The study involved 12,000 existing security professionals throughout the world; two-thirds of whom hold an (ISC)2 qualification while one-third do not. “It’s about 20% larger than our last survey – and I think we’re safe in saying it is the largest survey of its kind ever undertaken,” said John Colley, managing director, (ISC)2 EMEA, in discussion with Infosecurity.
Colley believes that three key findings come out of the survey. The first is that the industry simply isn’t attracting enough staff of sufficient quality. “There is an apparent skills shortage in terms of the number of people that are required to actually provide advice and guidance on information security. That’s having a negative impact in a number of areas. First of all,” he explained, “it’s impacting on the workforce itself – 71% said they felt under strain because they don’t have enough staff in place.” Then, he added, that shortage is affecting the company, having a direct effect on the number of breaches and the company’s ability to respond to incidents. And finally, according to 47% of respondents, that inability then has a direct effect on the organization’s customers.
“If this issue is not adequately addressed,” warned Colley, “eventually it’s going to have a ripple effect right through the global economy.” He believes that the main problem starts with the education system. “We’re caught in a Catch 22 problem,” he said. “Companies want to employ experienced staff, but without the employment, people can’t get the experience.” While in many professions the education system at least provides some direct training, it doesn’t happen with security, he added. “If you want to be a civil engineer, you can get a degree in civil engineering; but the universities do not offer a degree in security.”
The second issue highlighted by the survey is an apparent disconnect between IT development and infosecurity. “Application security and software development is perceived as the number one issue for security professionals,” said Colley. “This is because IT doesn’t understand security, and security doesn’t get involved in software development.” One of the approaches we’re taking as an organization, he added, “is to engage more with academia, suggesting that basic security should be taught within IT and science courses. That way, when we turn out computer science graduates, at least they understand the fundamental principles of infosec. They should understand how to identify security requirements, how to design and architect security into systems, and how to code and test for security weaknesses.”
The problem is that neither of these is a new issue. Both have been highlighted by (ISC)2 before; but rather than improving, they are arguably getting worse. “The people who are already in the profession,” said Colley, “are in a very privileged position – it’s a bit like the position IT was in 30 or 40 years ago, when they were the prima donnas. With IT, people were very quickly attracted into the profession – but I’m a bit concerned that this is taking so long for security.”
The attractiveness of the profession is the third key finding of the survey. “Information security as a career is resilient,” said Colley. “It’s flourishing, pretty well paid, provides good job security, and has little movement other than career progression.” With safe jobs and good pay, it is now up to education to furnish the right skills.