Common application vulnerabilities and the complexities involved in using cloud-based services have employers looking for IT professionals with knowledge of secure application development
In addition, the 2011 (ISC)2 Global Information Security Workforce Study (.pdf) found application vulnerabilities are the number one threat to organizations and the introduction of smartphones in the workplace is overwhelming at many firms. The survey of more than 10,000 information security professionals was conducted by research firm Frost & Sullivan on behalf of certification firm (ISC)2 Inc. and was released at the RSA Conference 2011.
Survey results reveal most pressing security needs
More than 20% of information security professionals reported involvement in software development activities and expressed a need to improve the software development lifecycle. Seventy-three percent of those surveyed said their companies are concerned about application vulnerabilities. Many firms are looking for IT professionals to build security into software requirements and have indicated a need for better tools to test, debug and validate the quality of software before it is used in production environments.
"The idea is that improving the security of software in the development lifecycle combined with more highly skilled code writers and the right people driving projects will reduce software vulnerabilities," said (ISC)2 executive director Hord Tipton. "At the same time you've got to look at the explosion in the mobile environment; the new ways that applications are being deployed are simply becoming overwhelming."
Improving the security of software in the development lifecycle combined with more highly skilled code writers and the right people driving projects will reduce software vulnerabilities.
Security professionals are pressured to address the tremendous increase in smartphones and other mobile devices used by employees and are concerned about the new risks they pose. Sixty-six percent of survey respondents indicated it was a top concern. Those surveyed said they already deployed encryption (71%) to protect data on devices and have remote wipe capabilities in place to guard against lost or stolen devices.
Survey respondents also indicated the need for mobile management software to enforce security policies across different device platforms. In addition, many firms are using network access control systems and requiring device owners to use a mobile VPN before accessing the company network.
Tipton, the former CIO for the Department of the Interior, said organizations are less concerned about the threat of mobile malware and more frightened by the leakage of sensitive data. In many cases, security professionals are being forced to allow nearly everything to connect to the network, creating increasing security concerns, he said.
"It comes down to biting the bullet and adopting architectures when deciding what you want to allow on the network," Tipton said. "If you are too lenient and you allow everything on the network, you've got a lot more than you can really manage and practically all of the mobile platforms have different nuances that require different types of support knowledge."
it to do everything.
The increased use of cloud computing services and the perceived security complexities involved have some organizations looking for skilled IT professionals capable of tackling the burden. More than 40% of respondents reported using Software as a Service, and more than 70% of professionals reported the need for new skills to properly secure cloud-based technologies.
While the survey didn't provide detail into the kinds of new skills needed, 74% of those surveyed indicated that cloud computing demanded new skill requirements. Nearly all security professionals surveyed said IT professionals need to help executives understand cloud computing and its associated technologies. The survey also noted an increased demand for specialized skills in contract negotiation.
"It's a little bit challenging to pinpoint specific skill sets or requirements related to cloud because every organization is different," said Rob Ayoub, an industry manager of information and communication technologies at Frost & Sullivan, who authored the survey. Ayoub added that more often IT professionals are being asked how to ensure data availability and security, and to meet compliance requirements during contract negotiations with cloud service providers.
The survey, which is designed to show how specialized-area certifications can help IT professionals differentiate themselves in a competitive job market, also continued to track the trend of what Frost & Sullivan calls the "dilution effect" of certifications. The number of vendor-neutral and vendor-specific certifications has grown to more than 40, making it difficult for certification vendors to differentiate themselves, the study found.
"The concern is that certifications considered of high value today may be perceived to be devalued and, consequently, less significant to information security professionals and, more importantly, their employers," according to the report.
Tipton said the CISSP certification continues to be coveted by information security professionals, with the vast majority of (ISC)2 members meeting annual education requirements to renew their CISSP credentials. Less than 1% of IT professionals who fail to renew their CISSP say they did so because they thought the value of the certification has diminished, Tipton said. The (ISC)2 board is also constantly updating the testing procedures for the CISSP certification to address emerging technologies like the use of virtualization and cloud computing, he said.
"Due to the popularity of the CISSP, don't expect it to do everything," Tipton said. "We're finally getting through to human resource directors and hiring officials that they really need to look under the hood when hiring for specialized positions."