Malware is not the only threat to enterprise security.
According to a new study from the International Information Systems Security Certification Consortium, or (ISC)2, a shortage of security experts with strong leadership and communications skills poses a direct challenge to organizations around the world.
The study, which was prepared in cooperation with research firm Frost & Sullivan and consulting firm Booz Allen Hamilton, included feedback from more than 12,000 information security professionals from across the globe.
Among the report’s findings is that while hackers (56 percent) and cyber-terrorism (44 percent) are among the chief concerns identified by participants, some 56 percent said their organizations are short-staffed.
But it is not just technical knowledge that companies are looking for, explained Julie Peeler, director of the (ISC)² Foundation. Businesses are also looking for job candidates with people skills as well.
According to the study, communication skills was the second most commonly cited success factor for information security professionals (91 percent), coming in right behind a “broad understanding of the security field.” Leadership skills and experience in project management were cited by 68 and 57 percent, respectively.
“I think there’s an understanding—not only on the part of professionals in this industry but also on the part of hiring managers—that a really good information security professional not only has the technical knowledge but also has a desire to stay on top of their field and have those broad managerial skills,” she told eWEEK.
More than any other discipline, security experts reported the biggest gap between risk and response attention resided in the area of secure software development. According to the survey, insecure software contributed to roughly one-third of the 60 percent of detected security breaches. In the other 40 percent of detected breaches, insecure software’s role was uncertain because either the post-breach forensics were inconclusive or the survey respondents were not privy to the forensics.
The phase of software procurement and development that security practitioners were most commonly involved with was specifying requirements (75 percent). When it came to the phases that involved confirming that these requirements were meeting objectives, the involvement of security professionals “drops off considerably,” according to the report.
Nearly 70 percent said they view security certifications as a reliable indicator of competency when hiring. In fact, almost half of all hiring companies (46 percent) require certification. Additionally, 60 percent said they plan to acquire certifications in the next 12 months, with the CISSP certification being in top demand.
Overall, the security business seems to provide steady employment. More than 80 percent of respondents reported no change in employer or employment in the last year, with 58 percent saying they received a pay raise in the past year. The global average annual salary for (ISC)2 certified professionals is $101,014 (USD), which is 33 percent higher than professionals not holding an (ISC)2 certification.
Though the challenge of finding bodies to fill security organizations remains, the report projects the number of security professionals will grow steadily by more than 11 percent annually around the globe during the next five years.
“Now, more than ever before, we’re seeing an economic ripple effect occurring across the globe as a result of the dire shortage of qualified information security professionals we’ve been experiencing in recent years,” said W. Hord Tipton, executive director of (ISC)², in a statement. “Underscored by the study findings, this shortage is causing a huge drag on organizations.”
“We must focus on building a skilled and qualified security workforce that is equipped to handle today’s and tomorrow’s most sophisticated cyber-threats,” he said.