The global cybersecurity workforce is ageing and at risk of burnout, with not enough younger workers ready to step into higher roles, a major new report has found.
The 11th iteration of ISACA’s State of Cybersecurity is based on a survey of 3,800 cybersecurity workers around the world.
It reveals that despite cybersecurity workers facing increasing stress and enjoying fewer benefits from their employers, companies are finding it easier to retain their staff.
An ageing workforce
The ongoing trend of workers in the cybersecurity sector being older has continued this year, the survey found, with the majority of respondents to the ISACA survey – 35 per cent – being aged between 45 and 54 years old.
This is a “cause for concern” the report found, with fears there are not enough experienced younger workers to take the place of these older employees when they retire.
“Further evidence of an ageing workforce is the survey finding that less than half of respondents manage staff with less than three years of work experience,” the ISACA report said.
“As these experienced cybersecurity workers approach retirement age, enough cybersecurity talent with managerial experience might not be available to replace retiring managers.
“Enterprises should begin to consider succession planning now to anticipate and address potential hiring challenges.”
Nearly one-fifth of all respondents to the survey were around a decade away from considering retirement.
Stressed and burning out
Cybersecurity workers are also finding their jobs to be highly stressful, with two-thirds of respondents saying they are significantly or slightly more stressed now than they were five years ago.
The main reason for this was the increasingly complex threat landscape.
While this leads to concern about potential burnout amongst the workforce, just one-quarter of respondents said their employer was taking steps to mitigate burnout.
“Burnout remains a considerable challenge, so it is concerning that almost one-quarter of respondents say their enterprises have not taken any action to mitigate burnout,” the report said.
“Despite many respondents reporting that their jobs are more stressful now than in previous years, the job market and broader economic uncertainty has helped enterprises with retention.”
A separate report from August found cybersecurity workers are losing more hours of productivity to stress and burnout than a year earlier.
The survey, conducted by Sophos, found that these workers lost 4.8 hours per week to stress and burnout in 2025, an increase of more than 25 per cent compared to 2024.
Despite the high levels of stress, just half of employers who responded to the survey said they were having challenges retaining staff, the lowest percentage since the metric was introduced in the ISACA report in 2020.
The missing skills
According to the survey, adaptability is now the most important factor in determining whether someone is qualified for a cyber role, with more than 60 per cent of respondents listing this as very important.
The previously most important factor – prior hands-on experience – has dropped down to second place and fallen by 13 percentage points.
Many cybersecurity workers are also lacking in soft skills, such as critical thinking, communication and problem-solving, according to the report.
Of all the workers surveyed, more than 40 per cent said they think their company will experience a cyberattack in the next year, but just 41 per cent were completely or very confident in the ability of their employer to detect and respond to cyber threats.
The survey also found that the use of AI by the cyber workforce has increased, including in automating threat detection and response, endpoint security, and automating routine security tasks.
“Security professionals are not only increasing their use of AI tools, but also are more likely to be involved with shaping how their enterprises use AI,” the report said.
A separate report earlier this year found less than a third of IT leaders think their organisations are ready to withstand AI-powered cyberattacks.
