New Research from ISACA Reveals That Organizations with Unfilled Cybersecurity Roles Suffer More Attacks

Schaumburg, Ill. (June 1, 2020) — The cybersecurity landscape is constantly evolving, and even more so during this time of disruption. According to ISACA's State of Cybersecurity 2020 Survey Part 2 report, most respondents believe that their enterprise will be hit by a cyberattack soon—with 53 percent believing it is likely they will experience one in the next 12 months. This and other survey findings provide a powerful snapshot of what cybersecurity professionals are facing—including the types of cyberattacks, solutions, and reporting challenges—and just how much of an impact cyber teams make on the security of their organizations.


The survey, with responses from more than 2,000 respondents from over 17 industries and 102 countries, found cyberattacks are also continuing to increase, with 32 percent of respondents reporting an increase in the number of attacks relative to a year ago. However, there is a glimmer of hope—the rate at which the attacks increase is continuing to decline over time; last year, just over 39 percent of respondents answered in the same way.


Though while attacks are going up—with the top attack types reported as social engineering (15 percent), advanced persistent threat (10 percent) and ransomware and unpatched systems (9 percent each)—respondents believe that cybercrime remains underreported. Sixty-two percent of professionals believe that enterprises are failing to report cybercrimes, even in situations where they have a legal or contractual obligation to do so.


"These survey results confirm what many cybersecurity professionals have known from personal experience for some time and in particular during this health crisis—that attacks have been increasing and are likely to impact their enterprise in the near term," says Ed Moyle, founding partner, Security Curve, and lead writer of the report. "These findings also reveal some hard truths our profession needs to face around the need for greater transparency and communication around these attacks, so that practitioners can fully understand and effectively respond to the current threat landscape they are facing."


Among the tools used in security programs for fighting these attacks are artificial intelligence (AI) and machine learning solutions, and the survey asked about these for the first time this year. While these options are available to incorporate into security solutions, only 30 percent of those surveyed use these tools as a direct part of their operations capability.


The survey also offers sobering insights into the connection between a fully staffed cybersecurity team, confidence in abilities to respond to threats, and the number of attacks that an enterprise experiences. While the number of respondents indicating they are significantly understaffed fell by seven percentage points from last year, a majority of organizations (62 percent) remain understaffed. The research found that understaffed security teams and those struggling to bring on new staff are less confident in their ability to respond to threats.


Only 21 percent of "significantly understaffed" respondents report that they are completely or very confident in their organization's ability to respond to threats, whereas those who indicated their enterprise was "appropriately staffed" have a 50 percent confidence level. The impact of lack of staff goes even further, with the research finding that enterprises struggling to fill roles on their teams experience more attacks, with the length of time it takes to hire being a factor:


? Thirty-five percent of respondents in enterprises taking three months to hire reported an increase in attacks and 38 percent from those taking six months or more.
? 42 percent of organizations that are unable to fill open security positions are experiencing more attacks this year


"Security controls come down to three things—people, process and technology—and this research spotlights just how essential people are to a cybersecurity team," says Sandy Silk, CISSP, Director of IT Security Education & Consulting, Harvard University, and ISACA cybersecurity expert. "It is evident that cybersecurity hiring and retention are not just a challenge for teams—they can have a very real impact on the security of their enterprises. Cybersecurity teams need to think differently about how they search for and keep talent, including seeking candidates from non-traditional backgrounds, and diverse educational levels and experience."


To read the full report, expert insights and related resources, visit: More resources around cybersecurity can be found at



For more than 50 years, ISACA ( has advanced the best in technology. ISACA equips individuals with knowledge, credentials, education and community to progress their careers and transform their organizations. Through the CSX, COBIT and CMMI solutions, ISACA enables enterprises to train and build quality teams. ISACA is a global professional association and learning organization that leverages the expertise of its 145,000 members who work in information and cybersecurity, governance, assurance, risk and privacy to drive innovation through technology. It has a presence in 188 countries, including more than 223 chapters worldwide.