RSA 2013: (ISC)2 report says shortage of skilled infosec pros hurts economy

(ISC)2's 2013 Global Information Security Workforce Study says two-thirds of CISOs lack adequate staff to stop costly data breaches.

(ISC)2, administrator of the CISSP, released the results of its latest study on the infosec workforce this morning. The gist: Many infosec managers are understaffed, which makes it harder to stop data breaches and, in the bigger picture, hurts the global economy.

The study polled more than 12,000 information security professionals -- many of whom admit they're in over their heads.

Those surveyed cited hacktivism (43 percent), cyber-terrorism (44 percent), and hacking (56 percent) as their top concerns. More than half -- 56 percent -- feel their security organizations are understaffed. Fifteen percent said they can't put a timeframe on their ability to recover from an attack, even though minimizing service downtime is one of the highest priorities for nearly three-quarters of them.

More takeaways from the survey:

  • Information security is a stable and growing profession, and careers in security are fruitful – Information security professionals are enjoying stable employment. Over 80 percent of respondents reported no change in employer or employment in the last year, and 58 percent reported receiving a raise in the last year. The number of professionals is projected to grow steadily worldwide by more than 11 percent annually over the next five years. The global average annual salary for (ISC)²-certified professionals is US$101,014, which is 33 percent higher than what professionals without an (ISC)² certification earn.
  • New skills, deepening knowledge, and a wider range of technologies are needed – A multi-disciplinary approach is required to address the risks in BYOD and cloud computing. 78 percent of respondents said BYOD technology is a significant security risk, and 74 percent reported that new security skills are required to meet the BYOD challenge. 68 percent reported social media is a security concern, with content filtering being the chief security measure used.
  • Application vulnerabilities rank the highest among security concerns, yet most organizations are not prioritizing secure software development – Almost half of security organizations are not involved in software development, and security is not among the most important factors when considering an outsourcing provider for software development, yet 69 percent reported application vulnerabilities as their top concern.
  • Top security priorities vary among verticals, logically – 63 percent of banking, insurance, and finance respondents selected damage to the organization's reputation as a top priority. In healthcare, 59 percent chose customer privacy violations as a top priority. 57 percent of construction respondents chose health and safety as a top priority, and 50 percent of telecom and media respondents chose service downtime as their top priority.
  • While attack remediation is anticipated to be rapid, security incident preparedness is exhibiting signs of strain – 28 percent of respondents believe their organizations can remediate the damage from a targeted attack within a day, and 41 percent said they could remediate the damage within one week or less. A good portion of the respondents said they don't know how long damage remediation may take. With regard to being prepared for a security incident, twice as many respondents in the 2013 survey as in the 2011 survey believe their readiness has worsened in the past year.
  • Knowledge and certification of knowledge weigh heavily in job placement and advancement – Nearly 70 percent view certification as a reliable indicator of competency when hiring. Almost half of hiring companies – 46 percent – require certification. 60 percent of those surveyed plan to acquire certifications in the next 12 months, and the CISSP is still the top certification in demand.

Interesting stuff, though I know quite a few infosec practitioners who will be skeptical, given their feelings that the CISSP cert outlived its usefulness some time ago. More on that in the next post.

Copyright © 2013 IDG Communications, Inc.
