CybersecurityIncident Response

Cybersecurity Teams Struggle to Find Time for New Threat Training

Analyst 207||Source: InfoSecMag
Cybersecurity pro with concerned expression surrounded by colleagues in busy office.

“Make that commitment real by protecting dedicated time for training, meaningfully adjusting workloads and equipping managers with the guidance and resources they need to help their teams prioritize learning,” said the report.

Budgets are rising — but time for training is not

A new ISC2 study of 995 cybersecurity leaders at enterprise organizations (5,000+ employees) across Canada, Germany, India, Japan, the UK and the USA finds a familiar contradiction: most organizations are increasing investment in training, yet defenders still struggle to find the hours to use it.

Nearly three-quarters of respondents (73%) said their organization’s security training budget has increased over the past year. At the same time, almost a third (29%) said they still lacked the budget to provide up-to-date training for their teams. And although 98% of security leaders reported that their organization allows employees to engage with professional development and training during work hours, just over half (53%) said they face challenges that prevent staff from actually doing so during the working day.

AI is the top emergent skill being addressed

The survey points to a clear focus area: almost half of respondents (47%) said that artificial intelligence is the most pressing skill their organization is addressing or planning to address through training. That single figure towers over other specific priorities mentioned in the report, signaling where enterprises are directing learning programs as new technologies reshape risk.

Practical barriers beyond the budget line

Respondents identified several operational obstacles that blunt the effectiveness of training programs even when money is available. The most common issues were:

  • Keeping training content current and relevant (45%);
  • Difficulty finding qualified trainers (39%);
  • Lack of employee willingness to participate (37%);
  • Lack of support from leadership or other stakeholders (32%).

These findings underline a familiar reality: procurement of courses or seats is not the same as producing usable skills inside an organization. Time, content, trainer supply and buy-in all intersect to determine whether a training program sticks.

ISC2’s prescription: protect time, reduce competing work

ISC2’s report does not stop at diagnosis. It recommends explicitly protecting dedicated time for training, meaningfully adjusting workloads so learning can occur, and equipping managers with guidance and resources to help teams prioritize that learning. The report argues that when time is built into the workday and supported by management, security teams may be more likely to take full advantage of training opportunities.

That prescription is set against another positive data point: most security leaders said their security training programs have been very or extremely effective in improving key processes within their organizations over the past year. In short, programs can work — the challenge is making the workday accommodate them.

What this means for security teams, managers, and procurement leaders

  • Security teams: Even when organizations formally permit training during work hours (98%), frontline defenders report real barriers (53%) that stop them from attending. Teams will need explicit, scheduled time away from operational tasks if training is to become routine rather than aspirational.
  • Managers and organizational leaders: The report places responsibility on line managers to adjust workloads and prioritize learning. Without that managerial action, the study suggests, training allowances on paper will not translate into training in practice.
  • Procurement and training planners: Budget increases are widespread, yet gaps remain — 29% of leaders said they still lack sufficient budget, and 39% reported difficulty finding qualified trainers. Planners must balance funds, supplier capability and content refresh to meet the speed of change highlighted by the report (notably around AI).

The ISC2 survey produces a clear, practical tension: enterprises are willing to spend more on cybersecurity training and see measurable process improvements when training happens, yet day-to-day workloads, content freshness, trainer availability and variable leadership support keep many employees from using the time offered. The report’s central challenge — turn policy into protected practice — is specific and actionable. Will organizations follow the report’s call to “protect dedicated time for training” and adjust work so learning can actually occur? That remains the question the study leaves before enterprise leaders and their defenders.

Source: Infosecurity Magazine — ISC2 report on cybersecurity training time

Emerging ThreatsEnterprise SecurityWorkload ManagementBudget AllocationCybersecurity TrainingISC2 StudyThreat PreparednessOrganizational Leadership
Related Intelligence

Continue Reading

Formal award ceremony with people on stage and in audience.

Cybersecurity Stars Awards 2026 Reveals Top Winners

The 2026 Cybersecurity Stars Awards shines a spotlight on the unsung heroes of cybersecurity, recognizing outstanding achievements across 95+ subcategories. This year's winners are celebrated for their exceptional work, proving that even the most invisible security efforts can earn top honors.

Analyst 207
Computer screen shows patch update being applied in a government office setting.

CISA Mandates Swift Patching of Exploited Flaws Within 3 Days

The US Cybersecurity and Infrastructure Security Agency (CISA) is now requiring federal agencies to patch high-risk vulnerabilities within just three days to significantly reduce the threat of cyberattacks. This new directive aims to slash the time attackers have to exploit weaknesses, protecting the public sector from potential breaches.

Analyst 207
Lab equipment and computer workstations surround a central laptop displaying abstract code.

Vulnerability Management Collapses as AI Compresses Attack Window

In just one month, AI-powered vulnerability management uncovered over 10,000 high-risk flaws in critical software, revealing a staggering new reality: AI has dramatically compressed the attack window, making traditional vulnerability management nearly obsolete.

Analyst 207
Technician in server room checking a blurred screen with daylight through large windows.

Microsoft Resolves BitLocker Recovery Bug in Windows Server 2025 Update

Microsoft has fixed a frustrating bug in the April 2026 security update for Windows Server 2025 that could have forced devices into BitLocker recovery mode, and the solution is now available in two cumulative updates, KB5094125 and KB5093998. This fix ensures a smoother experience for users by preventing unexpected BitLocker recovery key prompts.

Analyst 207