Security job skills lacking when it comes to technology trends

The need for information security pros is growing worldwide, particularly for those with skills to lock down emerging technologies, a new report from (ISC)2 finds.

A survey of more than 10,000 information security professionals worldwide has exposed what may be a security job skills gap that could leave organisations open to threats as they adopt cloud computing, social networking and mobile communications.


The 2011 (ISC)2 Global Information Security Workforce Study, based on research carried out by consultants Frost & Sullivan, claims the security profession is set in its ways and is slow to react to the dangers of newer technologies, even when those technologies are already being adopted by organisations.

The study concludes that, while organisations are ploughing ahead and adopting newer technologies, the information security community is unprepared for the challenge. Around a third of respondents in the EMEA region said they imposed no policies on social networking applications, and around the same proportion had no policies for managing smartphones. When it comes to cloud computing, 92% of EMEA respondents admitted they needed more training to understand the security implications, and 50% said they needed to hone their contract negotiating skills.

"The profession as a whole appears to be resistant to adopt new trends in technology, such as social media and cloud computing, which are widely adopted by businesses and the average end user," the report said. "The information security profession could be on a dangerous course, where information security professionals are engulfed in their current job duties and responsibilities, leaving them ill-prepared for the major changes ahead, and potentially endangering the organizations they secure."

However, it is not all bad news. The report shows that management support for security and training is improving, and salaries in information security have held up well despite the recession. Those favourable conditions will help boost the numbers of people joining the profession, Frost & Sullivan said, taking the global population of professionals from 2.28 million in 2010 to almost 4.24 million by 2015.

Mobile, cloud and social media

Unmanaged mobile devices were seen as a major threat by 66% of respondents in the EMEA region, and roughly the same proportion said they had specific policies in place to cover the use of mobile devices. The most popular security technologies deployed to secure the devices are encryption (71%), network access control (59%) and mobile VPN (51%).

Cloud computing was a big cause for concern, with 85% seeing loss or exposure of confidential data as a threat, and 68% worrying about weak system access controls. Most also admitted they needed new skills to cope not only with the technical aspects of cloud computing, but also the negotiation skills they would need to formulate proper service contracts.

Social networking emerged as a problem area as well, according to the report, because security professionals have failed to realise that organisations are using the technology legitimately to communicate with their markets. "Unfortunately, many information security professionals still appear to believe that social media is a personal platform and are doing little to manage the threats associated with it," the report said.

The poll found that 31% of security professionals in the EMEA region imposed no restrictions over the use of social media.

The poll is carried out every two years by researchers Frost & Sullivan on behalf of (ISC)2, the security education organisation. John Colley, (ISC)2's European managing director, said: "The profession is expanding fast, reflecting the fact that security is now higher up the corporate agenda."

But he urged professionals to develop their skills further. "We need to be able to anticipate new technologies," Colley said. "Cloud, mobile and social media were easy to predict – we knew they were coming down the track – and yet security people are still playing catch-up on understanding their security implications and deciding what [to] do about them."
