Cybersecurity skills gap widening in Australia: report

The Information Security Audit and Control Association (ISACA) has found that cybersecurity teams in Australia remain stretched thin, with more than half (54%) understaffed and 58% reporting unfilled positions. Yet despite this shortage, only a third of enterprises (34%) are training non-security staff to move into cyber roles, according to ISACA’s 2025 State of Cybersecurity report.

The survey also shows that many of today’s cyber professionals began their careers elsewhere, with 55% of Australian respondents saying more than half of their current staff transitioned from non-security roles. Now in its 11th year, the global report examines skills, hiring, budgets, cyber risk and the growing role of AI.

Challenges persist with staffing and resources

Survey respondents in Australia indicate there is a high demand for technical cybersecurity professionals, but challenges with hiring and retention persist. Thirty-six percent say it takes three to six months to hire for entry-level roles, and 48% say this timeframe applies for hiring non-entry-level roles (higher than the global average of 39%). Half of global respondents admit their organisations struggle to retain cyber talent, which is concerning given 70% expect demand for technical contributors to rise.

A slightly higher percentage of Australian respondents than last year indicated their budgets are underfunded (49% vs 47%), yet only 24% expect budget increases in the next twelve months, compared to 41% of organisations globally that expect their budget to rise.

Organisational fit and soft skills in demand

As technology and threats continue to change, so too do the qualifications employers are looking for. Organisational fit is now the top factor (66%), followed by prior cybersecurity experience (62%). Adaptability is also highly valued, with 57% of Australian respondents ranking it as very important. Skills gaps remain an issue, with soft skills topping the list (59%) – particularly communication (60%), critical thinking (55%) and problem-solving (44%).

A greater voice in AI implementation and policy

Respondents indicate that they are increasingly using AI in their work, as well as playing a larger role in AI policy at their organisations. Fifty-one percent say they have helped develop AI governance (up from 32% last year) and 38% have been involved in AI implementation (up from 24%). Respondents most commonly use AI in security operations for 1) threat detection (35%), 2) endpoint security (31%) and 3) routine task automation (27%).

Complex threat landscape and increasing stress

In Australia, social engineering, insider attacks and denial of service dominate the threat landscape, each cited by 33% of respondents as the most common attack types. Forty-one percent also reported experiencing more attacks compared to a year ago, a sharp rise from 29% in 2024.

While 50% of Australian cybersecurity professionals believe an attack on their organisation is likely or very likely in the next year, only 35% are confident in their team’s incident response capabilities. Additionally, 45% believe cybercrime is underreported, even when reporting is required.

It may not come as a surprise that 68% of the Australian cybersecurity professionals surveyed also said that their role is more stressful now than five years ago, with 63% citing the complex threat landscape as their top stressor. In fact, 42% indicated that high stress is a major reason for attrition.

Jamie Norton, Vice President of ISACA’s Board, said the findings highlight the scale of the challenge in Australia and how organisations are managing staffing shortages, tight budgets, rising threat volumes and rapid AI adoption.

“The fact that stress levels are still climbing is a red flag for our industry,” he said. “If we are to remain resilient in the face of rising threats, boards must continue to prioritise the wellbeing and development of their cyber teams.”

Jo Stewart-Rattray, ISACA’s Oceania Ambassador, said the results should spur boards to rebuild the talent pipeline and protect training budgets despite economic pressure.

“Australia can’t hire its way out of a skills gap this deep,” she said. “The data shows fewer organisations are training non-security staff into cyber roles, even though most organisations acknowledge they are under-staffed. This approach is unsustainable. Boards need to prioritise cyber training and cross-skilling programs and recognise that developing people is the fastest, most sustainable path to resilience.”

The State of Cybersecurity 2025 report can be accessed at www.isaca.org/state-of-cybersecurity.

Image credit: iStock.com/Kindamorphic