Shortage of infosec pros equals frequent and costly data breaches

(ISC)2 released the results of its sixth Global Information Security Workforce Study (GISWS). The study of more than 12,000 information security professionals worldwide (3,229 from the Europe/Middle East/Africa region) reveals that the global shortage of information security professionals is having a profound impact on the economy and is driven by a combination of business conditions, executives not fully understanding the need for security, and an inability to locate qualified information security professionals.

The report finds that hacktivism (43 percent), cyber-terrorism (44 percent), and hacking (56 percent) are among the top concerns identified by respondents, yet more than half – 56 percent – feel their security organizations are short-staffed. Many organizations (15 percent) are not able to put a timeframe on their ability to recover from an attack, even though service downtime is one of the highest priorities for nearly three-quarters of respondents. The data concludes that the major shortage of skilled cyber security professionals is negatively impacting organizations and their customers, leading to more frequent and costly data breaches.

The GISWS finds that there is also a major shortage of software development professionals trained in security and that application security vulnerabilities still rank highest among security concerns – a trend identified in the 2011 GISWS. Threats from malware and mobile devices are also at the top of the list, and cloud security, Bring Your Own Device (BYOD), and social networking are all reported as major concerns in terms of newer security threats on the horizon.

Some of the other key findings from the study include:

Information security is a stable and growing profession, and careers in security are fruitful
Information security professionals are enjoying stable employment. Over 80 percent of respondents reported no change in employer or employment in the last year, and 58 percent reported receiving a raise in the last year. The number of professionals is projected to grow steady by more than 11 percent annually over the next five years. The average annual salary for (ISC)²-certified professionals is US$101,014, which is 33 percent higher than professionals not holding an (ISC)² certification.

New skills, deepening knowledge, and a wider range of technologies are needed
A multi-disciplinary approach is required to address the risks in BYOD and cloud computing. 78 percent of respondents said BYOD technology is a significant security risk, and 74 percent reported that new security skills are required to meet the BYOD challenge. 68 percent reported social media is a security concern, with content filtering being the chief security measure used.

Application vulnerabilities rank the highest among security concerns, yet most organizations are not prioritizing secure software development
Almost half of security organizations are not involved in software development, and security is not among the most important factors when considering an outsourcing provider for software development, yet 69 percent (66 percent in EMEA) reported application vulnerabilities as their top concern.

Top security priorities vary among verticals
63 percent of banking, insurance, and finance respondents selected damage to the organizations’ reputation as a top priority. In healthcare, 59 percent chose customer privacy violations as top priority. 57 percent of construction respondents chose health and safety as a top priority, and 50 percent of telecom and media respondents chose service downtime as their top priority.

While attack remediation is anticipated to be rapid, security incident preparedness is exhibiting signs of strain
28 percent of respondents (26 percent in the UK) believe their organizations can remediate from a targeted attack within a day, and 41 percent (44 percent in the UK ) said that they could remediate the damage within one week or less. A good portion of the respondents said they don’t know how long damage remediation may take. With regard to being prepared for a security incident, twice the percentage of respondents in the 2013 survey believe their readiness has worsened in the past year, as did respondents in the 2011 survey.

Knowledge and certification of knowledge weigh heavily in job placement and advancement
Nearly 70 percent view certification as a reliable indicator of competency when hiring. Almost half of hiring companies – 46 percent – require certification. 60 percent of those surveyed plan to acquire certifications in the next 12 months, and the CISSP is still the top certification in demand. This figure is the same for the UK.

“This survey shows that we need to rethink our approach to the skills challenge. We need to look at the problem from the top down, not the bottom up, starting with end users (including the general public), moving on to application and systems development security, as well as tackling the more traditional areas of securing the infrastructure,” said John Colley, CISSP, managing director, (ISC)2 EMEA. “Without doing this, we will never solve the threats presented by mobile devices, cloud security and BYOD. It is disturbing to see that application vulnerability is the top concern, while only 12 percent of information security professionals are involved in it. We need to take a holistic view of the challenge, adopting a cooperative and concerted effort across academia, government and the information security profession to curtail the problem.”