
People present the biggest challenge, say infosec professionals

More than 80% of security professionals identify people as the industry’s biggest challenge, but companies are becoming better prepared to deal with cyber breaches, a survey reveals

Security practitioners consider humans to be an even greater challenge than technology and processes, according to the results of the second annual survey from The Institute of Information Security Professionals (IISP). 

The survey also shows that while 60% of respondents still feel that investment is not keeping pace with threat levels, there was a modest 5% increase in businesses that feel better placed to deal with a breach or incident if it happens.

In real terms, spending appears to be on the rise: 70% of companies saw an increase in budget, up from 67% last year, and only 7% reported a reduction, down from 12% last year, the survey found.

Underlining the importance of the human factor in cyber security, a key finding of the first Rapid7 quarterly threat intelligence report is that cyber attacks still rely heavily on human interaction. Social engineering is a common component of attacks, using various techniques to trick people into clicking on malicious links and attachments.

While people have long been seen as the weakest link in IT security through lack of risk awareness and good security practice, the people problem also includes the skills shortage at a technical level, as well as the risk from senior business stakeholders making poor critical decisions around strategy and budgets.

However, the increase in reported skills shortages contrasts with a decrease in the number of respondents citing a lack of experience as a market factor.

According to the survey report, this suggests that as the industry matures, the shortage of experienced, senior managerial professionals will reduce and the problem will be felt most acutely in the hands-on technical disciplines. 

“The survey highlights the continued need for industry, government, academia and professional organisations such as the IISP to continue to work hard to attract new entrants and younger people into the industry,” said Piers Wilson, author of the report and director at the IISP. 

“This year, over 75% of respondents had a degree and over a third had a postgraduate master’s degree, which is an increase of over 5%. This reflects the increasing number of university programmes, and while this is very encouraging, we also need to develop other routes into the industry to harness talent from diverse backgrounds.

“It is still the case that technical IT security disciplines don’t always get their share of respect, yet these are the people at the front line defending systems and companies from attack and keeping one step ahead of the cyber criminals,” he said.


Despite a lack of wider recognition, the survey shows that the security industry is increasingly lucrative and provides a strong career path for those with the right skills and abilities.

Three-quarters of the survey respondents reported positive job and career prospects, with 28.6% earning between £50,000 and £75,000, and almost 20% reporting salaries over £100,000.

“The challenges around hiring and retention are putting an upward pressure on salaries,” said Wilson. “But while money and career opportunities were cited as the most common reasons for taking and leaving jobs, other factors include variety of work, management and company culture, research and learning and autonomy.”

Overall, many of the figures in this year’s survey show a step in the right direction, according to Wilson.

“The continuing high frequency of cases hitting the headlines and the regulatory pressures, including from GDPR [General Data Protection Regulation], are leading to a corresponding increase in investment and a drive for increased skill, experience, education and professionalism. However, there is still a lot of work to do and we need to redouble our efforts to meet the challenge of increasingly sophisticated threats,” he said.

IISP Skills Framework

The IISP is a not-for-profit organisation that is dedicated to raising the standard of professionalism in information security and the industry as a whole. The IISP does this through accrediting skills and competence, by sharing best practice and by providing a network of support and guidance on individual skill development.

The IISP has a growing membership of more than 2,800 individual members across private and government sectors, 44 corporate member organisations and 19 academic partners.

The IISP Skills Framework is widely accepted as the de facto standard for measuring competency of information security professionals. The UK’s National Cyber Security Centre (NCSC) is using this framework to underpin a range of certification schemes, including the Certified Professional Scheme (CCP), for which the IISP is the leading certifying body.

The skills framework is used by corporate members to benchmark and develop the capability of their employees, and it has been adopted by the Tech Partnership (formerly e-Skills UK) to develop a National Occupational Standard for Information Security.

The IISP also accredits training courses offered by commercial training providers against the institute’s Skills Framework. This enables attendees to build knowledge in areas of the skills framework where they might have gaps and to gain hands-on experience.
