Cyber security in crisis: European companies without people to defend themselves

New data from ISACA’s State of Cybersecurity 2025 report confirms that the digital security skills deficit problem is taking a systemic form in Europe. Two out of three companies are unable to fill cyber security vacancies and more than half complain of difficulties in retaining specialists.

At the same time, the pressure of attacks is increasing, with almost 40 per cent of IT and security professionals saying the number of incidents is up on last year, and another 27 per cent seeing levels maintained.

This combination of staff shortages and escalating threats is resulting in a significant cancer in the digital resilience of many organisations. Only 38% of respondents say they have full confidence in their organisation’s ability to effectively detect and respond to attacks. The remainder – either perceive gaps or are unsure how far reaching they are.

Where the source of the problem lies

1. maintenance vs. acquisition

The recruitment deficit is widely known, but equally important – although less discussed – is the problem of retention. More than half of organisations are facing the departure of professionals, further exacerbating the staffing gap.

There is often talk of a 'war for talent’, but less often about the fact that organisational structures in a large proportion of companies are not ready for a parallel battle: providing development paths, meaningful distribution of responsibilities, training or psychological support. Reported problems include overload, lack of work-life balance and insufficient competence of teams.

2. recruitment requirements do not correspond to market realities

A surprising paradox: 19% of companies admit that even for positions that do not require experience or a degree, it is difficult to find candidates. However, the problem is not just a lack of applicants – bias is often embedded in the recruitment process. It is an examination to require certificates, apprenticeships, formal diplomas when real day-to-day tasks depend more on ability than documents.

Respondents signal that professional certifications (84 %) and practical training (73 %) are most important, more so than a university degree alone (55 %). So the potential lies in opening up alternative pathways into the industry – bootcamps, 'bottom-up’ programmes, opportunities for internal promotion.

3. the growing role of AI in expectations of security teams

The survey indicates that 51% of European professionals are involved in the development of AI management frameworks in their organisations (previously 36%) and 46% are involved in their implementation (27% in 2024). AI is becoming an operational foundation in the areas of threat detection, endpoint security and automation. This makes AI and model management competences particularly desirable – and at the same time scarce.

At the same time, organisations have to navigate an increasingly complex regulatory environment (e.g. NIS2 Directive, EU AI Act), which forces a synergistic approach to risk, compliance and technology.

4 Pressure, stress, burnout

Almost two-thirds (68 %) of experts say their job is more stressful today than it was five years ago, and the pressure is not easing. More than half report unrealistic expectations, 48 % point to a poor work-life balance and 36 % report a lack of appropriate competencies in the team. Worse still, 22 % of organisations have not implemented any measures to prevent burnout.

According to additional data, as many as 73% of European IT professionals experience stress or burnout, largely due to an excess of responsibilities (61%) and a lack of resources (43%)

Scale of the problem in the face of global trends

Industry reports suggest that the skills gap in cyber security is global – up to 4.8 million roles may remain unfilled globally, resulting in increased incident costs and response times. In Europe, security teams are regularly described as 'overworked and underfunded’.

In turn, the strategic analysis indicates that despite growing awareness of the role of cyber security in the competitive value of companies, barriers remain: limited resources, cultural resistance and a lack of consistent commitment from business leaders.

What organisations can do – and what they should do

A. Redesign the HR process and recruitment models

• Reduce barriers to entry – e.g. through internship programmes, apprenticeships, bootcamps with mentoring.
• Bet on competences instead of formal diplomas: the ability to analyse, to make decisions, to adapt – these are qualities that often matter more in everyday work.
• Implement systems to recruit internally and develop talent already in the organisation.

B. Invest in culture and wellbeing

• Introduce procedures to counteract burnout: limit overtime, task rotation, breaks, psychological support.
• Teach leaders to understand the risks of the 'security hero’ ethos – That one person cannot be responsible for the whole organisation.
• Support the development of soft skills – communication, critical thinking, coping in a complex environment.

C. Improve efficiency through tools and automation

• Automate repetitive tasks: log analysis, correlations, monitoring – to leave space for specialists for strategic tasks.
• Consolidate and discipline tools to reduce operational costs and technological chaos.

D. Collaborate at the ecosystem level

• Industry organisations, government initiatives and educational institutions must work together to increase the candidate pool.
• Public programmes (e.g. in the EU) already support such activities, which can have an effect, subject to coordination and long-term budgeting.

E. Prioritise strategic oversight

• Cyber security must not be seen as a costly add-on – it must be an integral part of the board’s strategy.
• Budget, recruitment and technology decisions require synergy with business risk, not ad hoc responses.

Europe today faces a dilemma: organisations have more and more reasons to invest in cyber security (growing threats, regulation, AI), but staff shortages and organisational deficits prevent the pace from catching up quickly.

In practice, it is security professionals who are working at the limit – often becoming the bottleneck in the digital resilience architecture of entire companies. If HR processes, management culture, technology strategy and incentive systems remain divergent, the talent shortage will worsen and the risk of incident spikes will increase.

The key is not just „more” – but „smarter”: targeted recruitment, adaptive development paths, automation tools, and systemic support for people – these are the foundations that can shift the balance away from crisis towards resilience. Otherwise, the cost of the gap can be expressed not only in budgets, but in the lost trust and operational continuity of the organisation.