A recent global survey of over 3,800 cybersecurity experts reveals a profession under significant pressure. The report, conducted by the IT association ISACA, indicates that professionals are dealing with heightened stress levels, persistent staff shortages, and an increasingly complex landscape of digital threats. As a result, many organizations are turning to artificial intelligence to reinforce their defenses.
Key Takeaways
- A survey of over 3,800 experts found two-thirds feel their roles are more stressful than five years ago.
- 55% of cybersecurity teams report being understaffed, and 65% have unfilled positions.
- Social engineering (44%) is the most common type of cyberattack, followed by exploited vulnerabilities (37%).
- Organizations are increasingly using AI for threat detection, endpoint security, and automating routine tasks.
The State of Cybersecurity Stress
The cybersecurity field is experiencing a significant rise in occupational stress, according to new data from ISACA. The survey found that a substantial two-thirds of cybersecurity professionals believe their roles have become more stressful over the past five years.
The primary driver of this stress, cited by 63% of respondents, is the sheer complexity of the modern threat environment. This complexity contributes directly to burnout and employee turnover, with nearly half (47%) of those surveyed identifying high stress as a primary reason for people leaving the profession.
By the Numbers: Stress and Attrition
The ISACA report highlights a clear link between job pressure and retention. With 47% of professionals pointing to stress as a key reason for attrition, organizations face a critical challenge in maintaining experienced security teams.
An Escalating Threat Landscape
The pressure on security teams is compounded by the expectation of future attacks. The survey revealed that 43% of respondents believe a significant cyberattack on their organization is likely within the next 12 months. Despite this perceived risk, confidence in their ability to handle such incidents is not universal. Only 41% of professionals reported feeling confident in their organization's incident-response capabilities.
Furthermore, there is a belief that the problem is larger than official statistics suggest. Approximately 39% of those surveyed think that cybercrime is underreported, even in cases where disclosure is legally required. This suggests that the true frequency and impact of attacks may be greater than what is publicly known.
Most Common Attack Methods
The report identified the most prevalent types of cyberattacks currently facing organizations. The findings show that human-centric attacks remain a top concern:
- Social Engineering: 44% of respondents cited this as the most common attack, where attackers manipulate individuals into divulging sensitive information.
- Exploited Vulnerabilities: 37% pointed to attacks that take advantage of flaws in software, hardware, or network systems.
- Malware: 36% identified malicious software as a frequent threat vector.
Even with existing defenses, about one-third of cybersecurity professionals reported that the number of security incidents at their companies had increased this year.
Persistent Staffing Gaps Worsen the Problem
The challenges of a difficult threat environment are made worse by ongoing staffing shortages. The ISACA data shows that 55% of cybersecurity teams are understaffed, and 65% of organizations have open, unfilled cybersecurity positions. This talent gap places additional strain on existing team members, who must manage a growing workload with limited resources.
The report also notes a decline in one potential solution: internal training. Fewer organizations are now training employees from non-security departments to transition into cybersecurity roles, further limiting the pipeline of available talent.
The Impact of Understaffing
When security teams are short-staffed, response times can slow, routine security maintenance may be delayed, and the overall security posture of an organization can weaken. This creates a cycle where increased threats lead to more work, which contributes to burnout in an already strained workforce.
Turning to AI for Reinforcement
In response to these mounting pressures, organizations are increasingly integrating artificial intelligence into their security operations. AI is seen as a valuable tool for augmenting human capabilities and managing the high volume of security data.
"AI has proven valuable in strengthening defenses," stated Aparna Achanta, a security leader at IBM Consulting, in a comment to ISACA. She explained that machine learning helps detect anomalies at scale, while automation reduces the workload on analysts by handling routine alerts and speeding up response times.
The survey data reflects this trend. Cybersecurity professionals report a growing involvement in their company's AI strategies. Nearly half (47%) said they helped develop AI governance practices, a notable increase from 35% the previous year. Similarly, 40% were involved in AI implementation, up from 29%.
Top Uses of AI in Security
According to the survey, the most common applications of AI in security operations include:
- Threat detection and analysis
- Endpoint security for devices like laptops and servers
- Automation of routine and repetitive tasks
The Human Element in an AI-Driven Defense
While AI offers powerful capabilities, experts caution that it is not a complete replacement for human expertise. Aparna Achanta noted that human oversight remains essential to prevent bias in AI models, identify potential blind spots, and correct errors in automated decision-making.
This sentiment was echoed by Chris McGowan, ISACA's principal for information security professional practices. He emphasized the need for companies to support their human teams as threats evolve.
"Cybersecurity professionals are navigating an increasingly complex threat landscape, marked by the rapid evolution of threats and an increase in both the frequency and sophistication of attacks," McGowan said. He stressed that companies must not only improve their technological defenses but also "prioritize the well-being of their cybersecurity teams."
McGowan concluded that regular reviews of support systems and continuous training are crucial for strengthening both the skills and the resilience of cybersecurity professionals in the face of anticipated increases in cyberattacks.
