Information Security Teams Strained and Constrained, Study Shows; Application Security, Mobile and Secure Software Development are Top Concerns
In what (ISC)2 believes to be largest study of the information security profession, 10,413 information security professionals from companies and public sector organizations from around the world showed that a growing number of technologies being widely adopted by businesses are challenging information security executives and their staffs. Additionally, a disappointing, but not surprising figure, is that nearly two-thirds of respondents don’t expect to see any increase in budget for information security personnel and training in 2011.
Conducted by Frost & Sullivan, for (ISC)2, the Global Information Security Workforce Study (GISWS) says new threats stemming from mobile devices, the cloud, social networking and insecure applications, as well as added responsibilities such as addressing the security concerns of customers, have led to “information security professionals being stretched thin, and like a series of small leaks in a dam, the current overworked workforce may be showing signs of strain.”
“The good news from this study is that information security professionals finally have management support and are being relied upon and compensated for the security of the most mission-critical data and systems within an organization,” said Robert Ayoub, global program director – network security for Frost & Sullivan. “The bad news is that they are being asked to do too much, with little time left to enhance their skills to meet the latest security threats and business demands,” Ayoub added.
Key findings from the information security professionals study include:
• Application vulnerabilities represent the number one threat to organizations. More than 20 percent of information security professionals reported involvement in software development.
• Mobile devices were the second highest security concern for the organization – Despite an overwhelming number of professionals having policies and tools in place to defend against mobile threats, with 70 percent of respondents reported having policies and technology in place to meet the security challenges of mobile devices. The study concluded that mobile security could be the single most dangerous threat to organizations for the foreseeable future.
• Secure software development is a significant new area of focus for information security professionals worldwide. According to Vinnie Liu, a Managing Partner at Stach & Liu, and an application security expert and SecurityWeek contributor there are many reasons for this shift. “The primary reason for this increased attention is to meet rising regulatory and customer requirements that demand due diligence in the development of software. As the industry has matured, so have the standards—gone are the days when the performance of a vulnerability scan signifies secure software. In certain cases, I’ve seen companies’ focus increase as a result of a significant data breach,” Liu explains.
• Professionals aren’t ready for social media threats. IT professionals reported inconsistent policies and protection for end-users visiting social media sites, and just less than 30 percent of respondents had no limits set whatsoever.
• A clear skills gap exists that jeopardizes professionals’ ability to protect organizations in the near future. This year’s survey repeatedly illustrates the deployment of new technologies in the enterprise being offset by a demand for more security education on these technologies.
• Cloud computing illustrates a serious gap between technology implementation and the skills necessary to provide security. More than 50 percent of information security professionals reported having private clouds in place, and more than 40 percent of respondents reported using software as a service, but more than 70 percent of professionals reported the need for new skills to properly secure cloud-based technologies.
• Developing countries illustrated opportunities for growth with an experienced and more educated workforce. On average, survey respondents in developing countries only had two fewer years of experience than their developed counterparts. They also spent more time on security management and less time on internal issues than their developed country counterparts.
• Information security professionals weathered the economic recession well. Salaries showed healthy growth despite a global recession, with three out of five respondents reported receiving a salary increase in 2010. Overall, salaries for information security professionals increased, with the Asia-Pacific (APAC) region showing the highest growth at 18 percent since the 2007 study. In the Americas, the average annual salary for (ISC)2 members was $106,900 (compared to $100,967 in 2007). Member salaries in EMEA were impressive at $87,400.
• The information security workforce continues to show signs of strong growth. As of 2010, Frost & Sullivan estimates that there are 2.28 million information security professionals worldwide. This figure is expected to increase to nearly 4.2 million by 2015 with a compound annual growth rate (CAGR) of 13.2 percent, creating career opportunities for those with the right skills. The main drivers of this growth are regulatory compliance demands, greater potential for data loss via mobile devices and mobile workforce, and the potential loss of control as organizations shift data to cloud-based services.
• Viruses and worms, hackers and internal employees all fell in significance as top threats from 2008, the most recent year of the study.
The surveyed was conducted in the fall of 2010, including 61 percent in the Americas, 22.5 percent in Europe, the Middle East and Africa, and 16.5 percent in Asia Pacific. Forty-five percent were from organizations with over 10,000 employees. The average experience of respondents worldwide was more than nine years. The full study can be found here.