CIISec on challenges and prospects

by Mark Rowe

In the first half of 2025 the Chartered Institute of Information Security (CIISec) asked members to reflect on how the profession has fared over the last 12 months, offering their thoughts on the challenges they face and prospects moving forward. Responses from cyber security practitioners included:

  • More than half (57pc) agree that the profession is getting better at dealing with and responding to incidents, compared to 49pc who said the profession is getting better at defending against attacks in the first place.
  • 75pc of cyber security professionals say people are the biggest challenge they face, as opposed to processes (15pc) and tech (10pc).
  • 48pc say that analytical and problem-solving skills are the most valued – communication skills (27pc) are the next highest, and just 14pc say technical skills are the most important.
  • 84pc believe that security budgets are increasing more slowly than the threat level, while just 5pc agreed that budgets are in line with or ahead of threats.
  • 78pc feel their job prospects are good or excellent, and 73pc expect the overall security market to grow over the next three years.

There’s certainly some good news here, CIISec adds. Job prospects and the growth of the cyber security profession are both positives. More than half of respondents also say the profession’s ability to respond to incidents is improving, and people-based skills are more coveted than technical. These statistics suggest a shift in direction for the profession, with different skills contributing towards better practices and growth.

However, the same problems continue to plague cyber security – people remain the profession’s Achilles’ heel, and budgets are stagnating. If the cyber security market is forecast to grow, a positive highlighted in the survey, budgets must reflect this. But sadly, it looks like cyber security professionals will continue to be forced to achieve more with less over the coming year.

But highly coveted communications skills offer an opportunity to address this issue. Most cyber security professionals will have already instilled processes, such as covering off basic cyber hygiene and enforcing policies. Investment in new technology is likely to be difficult without increased budgets, so like it or not, cyber security professionals will have to cover gaps with their existing tools. But while tools and procedures can help manage cyber risks, they can’t solve the underlying people problem.

The human element has never been more important. It belongs at the heart of organisations’ cyber strategy, not as an added extra. Cyber security professionals must find ways to bring their colleagues and their organisation’s supply chain on the cyber security journey. This means educating them on the risks of cybercrime via effective communication, helping them think differently, and actively challenging the deluge of misinformation and traps that are a sad fact of life. We need people with strong, proven communication skills – whether from inside or outside the profession. Using their talents for empathy, persuasion and clarity will be crucial to driving programmes that make people think, feel and ultimately act differently.

The good news is that developing or even attracting these skills generally costs less than shiny new tooling. And it’s easier to justify spending when board members who are well aware of the current spate of attacks want someone to communicate the risks to them. Becoming this communicator requires a new mindset, one where cyber security professionals see themselves as business partners and advisers, rather than being perceived as unapproachable technicians.

Without addressing all three issues – people, processes and tech – cyber security cannot be wholly effective. But with technology investment hamstrung by budgets, and the correct processes in place, addressing the cyber security profession’s people problem will have the greatest impact, and that must start with improving communication.
