The cybersecurity skills gap issue may be further from being solved than expected despite the large amount of money being invested around the world to train professionals, according to a report by the Information Systems Audit and Control Association (ISACA). While the volume of training has increased the number of entry-level professionals, organizations are looking for experienced cybersecurity personnel, the international IT governance professional association says.

“Continued hyper-focus on the perceived worker shortage to fill unverifiable open cybersecurity positions is problematic, for it not only fails to address duplicate job postings but also the perspectives of aspiring cybersecurity professionals who spent significant time and money completing pathway programs and yet remain unable to secure employment in the cybersecurity field,” ISACA states in its State of Cybersecurity 2023, Global Update on Workforce Efforts, Resources and Cyberoperations report.

“Failure to resolve this critical issue will magnify the existing problem of students and career changers being unable to obtain employment due to lack of experience, despite any knowledge, skills or credentials they have acquired,” found the report.

The annual ISACA report was conducted during the second quarter of 2023.
More than 2,100 professionals around the world answered the online survey sent to those with ISACA Certified Information Security Manager (CISM) certification or who have registered job titles in the information security field.

The cyber workforce continues to age

While the largest percentage of respondents (34%) remained among those aged between 35 and 44, the average age of the workforce continued to increase, albeit slowly — respondents in the 45 to 54 and 55 to 64 age ranges increased by two percentage points (32%) and three percentage points (19%), respectively, compared with 2022.

There has long been a discussion in IT circles around companies hiring and training recent graduates only to lose these now-skilled professionals to higher-paying jobs elsewhere. “Cybersecurity companies and departments largely do accept that training and upskilling is necessary to help combat the shortage of cyber staff,” Jo Stewart-Rattray, CISO and ISACA ambassador, Oceania, tells CISO.

“But it’s a double-edged sword. While the intention is there, the under-staffing epidemic leaves us little capacity in terms of time to invest in training and upskilling — even though this is the ultimate solution.”

It goes without saying that if a company finds the right professional with the right skills and can afford to hire that professional, it will. “In some ways, we are our own worst enemy,” Stewart-Rattray says.

Cybersecurity teams are ‘at capacity’

“The spike in cyberattacks that we have experienced globally has led to increased security vigilance by companies of all sizes. This is placing unprecedented demand on CISOs, who are being called upon to review and upgrade security and work with either legal teams or privacy teams to strengthen privacy programs, let alone handling data breaches themselves.
We are at capacity,” Stewart-Rattray says.

The long-term resolution to the problem relies on cybersecurity professionals, and those hiring must look to simplify job descriptions and requirements expected of cyber graduates and those professionals transitioning from other sectors, she suggests.

“Rather, job descriptions should focus on the important skills, sometimes referred to as soft skills, that we are lacking in our industry, which opens up a wider pool of potential talent.” Stewart-Rattray also said that the risk of losing a trained professional is not something she sees as a problem from her perspective.

“The deterrent is time. I believe there are many benefits we can offer to help retain employees such as flexible working arrangements, as the return to office mandate is not being well-received across our industry sector. In addition, paying for certification and training programs, and covering industry memberships is important.”

The report found that 65% of the respondents paid employee certification fees. But the remaining 35% suggests that quite a few professionals have to pay out of pocket for their certifications and updates — which aren’t always cheap — which becomes an additional stressor for some employees.

Retention of cybersecurity professionals is on the rise

The good news is that retention increased, with a 6% drop in the number of respondents reporting retention issues compared to the previous year. But this improvement is more likely tied to economic uncertainty rather than work conditions having improved.

The main reasons for employees departing included recruitment by other companies (58%). The second highest response, poor financial incentives (e.g., salaries or bonuses), is likely the main driver, ISACA found.
Those seeking better financial compensation increased by 6% from last year to 54%.

While work stress levels dropped by two percentage points from 2022, it remains a contributing factor at 43%, ranking fourth on the list. Other notable reasons included limited remote work possibilities (increased by four percentage points from 2022) and poor work culture/environment, both potentially driven by return-to-work mandates.

“Uncertainty of any kind appears to be driving fewer job changes, and while vacancies persist, the survey results indicate that enterprises appear to be tightening budgets and compensation aids ahead of a potential recession,” read the report.

The state of cybersecurity across regions

In Europe, about 52% of organizations said they experienced more attacks than the year before, while in Oceania that reached 56%, both higher than the global average of 48%.

The report found that companies were underreporting cyberattacks, with 78% in both European and Oceania regions. Only 3% of European organizations said they accurately report cybercrime even if not required to do so.

Things get worse for Oceania when it comes to confidence in cybersecurity teams’ ability to detect and respond to cyber threats, with only 36% being confident. The global average is 42%.

While the percentage of employers requiring a university degree for entry-level cybersecurity positions remains at 52%, differences across geographical regions are notable — Europe and Africa saw decreases, Asia and North America remained unchanged, and Latin America and Oceania reported 9% and 10% increases respectively in this requirement.