Study finds that growth of security workers is needed, though budget constraints remain a hurdle
Robust growth in the information security profession is a sign of economic health in the overall economy, according to a new report, "The 2013 (ISC)2 Global Information Security Workforce Study," released on Monday.
But, while the demand for IT professionals is increasing, quickly evolving technologies – particularly BYOD, cloud computing and social media – are moving the goalposts for those in the field, demanding that security personnel keep on top of business needs by learning new skills, the report found. Further, advancements by cyber criminals – who continuously find new methods of attack – mean that those charged with defending corporate networks are in a perpetual battle.
Among the findings in the sixth biannual worldwide survey of information security professionals – conducted by (ISC)2, in partnership with Booz Allen Hamilton, with the assistance of Frost & Sullivan – is that secure software development was most in need of attention by the information security profession. The study received responses from 12,000 qualified information security professionals in the fourth quarter of 2012.
The good news for those in the profession, or for those considering it, is that information security is a stable and growing area of concentration. More than 80 percent of respondents reported they had no change in employer over the past year, and the number of professionals is projected to grow more than 11 percent annually over the next five years.
It appears too that the market is ripe with opportunities, as workforce shortages persist. In fact, more than half (56 percent) of respondents believe there is a workforce shortage, as compared to two percent who believe there is a surplus.
However, Hord Tipton, executive director of (ISC)2, speaking with SCMagazine.com on Tuesday, said this aspect of the study was a cause of concern.
"Two-thirds of C-level personnel acknowledge there is a shortage of security personnel," he said.
But, while half of survey respondents believe expansion is worthwhile and there is a need for more human capital, the reality is that the ideal scenario needs to be tempered by budget, he said.
"Many realize they are not going to get the help they need," Tipton said.
In terms of keeping up with threats, that's not good news. While Tipton acknowledged there's been significant progress in addressing enterprise security needs, the lack of adequate staffing places a strain on the existing workforce, he said.
For those in position, the key to success, according to the survey findings, is knowledge, and the certifications to validate it. An all-encompassing understanding of the security market was determined to be the top factor in establishing advancement. The second most important ingredient was found to be communication skills, which means being able to translate technical jargon into terms the boardroom can understand.
"Certifications add value, and operations are more efficient with more validated professionals," said Tipton, whose organization manages the security industry's flagship credential, the CISSP. Others, however, have argued that certs have lost value as more people have acquired them and that educational experience is more valuable. Some also say certs are too management-focused and don't attest enough to technical acumen.
Meanwhile, the (ISC)2 study also found that application vulnerabilities are the most pressing security concern among respondents, with malware and mobility not far behind.
Cloud, too, is still an area prompting challenges, said Tipton.
"We need more knowledge as there is still no standard cloud architecture," he said.
The overall outlook for those in the profession is bright, according to the study, as incidents from miscreants attacking through computer networks will only rise, and corporations and government need knowledgeable security personnel to thwart attacks and prevent data leakage. However, it is not enough to simply be technologically proficient. It is vital too, the study determined, that information security professionals effectively convey their risk management expertise to the C-suite.
An infographic from the study is available here.