November 2025
Cyber Tactics
By Pam Nigro
Contributing Writer

Navigating Cybersecurity’s Tightrope: Balancing Skills, AI, and Human Resilience
Addressing the skills gap, supporting employee well-being, responsibly leveraging AI, and securing adequate funding requires a holistic approach.

The cybersecurity landscape is a dynamic arena in which innovation and threats evolve relentlessly. ISACA’s State of Cybersecurity 2025 report — drawing insights from more than 3,800 professionals worldwide — offers a critical snapshot of this environment. It highlights persistent staffing shortages, the transformative impact of AI, rising stress levels and constrained budgets. Together, these findings underscore the delicate balance organizations must strike between technology, talent and well-being.
The Enduring Skills Gap: Reconnecting Education and Industry
The cybersecurity skills gap remains one of the industry’s greatest challenges. ISACA reports that 55% of organizations are understaffed, with hiring delays of three to six months for both entry-level (38%) and experienced roles (39%). Sixty-five percent of organizations struggle to fill open positions, leaving teams stretched thin and more vulnerable to threats.
A major driver of this gap is the disconnect between academic curricula and industry needs. Only 27% of respondents believe recent graduates are adequately prepared, citing deficiencies in threat detection (43%), data security (39%), and incident response (39%). Academic institutions must modernize programs in partnership with industry leaders. Hands-on training, internships, and certifications can better equip students with real-world capabilities.
Organizations should also broaden talent acquisition by considering nontraditional candidates. Over half of cybersecurity professionals (56%) have transitioned from other fields. Upskilling programs, boot camps, and certifications emphasizing transferrable skills can onboard diverse talent and reduce reliance on traditional pipelines.
Soft Skills: The New Cornerstone of Cybersecurity Success
While technical expertise remains vital, soft skills are now a differentiator. ISACA’s report highlights adaptability (61%) as the top qualification factor, even ahead of hands-on experience (60%), underscoring the need to learn and pivot. Meanwhile, critical thinking (57%), communications (56%) and problem-solving (47%) rank as the top soft skills needed.
To cultivate these competencies, organizations should invest in mentorship, cross-functional simulations, and team-building initiatives that foster collaboration and problem-solving. By blending technical know-how with human-centered skills, teams become more resilient in navigating a constantly shifting threat landscape.
Rising Stress Levels: Addressing Burnout and Retention
The high-pressure nature of cybersecurity continues to impact employee well-being. Two-thirds of professionals (66%) report increased stress over the past five years, driven by complex threats (63%) and relentless demands. Nearly half (47%) cite workplace pressures as a reason for leaving, compounding retention challenges.
To mitigate burnout, organizations must adopt proactive workplace strategies:
- Automate Routine Tasks: Use AI to reduce repetitive work and free staff for higher-value priorities.
- Prioritize Mental Health and Flexibility: Offer flexible schedules, wellness programs, and access to mental health resources.
- Foster Collaborative Cultures: Build supportive teams where employees can share challenges and solutions.
Prioritizing well-being not only improves retention but also strengthens organizational resilience.
AI: Harnessing Opportunity While Managing Risk
Artificial intelligence is reshaping cybersecurity operations, driving advances in threat detection (32% rank it as a top use in security operations), endpoint security (30%), and automation (28%). Its ability to process massive datasets and detect anomalies holds enormous promise.
Yet AI is a double-edged sword. Algorithmic bias, exploitable vulnerabilities, and malicious use — such as AI-crafted phishing campaigns — pose serious risks. Encouragingly, nearly half of cybersecurity teams (47%) are now contributing to AI governance policy, and 40% are involved in implementation.
To accelerate progress, organizations should invest in training on AI ethics, risk management, and governance frameworks. Embedding cybersecurity into AI systems from the outset — through robust validation and access controls — ensures these tools are secure and responsibly deployed.
Budget Constraints: Advocating for Sustainable Investment
Budgets remain a persistent barrier. More than half of respondents (53%) report underfunded programs, and only 41% expect increases this year — down from 47%. Limited resources make it harder to address threats effectively or sustain long-term resilience.
To secure funding, cybersecurity leaders must link investments to measurable business outcomes, such as reduced risk exposure, improved efficiency, or compliance savings. Encouragingly, 56% of boards now prioritize cybersecurity, creating a valuable platform for aligning initiatives with organizational strategy.
Strategic Imperatives for the Future
ISACA’s report is both a warning and a roadmap. To meet these challenges, organizations should:
- Bridge the Skills Gap: Partner with academia to modernize curricula and expand hands-on learning.
- Cultivate Soft Skills: Invest in programs that build communication, critical thinking, and adaptability.
- Prioritize Employee Well-being: Implement stress management initiatives, promote flexibility, and leverage automation.
- Integrate AI Responsibly: Involve cybersecurity teams in AI governance and risk mitigation from the outset.
- Advocate for Funding: Tie cybersecurity investments to clear business value to secure sustainable budgets.
Striking the Right Balance for a More Secure Future
ISACA’s State of Cybersecurity 2025 report sheds light on the industry’s most urgent challenges. Addressing the skills gap, supporting employee well-being, responsibly leveraging AI, and securing adequate funding all require a holistic approach. Success will depend on collaboration among academia, industry, and business leaders.
Ultimately, cybersecurity is not just a technical problem — it is a people-driven mission. By balancing innovation with resilience and sustained investment, organizations can build security programs that endure in an increasingly complex world.

