Factories once ground to a halt due to a lack of steel. Today, it’s cybersecurity talent. ISACA’s State of Cybersecurity 2025 reveals that enterprises are understaffed, underfunded, and unprepared for the challenges ahead. This lack of cybersecurity investment comes as cyber risks mount and reliance on cyber insurance grows.
Attacks Rising, Confidence Fading
The ISACA survey of 3,800 cybersecurity professionals worldwide found that more than one-third of organizations faced more attacks this year. Despite this increase, readiness remains weak. Only 41% of professionals said they felt confident in their team’s ability to detect and respond. The pressure is visible on staff. “Cybersecurity roles remain stressful,” the report notes, with 66% saying their jobs are more stressful now than five years ago.
“The reality is that cyber criminals are moving faster than most organisations can respond. Now is the time to invest in investing in a more holistically trained cybersecurity workforce, an investment towards customer trust and in gaining competitive advantages, not just a reactive move following an incident,” said Chris Dimitriadis, Chief Global Strategy Officer at ISACA.
Understaffed Teams, Aging Workforce
Enterprises continue to run thin. 55% of teams are understaffed, with mid-sized organizations reporting the worst shortages.
Hiring is slow. Nearly 40% of non-entry-level roles take six months or more to fill, resulting in critical positions remaining vacant. Entry-level jobs are also challenging to staff despite looser requirements.
The talent pool is aging. 35% of professionals are now 45–54 years old, surpassing younger cohorts. ISACA warns that succession planning is urgent as experienced managers near retirement.
Burnout and Retention Risks
High workloads and unclear expectations fuel burnout. Half of professionals face unrealistic demands, while one-third report poor work-life balance. Alarmingly, one in four enterprises does nothing to mitigate burnout, despite its link to turnover and mistakes.
Retention remains uneven worldwide. Latin America (68%) and Africa (66%) report the highest retention challenges, while North America fares better at 43%.
Benefits Declining, Morale at Risk
Employer-provided benefits are slipping. Professional development training is now the top perk (60%), while paid certification fees dropped 11 points from last year.
Other benefits, such as tuition reimbursement and signing bonuses, also declined. ISACA warns that cuts to incentives, combined with high stress, risk accelerating attrition.
Budgets Stuck in Neutral
Cybersecurity funding shows modest progress but remains inadequate. 53% of respondents say budgets are underfunded, down slightly from 59% in 2024.
Confidence in future investment is falling. Only 41% expect budgets to grow in the next year, down from 47% in 2024.
Boardroom priorities make the difference. At companies where boards adequately prioritize cybersecurity, staff report more substantial funding, higher confidence, and fewer retention issues.
Insurance Uptake but Limited Use
Cyber insurance continues to expand, but uptake does not match usage. Only 21% of enterprises have ever filed a claim, while 28% hold unused coverage.
The report cites outside research noting that “cyber claims are down,” despite ransomware still driving significant costs. This raises concerns about underreporting, which could distort insurers’ ability to price risk.
Misaligned Risk Assessments
A worrying number of enterprises fail to conduct risk assessments. 9% of firms with low confidence in their security teams never conduct assessments.
Even among those who do, time constraints and lack of staff are leading obstacles. ISACA warns this misalignment leaves organizations unprepared when attacks hit.
Underreporting Cybercrime
The report highlights a troubling trend: 39% of professionals believe that most enterprises underreport cybercrime, even when required to disclose it.

This culture of silence undermines transparency, distorts public understanding of risk, and could limit the effectiveness of both regulation and insurance.
AI Expands Responsibilities
AI adoption in security operations is accelerating. 29% of organizations use AI for threat detection, 28% for endpoint security, and 27% for task automation.
Staff are also shaping governance. 47% helped draft AI policy, nearly double the 2024 rate. While these added responsibilities are beneficial for safe implementation, they stretch already strained teams.
Skills Gaps Leave Firms Exposed
Interestingly, soft skills top the list of gaps. Some 59% of respondents cited communication, critical thinking, or problem-solving as areas for improvement.
Technical shortfalls include cloud computing, incident response, and identity management, all of which are vital to modern defense. ISACA warns these weaknesses leave firms vulnerable to evolving attacks and regulatory scrutiny.
Plain-Language Analogy
Think of cybersecurity like running a hospital, one with a shortage of doctors. Emergencies keep arriving, patients pile up, and the staff on duty are exhausted. Despite that, administrators cut training programs, hoping insurance covers mistakes. But as Yogi Berra once quipped, “It’s déjà vu all over again.” Without more investment, organizations risk repeating the same crises with higher stakes.