The Cybersecurity and Privacy Workforce in Higher Education, 2023

Staffing and Budgets

In this section, we report on issues relating to staffing, including the ability to create new positions and to hire and retain talent; the impact of staffing issues on cybersecurity and privacy services; what could be done to address staffing issues; and concerns about layoffs. We also report on budget changes and their impacts on cybersecurity and privacy services.

Staffing issues have impacted the cybersecurity and privacy services offered. We asked respondents about the extent to which staffing issues have had a negative impact on cybersecurity and privacy services (i.e., causing difficulties in maintaining regular services and operations). Two-thirds (66%) of respondents said that staffing issues have had some or a lot of negative impact on cybersecurity services offered at their institution, while 60% said there was some or a lot of negative impact on privacy services offered. We also asked whether institutions are able to create new positions and hire and retain talent. Over half (55%) agreed that their institution is able to retain talent, while less than half agreed that their institution is able to hire successfully (46%) and create new positions (38%) (see figure 5). When examining these findings by position level, we found that C-level executives were more confident in their institution's ability to create positions and retain talent. A larger proportion of C-level executives agreed that their institution is able to retain talent (68%) than directors (53%), managers (54%), and staff (43%). Close to half of C-level executives agreed that their institution is able to create new positions (45%), compared to directors (29%), managers (37%), and staff (38%).

Figure 5. Staffing Capabilities (Creation of Positions, Hiring, Retention)
Chart showing agreement with three statements. 'We are able to create new positions' (38%), 'We are able to successfully hire into existing positions' (46%), and 'We are able to retain talent' (55%).

Less money leads to more staffing problems. We asked respondents what factors make staffing difficult at their institutions, and many focused on limited budgets (especially due to lower enrollments) and inadequate/noncompetitive compensation and benefits. Other challenges identified included hiring freezes, limited advancement and professional development opportunities, and lack of remote/hybrid work options.

Total compensation packages fall significantly below corporate levels due to a lack of bonus and equity. Funding for training and conferences, normally considered in corporate as a significant perk or even compensation, is limited. Finally, work must be performed 100% onsite, which is a detractor for potential employees.

Cybersecurity, privacy, and even IT are managed by the Chief Marketing Officer, and justification for positions is a challenge. Even more challenging is finding candidates who will accept the institution's pay scale and on-site work requirement. We have lost significant talent due to better pay in remote positions.

Retaining talent is challenging since there is no career advancement in the current cybersecurity department.

Budgets do not support additional hiring. Lower-than-industry salaries, tight budgets, and increased responsibilities for many years are beginning to lower morale and make staff retention difficult.

Steep enrollment declines, coupled with an unusually high level of retirements and resignations during the COVID era, have led to significant staff loss.

Respondents called for improvements to salaries, budgets, and development opportunities. We asked respondents to select from a list of the actions their institution could do to address staffing issues (see figure 6). The three most selected options were offer more competitive salaries (85%), increase departmental budgets (68%), and provide development opportunities (upskilling and reskilling) (43%). There were some differences in responses based on position level. Staff (40%) were more likely to say that institutions should improve communication and decision-making processes compared to C-level executives (25%), directors (33%), and managers (17%). Staff were also more likely to say that institutions should improve institutional culture and values (42%), compared to C-level executives (18%), directors (31%), and managers (22%).

Figure 6. How Respondents Think Staffing Issues Could Be Addressed
Bar chart showing what could be done to address staffing issues. Offer more competitive salaries (85%), Increase departmental budgets (68%), Provide opportunities for upskilling and reskilling (43%), Offer remote/hybrid work options (37%), Provide more flexibility (work location, hours, roles, duties) (31%), Improve communication and decision-making processes (31%), Offer more realistic and fair workloads (29%), Increase project budgets (29%), Improve institutional culture and values (29%), Offer more competitive benefits (23%), Recruit from more diverse applicant pools (14%), Other (10%), None of the above (1%).

Broad-level layoffs are more concerning than personally being laid off. Respondents felt most concerned about the possibility of layoffs across their institution (32% somewhat or strongly agreed that they felt concerned). Meanwhile, 16% somewhat or strongly agreed that they felt concerned about the possibility of layoffs within their department or unit, and 10% somewhat or strongly agreed that they felt concerned about being personally laid off. When we examined concerns about layoffs by position level, the differences were slight. Mainly, C-level executives were somewhat less concerned about personally being laid off (4% somewhat or strongly agreed that they felt concerned), compared to directors, managers, and staff (14%, 10%, and 13%, respectively).

Despite major concerns about budgets, many reported budget increases. Respondents were asked whether the cybersecurity and/or privacy budgets have changed within that past 12 months. Surprisingly, only 6% said that the budget had decreased, while a majority (68%) reported an increase, and 26% indicated no change. We asked respondents who reported a change in budget to comment on how the budget change had impacted cybersecurity and privacy services offered at their institution. Those who reported a decrease in budget noted that it caused projects and initiatives to be postponed and led to an increase in risks and security incidents, reduced services, and challenges in recruiting and retaining necessary personnel. Those who reported an increase in budget noted a number of positive impacts such as being able to create and fill new positions, hire more contractors and outsource more services, acquire more tools, expand and mature existing services, and increase defenses while reducing threat incidents.

Despite budget increases, inflation and allocation present challenges. Although budget increases allowed for some improvements, respondents also identified limitations and challenges even with budget increases, such as there being little to no positive impact on services because of rising costs and inflation, as well as limitations in the way the budget is allocated.

The increase has only allowed us to keep up with the cost increase of current services.

[The budget] is up at least 10%, but most of that is personnel.

Funding is difficult in the public education sector. Though we have had some increases, it does not cover all our needs. We prioritize and incrementally add improvements.

Cybersecurity gets all the money—privacy has not received an increase in budget. More tools are purchased, new positions for cybersecurity are offered and better pay with the increase in budget.

Privacy has no formal budget, so things beyond affordable training, like tools, staff, professional training, etc., are not attainable.

Change was due to the increased requirements from cybersecurity insurance companies. All extra funding went to products and service and no extra funding for support staff. This has caused a great deal of stress with the increased workload.

We have had security incidents. Serious ones. The university has had to pay for mitigation. We have not made significant investments in pre-incident tooling yet but are about to purchase a vulnerability management platform, which will shift some budget our way.