This is having a profound effect on the global economy, according to the study of more than 12,000 information security professionals worldwide conducted by Frost & Sullivan.
The lack of qualified staff is the top concern of 56% of chief information security officers (CISOs), alongside hacking, and ranks above hacktivism (43%) and cyber-terrorism (44%).
Many organisations (15%) are not able to put a timeframe on their ability to recover from an attack, even though service downtime is one of the highest priorities for nearly three-quarters of respondents.
The report concludes that the major shortage of skilled cyber security professionals is negatively impacting organisations and their customers.
“Now, more than ever before, we’re seeing an economic ripple effect occurring across the globe as a result of the dire shortage of qualified information security professionals we’ve been experiencing in recent years,” said Hord Tipton, executive director of (ISC)².
“Underscored by the study findings, this shortage is causing a huge drag on organisations. More and more enterprises are being breached, businesses are not able to get things done, and customer data is being compromised,” he said.
Given the severity of cyber espionage, hacktivism, and nation-state threats, Tipton said the time is now for the public and private sectors to join forces and close this critical gap.
“We must focus on building a skilled and qualified security workforce that is equipped to handle today’s and tomorrow’s most sophisticated cyber threats,” he said.
The study also found that there is a major shortage of software development professionals trained in security and that application security vulnerabilities still rank highest among security threat concerns, a trend identified in the 2011 GISWS.
Threats from malware and mobile devices are also high on the list, with cloud security, bring-your-own-device (BYOD) and social networking cited as major concerns among newer security threats.
“The business model of cyber criminals is changing and therefore information security professionals need to change to address that and adapt their approach to new and emerging technologies,” said Richard Nealon, co-chairman of the (ISC)² Advisory Board for Europe, Middle-East and Asia.
Although 53% of respondents said their companies actively allow employees, business partners or both to connect their devices to their networks, 78% considered BYOD to present a “somewhat” or “very significant” risk.
This reflects increased levels of concern compared to the 2011 study, when mobile devices were identified as a significant risk by 68% of respondents.
According to the report, a multi-disciplinary approach is required to address the risks in BYOD and cloud computing.
Some 74% of respondents said that new security skills are required to meet the BYOD challenge and 68% said social media is a security concern, with content filtering being the chief security measure used.
But in many cases, said Nealon, it is not necessarily new skills that are required. “It is often the case that a new approach is required. It is more about looking at new technologies and what security requirements they bring,” he said.
“This survey shows that we need to rethink our approach to the skills challenge,” said John Colley, managing director of (ISC)² for Europe, Middle-East and Asia.
“We need to look at the problem from the top down, not the bottom up,” he said. This means starting with end users (including the general public) and the secure development of applications and systems, rather than the more traditional areas of securing the infrastructure.
Colley said the only way to deal with the threats presented by mobile devices, cloud security and BYOD is to throw away traditional thinking and focus on securing end users and applications.
The effectiveness of traditional security systems, he said, is forcing attackers to concentrate on the end users and applications, so that is where more effort is required in terms of defence.
“It is disturbing to see that application vulnerability is the top concern, while only 12% of information security professionals are involved in it.
“We need to take a wider view of the challenge, adopting a cooperative and concerted effort across academia, government and the information security profession to curtail the problem,” said Colley.
Some of the other key findings from the study include:
- Information security is a stable and growing profession.
Over 80% of respondents reported no change in employer or employment in the past year, and 58% reported receiving a raise in the past year. The number of professionals is projected to grow steadily by more than 11% annually over the next five years. The average annual salary for (ISC)²-certified professionals is US$101,014, which is 33% higher than professionals not holding an (ISC)² certification.
- Top security priorities vary among verticals.
Some 63% of banking, insurance, and finance respondents selected preventing damage to their organisations’ reputation as a top priority. In healthcare, 59% chose protecting customer privacy as top priority. In construction, 57% chose health and safety as a top priority, and 50% of telecom and media respondents chose service downtime as their top concern.
- Attack remediation is anticipated to be rapid, but incident preparedness is strained.
Some 28% of respondents (26% in the UK) believe their organisations can remediate from a targeted attack within a day, and 41% (44% in the UK) said that they could remediate the damage within one week or less. Some 15% of the respondents said they did not know how long damage remediation may take.
- Knowledge and certification weigh heavily in job placement and advancement.
Nearly 70% view certification as a reliable indicator of competency when hiring. Almost half of hiring companies (46%) require certification. Some 60% of those surveyed plan to acquire certifications in the next 12 months, and the CISSP is still the top certification in demand. This figure is the same for the UK.
HOW TO BOOST CYBER SKILLS:
To address the lack of cyber security skills, three types of action are required, according to Richard Nealon, co-chairman of the (ISC)² Advisory Board for Europe, Middle-East and Asia.
- Business needs to engage with the information security profession. They need to make opportunities available to existing and prospective infosec professionals and provide incentives to stay. “By providing internships, for example, businesses can open the door and enable people to see if they are suited to a career in infosec,” said Nealon. “The average age of skilled information security professionals in the UK is 43; we are not getting enough young people into organisations where they can learn as they work,” he said.
- Government needs to take some responsibility by promoting information security as a key skill that is essential to the protection of critical national infrastructure. “Government should encourage scholarships and help create training and employment opportunities,” said Nealon. The government could also help sell infosec as an important and rewarding career.
- Educational institutions must work to ensure their IT courses have a much greater focus on security. They must also offer more courses dedicated to cyber security and make them attractive to prospective students. “For example, a course in ‘forensic cyber security’ is much more attractive than a ‘bachelor in information security’,” said Nealon. “There is also a gender imbalance that needs to be addressed. Worldwide, 89% of infosec professionals are male, but in the UK the figure is 93%,” he said. Educational institutions must do a better job of promoting infosec as a career, particularly to women, as the gender imbalance is not good for the industry, said Nealon.