A slew of data breaches targeting intellectual property and the rising wave of hacktivist activity are putting pressure on information security professionals, especially hiring managers who have to select from a dwindling talent pool.
That was one of the key findings of the (ISC)2's sixth Global Information Security Workforce Study. The certification organization issued the report this week at the beginning of the 2013 RSA Conference. The firm is running half-day workshops Monday for its certified secure software life-cycle professional (CSSLP) and certified information systems security professional (CISSP) certifications. (ISC)2 worked with contracting giant Booz Allen Hamilton and research firm Frost & Sullivan to survey more than 12,000 information security professionals globally.
Not surprisingly, hackers were cited as the chief concern by 56 percent of those surveyed, followed by the rising profile of cyberterrorism activities. Those targeted attacks can disrupt operations at a critical infrastructure facility, as seen two years ago when Stuxnet first surfaced, or bypass traditional security technologies and remain stealthy on an organization's systems for years, silently stealing intellectual property and other information.
The threat posed by hacktivists such as Anonymous and other splinter groups came in third as a top concern of survey respondents.
"These three things have reached a crisis point for the industry," said Julie Peeler, director of the (ISC)2 Foundation, which oversees the organization's education and scholarship activities. "We're at an inflection point and we've got to put some focus into building the workforce and professionalizing it to have enough highly trained and skilled people as new technologies continue to cause disruption."
More than 80 percent of those surveyed said they had no change in employer or employment in the past year, but (ISC)2 said the number of professionals is projected to steadily increase more than 11 percent annually over the next five years. Still, more than half of those surveyed (56 percent) indicated that their security organization is short-staffed.
"When we ask them what kind of additional support they need, they tell us it's an understanding from upper management about how security issues pervade the entire organization," Taylor said. "They say the No. 1 thing is avoiding damage to an organization's reputation."
Some said recovering from an attack would be difficult and costly even though service downtime was named as one of the highest priorities for nearly three-quarters of the survey respondents. Twenty-eight percent indicated that their organization can remediate from a targeted attack within one day.
Application security vulnerabilities ranked the highest among security concerns, a trend identified in the 2011 survey, Taylor said. A shortage of software development professionals trained in security and secure software development processes is a significant issue, she added.
"There's a real need for more software engineers knowledgeable in secure application, product and platform design," Taylor said.
Threats from malware infections, the loss of control and visibility of data in the cloud, social networking ills and the BYOD trend also were identified as top issues of concern. BYOD technology was cited as a significant security risk by 78 percent of respondents, and 74 percent reported that new security skills are required to address BYOD issues. Sixty-eight percent of those surveyed said social media is a continued security concern as well.
The migration to cloud platforms and infrastructure and the steady adoption of Software-as-a-Service are also causing some anxiety, (ISC)2 said. Forty-nine percent of respondents named cloud-based services as either a top or high security concern in the 2013 survey, a 6 percent increase since 2011. Increased adoption of cloud-based services over the two-year period may have contributed to the increasing security concerns, the report found.
(ISC)2 said it believes there continues to be "considerable ambiguity regarding cloud-related risks," with 89 percent of survey respondents seeking security professionals with a sense of how security applies to the cloud. Seventy-eight percent of those surveyed said talented security pros with an understanding of cloud security guidelines and reference architectures are being sought. Security pros also need knowledge of compliance issues, technical knowledge and an understanding of how contractual obligations and requirements are related to security.
"A thorough understanding of each potential cloud service provider would be required to adequately assess risk across provider," the report said. "With cloud services providers not bound by industry standards or regulations with regard to security practices and procedures, general understanding of potential cloud risks would be incomplete in assessing risk."
PUBLISHED FEB. 25, 2013