Major security survey reveals staffing concerns and skills shortfalls

27 Feb 2013

Many information security teams are understaffed and don’t always have the appropriate skills to tackle new risks, a major new survey has found.

The sixth Global Information Security Workforce Study (GISWS), which polled more than 12,000 security professionals worldwide, was released this week. The survey was carried out by Frost & Sullivan along with consultants Booz Allen Hamilton for (ISC)2, the world’s largest non-profit information security professional body.

The results point to a global shortage of information security professionals, driven by a combination of factors: business conditions, executives who don’t fully understand the need for security, and an inability to find qualified information security professionals.

More than one in two respondents (56pc) feel their security organisations are short-staffed and 15pc say they don’t know how long it would take to recover from an attack, despite almost three-quarters claiming that downtime is one of their highest priorities.

The report concludes that the major shortage of skilled cybersecurity professionals is negatively impacting organisations and their customers, leading to more frequent and costly data breaches.

More software developers, please

Continuing a trend from the previous survey in 2011, the biggest security concern is a major shortage of software development professionals with appropriate training in security, and application security vulnerabilities still rank highest among security concerns.

Threats from malware and mobile devices are also at the top of the list, and cloud security, bring your own device (BYOD), and social networking are all reported as major concerns in terms of newer security threats.

The ability of IT teams to respond to a security incident appears to be under strain: only 28pc of respondents believe their organisations could remediate a targeted attack within a day, while 41pc say the damage would take less than a week to fix.

In this year’s survey, 6pc of respondents believe their readiness for a security incident has worsened in the past year – double the 3pc figure given in the 2011 survey.

The survey also sheds light on a related problem: the gap between senior management’s assessment of the team’s readiness and what the IT team itself knows it can adequately deal with.

Richard Nealon, co-chair of (ISC)2’s European Advisory Board and a senior security executive in the financial sector in Ireland, commented: “We may have a perception at the higher levels that we’re better able to prepare for an incident whereas the people on the ground are saying we don’t have the resources and the skills.”

While making clear he didn’t want to hype the problem, Nealon said it was a “worry” that more security professionals think they’re not as well prepared to deal with an incident as they were last year.

“The reality of it is that we’re always playing catch-up. The security area by its very nature has new concerns, new threats and new attacks emerging and we in security have to react to those. Without resources, skills, training and experience, it’s harder and harder to be able to react to them well,” he said.

“That’s one of the big issues with the skills shortage. Where all hands are on deck and we’re battling something, we need to have skills readily available, when you’re in the middle of an incident, you can’t send people off to go training.”

Nealon said information security is often simply about applying common sense to a problem, but that approach isn’t being cultivated in students and graduates. “A lot of computer science courses don’t even have an information security module in them. There are people being trained for IT and computing with no fundamental understanding of what IT security is about,” he told Siliconrepublic.com.

“They don’t have that mindset embedded, so when they produce something, it doesn’t have information security bedded in from an architectural point of view.”

Security mindset

Malware writers frequently exploit long-standing flaws in software. SQL injection attacks are a typical example of a problem that has been known about for years and still isn’t being adequately addressed. “There are so many vulnerabilities being introduced into systems because they’re not being developed with a security mindset,” said Nealon.

Businesses could do more by adopting models for passing on security knowledge to younger people coming into the profession.

“The mentoring aspect is far more underplayed in information security than in most other businesses. Companies take a trainee accountant in and give them an internship. We never do that with kids from college in information security,” Nealon said.

Government could also play a role in promoting the profession and encouraging training, he added.

There was some good news for would-be security professionals in the high levels of job stability and the rising salaries noted by survey respondents.

More than 80pc reported no change in employer or employment in the past year and 58pc said they had received a pay rise. The number of professionals is projected to grow steadily by more than 11pc per year over the next five years.

“We’re probably not hit economically as badly as some of the other industries. Pay has remained steady and a lot will be looking at pay increases this year and that’s rare in the current economic climate,” said Nealon.

He added that security roles provide a varied career choice: to remain in a technical role, move into a management position or specialise in an area like digital forensics.

Gordon Smith was a contributor to Silicon Republic