In a profession moving as quickly as cyber security, another turbulent year should come as no surprise. We’ve seen major breaches, such as Scattered Spider using DragonForce to attack Marks & Spencer and Co-op. Class action lawsuits have been filed and settled, with MGM Resorts’ $45 million payout the most notable. There has also been progress from law enforcement, with the infamous RapperBot botnet taken down in August.
As in previous years, in the first half of 2025 we asked members to reflect on how the profession has fared over the last 12 months, offering their thoughts on the challenges they face and prospects moving forward. As ever, the candid responses provide us with insights into the current mood of cyber security practitioners:
- More than half (57%) agree that the profession is getting better at dealing with and responding to incidents, compared to 49% who said the profession is getting better at defending against attacks in the first place
- 75% of cyber security professionals say people are the biggest challenge they face, as opposed to processes (15%) and tech (10%)
- 48% say that analytical and problem-solving skills are the most valued – communication skills (27%) are the next highest, and just 14% say technical skills are the most important
- 84% believe that security budgets are increasing more slowly than the threat level, while just 5% agreed that budgets are in line with or ahead of threats
- 78% feel their job prospects are good or excellent, and 73% expect the overall security market to grow over the next three years
There’s certainly some good news here. Job prospects and the growth of the cyber security profession are both positives. More than half of respondents also say the profession’s ability to respond to incidents is improving, and people-based skills are more coveted than technical ones. These statistics suggest a shift in direction for the profession, with different skills contributing towards better practices and growth.
However, the same problems continue to plague cyber security – people remain the profession’s Achilles’ heel, and budgets are stagnating. If the cyber security market is forecast to grow, a positive highlighted in the survey, budgets must reflect this. But sadly, it looks like cyber security professionals will continue to be forced to achieve more with less over the coming year.
But highly coveted communication skills offer an opportunity to address this issue. Most cyber security professionals will have already put processes in place, such as covering off basic cyber hygiene and enforcing policies. Investment in new technology is likely to be difficult without increased budgets, so like it or not, cyber security professionals will have to cover gaps with their existing tools. But while tools and procedures can help manage cyber risks, they can’t solve the underlying people problem.
The human element has never been more important. It belongs at the heart of organisations’ cyber strategy, not as an added extra. Cyber security professionals must find ways to bring their colleagues and their organisation’s supply chain on the cyber security journey. This means educating them on the risks of cybercrime via effective communication, helping them think differently, and actively challenging the deluge of misinformation and traps that are a sad fact of life. We need people with strong, proven communication skills – whether from inside or outside the profession. Using their talents for empathy, persuasion and clarity will be crucial to driving programmes that make people think, feel and ultimately act differently.
The good news is that developing or even attracting these skills generally costs less than shiny new tooling. And it’s easier to justify spending when board members who are well aware of the current spate of attacks want someone to communicate the risks to them. Becoming this communicator requires a new mindset: one where cyber security professionals see themselves as business partners and advisers, rather than being perceived as unapproachable technicians.
Without addressing all three issues – people, processes and tech – cyber security cannot be wholly effective. But with technology investment hamstrung by budgets and the correct processes in place, addressing the cyber security profession’s people problem will have the greatest impact, and that must start with improving communication.