Infosecurity experts hard to get despite economic downturn

05 June 2009

Hiring managers are struggling to fill infosecurity positions because of a mismatch between salary expectations and skill levels, and current demand, information security education and certification organisation (ISC)2 has found in its latest jobs survey.

Florida-based (ISC)2 interviewed more than 2800 information security experts, of whom 775 had hiring responsibilities. Of these, 44% were looking to hire additional information security staff this year and over 11% were planning to add more than three people.

Areas of expertise most sought (in descending order):
  • Operations security
  • Information risk management
  • Access control systems and methodology
  • Applications and systems development security
  • Security management practices

More than 80% of hiring managers said they find it challenging to find the right candidate despite the economic downturn. According to (ISC)2, the range of concerns included: a lack of desired skills or lack of available professionals within a local area; poor cultural fit; and salary demands that are too high for available budgets – particularly from people previously working in the financial services sector.

“Demands on professionals are changing. Companies want more for their investment, and professionals need to keep their skills and expectations in line with what businesses are looking for”, said John Colley, CISSP, managing director EMEA at (ISC)2. “Training and professional development will be essential for individuals as they manage their careers in this tough economy.”

Budget cuts and outsourcing

The survey, which was carried out in April and May 2009, found that outsourcing is having an impact, but that “activity on this front may be slowing”. Although 30% reported increased levels of outsourcing of security functions, only 18.7% expect the situation to worsen over the next six months. Budget cuts could also be slowing.

Almost 72% saw information security budget reductions in the period October 2008 to March 2009, and 53.6% said their information security departments had experienced at least one lay-off in the past few months.

Looking forward, however, 62% said they do not expect any additional information security budget cuts for the remainder of the year, and 9% expected an increase. 59% said no additional personnel cuts would be forthcoming in the remainder of the year.

“In this environment, companies may be tempted to make rash security decisions made in the panic to cut costs. Organisations are advised to proactively analyse how cuts affect their risk profile and avoid costly repercussions resulting from breaches and mandated reparations”, said W. Hord Tipton, CISSP-ISSEP, CAP, CISA, CNSS, executive director for (ISC)2.

Increasing attacks

At the same time as information security budgets are shrinking, the number of attacks is increasing, (ISC)2 warns. Internal hacking against the system is up 18.4%, external attacks 33.3%, intellectual property theft 27.8% and fraud and embezzlement is up 28.3%.
