Analyst forecasts of a 1.5 million shortfall of information security professionals by 2020 come amid reports of rising salaries, an ageing workforce and the inability to fill existing positions.
Organisations are increasingly struggling to manage threats, avoid errors and are taking longer to recover from cyber attacks, according to the 2015 (ISC)2 Global Information Security Workforce Study.
The security of businesses is being threatened by understaffed teams dealing with the complexity of multiple security technologies, found the study conducted by Frost & Sullivan.
(ISC)2 said the study, which polled 13,000 information security professionals and practitioners worldwide, is likely to be the largest to date on the information security profession.
“Our first workforce study was conducted in 2004 to illuminate critical concerns within information and cyber security that were struggling for attention,” said Adrian Davis, managing director, Emea, at (ISC)2.
“The 2015 report shows that many of these issues are finally getting much-needed budget and priority, but we are facing new challenges and our skills and staffing challenge is growing,” he added.
Davis said the latest study also shows that the differences between Europe and the US are diminishing as things become more global and interconnected.
“There are some small differences from country to country, but at a higher level, as information security environments become increasingly homogeneous, there is not much variance,” he told Computer Weekly.
One difference Davis highlighted was that chief information security officers in Germany are three times more likely to report to the CEO than in the UK.
Read more about the infosec skills gap
- Harnessing existing expertise could address the demand for competence in countering cyber security threats.
- IT has an ongoing problematic shortage of enterprise cyber security skills.
- ISACA launches Cybersecurity Nexus programme to help address the security skills shortage.
- E-skills and UK security employers offer route into cyber security for the young and talented.
“This is likely to be due to the fact that the legal and privacy environment in Germany may make companies more sensitive to protecting information,” he said.
Davis added it may also indicate that information security professionals in Germany have a higher level of top executive support than in the UK and elsewhere in Europe.
Despite budgets allowing for more personnel, 62% of respondents reported that their organisations have too few information security professionals – up from 56% in 2013.
Frost & Sullivan estimates that the global workforce shortage will widen to 1.5 million in five years, while the variety and sophistication of cyber threats are expected to continue.
The situation is exacerbated by the broadening footprint of systems and devices requiring security oversight.
Signs of strain, including configuration mistakes and oversights, were identified as a significant concern, and recovery time following system or data compromises was found to be getting steadily longer.
But Davis said the fact that the skills gap is set to widen does not mean government and industry efforts to address cyber security in recent years are proving ineffectual.
Initiatives bearing fruit
“The initiatives that were started five years ago are just starting to bear fruit now, but the real benefits will not be felt for a while as people work their way through the skills pipeline,” he said.
The industry has also been slow to recognise the problem, which means it is now having to play catch-up, and that will take some years, he said.
“We are playing catch-up in an environment where information security has never really made its case as being an interesting and exciting career, and where security professionals are retiring faster than they are being replaced,” said Davis.
The study shows that security spending is increasing across the board for technology, personnel and training. Companies are also planning to invest more in tools and technologies.
However, complexity due to threats evolving more quickly than security technology suppliers can advance their products led two-thirds of respondents to suggest that a new phenomenon, known as “technology sprawl”, is undermining effectiveness.
Organisations can help limit the effect of this technology sprawl, said Davis, by being honest about their actual needs, which can often be met by their current technology set.
“Sometimes IT and security need to push back and challenge whether the latest technology would actually bring any new value to the business,” he said.
Struggling to support hiring
Given the challenges faced by hiring managers, 45% of respondents said they are struggling to support additional hiring needs.
Organisations need to be more imaginative by looking for people with the aptitude and attitude that will enable them to succeed in information security
Adrian Davis (ISC)²
Consequently, the use of outsourcing, managed and professional services, and cloud services is increasing, particularly among smaller organisations.
But there are other options, said Davis. First, organisations can use their spare hiring budget to offer incentives to attract people with the skills they need most.
Second, they can invest in labour-saving technologies, such as second-generation security information and event management (Siem) systems, big data analytics and security automation technologies.
Third, organisations should seek to source people from non-infosec disciplines, such as marketing and finance, who have the necessary skills to fill infosec roles, he said.
“Organisations need to be more imaginative by looking for people with the aptitude and attitude that will enable them to succeed in information security,” said Davis.
This could also be achieved by enabling job rotation in companies, he said, or setting up programmes to give all new graduate employees some initial experience in IT security.
“This could help identify people with an aptitude for IT security, but at the very least it will get more people in the business with a greater awareness and understanding of IT security,” said Davis.
David Shearer, executive director at (ISC)², said: “Many of the facets discovered in this year’s workforce study demonstrate that aspects of the information security programme are being carried out in IT departments and other business units – positioning IT as a force multiplier.”
This refers to the fact that information security is increasingly being understood and carried out by people in the business or in IT whose main role is not information security, said Davis.
Shearer said each year's study revealed a workforce shortage, but now the shortage is being compounded with issues that are becoming more prevalent, such as configuration mistakes and oversights that can be detrimental to the security posture of global businesses.
The interesting perspective to emerge from this year’s study, said Davis, is that information security professionals are faced with trying to do too much and reacting to too much with too little.
“The survey shows we are at an inflection point where it is probably going to get worse before it gets better, but we will not see that for at least a few more years,” he added.
The study also found that:
- Only one-fifth of respondents said remediation time following a system or data compromise would occur within one day, down from one-third in 2011.
- Application vulnerabilities and malware were identified as top security threats for the third year in a row, with application security scanning mainly being conducted only after deployment.
- Phishing is the top threat technique employed by hackers, but the survey respondents are showing less confidence in the effectiveness of user security training and education.
- The number of respondents predicting spending increases for security technologies (45%) is the highest since the study was launched in 2004.
- Lack of in-house skills is the top reason for outsourcing, while a move to outsourcing and managed services was identified as a strategy for tackling technology sprawl by nearly one-third of respondents.