The survey found that 43% of respondents believe an attack on their organization is likely in the next year, yet just 41% are confident in their incident-response capabilities. Additionally, 39% believe cybercrime is underreported, even when reporting is required.
The most common type of attack is social engineering (44%)—manipulation techniques that trick individuals into giving up confidential information—followed by exploited vulnerabilities (flaws or weaknesses in software, hardware, or network systems), noted by 37%, and malware (malicious software or code), cited by 36%. About one-third of cybersecurity professionals still reported an increase in incidents this year, according to the report.
“Cybersecurity professionals are navigating an increasingly complex threat landscape, marked by the rapid evolution of threats and an increase in both the frequency and sophistication of attacks,” Chris McGowan, ISACA principal for information security professional practices, said in a statement.
McGowan noted an anticipated rise in cyberattacks next year would put even more pressure on cybersecurity teams, emphasizing the importance of regularly reviewing support systems and training to strengthen skills and resilience. Companies must not only improve their defenses, but also prioritize the well-being of their cybersecurity teams, he added.
The stress is worsened by persistent understaffing, with 55% of cybersecurity teams short-staffed and 65% having unfilled roles. Fewer organizations are training non-security staff to move into cybersecurity positions.
Meanwhile, predictive models highlight attack risks, and in security operations centers, AI improves event correlation and investigation, she said. Experts caution that human oversight is needed to avoid bias, blind spots, and errors in decision-making, Achanta added.
Respondents report increased use of AI in their work and a larger role in AI policy at their organizations. Almost half (47%) said they helped develop governance practices (up from 35% last year), and 40% were involved in implementation (up from 29%). The top uses of AI in security operations are threat detection, endpoint security, and automating routine tasks.
In cybersecurity, adaptation isn’t optional—it’s survival.