Where's The Talent? 10 Ways The IT Security Job Landscape Is Changing
12:00 PM EST Fri. Mar. 29, 2013
The 2013 (ISC)2 Global Information Security Workforce Study, conducted by (ISC)2 in collaboration with contracting firm Booz Allen Hamilton and research firm Frost & Sullivan, surveyed more than 12,000 information security professionals worldwide. Its headline finding is a shortage of skilled security professionals whose effects are already being felt: "Fifty-six percent of respondents believe there is [an IT security] workforce shortage, compared to 2 percent that believe there is a surplus. The impact of the shortage is the greatest on the existing workforce." The report attributes the shortage to three causes: "The reasons for an inability to bridge the need for additional information security workers are fueled by three factors: business conditions, executives not fully understanding the need, and an inability to locate appropriate information security professionals."
Here's a look at some of the most interesting findings from (ISC)2's report, covering not only the IT security job landscape but also the skills employers look for when hiring security professionals.
According to (ISC)2's survey, the majority of respondents felt their companies' security departments were understaffed. "Very few respondents view their security organizations as being over-staffed. Nearly one-third of respondents believe they have the right number of staff, but more than 50 percent believe staff expansion is justified." Fortunately, most executives in the survey felt the same way. "The good news is that two-thirds of C-levels, those with the greatest budgetary influence, view their security organizations as being too few in numbers," the report said. By organization size, midsize companies indicated the greatest need to bolster their security teams: "More midsize companies' [500-2,499 employees] respondents view their organizations as understaffed versus smaller and larger size companies." Understaffing was reported across industries, though some verticals reported it more often than others. "Across industries, a greater percentage of respondents in education, healthcare, manufacturing, and retail & wholesale verticals believe they are understaffed."
According to the survey, technical skills aren't the only thing hiring managers look for on a security professional's resume. A broad understanding of the security field ranked No. 1 at 92 percent, followed by communication skills at 91 percent. Technical skills came in as the No. 3 desired skill set at 88 percent. Awareness and understanding of the latest security threats ranked No. 4 at 86 percent, followed by security policy formulation and application at 75 percent. Legal knowledge ranked last at 42 percent. The desired skill sets varied slightly by market vertical, however. "Respondents in the banking, finance, and insurance verticals place a higher emphasis on the importance of broad understanding than other verticals. Info tech and government-defense place higher importance on technical knowledge. Healthcare respondents rate communication skills higher in importance."
Although skills are important, survey respondents also pointed to security certifications as an important requirement when hiring a security professional. "Slightly more than 46 percent of all survey respondents indicated that their organizations require certification." Among market verticals, government-defense was by far the most likely to require certification, at 84 percent, with info tech a distant second at 47 percent; even so, the private sector as a whole still views certification as a necessary requirement for security professionals.
"While regulations are a primary driver for certification in government-defense, that is an anomaly. The private sector overwhelmingly [74 percent] views certification as an indicator of competency," according to the report. The second most common reason for requiring certification was quality of work at 53 percent, followed by regulatory requirements (governance) at 48 percent, company image or reputation at 43 percent, and company policy and continuing education tied at 40 percent.
Just as important as skills and certifications, respondents felt that an IT security professional's engagement in peer groups played an important role in professional growth. As the survey notes, it was "no surprise" that (ISC)2 ranked No. 1; notably, this held for both (ISC)2 members and nonmembers. "When asked about affiliations that matter most in career development and resiliency, (ISC)2 was rated the highest, no surprise by (ISC)2 members (74 percent chose extremely critical or critical), but the same is true with non-(ISC)2 members (51 percent chose extremely critical or critical)," the report said. Thirty-two percent of respondents rated SANS as extremely critical or critical, followed closely by ISACA at 31 percent. Beyond that, 18 percent of respondents said OWASP was extremely critical or critical to a security professional's development, followed by IEEE at 16 percent and the Cloud Security Alliance (CSA) at 13 percent.
Perhaps one of the most interesting findings in the report was that insecure software played a significant role in breaches, yet security pros indicated that their involvement in software development, procurement and outsourcing was minimal. According to the report, insecure software was a contributing factor in about one-third of the 60 percent of detected security breaches, and in the remaining 40 percent of breaches its role was uncertain, in part because the forensics were inconclusive or because security pros were not privy to them. Only 12 percent of respondents said they were personally involved in software development, 20 percent in procurement and 10 percent in outsourcing, and therein, according to the report, lies the problem: "The conclusion is apparent: unless software and information security professionals' involvement is deepened in secure software development, procurement, and outsourcing; and training and education permeates the ranks of software development functions, the risks associated with insecure software will remain."
A whopping 74 percent of respondents, regardless of company size, job title or industry vertical, indicated that security professionals' involvement in mobile security and BYOD was required. Asked what that work demands, 72 percent of respondents said enhanced technical knowledge was required, followed closely by an enhanced understanding of application security at 70 percent. Knowledge of compliance issues ranked third, with 66 percent of respondents saying it was required. Knowing how security applies to the cloud came next at 47 percent, followed by an enhanced understanding of cloud security guidelines and reference architectures at 45 percent. Contract negotiation skills ranked last, with only 11 percent of respondents marking them as required for working in mobile security and BYOD.
Not surprisingly, given that a large share of respondents emphasized cloud skills even within the mobile security and BYOD space, 74 percent of survey respondents felt that new skills will be required to manage the anticipated risks associated with cloud use. According to the survey, 89 percent of respondents indicated that information security professionals must know how security applies to the cloud. The other skills security pros must have, according to the report, centered on "understanding" the cloud: an enhanced understanding of cloud security guidelines and reference architectures ranked highest at 78 percent, followed by knowledge of compliance issues at 71 percent, enhanced technical knowledge at 62 percent, and the ability to specify security-related contractual obligations and requirements at 61 percent. "The very high percentage of respondents choosing 'understanding' skills is indicative that there remains considerable ambiguity regarding cloud-related risks," the report said.
Like BYOD and cloud computing, social media registered as a security concern among survey respondents, but at 43 percent it was considered less of a threat than either, which the report attributes to the controls most organizations already have in place for managing outside communications. "Social media represents more of an evolution in internal and external communication channels than the introduction of a mushrooming range of user-owned and therefore untrusted user devices. As such, companies have experience in managing the risk of unauthorized communications (e.g., when instant messaging and Web-based email became broadly available), with many of the same and existing technologies and procedures to monitor and manage the communication flows." That's not to say, according to the report, that security pros can ignore social media-related security. "Nevertheless, there is sufficient concern that a majority of information security professionals take action to manage the risk emanating from social media use."
According to (ISC)2, the salary gap between its members and nonmembers is widening. "In comparing average annual salaries for members and non-members between the 2013 and 2011 surveys, the member average salary is higher, and the salary gap between members and non-members is widening," the report said. Depending on job title and location, the average U.S. salary in 2012 for nonmembers was $75,682, down 3.6 percent from $78,494 in 2010. The average salary for members, on the other hand, was up 2.4 percent, from $98,605 in 2010 to $101,014 in 2012. The gap held within individual job titles as well: "U.S.-based security analysts that are (ISC)2 members, on average, have a higher salary -- 23 percent greater than U.S.-based security analysts that are non-members." (ISC)2 attributes much of the difference to career length: "Part of the reason for the higher salaries is tenure; (ISC)2 security analyst members located in the U.S. averaged 35 percent longer careers than non-members." On average, member security analysts had 12 years in the profession, versus 8.9 years for non-members.
Membership affiliation aside, the survey found no significant differences in salary changes by job title or company size; it did, however, find differences between market verticals when it came to salary increases. The average annual salary across all survey respondents was U.S. $92,835. C-level executives, not surprisingly, reported a higher average of U.S. $106,151. Among verticals, healthcare and government-defense reported the highest average annual salaries at U.S. $98,037 and U.S. $101,246, respectively. When it comes to salary changes, 11 percent of survey respondents in the info tech vertical reported receiving a salary increase of more than 10 percent in 2012. Among education respondents, 44 percent reported no change in salary and 6 percent reported a salary reduction. Similarly, 45 percent of government respondents indicated no change in salary and 5 percent reported a salary reduction. "These differences," the report said, "provide an indication of which verticals are using salary to retain and reward security professionals more than other verticals."