
Brian Sims
Editor
ALMOST TWO-in-five (ie 39%) European IT and cyber security professionals have stated that their organisation is experiencing more cyber attacks than was the case this time last year, while a further 27% report facing a similar number of incidents. That’s according to new ISACA research.
Despite this rising wave of attacks, confidence in organisational readiness remains low, with fewer than two-in-five professionals stating that they’re completely confident in their organisation’s ability to detect and respond effectively.
As attacks continue to increase in scale and scope, the pressure on professionals is growing, with 65% of those individuals questioned identifying the increasingly complex threat landscape as a major stress factor.
Stress levels remain high
While budgets and staffing show some progress, the pace is not fast enough to ease pressure on professionals. Over half (58%) of those surveyed report that their organisation remains understaffed. That’s only a modest improvement of three percentage points when compared to last year.
Budgets tell a similar story of slow progress. While over half (54%) of professionals say their organisation is underfunded, this has improved slightly from 58% in 2024.
While incremental gains suggest that organisations are beginning to prioritise cyber security, progress still lags behind the demands of the threat landscape and professionals on the front line are feeling this pressure.
More than two-thirds (68%) say their job is more stressful now than it was five years ago (a figure which remains unchanged from last year). Within workplaces, organisations are failing to give professionals the support they need to manage stress. Over half (54%) report unrealistic expectations or excessive workloads, 48% highlight poor work-life balance and more than one-third (36%) say their teams lack the right skills or training.
Alarmingly, more than one-in-five organisations (22%) have still taken no action to address or prevent employee burnout, leaving professionals to manage growing responsibilities with limited support.
Devastating for businesses
“Over the past year, the public has seen first-hand just how impactful cyber attacks can be, with high-profile breaches devastating businesses and dominating headlines,” said Chris Dimitriadis, chief global strategy officer at ISACA. “At the same time, the overall volume of attacks is rising, with almost two-in-five organisations experiencing more incidents than a year ago.”
Dimitriadis continued: “While organisations are starting to acknowledge the problem and take steps to address long-standing issues in budgets and staffing, the pace of change is still far too slow. The reality is that cyber criminals are moving faster than most organisations can respond. Now is the time to invest in a more holistically trained cyber security workforce. That’s an investment towards customer trust and in gaining competitive advantages, not just a reactive move following an incident.”
Recruitment and retention challenges
More than half of organisations (52%) are struggling to retain qualified cyber security professionals. That’s according to those professionals familiar with hiring within their organisations. Entry-level roles are particularly difficult to fill. Nearly one-in-five organisations (19%) have open positions that don’t require experience, a degree or credentials, yet almost half (45%) say it still takes three-to-six months to hire at this level.
Part of the challenge lies in narrow hiring expectations. While just over half of respondents (55%) view a university degree as important for candidates, far more place value on professional credentials (84%) or hands-on training (73%).
Expanding recruitment pathways and offering training opportunities for those without conventional backgrounds could help organisations to grow their pipeline of talent.
Chris Dimitriadis added: “In order to build resilience and keep pace with the evolving threat landscape, we must widen the pathways into cyber security. By valuing hands-on training, professional credentials and transferable skills, organisations can strengthen their teams and ease the pressure on overstretched professionals. Recruitment is only the start, though. Continuous training and upskilling are critical. That’s how we move from slow and incremental change to real progress, reducing stress and building long-term protection.”
Involvement in Artificial Intelligence
Even as staffing and skills shortages persist, cyber security teams are increasingly at the forefront of Artificial Intelligence (AI) governance and implementation. More than half of European professionals (51%) say they’ve helped develop their organisation’s AI governance framework – that’s up sharply from 36% last year – while 46% are now directly involved in AI implementation (up from 27%).
Beyond governance, AI is already embedded in day-to-day operations, with top uses including threat detection (29%), endpoint security (28%) and routine task automation (27%). These findings point to the accelerating pace of AI adoption and the urgent need for stronger AI security legislation and continuous upskilling, particularly as Europe advances the EU AI Act and NIS2 and the UK prepares its own forthcoming AI legislation.
*Further information is available online at www.isaca.org