The security of our computers, our computerized controls and medical devices, and our data in the cloud is vitally important. In some ways, World War II may be fought on the Internet and the Dark Web. The events of the last several weeks, with one revelation after another about the hacking of federal data, make the 2015 release of The 2015 (ISC)2 Global Information Security Workforce Study all the more prescient.
The International Information System Security Certification Consortium, Inc., (ISC)2, is one of the leaders in education and certification of information security professionals. The 2015 study is based upon a survey of almost 14,000 people working in that field. The study also draws on similar studies done in 2011 and 2013 for data comparison.
Four security concerns were cited by over 60 percent of the respondents. At the top of the list were application vulnerabilities, followed by malware, configuration mistakes and oversights, and mobile devices. The number one threat technique, offered by 54 percent of respondents, was phishing. No other technique received more than 36 percent.
Despite the fact that application vulnerabilities were of the greatest concern, the survey found that efforts to lessen those vulnerabilities are a low priority and usually take place after an incident. Among the reasons for this were the lack of interest among application vendors in modifying code, the time that scanning takes and the need for more training on the hows and whys of the process.
Security Dollars and Cents
The survey looked at computer security costs. Some 45 percent of those surveyed forecast increased spending on security tools. Some 35 percent of respondents forecast increased personnel spending. Increases in other costs were forecast by even smaller percentages. This reflects the general uncertainty on the topic.
Part of that uncertainty is due to the recognized “sprawl” in the industry. There are more vendors and more applications available every month, it seems. It requires that computer security departments support more and more technologies and find, somehow, the time and funds to train personnel. The survey found that significant numbers of those asked felt that they would be reducing the number of security vendors used over the next year. Unless products are retired, the respondents would likely be avoiding adding any new products.
(ISC)2 surveyed respondents on salaries. In 2015, the average member of the organization earned a salary of $103,117. The respondents, on the whole, are fairly satisfied with their jobs. Some 76 percent answered that they were satisfied or somewhat satisfied. However, there was some “churn,” with 19 percent of those in the survey changing jobs in 2014. The average tenure on the job for respondents was over ten years.
The survey asked for the areas of information security where those surveyed saw the greatest need for training and education over the next three years. Some 57 percent said “cloud computing.” Tied at 47 percent were “bring your own devices,” “incident response” and “information risk management.”
The good news is that 62 percent of respondents said that there were too few information security professionals in their organization. An analysis done from the survey data projects that the industry will grow about six percent per year over the next five years in the Americas.
It’s difficult to lay out all the data in such a survey. It includes important information about what employers are looking for (hint: good communications skills) and which job titles will be in demand. The overarching theme remains that the number of information security professionals is too few, and opportunities for those looking to pursue a career abound.