RSA 2011: (ISC)² study shows gap between cloud security technology and training

While information security professionals appear to have survived the global recession in relatively good shape, there are several areas of concern when it comes to emerging technology and training. These were just some of the findings of the latest (ISC)² 2011 Global Information Security Workforce Study published today.

On the positive side, the study – which was conducted by Frost & Sullivan with an accompanying report authored by Robert Ayoub, the firm’s global program director for information security – found that the security profession continues to grow at a healthy pace according to responses from the more than 10,000 security professionals who participated. Frost & Sullivan anticipates a compound annual growth rate for North American information security professionals of 14.2% between 2010 and 2015, outpacing the EMEA (13.2%) and APAC (11.9%) regions over this same period.

Considering the maturity of the profession in North America, this finding from the report may be rather surprising when compared to, for example, the Asia-Pacific region, where many emerging economies continue to grow at a substantially higher rate. According to Hord Tipton, executive director of (ISC)², the growth rate in North America speaks to the interest of the US government in having qualified security professionals who obtain industry certifications. “As an example, last year we tested twice as many candidates for certification than we had in any previous year”, he told Infosecurity.

Salaries among security professionals have risen since (ISC)² published its last workforce study in 2008. At that time, the average salary among infosec professionals in North America came in at $100,967, which has increased to $106,900 in this latest survey – no small feat when you take into account the recent worldwide recession. Even more telling was the salary gap between (ISC)² and non-(ISC)² members, as non-members without certifications were paid, on average, almost $14,000 less per year.

Then there are the more concerning results from the report. Sixty-six percent of respondents identified mobile devices as a top security threat, second only to application vulnerabilities (73%). However, 29% of those polled said their organization has no formal policy for unmanaged mobile device use.

Tipton said these organizations tend to be smaller and freely allow personal mobile devices within their networks. “They take risks by doing this”, he added.

In addition, cloud computing was identified by Frost & Sullivan as “one area in particular where information security professionals cited the need for additional training”, according to its report. In North America alone, 93% of those surveyed said more education about understanding the cloud as a whole was in order, with 85% responding that enhanced knowledge of its associated technologies was necessary. A further 48% identified the need for specialized cloud contract negotiation skills.

What the survey shows is that when it comes to the IT industry’s hottest trend, technology and implementation are outpacing security professionals’ ability to keep up from an educational standpoint. According to the report, Frost & Sullivan believes there is a “significant and potentially dangerous gap between the goals of CIOs and the security required for [cloud] services”.

Tipton completely agrees with this assessment. If you look at the data, he continued, you see that security professionals spend nearly half their time researching new technologies. “This makes moving your data into the cloud so sensitive”, he said.

In today’s environment, Tipton believes security professionals are becoming akin to “mini-lawyers”.

“You need a new knowledge of how to do that contract. You need to have your SLAs in line. Currently, we don’t have enough people who know exactly how these things work. Right now [cloud computing] is like a freight train rolling down the track. People are stranded, and the risks are there.”
