Cybersecurity positions in more than half of organizations are empty, according to a new survey.

The Information Systems Audit and Control Association (ISACA) surveyed 2,366 IT professionals for “State of Cybersecurity Report 2018” and found 59 percent of them said that their organizations have unfilled positions in information security.

54 of the respondents said that it takes 90 days on average for their organizations to fill security-related positions, while another 3 percent said their firms are unable to find skilled individuals to fill those roles.

Professionals associated with information security and those who held ISACA’s Certified Information Security Manager (CISM) and Cybersecurity Nexus Practitioner (CSXP) certifications were among those surveyed.

A vast majority of employees expressed a lack of confidence in the qualifications of their co-workers.


30 percent of participants said that fewer than 25 percent of their colleagues are qualified, while a little more (31 percent) said that 25-50 percent of the employees in their organization have sufficient skills.

Only 12 percent of those surveyed said that 75-100 percent of the workforce in their firm has the necessary skills.

77 percent of the participants said that demand for skilled individuals for ‘individual contributor’ and ‘technical security’ positions was increasing.


The demand for “security manager” and “individual contributor, nontechnical security” positions has also increased by 39 percent and 46 percent respectively, the study says.

The survey revealed that budget was not a major factor in firms’ inability to find the talented individuals needed to fill these empty roles.

In fact, 64 percent of participants said that their organizations have increased the budget to combat cybersecurity threats.

“Even though enterprises have more budget than ever to hire, the available workforce lacks the skills organizations critically need,” Matt Loeb, Chief Executive Officer of ISACA, said in a statement.

“More of those dollars will need to be invested in technical cybersecurity training, along with effective retention programs.”

ISACA further suggested that the cybersecurity skill gap can be minimized by investing in security automation tools and making the enrollment process for these roles more effective.