Good morning. Cyberattacks are a top concern for CFOs. However, cybersecurity professionals are feeling increased stress due to the complexity of the threat landscape and ongoing risks.
In a new report shared with CFO Daily, ISACA—a global association for IT governance, security, risk, and audit professionals—surveyed more than 3,800 cybersecurity experts. Two-thirds said their roles are more stressful than five years ago, and 63% named the complexity of today’s landscape as the top stressor. Nearly half (47%) cited high stress as the primary reason for attrition.
The survey found that 43% of respondents believe an attack on their organization is likely in the next year, yet just 41% are confident regarding incident-response capabilities. Additionally, 39% believe cybercrime is underreported, even when reporting is required.
The most common type of attack is social engineering (44%)—manipulation techniques that trick individuals into giving up confidential information—followed by 37% who noted exploited vulnerabilities (flaws or weaknesses in software, hardware, or network systems) and 36% said malware (malicious software or code). About one-third of cybersecurity professionals still reported an increase in incidents this year, according to the report.
“Cybersecurity professionals are navigating an increasingly complex threat landscape, marked by the rapid evolution of threats and an increase in both the frequency and sophistication of attacks,” Chris McGowan, ISACA principal for information security professional practices, said in a statement.
McGowan noted an anticipated rise in cyberattacks next year would put even more pressure on cybersecurity teams, emphasizing the importance of regularly reviewing support systems and training to strengthen skills and resilience. Companies must not only improve their defenses, but also prioritize the well-being of their cybersecurity teams, he added.
The stress is worsened by persistent understaffing, with 55% of cybersecurity teams short-staffed and 65% having unfilled roles. Fewer organizations are training non-security staff to move into cybersecurity positions.
Turning to AI for defense
“AI has proven valuable in strengthening defenses,” according to Aparna Achanta, a security leader at IBM Consulting. Machine learning helps detect anomalies at scale, while automation reduces analysts’ workload by triaging alerts and speeding up responses, Achanta told ISACA.
Meanwhile, predictive models highlight attack risks, and in security operations centers, AI improves event correlation and investigation, she said. Experts caution that human oversight is needed to avoid bias, blind spots, and errors in decision-making, Achanta added.
Respondents report increased use of AI in their work and a larger role in AI policy at their organizations. Almost half (47%) said they helped develop governance practices (up from 35% last year), and 40% were involved in implementation (up from 29%). The top uses of AI in security operations are threat detection, endpoint security, and automating routine tasks.
In cybersecurity, adaptation isn’t optional—it’s survival.
Sheryl Estrada
sheryl.estrada@fortune.com
