Cybersecurity teams in Australia remain stretched thin, with more than half (54 percent) understaffed and 58 percent reporting unfilled positions. Yet despite this shortage, only a third of enterprises (34 percent) are training non-security staff to move into cyber roles, according to ISACA’s 2025 State of Cybersecurity Report.

ISACA State of Cyber 2025 global infographic

The survey also shows that many of today’s cyber professionals began their careers elsewhere, with 55 percent of Australian respondents saying more than half of their current staff transitioned from non-security roles. Now in its eleventh year, the global report examines skills, hiring, budgets, cyber risk and the growing role of AI.

Challenges persist with staffing, resources

Survey respondents in Australia indicate there is a high demand for technical cybersecurity professionals, but challenges with hiring and retention persist. Thirty-six percent say it takes three to six months to hire for entry-level roles, and 48 percent say this timeframe applies for hiring non-entry-level roles (higher than the global average of 39 percent). Half of global respondents admit their organisations struggle to retain cyber talent, which is concerning given 70 percent expect demand for technical contributors to rise.

A slightly higher percentage of Australian respondents than last year indicated their budgets are underfunded (49 percent vs 47 percent), yet only 24 percent expect budget increases in the next twelve months, compared to 41 percent of organisations globally that expect their budget to rise.

Organisational fit, soft skills in demand

As technology and threats continue to change, so too do the qualifications employers are looking for. Organisational fit is now the top factor (66 percent), followed by prior cybersecurity experience (62 percent). Adaptability is also highly valued, with 57 percent of Australian respondents ranking it as very important. Skills gaps remain an issue, with soft skills topping the list (59 percent) – particularly communication (60 percent), critical thinking (55 percent) and problem-solving (44 percent).

A greater voice in AI implementation, policy

Respondents indicate that they are increasingly using AI in their work, as well as playing a larger role in AI policy at their organisations. Fifty-one percent say they have helped develop AI governance (up from 32 percent last year) and 38 percent have been involved in AI implementation (up from 24 percent). Respondents most commonly use AI in security operations for 1) threat detection (35 percent), 2) endpoint security (31 percent) and 3) routine task automation (27 percent).

Complex threat landscape, high stress

In Australia, social engineering, insider attacks and denial of service dominate the threat landscape, each cited by 33 percent of respondents as the most common attack types. Forty-one percent also reported experiencing more attacks compared to a year ago, a sharp rise from 29 percent in 2024.

While 50 percent of Australian cybersecurity professionals believe an attack on their organisation is likely or very likely in the next year, only 35 percent are confident in their team’s incident response capabilities. Additionally, 45 percent believe cybercrime is underreported, even when reporting is required.

It may not come as a surprise then, that 68 percent of the Australian cybersecurity professionals surveyed also said that their role is more stressful now than five years ago, with 63 percent citing the complex threat landscape as their top stressor. In fact, 42 percent indicated that high stress is a major reason for attrition.

Jamie Norton, Vice President of ISACA’s Board, said the findings highlight the scale of the challenge in Australia and how organisations are managing staffing shortages, tight budgets, rising threat volumes and rapid AI adoption.

“The fact that stress levels are still climbing is a red flag for our industry,” Mr Norton said. “If we are to remain resilient in the face of rising threats, boards must continue to prioritise the wellbeing and development of their cyber teams.”

Jo Stewart-Rattray, ISACA’s Oceania Ambassador, said the results should spur boards to rebuild the talent pipeline and protect training budgets despite economic pressure.

“Australia can’t hire its way out of a skill gap this deep,” said Ms Stewart-Rattray. “The data shows fewer organisations are training non-security staff into cyber roles, even though most organisations acknowledge they are under-staffed. This approach is unsustainable. Boards need to prioritise cyber training and cross-skilling programs and recognise that developing people is the fastest, most sustainable path to resilience.”

Access the free State of Cybersecurity 2025 report at www.isaca.org/state-of-cybersecurity. Explore additional ISACA cybersecurity resources at www.isaca.org/resources/cybersecurity.