Increasingly, business and even political leaders are recognising security as a prerequisite to opportunity in a digitally-dependent world. The trends and reasons behind them are confirmed by industry analysts Frost & Sullivan in the latest (ISC)2 Global Information Security Workforce Study.
The profession itself is characterised in the report as having become a ‘barometer of economic health and the changing nature on how business is being conducted’.
Painting a picture of growth and success the study also highlights the challenges that accompany this, with a deepening worldwide skills shortage pitched against a sophisticated threat landscape, growing concern over cyber terrorism and hactivism, and little relief from more established economically motivated forms of attack.
Overall, this report, which surveyed over 12,000 (3229 in EMEA) people working directly in information or IT security, demonstrates the need for a broader understanding of the complexities in order to preserve the health of organisations and economies.
Given its breadth and scope, the (ISC)2 Global Information Workforce Study, now in its sixth edition, offers a comprehensive review of the trends and issues that affect the practice of information security, including the security posture of the businesses they protect.
Hacktivists (43 per cent), cyber-terrorists (44 per cent) and hackers (56 per cent) for example are some of the big security concerns expressed by respondents, while a few companies admit that their security readiness has worsened with their ability to discover a breach having dropped.
Too many (15 per cent) reported that they are unable to put a timeframe on their ability to remediate from an attack. This is despite service downtime being one of the highest organisational priorities identified by respondents.
Such concerns are more pronounced in the education, healthcare, manufacturing and retail verticals - the sectors that have not traditionally invested heavily in security; compared to banking, insurance and finance verticals that have often been the pioneers of information security.
Perhaps the most alarming revelation comes from the fact that application vulnerabilities are identified as the top security concern (69 per cent) for respondents, with C-level executives rating it even higher at 72 per cent.
In many ways the instincts in software development are the opposite to that of security, driven by tight timescales, tight budgets and the desire to make systems more open to users.
It is therefore a real worry that only 12 per cent of the information security professionals who responded were involved in software development within their organisations and that almost half of security organisations are not involved in software development at all.
As a result, there is a poor understanding and uncertainty in the security community around whether a breach is attributable to insecure software. For instance, in a full 40 per cent of detected breaches, the role of insecure software was uncertain.
It all adds to pressure being felt by the professionals working to protect systems and information at every level, not just the front line. While many may be basking in guru status, 71 per cent reported feeling strained by their workload. More than half told us their security organisations are short staffed and two-thirds of C-level managers suggested they felt this way, with the effect being felt across the organisation.
Just over 50 per cent reported that the shortage is having a direct impact on data breaches, more are happening, while 47 per cent of respondents said the staff shortage is impacting their customers.
Documented levels of uptake in both BYOD and cloud computing in particular signal major changes in IT systems, along with how, when, and where business operations occur. Professionals are required to apply new skills, technologies, and procedures in order to manage the dynamic range of risks being introduced with about three-quarters of respondents believe new skills are required for both these areas of development.
The greatest shortages reflect those same verticals that showed the greatest levels of concern over top security issues: education, healthcare, manufacturing and retail.
A number of barriers appear to be inhibiting efforts to address the shortage: business conditions, poor executive understanding of the need, and many simply struggling to find the professionals they are looking for.
A lack of available budget, however, does not appear to be of concern. The economy, lack of funding, and staffing cuts were each identified by only one per cent or less of the respondents. Further, 34 per cent of C-level respondents expect spending on personnel to increase.
This does of course create an upside for those currently working in Information security who are enjoying stable careers. 83 per cent of respondents reported no change in employer or employment status and 11 per cent changed jobs out of will.
Only 3 per cent changed employer due to redundancy - a sharp contrast to other industry sectors that continue to feel the effects of a poor global economy. Salaries too are high and rising. The majority (60 per cent) reporting an increase over the past year with some sectors, 11 per cent of respondents in the IT sector for example, receiving a salary increase of over 10 per cent in 2012.
Rising salaries, however, are also a symptom of the skills gap identified by the industry-wide staffing shortages. A concern documented since the first (ISC)2 Global Workforce Study was published in 2004, demographics portray an aging population of people working in security and fewer, now less than 7 per cent, under the age of 29.
The reports have also accurately predicted double digit growth in the profession’s ranks suggesting most enter mid-career from other industries. This growth shows no signs of slowing with 11 per cent year on year, expecting to swell the ranks to 4.9 million by 2017 (from an estimated 2.87 million at the beginning of 2013).
Within the profession, most welcome the continued success that comes with the recognition we are now getting. We now have the opportunity to build on what has been achieved and help business leaders, governments, educators and policymakers better understand what is required to catch up with the need.
