(ISC)², administrator of the CISSP, released the results of its latest study on the infosec workforce this morning. The gist: Many infosec managers are understaffed, which makes it harder to stop data breaches and, in the bigger picture, hurts the global economy.

The study polled more than 12,000 information security professionals -- many of whom admit they're in over their heads.

Those surveyed cited hacktivism (43 percent), cyber-terrorism (44 percent), and hacking (56 percent) as their top concerns. More than half – 56 percent – feel their security organizations are understaffed. Fifteen percent said they can't put a timeframe on their ability to recover from an attack, even though minimizing service downtime is one of the highest priorities for nearly three-quarters of them.

More takeaways from the survey:

- Information security is a stable and growing profession, and careers in security are fruitful – Information security professionals are enjoying stable employment. Over 80 percent of respondents reported no change in employer or employment in the last year, and 58 percent reported receiving a raise in the last year. The number of professionals is projected to grow steadily globally by more than 11 percent annually over the next five years. The global average annual salary for (ISC)²-certified professionals is US$101,014, which is 33 percent higher than what professionals not holding an (ISC)² certification earn.

- New skills, deepening knowledge, and a wider range of technologies are needed – A multi-disciplinary approach is required to address the risks in BYOD and cloud computing. 78 percent of respondents said BYOD technology is a significant security risk, and 74 percent reported that new security skills are required to meet the BYOD challenge. 68 percent reported social media is a security concern, with content filtering being the chief security measure used.

- Application vulnerabilities rank the highest among security concerns, yet most organizations are not prioritizing secure software development – Almost half of security organizations are not involved in software development, and security is not among the most important factors when considering an outsourcing provider for software development, yet 69 percent reported application vulnerabilities as their top concern.

- Top security priorities vary among verticals, logically – 63 percent of banking, insurance, and finance respondents selected damage to the organizations’ reputation as a top priority. In healthcare, 59 percent chose customer privacy violations as top priority. 57 percent of construction respondents chose health and safety as a top priority, and 50 percent of telecom and media respondents chose service downtime as their top priority.

- While attack remediation is anticipated to be rapid, security incident preparedness is exhibiting signs of strain – 28 percent of respondents believe their organizations can remediate from a targeted attack within a day, and 41 percent said that they could remediate the damage within one week or less. A good portion of the respondents said they don’t know how long damage remediation may take. With regard to being prepared for a security incident, twice the percentage of respondents in the 2013 survey believe their readiness has worsened in the past year as did respondents in the 2011 survey.

- Knowledge and certification of knowledge weigh heavily in job placement and advancement – Nearly 70 percent view certification as a reliable indicator of competency when hiring. Almost half of hiring companies – 46 percent – require certification. 60 percent of those surveyed plan to acquire certifications in the next 12 months, and the CISSP is still the top certification in demand.

Interesting stuff, though I know quite a few infosec practitioners who will be skeptical, given their feelings that the CISSP cert outlived its usefulness some time ago. More on that in the next post.