014. CSX is a global resource to help identify, develop and train a skilled cybersecurity workforce. The inaugural CSX North America conference will take place 19-21 October in Washington DC. For more information, visit

Follow ISACA on Twitter:
Join ISACA on LinkedIn: ISACA (Official),
Like ISACA on Facebook:

Garry Barnes
Garry Barnes is practice lead, Governance Advisory at Vital Interacts (Australia). He has more than 20 years of experience in information and IT security, IT audit and risk management and governance, having worked in a number of New South Wales public sector agencies and in banking and consulting. ISACA ( helps global professionals lead, adapt and assure trust in an evolving digital world by offering innovative and world-class knowledge, standards, networking, credentialing and career development. Established in 1969, ISACA is a global non-profit association of 140,000 professionals in 180 countries.