Seventy-five percent of cyber security professionals expect to be victims of a cyber attack in 2016, according to a recent study released by ISACA and the RSA Conference that highlighted a startling level of concern regarding organizational cyber security, given that respondents were the very people entrusted to protect and enforce their systems.

There were many worrisome figures to come out of the report. Of the 461 respondents, 30 percent said they experience daily phishing attacks, while only 40 percent believe their organizations can handle anything beyond a basic incident. Additionally, only 14 percent of information security chiefs report directly to the CEO, leaving the rest of the departments battling without help from the executive team that could include enforced policy, appropriate funding or awareness training.

Insufficient organizational congruence could lead to increased vulnerability from sub-optimal security systems to an under-supported or qualified staff. In fact, more than 20 percent of respondents reported not knowing whether or not their security systems had been breached in the past year, a very troubling statistic considering all respondents were primarily responsible for cyber security within their organizations.

Staffing was a concern for most recipients as many organizations appear to have a difficult time filling positions. Sixty-two percent of survey respondents reported that their organization had too few information security professionals, while almost 60 percent of respondents said that less than half of their job candidates are “qualified upon hire,” and 27 percent of respondents said they need six months to fill a cyber security position. This lack of appropriate candidates has led to longer vacancies in departments at a time when risk is at an all-time high. Exacerbating the issue is that each of these statistics are an increase over previous years, highlighting a worrying trend that does not appear to be getting any better.

While staffing numbers may be down, demand for trained professionals is only expected to grow. Among those surveyed, more than half believe that the Internet of Things will stretch potential attack surfaces and increase risk in both the short and long term. It’s possible that more organizations will be able to handle the perceived threats, however, as sixty-one percent of survey respondents said they expect an increase cyber security budgets in 2016, including increased pay, skills development training, awareness programs and response planning. Additionally, 75 percent said that their organization’s cyber security strategy now aligns to enterprise objectives.