(ISC)2: Global Infosec Workforce Shortfall to Reach 1.5m by 2020


A lack of qualified information security professionals on the job market is causing hiring and staffing difficulties for many organizations, new (ISC)2 research shows.

Due to the predicted increase in demand for information security personnel outpacing the supply, the global workforce shortage will reach 1.5 million within five years, the not-for-profit certification body predicts in its 2015 Global Information Security Workforce Study. This is despite the fact that researchers Frost & Sullivan predict in the biennial study that the size of the global infosec workforce will actually increase by 6% within one year.

As it stands, 62% of survey respondents – from a sample of nearly 14,000 qualified security professionals worldwide – report that their organizations have too few security professionals. Healthcare and education are the two verticals where the shortfall is most keenly felt – 76% of respondents from each of these sectors report being understaffed in terms of security.

Responding to this, and offering potential ways to rectify the skills gap, Adrian Davis, EMEA managing director at (ISC)2, told Infosecurity, “In the UK over 90% of our respondents [to the study] were male, which instantly says we’re missing out on 50% of the population.

“Information security has done a bad job of explaining who we are and what we do, and the fact that it’s open to anybody – you don’t need a computing science degree. We need to stand up and say that what we do is interesting and important and an exciting career. It’s not about being a geek in the basement; there are a whole range of roles.”

Indeed, it is not budget in most cases that is preventing companies hiring more staff. In fact, there has been a 20% drop in respondents who report that business conditions can’t support more hiring (45%), compared with 2013, when this factor was rated as the most significant reason for understaffing.

According to 45% of those surveyed, the difficulty in actually finding qualified security professionals is a key factor behind the shortage. Since 2013, there has been a slight, 2% decrease in those who believe that a lack of understanding within the organization’s leadership contributes to a shortage of security personnel (43%).

In highest demand are security analysts; 46% say their organizations do not have enough.

The research shows that the top-valued skills in the profession are communication and a broad understanding of the field, with 90% of respondents rating these as key drivers of success. Over three-quarters of professionals surveyed rated communication as a very significant factor in allowing them to achieve their current position – the highest ranked competency in this category overall.

Asked about the significance of this point, Davis explained that “There is greater emphasis now on rounded individuals with a wide set of skills. If you have great communication skills, are good at management and the soft business skills and you have good infosec knowledge and you evidence it with a CISSP or a similar certification, you have a world of opportunity.”

Employee churn, meanwhile, is at its highest compared with the 2011 and 2013 results. In the last year, 19% of the sample’s employment status changed, with the majority of this group changing employer while already in work.

On the operational side, security teams are feeling the pressure. Response time to incidents is getting longer, with just 20% reporting that response to a system or data compromise can be carried out within one day, down from 33% in 2013.

With a lack of candidates for job vacancies, 45% of respondents predict an increased expenditure on tools in the next 12 months (up 13% on 2013), compared with 35% of respondents who expect investment in personnel. Monitoring and intelligence technologies came top when respondents were asked to rank the tools that most significantly improve security.

However, over two-thirds of respondents expressed concern related to ‘technology sprawl’ caused by the increased deployment of a wide variety of technologies. Challenges in training in-house security personnel and reduced security efficacy were cited as possible side-effects of this sprawl.

“There’s a lot of investment in trying to automate security,” Davis explained. “Organizations are looking to technology as a way to mitigate that shortage, so security people are now spending more time managing the systems that are supposed to make their lives easier than doing the actual security work. Technology sprawl is actually undermining effectiveness.”
