Cyber budget cuts are slowing down, but that doesn't mean there's light on the horizon for security teams
A new ISC2 survey indicates that both layoffs and budget cuts are on the decline
While 2024 saw a surge in layoffs, budget cuts, and hiring and promotion freezes, the economic conditions hitting cybersecurity teams appear to be levelling off.
A new report from ISC2 shows that budget cuts across the industry fell by one percentage point to 36% this year, with layoffs also dropping by one percentage point to 24%.
However, while budget cuts are slowing down, a continued lack of budget is still a key hurdle for security leaders, exacerbating long-running staff shortages.
Around one-third (33%) of respondents to the ISC2 survey noted their organizations didn't have the resources to adequately staff their teams. Meanwhile, 29% said they couldn't afford to hire staff with the skills they need to adequately secure their organizations.
As a result, 72% agreed that reducing security personnel significantly increases the risk of a breach in their organizations.
Crucially, it's a shortage of skilled personnel, rather than mere numbers, that's really giving security professionals headaches. Nearly nine-in-ten said they'd experienced at least one significant cybersecurity-related consequence in their organization because of skills shortages, while 69% said they'd experienced more than one.
An overwhelming 95% of respondents said they had at least one skill need - up 5% from 2024 - and 59% cited critical or significant skills needs, up 15% from last year.
“A shift is happening. This year’s data makes it clear that the most pressing concern for cybersecurity teams isn’t headcount but skills,” said ISC2 acting CEO and CFO Debra Taylor.
“Skills deficits raise cybersecurity risk levels and challenge business resilience.”
AI is a big opportunity for cyber teams
Notably, Taylor said the increased adoption of technologies such as generative AI is welcomed by cybersecurity workers. Nearly three-quarters (73%) said AI will create more specialized cybersecurity skills while 72% said the technology will create the need for more strategic cybersecurity mindsets.
Two-thirds, meanwhile, said AI will require broader skillsets across the workforce.
At present, around 28% of respondents have integrated AI tools into their operations, with 69% engaged in some sort of adoption process: integration, active testing, or early evaluation.
Demand for AI-related cybersecurity skills is also growing, ISC2 found, remaining among the top skills for the second consecutive year.
This year, 41% of respondents cited AI as a top skill needed, followed by cloud security at 36%.
Nearly half of respondents said they were already working to gain more generalized AI knowledge and skills, while 35% are educating themselves on AI solutions at risk to better understand vulnerabilities and exploits.
All of this is leading to more confidence, with 87% believing there will always be a need for cybersecurity professionals and 81% confident the profession will remain strong.
"Many cybersecurity professionals view AI as an opportunity for career advancement," said Taylor. "They are using AI tools to automate tasks, and they are investing their time to learn more and demonstrate their expertise in using and securing AI systems."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
