Startups, MSMEs Face Cyber Skills Gaps: ISACA Survey Insights

India’s cybersecurity sector is navigating a critical juncture. The ISACA State of Cybersecurity 2025 survey highlights that 40 percent of India-based cybersecurity teams are understaffed, with 68 percent of positions unfilled, even as demand for technical professionals rises.

The survey also shows that fewer enterprises are training non-security staff to transition into cybersecurity roles—only 34 percent, down from 50 percent last year—underscoring potential long-term risks for organisations.

Low-Cost Upskilling Models for Startups and MSMEs

While talking to CiOL, RV Raghu, ISACA India Ambassador and director, Versatilist Consulting India Pvt Ltd, shared insights on solutions for smaller organisations.

CiOL: For startups and MSMEs, what low-cost upskilling or staff augmentation models work best—apprenticeships, shared SOCs, managed detection services, or public-private training partnerships?

Raghu: “I think it’s going to be all of these. Depending on your needs, certain models will work better. For a startup with 10 people, you may not be able to hire a full-time cybersecurity professional. It helps to have an augmentation model—an expert who can guide you. If you’re building a product, you might need someone skilled to identify potential cybersecurity challenges. For network management, shared SOCs make sense, and managed detection services are being explored in the banking, insurance, and healthcare sectors. Public-private partnerships, like CERT-In advisories and ISACA certifications in the National Skill Database, also help translate skills into tangible hiring outcomes.”

These solutions allow smaller enterprises to leverage shared resources and targeted training, especially as the report shows that 38 percent of respondents take 3–6 months to hire for entry-level roles and 42 percent for non-entry-level positions.

Training vs. Budgets

The survey indicates a disconnect between budgets and training. While only 42 percent of Indian respondents reported underfunded budgets (compared to 53 percent globally), 65 percent expect budget increases (versus 41 percent globally). Despite this, fewer organisations invest in staff training.

CiOL: “Why are organisations cutting training, and is that short-term saving sowing long-term risk?”

Raghu: “Not training staff may be a short-term reaction or misunderstanding. Nearly 40 percent of current cyber staff in India transitioned from non-security roles, so training leverages domain expertise. Tools alone are ineffective without knowing how to apply them in healthcare, banking, or cloud environments.”

Skills in Demand

India-based organisations report that prior cybersecurity experience (76 percent) and adaptability (73 percent) are top qualifications. Soft skills gaps are significant (56 percent), including critical thinking (55 percent), problem-solving (52 percent), and communication (51 percent).

The report also notes that 39 percent of cyber staff transitioned from roles outside the field, highlighting the value of upskilling existing employees rather than hiring entirely new talent.

AI Adoption in Security Operations

The survey finds that Indian cybersecurity teams are increasingly adopting AI:

• 50 percent of respondents helped develop AI governance, up from 31 percent last year.

• 46 percent were involved in AI implementation, up from 29 percent.

• Top AI applications include automating threat detection (42 percent), endpoint security (37 percent), and routine task automation (33 percent).

Rising Threats and Stress

India’s threat landscape is dominated by exploited vulnerabilities (52 percent), ransomware (48 percent), and denial-of-service attacks (38 percent). 27 percent report increased attacks, and 25 percent expect an attack in the coming year.

Workplace stress is high: 59 percent report greater stress than five years ago, with limited promotion opportunities (48 percent), poor financial incentives (45 percent), and complex threats (40 percent) driving attrition.

“Cybersecurity professionals are navigating an increasingly complex environment,” said Chris McGowan, ISACA principal, information security professional practices. “As attacks rise, organizations must support teams, bolster defenses, and prioritize employee well-being.”