As security executives with years of experience under our belts, we found the findings of the (ISC)2 fifth Global Information Security Workforce Study, released earlier this year, track well with the direction of information security since the last workforce study was completed in 2008. Overall, the study’s results reflect:
- The rise of focus on regulatory compliance in developed regions.
- The continuing growth of information security in the Asia-Pacific region.
- The maturation of information security in North America and Europe.
- The impact of the global economic downturn, particularly in Europe.
- The focus of technology and security “higher up the stack” towards application layers and away from infrastructure; this trend mirrors the evolution of threats over the past several years.
- The increasing influence of consumer technology on the enterprise.
We concur with the main conclusion of the study that the pressures presented to organizations and information security professionals by these trends have never been greater.
SECURITY RESOURCE AND SKILLS GAP
As the study shows, regulatory demands continue to expand the breadth and depth of requirements to deliver protection of company and customer information. The exponential growth of technology coupled with the desire of companies to seize this growth as a differentiator has also increased the demands placed on information security professionals.
We believe the security skills and workforce gaps described in the study to keep up with these trends will become even more pronounced as the global economy continues its steady recovery, with the Asia-Pacific region experiencing the greatest demand for security resources. Because of the interconnectedness of global business, all regions should be concerned regarding this trend. The extraordinary strength of Asian economies will continue to fuel demand for security and compliance resources as reflected by marked increases in spending across all categories. With less legacy information technology systems to replace, Asian countries are able to quickly deploy newer technologies such as mobility across their populations.
As another indicator of this gap, respondents in the Asia-Pacific region consider social media more important by considerable margins than their counterparts in other regions. Higher levels of adoption of new technologies, such as social media in the region, has been noted in numerous studies and surveys -- consumers in Australia and China, for example, have some of the highest usage rates of social media in the world. The security resource gap in the Asian-Pacific region is further exacerbated by a relatively small security resource pool and an overall lack of strong information security educational curricula.
Another driver of the resource gap in the security field noted in the study is the continual ebb and flow of demand between the public and private sectors. The past few years have seen explosive growth in demand for security experts in the public sector, particularly in the most developed countries. While this trend may be leveling off, the available pool of qualified candidates has decreased considerably during these times of demand.
On another front, respondents listed application vulnerabilities as their top threat concern. Few things about the IT landscape have grown in complexity more than the development and integration of software applications. As developers work to improve the flexibility and user-friendliness of applications, the back-office complexities of these systems are increasing. Many more applications today are Web-enabled, expanding the surface area of the systems that must be secured even more.
WAYS TO FILL THE GAP
While the study projects the profession will grow from 2.28 million today to almost 4.24 million by 2015, the question remains: “Where will these new professionals come from and how will we ensure they are knowledgeable, ethical entrants to the field?”
The topic of security has received much publicity in light of recurring high-profile breaches and data loss. This level of exposure attracts attention to the profession and, in turn, is one catalyst for new entrants into the resource pool. These entrants typically come from both traditional IT education and training programs and from within the IT industry itself.
Until the past few years, there were few security-specific curricula available at traditional universities or technical schools. This scenario has changed and now there are numerous security-specific programs available for both technical and managerial security education. However, current and relevant training for working professionals that fits into their busy schedules is also required. Because of the increasing need for continuing education, companies need training delivered in ways that help them maximize their travel and training budgets. By using Web-based technologies and computer-based curricula, training and certification organizations can improve their ability to meet these needs.
Also, since the pace of technology change in the information security field has rapidly accelerated over the past 10 years, training content must be refreshed at a similar pace to keep up with the evolution of threats and technologies. For instance, top threats noted in the study such as insecure applications and cloud computing were not even on the radar screens of most information security professionals just a few short years ago.
Many companies are mandating certification for their internal security employees and outsourced consultants. While by no means a guarantee of competence, industry certifications provide assurance that the individual meets a minimum level of knowledge in the information security field. Further, a minimum level of industry experience is also a requirement of professional certifications, such as those from (ISC)2 and ISACA. Companies use these certifications to validate baseline requirements when hiring security staff.
Due to the nature of the practice, ethical behavior is a hallmark of the information security profession. Practitioners must subscribe to a strong code of conduct and conduct themselves in a like manner. Training and certification organizations must make sure ethical conduct awareness and compliance is embedded in their programs.
Members of the (ISC)2 Advisory Board of the Americas Executive Writers Bureau include information security experts from across industry sectors. Send comments on this column to firstname.lastname@example.org.