Cybersecurity professionals from around the world recently weighed in on some of the key findings from ISACA’s latest State of Cybersecurity survey report. Aparna Achanta, security leader, IBM (US); Simon Backwell, head of information security, Benefex (UK); Donavan Cheah, senior cybersecurity consultant, Thales (Singapore); Jenai Marinkovic, vCISO/CTO, Tiro Security, and CEO & chairman of the board, GRCIE (US); Kannammal Gopalakrishnan, cybersecurity and GRC professional (India), and Carlos Portuguez, Sr. Director BISO, Concentrix (Costa Rica)—all of whom are also members of ISACA’s Emerging Trends Working Group—reflect on how these stats show up for them in the profession.
55 percent of survey respondents report that their cybersecurity teams are understaffed, and half struggle to retain cyber talent. Why do you think that is, and what can cybersecurity leaders/organizations do about it?
“I see the greatest difficulty that is faced being the level of work cybersecurity teams must commit to. Teams are overworked and potentially already understaffed due to roles not being backfilled. This leads to burnout and more personnel leaving. Furthermore, more lucrative career prospects may lie elsewhere. As cyber leaders, we need to ensure that team morale and mental health are key priorities, but also that our executive teams are aware of these concerns, so that they can plan accordingly and hopefully retain staff. This can be via improving career paths or progression or looking at restructuring teams to rebalance workloads.”
- Simon Backwell
“Retaining people is always a challenge in a very high demand market. I see limited availability of well-educated and experienced practitioners to hire for cybersecurity specialist roles. Adding to this challenge is today's global economic situation, in which countries are experiencing inflation that is impacting revenue generation for companies. This, plus other geopolitical factors, can cause employees to always be looking for better opportunities to keep up with their living expenses. Leaders should come up with benefits that will retain talent, like a work from home policy, paid training and certifications, and a recognition program where people feel incentivized and motivated.”
- Carlos Portuguez
“Cybersecurity leaders need to take a strategic and holistic approach to staffing by building targeted upskilling and reskilling programs to bridge competency gaps; aligning compensation, growth opportunities, and career pathways with market standards to stay competitive; and then embedding clear objectives and key results to measure and demonstrate the impact of these initiatives. They need to also take additional steps to foster a strong culture of purpose, recognition, and inclusivity so that employees feel valued and engaged, and adopt flexible work models and mentorship programs that improve work-life balance and long-term retention.”
- Kannammal Gopalakrishnan
66 percent say their role is more stressful than five years ago. What makes you feel most stressed about your job? What steps do you take to address stress? How do you help your teams navigate increased stress?
“I feel most stressed about the level of workload and pressure to ensure protection. When the slightest mistake could result in a data breach or cyber attack, that pressure to ensure that all the controls are in place, policies and procedures are up to date and employees are adhering to everything you say and do is sometimes overwhelming. I try to solve this by talking to my manager, but equally, by allowing the team to talk to me about their concerns and how they feel. By having an open forum on these types of discussions and listening, rather than always trying to have a solution, it helps reduce some of the stress and concerns.”
- Simon Backwell
“The truth is that cybersecurity professionals are genuinely feeling overwhelmed. Sixty-three percent cite the ‘complex threat landscape’ as their top stressor, and that stress is real. While these feelings are valid, I believe they are misattributing the origin of that stress. Threat actors are simplifying their approach. Social engineering is a top attack type precisely because it's easier than technical exploits. Our stress is from role sprawl masquerading as threat complexity, not necessarily from an increasingly sophisticated threatscape. We exist simultaneously as technical experts, business translators, compliance officers, and now AI governors. The ‘complex threat landscape’ has become code for ‘I can't keep pace with everything I'm expected to be or become.’”
- Jenai Marinkovic
“To cope with these pressures, cybersecurity professionals should emphasize prioritization, focusing first on high-impact risks while breaking down larger projects into smaller, more manageable deliverables. They can also adopt exercise, mindfulness, and structured downtime to counterbalance the relentless pace of the job. On a team level, leaders are working to reduce stress through transparency, ensuring that staff understand the broader context of risks and resource limitations. Skills development and mentoring help close capability gaps, while balanced workloads and external support mitigate burnout. Flexible work arrangements and mental health resources provide additional support, and consistent recognition helps maintain morale even during periods of heightened pressure.”
- Aparna Achanta
“Perhaps the most stressful aspect of cybersecurity roles arises from the fast-changing cybersecurity governance landscape arising from evolving tactics, techniques and procedures involved in cyber attacks. Cybersecurity investment is also typically reactive, which adds time pressure. I obtain best practices from other industry partners through actively participating in conferences. But at an organizational level, we need to look at systems of resilience to address increased stress. Examples include the softer elements of teams—team-building, matching roles to aspirations of teammates, and conscious, explicit messaging from top management to take time to recuperate when needed.”
- Donavan Cheah
“Stress often arises when work is siloed, efforts are undervalued or unrecognized, and—in today’s AI-driven era—when there’s uncertainty around job security and the ability to adapt to new skills. To manage stress personally, I focus on continuous learning and upskilling, breaking down work into manageable goals, and practicing work-life balance through mindfulness and prioritization. For my teams, I help reduce stress by encouraging open communication so concerns are voiced early, recognizing contributions regularly to ensure people feel valued, and promoting collaboration across silos to ease workload pressure. I also provide upskilling opportunities in AI and emerging tech so employees feel empowered rather than threatened, and support flexibility and wellness initiatives.”
- Kannammal Gopalakrishnan
Social engineering attacks came in as the top attack type, at 38 percent. What is your cyber team doing to combat this kind of attack?
Simon Backwell: We are reviewing our tools and processes to ensure that the risk of these types of attacks is minimal. Equally, further training and guidance is being rolled out across the business to ensure that all employees know their responsibilities and what to look out for.
Kannammal Gopalakrishnan: Social engineering attacks are increasing rapidly, and our cyber team is addressing them through a three-pronged approach: 1) Building resilient systems that are designed to detect, withstand, and recover quickly from attempted breaches. 2) Driving user awareness through engaging training and gamification, ensuring employees can recognize and respond to suspicious behavior in real time. 3) Lastly, leveraging AI/ML for predictive threat modeling, which allows us to anticipate emerging attack vectors, strengthen defenses proactively, and increase overall vigilance.
Carlos Portuguez: Awareness is always key. All employees need to take data protection and information security trainings regularly, and enterprises need to perform phishing simulation exercises and measure key indicators like reporting percentage, defaulter percentage and training completion on phishing or other types of social engineering attacks.
Aparna Achanta: To counter social engineering attacks, organizations are implementing layered defenses that combine education, process, and technology. Employee awareness programs, bolstered by ongoing training and realistic phishing simulations, are central to building resilience. Verification protocols for sensitive transactions or unusual requests are also being tightened. Technological defenses add another line of protection, and advanced email filtering, spoof detection, and anomaly monitoring systems intercept many malicious attempts before they reach their targets. Just as importantly, leaders are fostering a culture where employees feel comfortable reporting suspicious communications quickly and without stigma.
Why is it important for cybersecurity teams to be involved in AI policy? Do you find it valuable to use AI in your cybersecurity efforts, and if so, why?
Aparna Achanta: Many of the risks associated with AI, including data poisoning, adversarial manipulation, model exploitation, and privacy violations, are inherently security concerns. Without cybersecurity expertise, policies may overlook these vulnerabilities, leaving organizations exposed. At the same time, AI has proven valuable in strengthening defenses. Machine learning enhances the ability to detect anomalies at scale, and automation reduces the burden on analysts by triaging alerts, filtering out false positives, and accelerating responses. Predictive models provide insights into potential attack vectors, and in security operations centers, AI is improving event correlation and investigation speed. However, experts stress the importance of human oversight, transparency, and explainability to avoid blind spots, bias, or errors in critical decision-making.
Carlos Portuguez: AI is becoming the new ally on both sides to support in both protecting and attacking. Therefore, it is imperative for cybersecurity teams to get involved in developing AI cybersecurity frameworks and pushing for implementation. AI brings great value in facilitating and automating decision making. Technology should be able to rapidly adapt to the new threat landscape, and this is only possible using AI. Otherwise, we will always be running way behind the game.
Jenai Marinkovic: Cybersecurity organizations are the only enterprise function with experience governing autonomous decision-makers. Every other department governs predictable systems; however, cybersecurity has spent decades learning to govern against intelligent, adaptive, and autonomous agents that operate outside institutional norms. AI systems are autonomous decision-makers, just like attackers. The difference is we're trying to align them instead of defending against them, yet the core challenge is identical: how do you govern something that thinks for itself and adapts its behavior? And that is the experience we bring. Organizations are subconsciously recognizing that governing AI requires the same skillset as governing against sophisticated adversaries, thinking several moves ahead of an intelligent, adaptive system.
Simon Backwell: Cybersecurity teams need to be involved in AI policy, to ensure that security requirements are considered in AI usage internally and within any products or services that are externally used. Without this and clear boundaries put in place, the risk of data exposure increases. Whilst we have not started properly exploring AI in our efforts as a team, we are looking at ways it can help us with tasks, such as security assessments and responses. These could be addressed to speed up responses, so that our focus can be on other priority tasks.
Kannammal Gopalakrishnan: It’s important for cybersecurity teams to be actively involved in AI policy because AI is becoming an integral part of organizational systems. Their role is to ensure that the use of AI is well understood in context, risks are anticipated, and appropriate controls are applied from the start. AI can be especially impactful in predictive threat analysis, advanced threat modeling, and prescriptive insights for continuous improvement. However, the real benefit comes when these capabilities are embedded within a strong AI GRC framework, which ensures that AI is used securely, responsibly, and with full data privacy protection.
Donavan Cheah: Given the risks associated with AI misuse, cybersecurity teams must be involved in AI policy, such as acceptable use, cybersecurity activities to secure AI deployments, as well as cyber risk reporting of such systems. With laws such as the EU AI Act, AI compliance is also increasingly important. AI for cybersecurity is important to scale cyber operations especially due to the significant shortage in human capital to deal with an ever-evolving cybersecurity threat landscape.
With many respondents reporting retention and hiring challenges, what role does training play in developing and keeping a solid team, and do you think continuing professional development, including training and certification, should be a priority?
Donavan Cheah: Continuing professional development is crucial. To keep staff on the team, it is vital to communicate aspirations and training plans, especially for juniors, given the diversity of certification offerings and verticals in cybersecurity. Training is an essential step to keep cybersecurity professionals informed, aware and competent, to brush up their skills. But more importantly, continuing professional development objectives enable an opportunity to institutionalize continuous learning into a cybersecurity professional's psyche, no matter which stage or role they are in.
Carlos Portuguez: A professional in this field who doesn’t feel committed to staying updated is doomed to be left out on the market and be less valuable to stay on in high-performing companies. However, it is important for cybersecurity teams to have budget and a streamlined process for people to take trainings, certifications, and attend cyber events, with their commitment to return something back to the company, like sharing and implementing best practices.
Kannammal Gopalakrishnan: The true value of training emerges when organizations go beyond funding certifications and ensure employees can apply their skills in relevant projects and real-world scenarios. The most common gap in upskilling efforts is the lack of opportunities to demonstrate and embed new skills. To achieve meaningful outcomes, organizations must create structured pathways that connect training to on-the-job application, supported by mentorship, stretch assignments, and recognition. This approach not only builds a stronger cybersecurity workforce but also improves engagement and retention.
What are some key steps that cybersecurity leaders need to take before the end of the year to strengthen their teams and their defenses?
Kannammal Gopalakrishnan: Cybersecurity leaders need to focus on combatting social engineering and AI-driven threats by doubling down on user awareness, gamified training, and AI-powered threat detection. Then, with teams stretched thin, they also need to invest in targeted upskilling, flexible work models, and recognition programs to keep talent engaged and motivated. Additionally, these leaders need to embed security awareness, collaboration, and accountability across the organization to create a culture where every employee is part of the defense. They should also be focusing on stress-testing resilience and incident response—going beyond adding tools to run live drills and cross-team exercises to ensure the organization can respond and recover quickly when—not if—an attack happens. The need of the hour is not just stronger technology, but a resilient culture, empowered people, and smart use of AI to stay ahead of attackers.
Simon Backwell: I think some of the key steps include revisiting policies and procedures to ensure that AI usage is addressed and taken into account, reviewing supply chain controls and assurance to ensure that a threat to a supplier results in minimal impact on the organization, and ensuring that team morale and mental health are focused on. Addressing all of these will help ensure their teams and controls are strengthened going into the new year, to tackle the increasing threats to organizations.
Aparna Achanta: Cybersecurity leaders should take decisive steps to bolster both human and technical resilience. The first priority is updating risk assessments, particularly in light of surging social engineering attacks and the growing use of AI by adversaries. Closing skills gaps with training programs, mentoring, and targeted hiring—building expertise in areas such as AI security, incident response, and secure development—as well as strengthening people-centric defenses should also be cornerstone strategies. On the technical side, investments in anomaly detection, endpoint defense, and automation are important to streamline workloads and improve efficiency. Incident response plans should also be tested and refined through tabletop exercises, ensuring teams are prepared for crises. Meanwhile, governance around emerging technologies, particularly generative AI, should be formalized through policies that safeguard data quality, provenance, and explainability. Finally, leaders need to incorporate flexible work policies, mental health support, and clear recognition of contributions to help retain talent in a competitive market.