Top of Page

(ISC)² Study Reveals How Companies Overcome Cybersecurity Hiring Challenges

70% of companies with adequately-staffed cybersecurity departments train and promote from within, and place a priority on hiring professionals with cybersecurity certifications when recruiting externally


Clearwater, FL, September 20, 2018 – (ISC)² – the world’s largest nonprofit association of certified cybersecurity professionals – today announced the findings of its Building a Resilient Cybersecurity Culture study, in which it found that a strong security-focused culture and adherence to best practices helps companies attract and retain cybersecurity talent. (ISC)2 commissioned the study to better understand how successful organizations are overcoming the shortage of skilled cybersecurity talent in a demand-heavy, competitive recruitment environment.

“The growing cybersecurity workforce gap has received a lot of media attention. What we haven’t heard as much about is how some companies are actually succeeding in building their security teams even in the face of this competition for talent. Our empirical analysis shows the demonstrable effect cybersecurity leaders can achieve by fostering a strong cybersecurity culture,” said (ISC)² Director of Cybersecurity Advocacy for North America John McCumber. “The human factors of information security are most effectively accessed, developed, and employed by organizations with this critical professional leadership. This new report provides a window into how this gap can be leveraged by individuals and organizations alike to dramatically improve the protection and management of critical information assets.”

The data is based on a survey of 250 U.S. cybersecurity professionals with oversight of hiring and managing security departments, who say their organization does an adequate job of ensuring it has enough cybersecurity expertise on staff. Key insights from the study include:

  • 97% of respondents indicated that their entire executive management team understands the importance of strong security practices and reinforces those messages with staff
  • When asked which tactics were used to successfully build a strong cyber team, 70% said they hire certified security professionals, 70% train and promote from within, and 52% attribute their success to drafting clear job descriptions
  • 86% said their company employs a CISO
    • Of these, 57% of the CISOs report directly to either the CEO or the board of directors, indicating the level of importance associated with the position
  • 58% of these companies cited having a strong risk management policy as the #1 reason they are confident their capabilities are adequate to protect their enterprise
  • About half (51%) of these companies say they employ at least two dedicated cybersecurity staff, which they believe is critical to cybersecurity readiness
  • 79% of companies said their cybersecurity staff’s average tenure is at least three years
  • 50% have been able to hire talent from the government sector
    • 67% said salary was the biggest draw, while 60% cited the opportunity to work with a strong leadership team, and 59% believe the opportunity to work for a mission-based organization helps win over recruits from the public sector

For more insights, the full study can be downloaded at



Findings are based on a blind survey of 250 cybersecurity professionals within the United States

conducted by Market Cube, LLC, on behalf of (ISC)² in August 2018.


About (ISC)²

(ISC)² is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)² offers a portfolio of credentials that are part of a holistic, pragmatic approach to security. Our membership, over 138,000 strong, is made up of certified cyber, information, software and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation – The Center for Cyber Safety and Education™. For more information on (ISC)², visit, follow us on Twitter or connect with us on Facebook and LinkedIn.

© 2018, (ISC)² Inc., (ISC)², CISSP, SSCP, CCSP, CAP, CSSLP, HCISPP, CCFP, CISSP-ISSAP, CISSP-ISSEP, CISSP-ISSMP and CBK are registered marks, of (ISC)², Inc.


Media Contact:
Jarred LeFebvre
Senior Manager, Corporate Communications
(727) 316-8129