ISACA’s 8th Annual Cybersecurity Survey Shows an Increase in Unfilled Cybersecurity Positions and Lack of Qualified Talent in India

Press Release

• 01-04-2022

• In India, 60% indicate they have unfilled cybersecurity positions, an 11-percentage-point increase from 2021.
• 62% say it takes 3-6 months for their organisation to fill a cybersecurity position with a qualified candidate, compared to 47% globally.
• 42% feel their cybersecurity team in the organization is understaffed.
• 65% say their organisation has experienced difficulty in retaining qualified cybersecurity professionals, a 14-percentage-point increase from last year’s cybersecurity report.

India, March 30, 2022: —India ranks second only to the US in most security threats on cloud, followed by Australia, Cannada and Brazil (according to McCafe Enterprise Advanced Threat Research Report).  Cybersecurity skills demand in the country is slated to grow, reflecting the global trend of an increasing skills gap in cybersecurity and a workforce unable to meet industry demand. The eighth annual cybersecurity survey from reputed global IT association ISACA, unveiled in India today, reveals an increase in cybersecurity hiring and retention challenges in the country.

According to ISACA’s new survey report, State of Cybersecurity 2022: Global Update on Workforce Efforts, Resources and Cyber Operations, sponsored by Looking Glass Cyber Solutions, organisations are struggling more than ever with hiring and retaining qualified cybersecurity professionals and managing skills gaps. This year’s survey results in India depict that 60% of the organisations have unfilled cybersecurity positions and that 42% report their organisation’s cybersecurity team is understaffed. Even more concerning is that 59% believe that less than half of their applicants are well qualified for the position they are applying.

Hiring and retention challenges

As in past years, filling cybersecurity roles and retaining talent continues to be a challenge for many enterprises. Sixty-three percent of global respondents indicate they have unfilled cybersecurity positions and India reflects the same trend with 60% unfilled positions. Sixty-two percent of India-based respondents say it takes three to six months for their organisations to find qualified cybersecurity candidates for open positions, compared to 47% globally. For respondents in India, the top factors hiring managers use to determine whether a candidate is qualified are prior hands-on cybersecurity experience (77%), credentials (45%) and hands-on training (38%). Two in three (65%) respondents report difficulties retaining qualified cybersecurity professionals, a 14 percentage -point increase from 2021. The top reasons that India respondents believe cybersecurity professionals are leaving their jobs include:

1. Poor financial incentives in terms of salary or bonus (51%)
2. Limited promotion and development opportunities (50%)
3. Recruited by other companies (47%) 
4. High work stress levels (38%)
5. Lack of management support (38%)

Skills gaps and mitigation

Respondents from India indicate they are looking for a range of skills in candidates, noting the top skills gaps they see in today’s cybersecurity professionals are soft skills (53%), cloud computing (48%)—a new response option for this question—and security controls implementation (42%). Soft skills is also the second-highest skills gap cited for recent graduates (after security controls), and has seen an 11-percentage-point increase in perception as a skills gap among Indian respondents since 2021.

The top three most required security skills are cloud computing (51%), identity & access management (45%) and data protection (44%). Among the top soft skills deemed important are critical thinking (53%), communication (52%) and problem solving (44%).

Fifty-nine percent of respondents in India believe that less than half of their applicants are well qualified for the position for which they are applying. India-based respondents note that their organisations are undertaking multiple measures to decrease cybersecurity skills gaps such as training to allow non-security staff who are interested to move into security roles (58%), increased use of reskilling programmes (44%), increased usage of consultants and external staff (38%), and increased use of performance-based training (36%).

Speaking at a press briefing to unveil the report, Chris Dimitriadis, ISACA Chief Global Strategy Officer, said, “Challenges in hiring and retaining cybersecurity professionals have impacted organizations around the world for years, and have only become more complex amid the pandemic and larger shifts in the global workforce. ISACA is addressing those challenges globally by building a workforce of digital trust professionals, who have more holistic and correlated views from the adjacent professions of cybersecurity, IT audit, risk, privacy and digital technology governance, while also offering state of the art tools in cyber maturity assessments.”

R.V Raghu, ISACA Ambassador in India and past ISACA board director, added, “A strong cybersecurity workforce with cutting-edge skills is essential in the face of evolving technology and an ever-changing cyber threat landscape to support much needed digital trust. Hands-on training, credentials, networking and sharing best practices through the cybersecurity community globally and in India, including through organisations like ISACA, can help cybersecurity professionals in India not only strengthen their skillsets and keep advancing their careers, but also ensure they are keeping their enterprises protected against the latest cyber threats.”

“It’s important to understand the trends across the community over time as well as how one’s organisation compares. This is necessary information to help advance the field as a whole, and we’re proud to be a part of sharing and disseminating these insights,” says Mary Yang, Chief Marketing Officer at Looking Glass Cyber Solutions. “Looking Glass is thrilled to support the cybersecurity community by partnering with ISACA on this report.”

Threat Landscape

This year, 33% of respondents in India indicate that their organisation is experiencing more cyberattacks compared to a year ago. When asked about their main concerns related to cyberattacks, organisational reputation (86%), data breach concerns (78%) and cyber-attack on supply chain or business disruption (63%) rank top of mind for India-based respondents. They also indicated that the top types of cyber-attacks they experienced in the past year include:

1. Advanced persistent threats (18%)
2. Ransomware (14%)
3. Denial of services (13%)
4. Injection flaws (12%)
5. Sensitive data exposure (12%)

Despite the threats they face, 79% of respondents in India indicate they are confident in their organisation’s cybersecurity team’s ability to detect and respond to cyber threats.

Cyber maturity

When it comes to cyber risk assessments, 77% of respondents based in India say their organisation currently assesses its cyber maturity. Eighty-six% say their executive leadership team sees value in conducting a cyber risk assessment and 35% say their organisation performs a cyber risk assessment every 1-6 months.  

Cybersecurity Budgets

While 48% of respondents in India opine that their cybersecurity budgets are appropriately funded, 31% perceive their budget is underfunded, compared to 54% globally. Fifty-nine percent of India respondents expect some level of increase in cybersecurity budgets, while only 17% of respondents in India, almost half of the global number of 38%, expect no change in budgets.

The survey features insights from more than 2,000 cybersecurity professionals around the globe, and examines cybersecurity staffing and skills, resources, cyber threats and cybersecurity maturity. A complimentary copy of the State of Cybersecurity 2022 survey report can be accessed at www.isaca.org/state-of-cybersecurity-2022, along with related resources. Additional cybersecurity resources can be found at www.isaca.org/resources/cybersecurity.

Previous News