
State of Cybersecurity

The State of Cybersecurity 2024 report reveals significant challenges in the cybersecurity workforce, including an aging workforce and declining budgets, with 66% of respondents reporting increased occupational stress due to a complex threat environment. Staffing levels show slight improvement, with 38% of respondents feeling their teams are appropriately staffed, yet many positions remain unfilled. The report highlights a shift towards employee retention amid economic uncertainty, with fewer professionals leaving their jobs for new opportunities.


State of Cybersecurity 2024

Global Update on Workforce Efforts, Resources, and Cyberoperations

Information Security

© 2024 ISACA. All rights reserved.
CONTENTS

Executive Summary

Survey Methodology

Cybersecurity Workforce Challenges
/ Staffing
/ Retention
/ Vacancies
/ Time to Fill Open Positions
/ Analyzing Unfilled Positions
/ Future Demand
/ Attrition
/ Employer Benefits Are Decreasing

Pipeline Progress
/ Qualifying Applicants
/ University Insights
/ Qualifying Workforce Issues
/ Professional Development Needs by Career Stage
/ Human Capital Mitigations

Cybersecurity Budgets in Decline

Cyberattacks, Detection, and Threat Actors

Cyberrisk
/ Cyberinsurance

Security Operations: Focus on Artificial Intelligence

Conclusion: Focus on Cybersecurity Readiness

Acknowledgments


ABSTRACT
State of Cybersecurity 2024: Global Update on Workforce Efforts, Resources, and
Cyberoperations reports the results of the annual ISACA® global State of Cybersecurity
Survey, conducted in the second quarter of 2024. This survey report focuses on the
current trends in cybersecurity workforce development, staffing, and budgets; threat
landscape; cyberrisk; and use of artificial intelligence (AI). Although past annual
cybersecurity reporting did not indicate major shifts in views or trends, 2024
survey data reveal multiple changes which carry the potential to adversely affect
cybersecurity readiness.


Executive Summary
The tenth annual ISACA® global State of Cybersecurity Survey continues to identify current challenges and trends within the cybersecurity field, while ISACA continues to expand its longitudinal reporting with year-over-year comparison survey results in State of Cybersecurity 2024. This year’s report analyzes survey results on cybersecurity skills, staffing, and budgets; cyberthreats; cyberrisk; and, new this year, artificial intelligence (AI).

Compared with prior year, some survey-result data has not changed, while other data reinforce the finding last year that market uncertainty is having a marked impact—especially on budgets and compensation, which carry the potential to adversely affect cybersecurity readiness.

Key findings include:

• The aging workforce is growing. For the first time in the 10 years of this survey, the largest percentage of respondents are between the ages of 45 and 54 (34 percent). This age group overtakes respondents between the ages of 35 and 44 (30 percent). These results, combined with no uptick in the percentage of respondents who are ages 34 and below and no increase in the number of respondents who manage staff with less than three years of experience, are an alert to industry leaders to consider succession plans for any sudden increase in attrition.

• This year’s survey findings show a slight improvement in appropriate staffing levels. Thirty-eight percent of respondents believe that their cybersecurity team is appropriately staffed, which is an increase of two percentage points over last year’s results. Respondents who believe that their team is somewhat understaffed (43 percent) decreases by three percentage points from last year. Analysis reveals no relationship between staffing levels and whether enterprises use AI to mitigate shortfalls.

• Sixty-six percent of respondents report that occupational stress is much higher than five years ago—81 percent of respondents attribute the higher stress to an increasingly complex threat environment.

• Open cybersecurity roles at all levels continue to wane. Survey data reveal steep declines in vacant technical and nontechnical individual-contributor positions. Cybersecurity manager positions drop nine percentage points (from 60 percent) to their lowest level ever reported for the State of Cybersecurity Survey. Senior manager/director vacancies decrease for the third consecutive year. Executive cybersecurity positions do the same, but not as severe.

• Economic conditions appear to be discouraging employees from leaving current jobs—especially within the United States. The top two reasons why cybersecurity professionals leave their jobs are selected by fewer respondents this year—recruitment by other companies drops by eight percentage points to 50 percent and poor financial incentives drops by four percentage points to 50 percent. High work-stress levels jumps to 46 percent—three percentage points higher than last year’s survey results. The ongoing employer-employee struggle over return-to-office mandates is likely fueling the increase of four percentage points in respondents who identify limited remote work possibilities as a reason for attrition.

• Employer benefits are shrinking. Fewer employers are paying for professional development training, dropping seven percentage points from last year’s survey results. Employers offering flex hours shows a similar drop this year.


• Hands-on cybersecurity experience continues to be the primary factor in determining whether a candidate is considered qualified. Although views on credentials and hands-on training are unchanged, respondents place less emphasis on prior-employer recommendations and university degrees. Respondents report an increase in the importance of association membership.

• Leveraging training to allow interested nonsecurity professionals to move into security roles and increased use of contractors or consultants remain the primary mitigations for the cybersecurity technical skills gaps. Training decreases by four percentage points, and increased use of contractors or consultants increases by two percentage points. After last year’s decline, increased reliance on AI or automation to address staffing shortages rebounds to 23 percent. The use of apprenticeship or internship programs decreased by three percentage points.

• Cybersecurity funding levels drop significantly this year, and its incremental year-over-year decline shows signs of a potential multiyear freefall. Just thirty-six percent of respondents indicate that their cybersecurity budgets are appropriately funded, and 44 percent of respondents believe that their budgets are somewhat underfunded—an increase of four percentage points. Only 47 percent of respondents believe that budgets will increase, and 41 percent of respondents report that budgets will plateau. Thirteen percent of respondents expect budgets to shrink over the next year—a view that is incrementally growing since 2022.

• Threat-landscape data change very little, with two caveats—exploitations attributed to nonmalicious insiders drops to 9 percent, which is an acceptable metric for effective insider-threat and cybersecurity education and awareness training programs. Respondents indicating the “Not applicable” answer declines five points, which is not surprising given an increasingly complex threat landscape.

• Almost half do not know what kind of cyberinsurance their enterprise carries. From a regional perspective, 57 percent of those in Oceania lacked knowledge of their enterprise cyberinsurance type, followed by North America (49 percent) and Europe (43 percent).

• Use of AI in security operations remains in its infancy. Threat detection/response (28 percent) and endpoint security (27 percent) are the most popular applications. Eighteen percent of respondents prefer to not answer. The number of respondents reporting that either they or a team member are involved in the development, onboarding, or implementation of AI solutions is disheartening. Nearly half (45 percent) report no involvement. Results are similar regarding respondent involvement in the development of AI governance policies.

Survey Methodology
In the second quarter of 2024, ISACA sent online survey invitations to a global population of cybersecurity professionals. These professionals hold the ISACA Certified Information Security Manager® (CISM®) certification or have registered job titles in the information security field.

The survey uses multiple-choice and Likert-scale formats and presents respondents with questions across six focus areas:
• Hiring and Skills
• Security Operations
• Cybersecurity budgets
• Cyberattacks and Cyberthreats
• Cyberrisk Assessments
• Organizational Cybersecurity and Governance


A total of 1,868 respondents completed the survey in its entirety, and their responses are included in the results.[1]

This survey has a margin of error of +/- 2 percent at a 95-percent confidence interval. Survey data was collected anonymously, and response rates vary by question.

Of the 1,868 respondents, 47 percent indicate that cybersecurity is their primary professional area of responsibility. Figure 1 shows demographic information about the respondents, who hail from 102 countries and territories. Figure 2 further illustrates the breadth of survey input, showing that respondents represent more than 17 industries.

FIGURE 1: Respondent Demographics

[Infographic. Panels: Regions; ISACA Member; Industries; Main Area of Responsibility. Region notes: * Including Caribbean and Central America; ** Excluding China; † Including Hong Kong and Macau.]

1 Some survey questions included the option to choose “Don’t know” from the list of answers. Where appropriate, “Don’t know” responses were removed
from the calculation of findings, consistent with prior-year survey reports. Result percentages are rounded to the nearest integer.


FIGURE 2: Industries Represented

Please indicate your organization’s primary industry.

Technology services/consulting: 25%
Financial/banking: 21%
Government/military (national/state/local): 14%
Other: 8%
Healthcare/medical: 6%
Manufacturing/engineering: 5%
Telecommunications/communications: 4%
Insurance: 4%
Retail/wholesale/distribution: 2%
Utilities: 2%
Transportation: 2%
Mining/construction/petroleum/agriculture: 2%
Public accounting: 1%
Aerospace: 1%
Legal/law/real estate: 1%
Advertising/marketing/media: 1%
Pharmaceutical: 1%


Cybersecurity Workforce Challenges


Staffing
The percentage of ISACA survey respondents who manage security staff with less than three years of work experience is unchanged (44 percent) for a third consecutive year. Meanwhile, the 2023 spotlight on an aging workforce is trending worse. This year, the age group of respondents between the ages of 45 and 54 (34 percent) overtakes the 35-to-44 age group (30 percent). The percentage of respondents who are ages 34 and below is showing no improvement (figure 3).

Respondents report a slight improvement in appropriate staffing (figure 4). Thirty-eight percent of respondents believe that their cybersecurity team is appropriately staffed, which is two percentage points higher than last year. Respondents who report that their cybersecurity team is somewhat understaffed decreased three percentage points from 2023. Further analysis shows no correlation between staffing levels and whether enterprises use AI to mitigate shortfalls.

FIGURE 3: Workforce by Age

Please select your age.

Values are listed as 2024 / 2023 / 2022.

18-24: <1% / <1% / <1%
25-34: 9% / 9% / 11%
35-44: 30% / 34% / 35%
45-54: 34% / 32% / 30%
55-64: 19% / 19% / 16%
65+: 3% / 2% / 2%
Prefer not to answer: 4% / 4% / 5%


FIGURE 4: Cybersecurity Staffing

How would you describe the current staffing of your organization’s cybersecurity team?

Values are listed as 2024 / 2023.

Significantly understaffed: 14% / 13%
Somewhat understaffed: 43% / 46%
Appropriately staffed: 38% / 36%
Somewhat overstaffed: 2% / 2%
Significantly overstaffed: 1% / 1%
Not applicable: 2% / 2%

Retention

Retention remains level relative to last year’s results and represents a notable shift in employee behavior[2] from the Great Resignation to the Big Stay—many believe this pattern reflects broad economic uncertainty and the geopolitical landscape.[3] Regional data reveals marked differences across reporting areas, with North America reporting the least difficulty retaining talent (figure 5). Regardless of individual reasons to remain in place or pursue new opportunities, respondent data affirms the trend observed previously in ISACA survey results that uncertainty of any kind is usually accompanied by better retention (figure 6).

Sixty-six percent of respondents indicate that their level of occupational stress is higher now than it was five years ago. When asked why their role is more stressful, 81 percent of respondents attribute the increase to an increasingly complex threat environment (figure 7).

2 Kalser, A.; “Employees are staying put — but how long will that last?,” HR DIVE, 23 May 2024, www.hrdive.com/news/attrition-low-but-for-how-long/716827/
3 PoliteMail, “How the Big Stay Has Replaced the Great Resignation,” 13 March 2024, https://politemail.com/how-the-big-stay-has-replaced-the-great-resignation/


FIGURE 5: Retention Difficulty by Region[4]

Has your organization experienced difficulties retaining qualified cybersecurity professionals?

Africa: 65%
China: 56%
Europe: 55%
India: 66%
Latin America: 69%
North America: 49%
Oceania: 64%
Rest of Asia: 65%

FIGURE 6: Retention Difficulties (2019-2024)[5]

Has your organization experienced difficulties retaining qualified cybersecurity professionals?

[Line chart: percentage of respondents answering “yes,” by year, 2019 to 2024.]

4 The figure depicts the percentage of “Yes” responses to the question by reporting region.
5 The figure depicts “Yes” responses for the years 2019 to 2024.


FIGURE 7: Sources of Stress

Please tell us why your role is more stressful today than it was 5 years ago.

Threat landscape is increasingly complex: 81%
Budget is too low: 45%
Hiring/retention challenges have worsened: 45%
Staff are not sufficiently trained/skilled: 45%
Cybersecurity risks are not prioritized: 34%
Other: 11%

Vacancies

Forty-six percent of survey respondents report that their enterprise has open non-entry-level cybersecurity positions, which is down four percentage points from last year.

Eighteen percent of respondent enterprises have open entry-level positions, which is a three percentage-point drop from 2023 (figure 8). Also of interest, the percentage of respondents who report no open positions increases three percentage points over last year.

Time to Fill Open Positions

Respondents report almost no differences in the times to fill entry-level and non-entry-level positions from the times reported in 2023. The lone change is a slight increase of two percentage points in non-entry-level positions reportedly taking three-to-six months to fill (38 percent in 2023) (figure 9).

FIGURE 8: Unfilled Positions

Does your organization have unfilled (open) cybersecurity positions? Select all that apply.

Values are listed as 2024 / 2023.

Non-entry-level positions: 46% / 50%
Entry-level positions: 18% / 21%
No open positions: 38% / 35%
Don’t know: 10% / 8%


FIGURE 9: Time to Fill Cybersecurity Positions

On average, how long does it take your organization to fill a cybersecurity position with a qualified candidate?

Values are listed as Entry-level / Non-entry-level.

< 1 month: 4% / 2%
1 month: 7% / 4%
2 months: 18% / 11%
3–6 months: 37% / 38%
> 6 months: 13% / 27%
Cannot fill open positions: 2% / 2%
Not applicable: 7% / 5%
Don’t know: 12% / 10%

Analyzing Unfilled Positions

Technical nonsupervisory cybersecurity positions remain the top category of vacancies (figure 10), but the real story this year can be seen in the longitudinal data for individual contributors and management levels in figure 11 and figure 12, respectively. Survey data reveal steep declines in vacant technical and nontechnical individual-contributor positions—13 and 9 percentage points, respectively. Cybersecurity manager positions drop nine percentage points (from 60 percent) to the lowest level reported for the State of Cybersecurity Survey. Senior manager/director-level vacancies declined for the third consecutive year to 40 percent. Executive cybersecurity positions also declined—but nominally to 28 percent (from 31 percent).

Future Demand

Demand for technical individual contributors has remained high for many years, and, although future demand for this position is still high, it declined last year and continues to fall (by five percentage points) to the lowest level reported for the State of Cybersecurity Survey (figure 13).


FIGURE 10: Percentages of Unfilled Positions at Given Organizational Levels

How many of your unfilled (open) cybersecurity positions are at the following levels?

Values are listed as All / Most / Some / Few / None.

Individual contributor/technical cybersecurity: 8% / 30% / 27% / 11% / 23%
Individual contributor/nontechnical cybersecurity: 3% / 10% / 30% / 21% / 36%
Cybersecurity manager: 3% / 10% / 21% / 23% / 43%
Senior manager/director of cybersecurity: 3% / 9% / 12% / 21% / 55%
Executive or C-suite cybersecurity (e.g., CISO): 3% / 6% / 9% / 14% / 67%

FIGURE 11: Unfilled Positions Reporting—Individual Contributors (2018-2024)[6]

[Line chart, 2018 to 2024. Series: Individual contributor/technical cybersecurity; Individual contributor/nontechnical cybersecurity.]

6 This figure compares reported unfilled position data from 2018 to 2024 survey results. Percentages represent the sum of all reported vacancy
percentages for each position and exclude the “Don’t Know” and “None” responses.


FIGURE 12: Unfilled Position Reporting—Management (2018-2024)[7]

[Line chart, 2018 to 2024. Series: Cybersecurity manager; Senior manager/director of cybersecurity; Executive or C-suite cybersecurity (e.g., CISO).]

FIGURE 13: Future Hiring Demand

In the next year, do you see the demand for the following cybersecurity position levels increasing, decreasing, or remaining the same?

Values are listed as Increase / No change / Decrease.

Individual contributor/technical cybersecurity: 73% / 23% / 3%
Individual contributor/nontechnical cybersecurity: 45% / 46% / 8%
Cybersecurity manager: 48% / 47% / 5%
Senior manager/director of cybersecurity: 38% / 56% / 6%
Executive or C-suite cybersecurity (e.g., CISO): 32% / 63% / 6%

7 This figure compares reported unfilled position data from 2018 to 2024 survey results. Percentages represent the sum of all reported vacancy
percentages for each position and exclude the “Don’t Know” and “None” responses.


Future demand for nontechnical individual contributor and cybersecurity manager positions are unchanged, while future demand for senior- and executive-level cybersecurity positions is reported to increase slightly, each increasing two percentage points from the previous year. Note that the seven-year trend between years is very similar for technical and nontechnical individual contributors. Figure 14 shows historical views on this question.

FIGURE 14: Hiring Demand Trending (2018-2024)

[Line chart, 2018 to 2024. Series: Individual contributor/technical cybersecurity; Individual contributor/nontechnical cybersecurity; Cybersecurity manager; Senior manager/director of cybersecurity; Executive or C-suite cybersecurity (e.g., CISO).]

Attrition

As previously stated, industry reporting suggests that economic conditions are discouraging employees from leaving current jobs—at least within the United States. However, attrition cannot be entirely prevented. Although the cybersecurity profession historically favors well-qualified job seekers, this year’s data reflects large drops in the top two reasons why cybersecurity professionals leave their jobs (figure 15). Recruitment by other companies and poor financial incentives remain the largest perceived reasons why cybersecurity professionals leave positions—each at 50 percent. High work-stress levels increase by 3 percentage points (46 percent), which is a rebound from last year’s minor dip. High work stress is now tied with limited promotion and development opportunities, which decreases 2 percentage points from one year ago. The ongoing employer-employee struggle over return-to-office mandates is likely fueling the increase in the percentage of respondents who believe that limited remote work possibilities is a cause for cybersecurity professionals leaving their current jobs, which rose four percentage points from 2023 and eight percentage points since 2022.

Employer Benefits Are Decreasing

The 2024 survey data show that employer benefits are tightening (figure 16). Respondents report major cuts to professional development training (seven percentage-point drop) and a six percentage-point fall in employers offering flex hours. Professional development budgets are commonly cut when enterprises seek cost savings. The reasons for cutting this budget are not conclusive but may include unclear business value.[8] The favorable reporting on employer benefits is that employers are still covering employee certification fees, and university tuition reimbursement increases slightly.

8 Everett, C.; “Training budgets first to be cut due to unclear business value,” HR Zone Ltd, 14 February 2012, https://hrzone.com/training-budgets-first-to-be-cut-due-to-unclear-business-value/


FIGURE 15: Why Cybersecurity Professionals Leave Their Jobs

Which, if any, of the following factors do you feel are causing cybersecurity professionals to leave their current jobs?

Values are listed as 2024 / 2023.

Recruited by other companies: 50% / 58%
Poor financial incentives (e.g., salaries or bonuses): 50% / 54%
Limited promotion and development opportunities: 46% / 48%
High work stress levels: 46% / 43%
Lack of management support: 34% / 34%
Poor work culture/environment: 32% / 33%
Limited remote work possibilities: 32% / 28%
Inflexible work policies: 22% / 21%
Limited opportunities to work with latest technologies (e.g., AI): 19% / 20%
Family situation changes (e.g., children born, marriage): 15% / 14%
Retirement: 14% / 13%
Desire work in new industry: 13% / 16%
Switching careers (e.g., leaving cybersecurity entirely): 11% / 9%
Lack of workplace diversity: 7% / 9%
Don’t know: 5% / 6%
Other (please specify): 2% / 3%


FIGURE 16: Employer Benefits

Which of the following benefits does your employer offer? Select all that apply.

Values are listed as 2024 / 2023.

Pays employee certification fees: 65% / 65%
Professional development training: 57% / 64%
Pays employee certification maintenance: 54% / 55%
Flex work hours: 50% / 56%
University tuition reimbursement: 29% / 28%
Paid volunteer time: 19% / 21%
Recruitment bonus: 16% / 18%
Signing bonus: 14% / 16%
None of the above: 10% / 8%

Pipeline Progress

Qualifying Applicants

Respondent views on whether candidates are well qualified for vacancies[9] crept up slightly by two percentage points from last year to 28 percent (figure 17).

Figure 18 shows that prior hands-on cybersecurity experience dominates as the primary factor (73 percent) in determining whether a candidate is considered qualified. Views on credentials and hands-on training are unchanged. Respondents place less emphasis on prior-employer recommendations and university degrees than last year—each fall three percentage points. Surprisingly, the importance of association membership climbed four percentage points.

Respondents report that although soft skills continue to dominate all other skill gaps (51 percent), soft skills decrease four percentage points from last year’s survey results. Respondents report betterments in cloud

9 Derived from a combination of the 50-75% and 76-100% responses.


FIGURE 17: Percentage of Cybersecurity Applicants Who Are Well Qualified

On average, how many cybersecurity applicants are well qualified for the position for which they are applying?

0%: 1%
1-25%: 24%
26-49%: 26%
50-75%: 22%
76-100%: 6%
Not applicable: 16%
Don’t know: 5%

FIGURE 18: Candidate Qualifications

How important are each of the following factors in determining if a cybersecurity candidate is qualified?

Values are listed as Very important / Somewhat important / Not very important / Not at all important / Don’t know.

Prior hands-on cybersecurity experience: 73% / 22% / 3% / 1% / 2%
Credentials: 38% / 51% / 7% / 1% / 3%
Hands-on training: 27% / 54% / 15% / 2% / 2%
Employer recommendation: 20% / 46% / 25% / 5% / 4%
University degree: 21% / 46% / 23% / 8% / 3%
Association membership: 9% / 34% / 37% / 16% / 4%


computing (down five percentage points); coding (down three percentage points); and software development-related topics, data-related topics, and pattern analysis—each down two percentage points. Security controls (35 percent), network operations (21 percent), and computing devices (10 percent) are unchanged. New for 2024, two response options—LLM SecOps and ML SecOps—are added to this question. Twenty-four percent of respondents select these skill gaps (figure 19).

FIGURE 19: Quantified Skill Gaps

What are the biggest skill gaps you see in today’s cybersecurity professionals?

Soft skills (e.g., communication, flexibility, leadership): 51%
Cloud computing: 42%
Security controls (e.g., endpoint, network, application) implementation: 35%
Software development-related topics (e.g., languages, machine code, testing, deployment): 28%
Coding skills: 27%
Data-related topics (e.g., characteristics, classification, processing, structure): 26%
Networking-related topics (e.g., architecture, addressing, networking components): 26%
LLM SecOps: 24%
ML SecOps: 24%
System hardening: 22%
Network operations (e.g., configuration, performance monitoring): 21%
Pattern analysis: 18%
Computing devices (e.g., hardware, software, file systems): 10%
Don’t know: 10%
Other (please specify): 4%


University Insights

Respondent views about whether recent university graduates are well prepared for enterprise cybersecurity challenges are unchanged from last year (figure 20), yet the percentage of respondent enterprises requiring a degree to fill entry-level cybersecurity positions (figure 21) increases three percentage points (55 percent). When asked about skill gaps among recent university graduates, respondent views are mixed, but soft skills and security controls remain the top-two skill gaps observed by respondents (figure 22). To keep current with advancements in security operations, ML SecOps and LLM SecOps are added to the response options for the skill gaps question in the 2024 survey. Seventeen percent of respondents believe that these are skill gaps.

Regional requirements for a university degree vary. Africa saw a seven percentage-point climb (76 percent) in the requirement, which may be due to the small sample size. European respondents continue to be reluctant to require a university degree for entry-level cybersecurity positions and report another incremental decrease (43 percent). Europe is second only to Oceania (38 percent).

FIGURE 20: Cybersecurity Degree Confidence


To what extent do you agree or disagree that recent university graduates in cybersecurity are well prepared for the cybersecurity challenges in your organization?

Strongly agree 4%
Agree 23%
Neither agree nor disagree 39%
Disagree 19%
Strongly disagree 6%
Don’t know 9%

FIGURE 21: University Requirement

Does your organization typically require a university degree to fill your entry-level cybersecurity positions?

Yes 55%
No 35%
Don’t know 9%



FIGURE 22: Skill Gaps Among Recent Graduates10

Which of the following skills gaps have you noticed among recent university graduates?

[Bar chart comparing 2024, 2023, 2022 and 2021 responses for: Soft skills (e.g., communication, flexibility, leadership); Security controls (e.g., endpoint, network, application) implementation; Network-related topics (e.g., architecture, addressing, networking components); Network operations (e.g., configuration, performance monitoring); System hardening; Data-related topics (e.g., characteristics, classification, processing, structure); Software development-related topics (e.g., languages, machine code, testing, deployment); Pattern analysis; Coding skills; Computing devices (e.g., hardware, software, file systems); LLM SecOps; ML SecOps; Other (please specify).]

10 LLM SecOps and ML SecOps are new response options in 2024.


Qualifying Workforce Issues

For 2024, the reported top-three security skills change (figure 23). Data protection (46 percent) overtakes identity and access management (45 percent), while incident response (44 percent) ranks higher than cloud computing (43 percent) in this year’s survey results. DevSecOps falls eight percentage points (28 percent); data collection/correlation (30 percent) and threat hunting (26 percent) drop three percentage points; and forensics drops two percentage points (18 percent). Ten percent of respondents believe that the newly added responses, ML SecOps and LLM SecOps, belong in the top-five most important security skills needed in their enterprises.

Respondent reporting about required soft skills for security professionals (figure 24) shows that communication (both listening and speaking skills) (56 percent), critical thinking (54 percent), and problem solving (50 percent) remain the top-three required soft skills. The survey results show a concerning trend in ethics—attention to detail (35 percent) falls three percentage points since 2022, honesty (15 percent) continues not to be recognized as sufficiently important, and empathy (11 percent) drops two percentage points.

Professional Development Needs by Career Stage

Respondent data shows that the top-three areas where staff with less than three years of work experience (early career) require the most professional development/training are security controls (58 percent), soft skills (55 percent), and cloud computing (44 percent). Security controls and soft skills improved by three and five percentage points, respectively, from 2023 survey results.

When comparing this early-career group against university graduates and those with more experience (figure 25), a prevailing theme surfaces for many training areas—proficiency improves markedly as individuals advance in their careers, which is logical. This theme diverges with cloud computing, software development-related topics, coding, ML SecOps, and LLM SecOps because early-career professionals have greater perceived proficiency than the career groups above and below them. In an era where professional development budgets are often targets for cost savings, this observation underscores the need for continuous learning/upskilling—especially on emerging technology—for employees who have been in the cybersecurity profession for a longer time.

Human Capital Mitigations

Forty-one percent of respondents indicate that their enterprises leverage training to allow interested nonsecurity professionals to move into security roles as a method of mitigating skill gaps. Respondents report decreased usage of contracted help or outside consultants (36 percent) to help decrease skill gaps. After a sizeable decline in 2023, reliance on AI or automation rebounds to 23 percent. Reskilling programs (21 percent), use of performance-based training, and credentials (19 percent) remain unchanged, while the use of apprenticeship programs (16 percent) slid three percentage points (figure 26).


FIGURE 23: Top Five Security Skills

Please choose the top five most important security skills needed in your organization today.

Data protection: 46% (2024), 44% (2023), 47% (2022)
Identity and access management (IAM): 45% (2024), 49% (2023), 46% (2022)
Incident response: 44% (2024), 44% (2023), 43% (2022)
Cloud computing: 43% (2024), 48% (2023), 52% (2022)
Threat detection technologies (e.g., IDS, IPS, UTM): 31% (2024), 31% (2023), 29% (2022)
Data collection and correlation (e.g., SIEM, SOAR): 30% (2024), 33% (2023), 31% (2022)
Endpoint security (e.g., EDR, XDR): 29% (2024), 30% (2023), 32% (2022)
DevSecOps: 28% (2024), 36% (2023), 36% (2022)
Vulnerability scanning: 27% (2024), 28% (2023), 30% (2022)
Penetration testing: 27% (2024), 27% (2023), 27% (2022)
Threat hunting: 26% (2024), 29% (2023), 28% (2022)
Vulnerability discovery: 25% (2024), 24% (2023), 24% (2022)
Forensics: 18% (2024), 20% (2023), 21% (2022)
Network segmentation: 16% (2024), 16% (2023), 17% (2022)
LLM SecOps: 10% (2024)
ML SecOps: 10% (2024)
Virtualization: 9% (2024), 10% (2023), 11% (2022)


FIGURE 24: Top Five Soft Skills


Please choose the top five most important soft skills needed by security professionals in your organization today.

Communication (both listening and speaking skills): 56% (2024), 58% (2023), 57% (2022)
Critical thinking: 54% (2024), 54% (2023), 56% (2022)
Problem-solving: 50% (2024), 49% (2023), 49% (2022)
Teamwork (includes collaboration and cooperation): 44% (2024), 45% (2023), 44% (2022)
Attention to detail: 35% (2024), 36% (2023), 38% (2022)
Adaptability to change: 35% (2024), 33% (2023), 32% (2022)
Decision making: 29% (2024), 31% (2023), 30% (2022)
Attitude: 26% (2024), 27% (2023), 24% (2022)
Leadership qualities: 28% (2024), 26% (2023), 29% (2022)
Time management: 27% (2024), 25% (2023), 27% (2022)
Work ethic: 25% (2024), 25% (2023), 23% (2022)
Writing skills: 19% (2024), 23% (2023), 22% (2022)
Conflict resolution: 21% (2024), 22% (2023), 22% (2022)
Honesty: 15% (2024), 17% (2023), 16% (2022)
Empathy: 11% (2024), 13% (2023), 13% (2022)


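FIGURE 25: Professional Development Needs by Career Stage11

Thinking about your security staff with less than 3 years of work experience, in which of the following areas is professional development/training most needed? Select all that apply.

Security controls (e.g., endpoint, network, application) implementation: 59% (University graduate), 58% (Early career), 35% (Current workforce)
Soft skills (e.g., communication, critical thinking, flexibility, leadership): 64% (University graduate), 55% (Early career), 51% (Current workforce)
Cloud computing: 38% (University graduate), 44% (Early career), 42% (Current workforce)
Network-related topics (e.g., architecture, addressing, networking components): 43% (University graduate), 40% (Early career), 26% (Current workforce)
Network operations (e.g., configuration, performance monitoring): 41% (University graduate), 35% (Early career), 21% (Current workforce)
System hardening: 38% (University graduate), 31% (Early career), 22% (Current workforce)
Data-related topics (e.g., characteristics, classification, collection, processing, structure): 35% (University graduate), 28% (Early career), 26% (Current workforce)
Pattern analysis: 24% (University graduate), 21% (Early career), 18% (Current workforce)
Software development-related topics (e.g., languages, machine code, testing, deployment): 25% (University graduate), 21% (Early career), 28% (Current workforce)
Coding skills: 21% (University graduate), 18% (Early career), 27% (Current workforce)
Computing devices (e.g., hardware, software, file systems): 20% (University graduate), 17% (Early career), 10% (Current workforce)
ML SecOps: 17% (University graduate), 14% (Early career), 24% (Current workforce)
LLM SecOps: 17% (University graduate), 12% (Early career), 24% (Current workforce)
Other: 9% (University graduate), 3% (Early career), 4% (Current workforce)

11 This chart is a comparative analysis based on respondent views about which professional development/training areas are MOST needed by university graduates, early career, and all others.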


FIGURE 26: Means of Mitigating Technical Skill Gaps

Which, if any, of the following has your organization undertaken to help decrease technical cybersecurity skills gaps? Select all that apply.

Training to allow nonsecurity staff who are interested to move into security roles: 41% (2024), 45% (2023), 45% (2022)
Increased usage of contract employees or outside consultants: 36% (2024), 38% (2023), 42% (2022)
Increased reliance on artificial intelligence or automation: 23% (2024), 19% (2023), 25% (2022)
Increased use of reskilling programs: 21% (2024), 21% (2023), 21% (2022)
Increased use of performance-based training to attest to actual skill mastery: 20% (2024), 20% (2023), 22% (2022)
Increased reliance on credentials to attest to actual subject matter expertise: 19% (2024), 18% (2023), 19% (2022)
Apprenticeships/internships: 16% (2024), 19% (2023)
Nothing has been done: 15% (2024), 12% (2023), 14% (2022)
Organization has no skills gap: 4% (2024), 3% (2023), 3% (2022)
Other: 2% (2024), 1% (2023), 1% (2022)


Organizations continue to leverage online learning websites primarily (54 percent) to increase nontechnical skills of staff. Corporate training events increases two percentage points (44 percent), while mentoring (43 percent) declines three percentage points from 2023 survey results. Figure 27 shows employer actions to overcome soft skills shortcomings.

FIGURE 27: Means of Mitigating Nontechnical Skill Gaps

Which, if any, of the following has your organization undertaken to help decrease nontechnical skills gaps? Select all that apply.

Online learning websites (e.g., LinkedIn Learning, Coursera, edX): 54% (2024), 53% (2023), 55% (2022)
Corporate training events: 44% (2024), 42% (2023), 42% (2022)
Mentoring: 43% (2024), 46% (2023), 45% (2022)
Academic tuition reimbursement: 21% (2024), 20% (2023), 24% (2022)
Nothing has been done: 18% (2024), 17% (2023), 17% (2022)
Organization has no nontechnical skills gap: 4% (2024), 3% (2023), 3% (2022)
Other: 1% (2024), 2% (2023), 1% (2022)

Cybersecurity Budgets in Decline

After two years of respondents strongly feeling that budgets are appropriately funded, data show a significant drop in cybersecurity funding levels (figure 28). Thirty-six percent of respondents indicate that their budgets are appropriately funded, which is a five percentage-point drop from last year; forty-four percent of respondents feel that their budgets are somewhat underfunded, which is an increase of four percentage points. When asked how they expect budgets to change in the next 12 months, respondent data are bleak (figure 29). Only 47 percent of respondents believe that budgets will increase (down four percentage points), while 41 percent (an increase of three percentage points) of respondents say that budgets will remain the same. Thirteen percent of respondents expect budgets to shrink over the next year—a view that is incrementally growing since 2022. The nine-year outlook on enterprise security budgets no longer shows leveling, instead shows a potential multiyear freefall (figure 30).


FIGURE 28: Cybersecurity Funding Perception


Do you feel your organization’s cybersecurity budget is currently:

Significantly overfunded 1%
Somewhat overfunded 3%
Appropriately funded 36%
Somewhat underfunded 44%
Significantly underfunded 15%

FIGURE 29: Enterprise Security Budget Outlook


How, if any, will your organization’s cybersecurity budget change in the next 12 months?

Significantly increase: 5% (2024), 5% (2023), 7% (2022), 5% (2021), 4% (2020)
Somewhat increase: 42% (2024), 46% (2023), 48% (2022), 47% (2021), 54% (2020)
Remain unchanged: 41% (2024), 38% (2023), 38% (2022), 27% (2021), 29% (2020)
Somewhat decrease: 11% (2024), 9% (2023), 6% (2022), 16% (2021), 11% (2020)
Significantly decrease: 2% (2024), 2% (2023), 2% (2022), 4% (2021), 2% (2020)


FIGURE 30: Forecasted Security Budget Increases (9 Year)

[Line chart: forecasted security budget increases by survey year, 2016 through 2024; y-axis 0% to 100%.]

Cyberattacks, Detection, and Threat Actors

Respondent organizations are experiencing more cyberattacks compared to a year ago. Figure 31 shows a seven-year trend. Confidence levels surrounding the ability of respondent organizations to respond to cyberthreats show no notable change from 2023 (figure 32).

FIGURE 31: Year Over Year Comparison of Cybersecurity Attack Reporting12

[Grouped bar chart: respondents reporting more attacks, the same number of attacks, or fewer attacks, by survey year, 2018 through 2024; y-axis 0% to 100%.]

12 The responses “I don’t know” and “prefer not to say” are omitted from this figure.


FIGURE 32: Organizational Confidence


How confident are you overall in your organization’s cybersecurity team’s ability to detect and respond to cyberthreats?

Completely confident 7%
Very confident 33%
Somewhat confident 39%
Not so confident 9%
Not at all confident 2%
Don’t know 5%
Prefer not to answer 5%

Nearly half of respondents believe that their enterprises will experience a cyberattack next year (figure 33), which is similar to last year’s survey results.

Data surrounding threat actors nearly mirror last year’s data and are consistent with prior-year survey results (figure 34), with two minor differences. Nonmalicious insider exploits drop two percentage points (nine percent), which is an acceptable metric that is likely attributed to cybersecurity training and awareness programs and insider-threat awareness education. The respondents selecting the “Not applicable” answer declines three percentage points to 23 percent, which is not surprising given an increasingly complex threat landscape.

The use of social engineering as an attack vector increases four percentage points (19 percent) and remains the prominent type of attack. Figure 35 shows the attack types that hackers used to successfully exploit respondent enterprises.

FIGURE 33: Likelihood of Attack

How likely is it that your organization will experience a cyberattack next year?

[Pie chart; response options: Very likely, Likely, Neither likely nor unlikely, Unlikely, Very unlikely, Don’t know, Prefer not to answer.]


FIGURE 34: Threat Actors


If your organization was exploited this year, which of the following threat actors were to blame? Select all that apply.

Cybercriminals 28%
Hackers 20%
Nation/state 13%
Malicious insiders 12%
Hacktivists 10%
Nonmalicious insiders 9%
Not applicable 23%
Prefer not to answer 21%
Don’t know 17%
Other 1%


FIGURE 35: Attack Types

If your organization was compromised this year, which of the following attack types were used? Select all that apply.

Social engineering 19%

Malware 13%

Denial of service (DoS) 11%

Unpatched systems 11%

Third party 10%

Zero-day exploit 10%

Sensitive data exposure 9%

Security misconfiguration 9%

Advanced persistent threat (APT) 8%

Password attack 8%

Broken access control 6%

Broken authentication 5%

Cross-site scripting 5%

Injection flows and/or attacks 5%

Insider theft 5%

Man in the middle 5%

Physical loss of mobile devices 5%

Mobile malware 4%

IoT attack 3%

Other means of cyberattack 3%

Cryptojacking 2%

Insecure deserialization 2%

Living off the land (LOTL) 2%

Watering hole 2%

Not applicable 27%

Prefer not to answer 20%

Don’t know 16%


Cyberrisk

Respondent beliefs about whether their board of directors adequately prioritizes cybersecurity remain unchanged this year. Fifty-six percent of respondents believe that their board of directors adequately prioritizes enterprise cybersecurity. Nine percent of respondent executive-leadership teams do not find value in conducting cyberrisk assessments (figure 36), which is surprising in the current era of cyberattacks.

Forty-one percent of respondent enterprises conduct cyberrisk assessments annually (figure 37), which is a two-point increase from last year. All other response options, except “Don’t know,” remain unchanged. Respondents indicating “Don’t know” decreases three percentage points from last year’s survey results.

Enterprises face many obstacles to performing cyberrisk assessments. The percentage of respondent enterprises affected by these barriers is largely unchanged from last year. Time commitment remains key (41 percent); however, lack of internal expertise increases two percentage points (24 percent) and lack of funds to outsource to a third party increases four percentage points (18 percent) from 2023.

FIGURE 36: Executive Leadership Value

Does your executive leadership team see value in conducting a cyberrisk assessment?

Yes 81%
No 9%
Don’t know 10%

FIGURE 37: Cyberrisk Frequency


How often is a cyberrisk assessment performed on your organization?

Never 2%
Monthly 8%
Every 1-6 months 20%
Every 7-12 months 7%
Annually 41%
Every 1-2 years 6%
2 years or longer 3%
Don’t know 12%


Cyberinsurance

The topic of cyberinsurance is added to the State of Cybersecurity Survey in 2024. The cyberinsurance questions ask respondents about their knowledge of the type of cyberinsurance that their enterprise purchased, whether the policy is adequate to address cyberrisk, and whether their enterprise cyberinsurance policy was ever used.

Ten percent of respondents report that their enterprise has first-party cyberinsurance (figure 38), which generally covers the costs associated with investigating and responding to cyberevents and includes the financial impact on business operations. Sixteen percent of respondents report that their enterprise has only third-party cyberliability insurance, which addresses financial indemnity to the enterprise for claims of damages resulting from a cyberevent.13 Fifteen percent of respondents indicate that their enterprise has first-party and third-party cyberinsurance. Fourteen percent of respondent enterprises do not carry cyberinsurance.

The bigger story in the data is that almost half of the survey respondents do not know what kind of cyberinsurance their enterprise carries. Survey results show a relationship between respondent knowledge of enterprise cyberinsurance and enterprise size; specifically, the greatest number of respondents who report no knowledge about their enterprise cyberinsurance work for enterprises with more than 10,000 employees. From a regional perspective, 57 percent of those in Oceania lacked knowledge of enterprise cyberinsurance type, followed by North America (49 percent) and Europe (43 percent). Although views may vary about whether cybersecurity professionals need to know the type of cyberinsurance carried by the enterprise, the benefits to having this knowledge include the ability to help plan for incidents and other claimable events, and their subsequent responses (e.g., incident response playbooks). Considering that an enterprise risk profile highly influences cyberinsurance premiums,14 not knowing can result in organizational dismay if expectations surrounding coverage go unmet. Lastly, insurers increasingly require minimal levels of care; therefore, close collaboration between those who secure cyberinsurance for the enterprise and key security professionals can help decrease the risk profile and improve rates.

FIGURE 38: Cyberinsurance Type

What kind of cyberinsurance, if any, does your organization carry?

First party 10%
Third party 16%
Both first party and third party 15%
No cyberinsurance 14%
Don’t know 45%

13 Vaideeswaran, N.; “Cyber Insurance Explained,” 22 February 2024, www.crowdstrike.com/cybersecurity-101/cyber-insurance/

14 Bedard, T.; “Cyber Insurance: Why You Need It and What to Look for in a Policy,” proofpoint, 20 May 2024, www.proofpoint.com/us/blog/email-and-cloud-threats/what-to-look-for-cyber-insurance-coverage


Ninety-six percent of respondents in enterprises that have cyberinsurance report that their enterprise cyberinsurance policy at least somewhat addresses their enterprise risk profile (figure 39). One-third of these respondents report that their enterprise used its cyberinsurance policy (figure 40). Of those respondents who are aware that their enterprise used its cyberinsurance policy, most believe that their policy has complete coverage.

FIGURE 39: Adequacy of Cyberinsurance

Does your organization’s cyberinsurance policy adequately address your risk profile?

[Pie chart; response options: Completely, Somewhat, Not at all.]

FIGURE 40: Utilization of Cyberinsurance

Has your organization ever used its cyberinsurance policy?

Yes 33%
No 67%


Security Operations: Focus on Artificial Intelligence

Roughly one-third of respondent enterprises have security teams consisting of more than 25 individuals (figure 41); however, the average size of staff is 16 individuals.

ISACA added questions about the use of AI in security operations to the State of Cybersecurity Survey in 2024. Figure 42 shows how AI is being used in respondent enterprise security operations. Automating threat detection/response (28 percent) and endpoint security (27 percent) are the most popular applications of AI. Those respondents reporting that their enterprise is increasing reliance on AI or automation to decrease the cybersecurity technical skills gap still say that their cybersecurity teams do not have enough workers.

FIGURE 41: Security Team Size


Please indicate the size of your security staff.

1 6
2-5 28
6-10 20
11-25 13
More than 25 32

FIGURE 42: AI Use in Security Operations


Does your organization use artificial intelligence (AI) in any of the following security operations?

Automating threat detection/response 28%
Endpoint security 27%
Automating routine security tasks 24%
Fraud detection 13%
Other 2%
None of the above 20%
Prefer not to answer 18%
Don’t know 17%


Security operations is just one of the areas in which AI can help enterprises. ISACA sought to understand how respondents are involved with AI policies and onboarding solutions for other areas of the business.

When asked whether the respondent or anyone on their team was involved in the development, onboarding, or implementation of AI solutions, the respondent answers are disheartening (figure 43). Nearly half (45 percent) of respondents report no involvement, which holds true for Europe, India, Latin America, North America, and Oceania data. Twelve percent of respondents indicate that the question does not apply to their organization. Responses are similar across cybersecurity staffing and budgetary views. Respondents in enterprises with more than 10,000 employees report less involvement than respondents in smaller organizations, which is understandable and provides an opportunity to increase collaboration and transparency in decision making.

When asked whether the respondent or anyone on their team was involved in the development of a policy governing the use of AI technology in their enterprise (figure 44), the respondent answers are equally disappointing. Only 35 percent of respondents report involvement. Ten percent of respondents indicate that the question does not apply. Respondents who are employed by enterprises with 500-to-4,999 employees report greater involvement than respondents employed by enterprises with fewer than 500 employees.

FIGURE 43: Involvement of AI Life Cycle

Were you, or anyone on your team, involved in the development, onboarding, or implementation of AI solutions?

Yes 29%
No 45%
Not sure 14%
Does not apply to my organization 12%

FIGURE 44: Involvement in AI Policy

Were you, or anyone on your team, involved in the development of a policy governing the use of AI technology in your organization?

Yes 35%
No 41%
Not sure 14%
Does not apply to my organization 10%


Conclusion: Focus on Cybersecurity Readiness

The ISACA global State of Cybersecurity Survey has been conducted for a decade. Although 10 years is a relatively long time for a comparatively new profession, some of the challenges reported from the survey have not changed much over these 10 years.

The demand for cybersecurity talent has been consistently high, yet efforts to increase supply are not reflected in the global ISACA IS/IT-community workforce. The current cybersecurity practitioners are aging, and the efforts to increase staffing with younger professionals are making little progress. Left unchecked, this situation will create business continuity issues in the future.

Shrinking budgets and employee compensation carry the potential to adversely affect cybersecurity readiness much sooner than the aging workforce, when the Big Stay passes. Declines in vacant positions across all reporting categories may lead some enterprises to believe that the pendulum of power will swing back to employers, but the increasingly complex threat environment is greatly increasing stress in cybersecurity teams; therefore, the concern is not if, but when, employees will reach their tipping point to vacate current positions.

Although nearly half of respondents indicate that their enterprises leverage training to allow interested nonsecurity professionals to move into security roles, declining professional development training budgets are concerning. This approach may also demotivate existing staff. The significant drop in cybersecurity funding levels reported this year points to the beginning of a multiyear freefall.

Although this year’s survey data show fewer exploitations attributed to nonmalicious insiders, effective insider-threat and cybersecurity training and awareness programs alone do not protect enterprises in today’s everchanging threat landscape. Moreover, data reveal major unawareness in the type of cyberinsurance that enterprises carry, which may result in inflated confidence by senior leadership about what these policies cover. Finally, this year’s survey results affirm that the use of AI in security operations is still novel; however, the involvement of security professionals in the development, onboarding, and implementation of AI is astonishingly low. Most concerning is the lack of involvement in the development of a policy that governs the use of AI technology within respondent enterprises.


Acknowledgments
ISACA would like to recognize:

Board of Directors
John De Santis, Chair
Former Chairman and Chief Executive
Officer, HyTrust, Inc., USA

Niel Harper, Vice-Chair
CISA, CRISC, CDPSE, CISSP, NACD.DC
Chief Information Security Officer and
Data Protection Officer, Doodle, Former
Chief Information Security Officer, United
Nations Office for Project Services
(UNOPS), Germany

Pamela Nigro
ISACA Board Chair, 2022-2023
CISA, CGEIT, CRISC, CDPSE, CRMA
Vice President, Security, Medecision, USA

Tracey Dedrick
ISACA Board Chair, 2020-2021
Former Executive Vice President and
Head of Enterprise Risk Management,
Santander Holdings, USA

Brennan P. Baybeck
ISACA Board Chair, 2019-2020
CISA, CISM, CRISC, CISSP
Senior Vice President and Chief
Information Security Officer for
Customer Services, Oracle Corporation,
USA

Stephen Gilfus
Managing Director, Oversight Ventures
LLC, Chairman, Gilfus Education Group
and Founder, Blackboard Inc., USA

Gabriela Hernandez-Cardoso
NACD.DC
Former President and CEO, GE Mexico,
Independent Board Member, Mexico

Jason Lau
CISA, CISM, CGEIT, CRISC, CDPSE, CIPM,
CIPP/E, CIPT, CISSP, FIP, HCISPP
Chief Information Security Officer,
Crypto.com, Singapore

Massimo Migliuolo
Independent Board Member, Malaysia

Jamie Norton
CISA, CISM, CGEIT, CIPM, CISSP
Partner, McGrathNicol, Australia

Maureen O’Connell
NACD.DC
Board Chair, Acacia Research (NASDAQ),
Former Chief Financial Officer and Chief
Administration Officer, Scholastic, Inc.,
USA

Erik Prusch
Chief Executive Officer, ISACA, USA

Asaf Weisberg
CISA, CISM, CGEIT, CRISC, CSX-P, CDPSE
Chief Executive Officer, introSight Ltd.,
Israel


About ISACA
For more than 50 years, ISACA® (http://www.isaca.org) has advanced the best talent, expertise and learning in technology. ISACA equips individuals with knowledge, credentials, education and community to progress their careers and transform their organizations, and enables enterprises to train and build quality teams that effectively drive IT audit, risk management and security priorities forward. ISACA is a global professional association and learning organization that leverages the expertise of more than 150,000 members who work in information security, governance, assurance, risk and privacy to drive innovation through technology. It has a presence in 188 countries, including more than 220 chapters worldwide. In 2020, ISACA launched One In Tech, a philanthropic foundation that supports IT education and career pathways for under-resourced, under-represented populations.

1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org
Participate in the ISACA Online Forums: https://engage.isaca.org/onlineforums
X: www.X.com/ISACANews
LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAGlobal
Instagram: www.instagram.com/isacanews/

About Adobe
Adobe is changing the world through digital experiences. Great experiences have the power to inspire, transform, and move the world forward, and every great experience starts with creativity. Creativity is in our DNA—our game-changing innovations are redefining the possibilities of digital experiences. We connect content and data and introduce new technologies that democratize creativity, shape the next generation of storytelling, and inspire entirely new categories of business.

RESERVATION OF RIGHTS
© 2024 ISACA. All rights reserved.

DISCLAIMER
ISACA has designed and created State of Cybersecurity 2024: Global Update on Workforce Efforts, Resources, and Cyberoperations (the “Work”) primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.
