IT: Risk. Control. Assurance.

Guiding your business through audits, migrations, and transformations with clarity, compliance, and confidence


Understaffed Cyber Teams and Rising Demand: The ISACA 2025 State of Cybersecurity Findings & What It Means for Audit

 

The ISACA 2025 State of Cybersecurity Report reveals that 55% of cybersecurity teams are understaffed and 65% of enterprises have unfilled cybersecurity positions, yet fewer organisations are training non-security staff to move into security roles.

The report further finds that 70% of security professionals expect demand for technical cybersecurity roles to increase over the next year. 
 

Implications:

From a technology risk and internal audit perspective, these findings highlight a capacity weak point: even with risk frameworks in place, the human resource dimension is a bottleneck. Controls may exist but are not being continuously executed or monitored due to staffing gaps.

For IT Audit/SOX: The implication is that when assessing IT general controls, auditors should be alert to whether key roles (e.g., security operations centre, vulnerability management, access review) are fully staffed and whether fallback/oversight mechanisms exist. Just having a control documented is not enough if no one performs it or monitors effectiveness.

In consulting: Advising clients to treat staffing and skill gap mitigation as part of their audit risk management plan will be increasingly valuable. The shortage of staff should be treated as a control deficiency risk in its own right.

Key Take-aways:

Conduct a staffing/skills gap audit. Align your security team’s head count and skills inventory to your threat/risk matrix. If key roles are unfilled, remedial actions should be documented.

Ensure compensating controls are in place. If you are understaffed, implement stronger automation, third-party monitoring, or increased oversight to make up the difference, and document this for audit.

Update your audit planning to include "resourcing risk" as a standalone audit focus. For example: "Are there unfilled positions in the security control chain that could lead to delayed threat detection?"
 

 

 

 

Building Assurance Through Risk-Based Decisions

Stay informed with the latest updates, analysis, and expert commentary from GNAW Resources, your partner in IT Risk Assurance and Audit Readiness.
We deliver practical, results-driven solutions to strengthen governance, controls, and compliance across complex technology environments.

 

Our focus areas include IT Risk Management, IT General Controls (ITGC) Reviews, Audit Preparation and Mitigation, and Control Planning for Cloud Migrations and Transformations.


With extensive experience in IT SOX compliance, security frameworks, and global assurance standards, our team helps organisations stay audit-ready, secure, and confident in every review cycle.

Empowering leaders to make informed, risk-based decisions: that's the GNAW Resources commitment. A community of forward-thinking professionals taking a smarter, stronger approach to technology risk.