New research by ISACA has found that over a third (39%) of European IT and cybersecurity professionals report that their organisation is experiencing more cybersecurity attacks than this time last year.
Yet despite this rising wave of attacks, confidence in organisational readiness remains low, with only 38% of professionals stating they are completely confident in their organisation’s ability to detect and respond effectively.
As attacks continue to increase in scale and scope, the pressure on professionals is also growing, with nearly two-thirds (65%) identifying the increasingly complex threat landscape as a major stress factor.
While budgets and staffing show some progress, the report found that the pace is not fast enough to ease pressure on professionals. Over half (58%) of those surveyed report that their organisation remains understaffed, only a modest improvement of three percentage points compared to last year. Budgets tell a similar story of slow progress – while over half (54%) of professionals say their organisation is underfunded, this has improved slightly from 58% in 2024.
While incremental gains suggest that organisations are beginning to prioritise cybersecurity, progress still lags behind the demands of the threat landscape, and professionals on the front line are feeling this pressure.
More than two-thirds (68%) say their job is more stressful now than it was five years ago, a figure which remains unchanged from last year. Within workplaces, organisations are failing to give professionals the support they need to manage stress. Over half (54%) report unrealistic expectations or excessive workloads, 48% highlight poor work-life balance, and more than a third (36%) say their teams lack the right skills or training.
Alarmingly, more than one in five organisations (22%) have still taken no action to address or prevent employee burnout, leaving professionals to manage growing responsibilities with limited support.
Chris Dimitriadis, Chief Global Strategy Officer at ISACA, said: “Over the past year, the public has seen first-hand just how impactful cyberattacks can be, with high-profile breaches devastating businesses and dominating headlines. At the same time, the overall volume of attacks is rising, with almost two in five organisations experiencing more incidents than a year ago.
“While organisations are starting to acknowledge the problem and take steps to address long-standing issues in budgets and staffing, the pace of change is still far too slow. The reality is that cyber criminals are moving faster than most organisations can respond. Now is the time to invest in investing in a more holistically trained cybersecurity workforce, an investment towards customer trust and in gaining competitive advantages, not just a reactive move following an incident.”
More than half of organisations (52%) are struggling to retain qualified cybersecurity professionals, according to those professionals familiar with hiring within their organisations. Entry-level roles are particularly difficult to fill; nearly one in five organisations (19%) have open positions that do not require experience, a degree or credentials, yet almost half (45%) say it still takes three to six months to hire at this level.
Part of the challenge lies in narrow hiring expectations. While just over half of respondents (55%) view a university degree as important for candidates, far more place value on professional credentials (84%) or hands-on training (73%). Expanding recruitment pathways and offering training opportunities for those without conventional backgrounds could help organisations grow their pipeline of talent.
Dimitriadis added: “To build resilience and keep pace with the evolving threat landscape, we must widen the pathways into cybersecurity. By valuing hands-on training, professional credentials and transferable skills, organisations can strengthen their teams and ease the pressure on overstretched professionals. But recruitment is only the start; continuous training and upskilling are critical. That is how we move from slow, incremental change to real progress, reducing stress and building long-term protection.”
Even as staffing and skills shortages persist, cybersecurity teams are increasingly at the forefront of AI governance and implementation. More than half of European professionals (51%) say they have helped develop their organisation’s AI governance framework – up sharply from 36% last year – while 46% are now directly involved in AI implementation (up from 27%).
Beyond governance, AI is already embedded in day-to-day operations, with top uses including threat detection (29%), endpoint security (28%) and routine task automation (27%). These findings point to the accelerating pace of AI adoption and the urgent need for stronger AI security legislation and continuous upskilling, particularly as Europe advances the EU AI Act and NIS2, and the UK prepares forthcoming AI legislation.
