Australian firms cut cyber training despite rising threat levels

A new ISACA study has found that fewer Australian enterprises are training staff for cybersecurity roles despite ongoing workforce shortages and an anticipated rise in demand for technical cybersecurity professionals.

Workforce shortages

The State of Cybersecurity 2025 survey report from ISACA indicated that over half of Australian cybersecurity teams remain understaffed, with 54 percent reporting insufficient personnel and 58 percent citing unfilled positions. Despite these shortages, only 34 percent of enterprises are providing training for non-security staff to transition into cybersecurity roles.

The survey found that a majority of Australian cybersecurity professionals did not begin their careers in the field, with 55 percent of respondents stating that more than half of their current team members transitioned from other roles. This trend highlights the ongoing importance of internal mobility at a time of increasing demand and persistent staffing challenges.

Recruitment and retention concerns

Hiring for cybersecurity positions remains a lengthy process in Australia. Thirty-six percent of respondents said it takes between three and six months to fill entry-level roles, and 48 percent reported the same timeframe for non-entry-level positions. The latter figure is higher than the global average of 39 percent, underscoring recruitment difficulties in the Australian market.

Retention is also a challenge, with half of global respondents stating their organisations struggle to keep cyber talent. This is particularly notable as 70 percent of security professionals in the ISACA survey expect the demand for technical contributors to increase within the next year.

Budget and resource pressures

Budget constraints for cybersecurity programmes appear to be worsening. Forty-nine percent of Australian respondents in 2025 consider their budgets underfunded, a slight increase from 47 percent the previous year. Only 24 percent anticipate a rise in their budget allocations within the next 12 months, compared to a global average of 41 percent expecting increases.

Skills and organisational fit

Organisational fit is currently the top recruitment criterion for cybersecurity teams in Australia, reported by 66 percent of survey participants. Prior cybersecurity experience remains important, noted by 62 percent, while adaptability was cited as very important by 57 percent.

Soft skills are identified as significant gaps in existing teams, with 59 percent of respondents flagging them as a key issue. Within this area, communication skills are considered vital by 60 percent, critical thinking by 55 percent, and problem-solving abilities by 44 percent.

AI policy and adoption

The report notes a growing role for cybersecurity professionals in artificial intelligence. Among Australian respondents, 51 percent have contributed to developing AI governance policies, a rise from 32 percent last year. Involvement in AI implementation also grew, with 38 percent of professionals engaging in these processes compared to 24 percent previously.

AI is primarily used in security operations for threat detection (35 percent), endpoint security (31 percent), and automating routine tasks (27 percent).

Threats and stress

Social engineering, insider attacks, and denial of service are the most common types of cybersecurity incidents in Australia, each cited by 33 percent of respondents. Forty-one percent reported an increase in attacks over the past year, a significant jump from 29 percent in the 2024 survey.

Half of cybersecurity professionals believe an attack on their organisation is likely or very likely in the coming year, yet only 35 percent expressed confidence in their team's incident response. Forty-five percent also believe that cybercrime is underreported even when reporting is required.

There are rising stress levels across the sector, with 68 percent of respondents indicating that their roles are more stressful than five years ago. Complexity of threats is the primary stressor, identified by 63 percent, and 42 percent said that high stress is a major driver of staff attrition.

The fact that stress levels are still climbing is a red flag for our industry. If we are to remain resilient in the face of rising threats, boards must continue to prioritise the wellbeing and development of their cyber teams.

These were the words of Jamie Norton, Vice President of ISACA's Board, who noted the challenges Australian organisations face managing staffing shortages, restrictive budgets, increasing threat volumes, and rapid adoption of artificial intelligence.

Australia can't hire its way out of a skill gap this deep. The data shows fewer organisations are training non-security staff into cyber roles, even though most organisations acknowledge they are under-staffed. This approach is unsustainable. Boards need to prioritise cyber training and cross-skilling programs and recognise that developing people is the fastest, most sustainable path to resilience.

This was the response from Jo Stewart-Rattray, ISACA's Oceania Ambassador, who argued for boards to focus on rebuilding their talent pipelines and maintain training budgets despite economic challenges.