
Workforce study

by Mark Rowe

Businesses are increasingly struggling to manage threats and avoid errors, and are taking longer to recover from cyber-attacks, according to the study released today by (ISC)2 (“ISC-squared”), the IT membership body of information and software security people, with over 100,000 members. The results of its seventh Global Information Security Workforce Study (GISWS) by Frost & Sullivan suggest that the security of businesses is being threatened by understaffed teams dealing with the complexity of multiple security technologies, says the IT body.

Dr Adrian Davis, CISSP, managing director, EMEA, (ISC)2, says: “Our first workforce study was conducted in 2004 to illuminate critical concerns within information and cybersecurity that were struggling for attention. The 2015 report shows that many of these issues are finally getting much needed budget and priority. Unfortunately, we are now facing new challenges and our skills and staffing challenge is growing.”

In this year’s survey, 62 percent of respondents (up from 56 percent in 2013) reported that their organisations have too few information security professionals, despite budgets allowing for more personnel. Frost & Sullivan estimate that the global workforce shortage will widen to 1.5 million in five years, with the variety and sophistication of cyber-threats expected to continue, and a broadening footprint of systems and devices requiring security oversight. Signs of strain, including configuration mistakes and oversights, were identified as a material concern. Recovery time following system or data compromises is steadily getting longer.

The report illustrates that security spending is increasing across the board for technology, personnel and training. Further, companies are planning to invest more in tools and technologies. However, complexity due to threats evolving faster than vendors can advance their products led two-thirds of respondents to suggest that a new phenomenon known as “technology sprawl” is undermining effectiveness. Given this and other challenges faced by hiring managers (45 percent are struggling to support additional hiring needs), the use of outsourcing, managed and professional services, and cloud services is also increasing.

David Shearer, CISSP, PMP, executive director, (ISC)2, says: “Many of the facets discovered in this year’s workforce study demonstrate that aspects of the information security program are being carried out in IT departments and other business units – positioning IT as a force multiplier. Year after year, the study has shown a workforce shortage; but now, we’re finding that the shortage is being compounded with issues that are becoming more prevalent, such as configuration mistakes and oversights that can be detrimental to the security posture of global businesses.”

Findings from the study include:

· Only one-fifth of global respondents said that remediation following a system or data compromise would occur within one day. This is a significant decrease from the 2011 GISWS, which found one-third of respondents reporting the same.

· Application vulnerabilities and malware were identified as top security threats for the third study in a row. For the most part, application security scanning is only conducted post production.

· Phishing is the top threat technique employed by hackers, yet the results showed a decline in importance of awareness training.

· The number of respondents predicting spending increases for security technologies (45 percent) is the highest percentage reported since the study launched in 2004.

· Over 70 percent of respondents identified network monitoring and intelligence, and improved intrusion detection as technologies that significantly improve security. Over half (58 percent) identified that they have implemented, are implementing or are evaluating advanced analytics for detection of malware.

· Lack of in-house skills is the top reason for outsourcing, while a move to outsourcing and managed services was identified as a strategy for tackling technology sprawl by nearly one-third of respondents.

The study by Frost & Sullivan for the (ISC)2 Foundation was produced as a free resource for the industry with the support of corporate partners Booz Allen Hamilton, Cyber 360 Solutions and NRI. The 2015 GISWS was conducted October to December 2014 through a web-based survey of over 13,000 information security practitioners worldwide. The full 2015 GISWS can be downloaded here: https://www.isc2cares.org/IndustryResearch/GISWS/.

Comments

Dr Arosha Bandara, Senior Lecturer in Computing at the Open University, said: “We are still a long way off having enough of the right skills in industry to stay ahead of cyber security threats. Aspiring cyber security professionals need to quickly learn both technical skills and an understanding of the business and human environment in which these threats exist. Skills must include understanding how hackers think and being able to assess the risks and understand how staff will respond to new IT and security systems, not just implementing the latest technology. Right now, we simply don’t have enough of these skills to defend ourselves. Curriculum changes may address this long term, but the only immediate solution is to provide the right training to equip people to meet today’s threat sooner rather than later.”

Martin Lee, cyber crime manager, Alert Logic, said: “Providing adequate protection against today’s network security threats is tough and requires highly skilled individuals. The demand for security personnel is increasing, yet the supply of such people is not keeping pace and we are experiencing a skills drought. The nature of the drought is so severe that most organisations must face up to the reality that they will not be able to fully staff their security offices and will not be able to provide the full spectrum of security services in-house. As with any severe drought, we have to admit that it will not rain soon, and we will not be flooded with skilled security staff in the foreseeable future. We must take stock of the facts and adapt our behavior according to the situation. The Managed Services Model where skilled staff are aggregated together and shared across many different companies is the best use of a scarce resource. Companies can assure their security and maintain protection levels by effectively sharing security staff. Not only does this model make the best use of a rare resource, but by aggregating together attack data as well as skilled staff, wider attack patterns that are only identifiable in aggregated data can be discerned, and a better level of protection can be provided.”

And Mike Spykerman, Vice President of Product Management at OPSWAT, said: “It is worrying that the importance of phishing awareness training in the workplace is declining. Not only is phishing the most common entry point for hackers; a large element of the success of phishing depends on human error and lack of alertness. With clear cyber security policies in place along with regular training, the chance that phishing attempts are successful can be greatly diminished. To help companies set up their employee cyber security policies and awareness training, OPSWAT has put together a list of the Ten Things to Include in Your Employee Cyber Security Policy.”
