Two-thirds of (ISC)² members have said that they have too few information security professionals, despite budgets allowing for more personnel.
According to its bi-annual Global Information Security Workforce Study (GISWS), spending on security is increasing across the board for technology, personnel and training. However, complexity caused by threats evolving faster than vendors can advance their products led two-thirds of respondents to suggest that a new phenomenon known as “technology sprawl” is undermining effectiveness.
The study, which surveyed over 13,000 information security professionals and practitioners worldwide, found that application vulnerabilities and malware were identified as the top security threats for the third study in a row, and that phishing is the top threat technique employed by hackers; yet the results also showed a decline in the importance attached to awareness training.
Speaking to IT Security Guru, Adrian Davis, managing director for EMEA at (ISC)², said that one of the key findings was the variance between regions, which is getting smaller because of a globalisation of both threat and response. “Professionals are doing the same job and have become much more aware of the global nature of the threat,” he said. “The other thing is we are still dealing with problems with applications and developments and exploits that take advantage of those threats.”
Asked why application security continued to be a problem, Davis said that this was a combination of dealing with a legacy of 25 to 30 years of software development in which security was not a concern, and of not having the knowledge, skill or software available to fix that.
“There is so much old software out there that we are constantly playing catch up, and secondly we have never made the case to software developers that writing good secure software is something that should be rewarded,” he said. “There are so many lines of code in any product, I doubt any one human can go through all that code and find the problem.”
Martin Lee, cyber crime manager at Alert Logic, said: “The demand for security personnel is increasing, yet the supply of such people is not keeping pace and we are experiencing a skills drought.
“As with any severe drought, we have to admit that it will not rain soon, and we will not be flooded with skilled security staff in the foreseeable future. We must take stock of the facts and adapt our behaviour according to the situation. The managed service model where skilled staff are aggregated together and shared across many different companies is the best use of a scarce resource. Not only does this model make the best use of a rare resource, but by aggregating together attack data as well as skilled staff, wider attack patterns that are only identifiable in aggregated data can be discerned, and a better level of protection can be provided.”
Mike Spykerman, vice president of product management at OPSWAT, said that what concerned him was that the importance of phishing awareness training in the workplace is declining.
“Not only is phishing the most common entry point for hackers; a large element of the success of phishing depends on human error and lack of alertness,” he said. “With clear cyber security policies in place along with regular training, the chance that phishing attempts are successful can be greatly diminished. To help companies set up their employee cyber security policies and awareness training, OPSWAT has put together a list of the Ten Things to Include in Your Employee Cyber Security Policy.”
The full 2015 GISWS can be downloaded here: https://www.isc2cares.org/IndustryResearch/GISWS/