Information security professionals must keep skills up to date

There is a clear gap in skills needed to protect organisations, a study has revealed.

The information security community admits it needs better training in a variety of technology areas, according to the 2011 (ISC)2 Global Information Security Workforce Study (GISWS) conducted by analyst Frost & Sullivan.

The profession as a whole appears to be resistant to adapting to new trends in technology such as social media and cloud computing, Frost & Sullivan said in the GISWS survey of over 10,000 security professionals, including 25% of non-(ISC)2 members.

More than 50% of respondents reported having private clouds in place. More than 40% used software-as-a-service, but more than 70% said they lacked the skills to secure cloud-based technologies.

"The information security profession could be on a dangerous course, where information security professionals are engulfed in their current job duties and responsibilities, leaving them ill-prepared for the major changes ahead and potentially endangering the organisations they secure," the GISWS survey said.

The GISWS report revealed security professionals are not ready for a social media threat, with respondents reporting inconsistent policies and protection for users. Over a quarter - 28% - admitted their organisations did not restrict employees' use of social media.

IT security professionals need to start anticipating technology and understanding how it will be used in their organisations, said John Colley, EMEA regional managing director of (ISC)2, a not-for-profit education and certification body for information security professionals.

"This will enable them to draw up plans in advance to educate users about the potential risks and how to handle the technology sensibly," he told Computer Weekly.

It is no longer good enough for information security professionals to know their stuff, he said. They need to continually improve their knowledge in much the same way as medical doctors need to stay abreast of new diseases and treatments.

"Unless they keep up their skills and education they will fall behind, which means no-one can afford to stand still," said John Colley.

The report stresses that information security professionals must keep improving their education, he said, whether through formal education, courses, conferences, or simply talking to peer groups to understand what other people are doing.

The study also found that respondents ranked application vulnerabilities as the top threat to organisations (identified by 73%), even though only just over 20% reported any involvement in software development; these were followed by mobile devices (66%) and malware attacks (63%).

On a positive note, the study found information security professionals had weathered the economic recession well, with 60% of respondents reporting a salary increase in 2010.

This reflects the importance being put on information security, said Colley.

"At a time when the UK government is implementing huge budgetary cuts, it has committed £650m over four years to information security," Colley said.

The report concludes 2011 will be a good year for information security professionals as many companies are emerging from the global recession ready to hire additional resources and spend money on training and equipment.

With the projected growth in the number of security professionals from 2.28m to 4.2m by 2015 and concurrent increases in training, the risk of skills gaps can be reduced, the report said.


Frost & Sullivan action points 
  • Consumerisation has end-users bringing technology to the enterprise, so security professionals should work to securely embrace these new technologies instead of acting as roadblocks
  • Cloud computing and software development are areas of information security that require new skills, not just incremental advances
  • Compliance is driving organisational behaviour from changes in spending levels, to shifts in accountability, to requirements in new skill sets
  • Certifications will continue to be an important differentiator as the number of professionals necessary to effectively secure organisations continues to increase