Wednesday, 31 July 2013

Data breaches linked to cyber skills shortage - the importance of certification


The shortage of skilled professionals in cyber security is responsible for the high levels of data breaches, according to the (ISC)² Global Information Security Workforce Study (GISWS). This is having a weighty effect on the global economy, according to the study of more than 12,000 information security professionals worldwide conducted by Frost & Sullivan.

Lack of qualified professionals is the top concern of over half (56%) of chief information security officers (CISOs) alongside hacking. Hacktivism (43%) and cyber-terrorism (44%) are also major worries.

The report concludes that the major shortage of skilled cyber security professionals is negatively impacting organisations and their customers.

The executive director of (ISC)², Hord Tipton, stated that data breaches have an economic effect: “Now, more than ever before, we’re seeing an economic ripple effect occurring across the globe as a result of the dire shortage of qualified information security professionals we’ve been experiencing in recent years”. He added: “Underscored by the study findings, this shortage is causing a huge drag on organisations. More and more enterprises are being breached, businesses are not able to get things done, and customer data is being compromised.”

Given the high levels of cyber espionage, hacktivism, and nation-state threats, Tipton stated that the time is now for the public and private sectors to join forces and close this critical gap. “We must focus on building a skilled and qualified security workforce that is equipped to handle today’s and tomorrow’s most sophisticated cyber threats”.

The 2011 GISWS found that there is a problem upstream: a major shortage of software development professionals trained in security. With cloud security, bring-your-own-device (BYOD) and social networks, there are more threats from malware and mobile devices.

According to the report, a multi-disciplinary approach is required to address the risks in BYOD and cloud computing. 74% of respondents thought new security skills are required to meet the BYOD challenge and 68% that social media is a security concern, with content filtering being the top security measure used.

“The business model of cyber criminals is changing and therefore information security professionals need to change to address that and adapt their approach to new and emerging technologies,” said Richard Nealon, co-chairman of the (ISC)² Advisory Board for Europe, Middle-East and Asia.

“This survey shows that we need to rethink our approach to the skills challenge. We need to look at the problem from the top down, not the bottom up,” added the managing director, John Colley.

Other key findings from the study include:

Information security is a stable and growing profession. Over 80% of respondents reported no change in employer or employment in the past year, and 58% reported receiving a raise in the past year.  

The number of professionals is projected to grow steadily by more than 11% a year over the next five years. The average annual salary for (ISC)² certified professionals is £66,330 globally, which is 33% higher than professionals without an (ISC)² certification.

Knowledge and certification are considered highly important in job placement and advancement. Almost 70% view certification as an important indicator of competency when hiring. Almost half of companies (46%) require certification. 60% of those surveyed plan to acquire certifications in the next 12 months, and the CISSP is still the top certification in demand.

This figure is the same for the UK. If you want to find out more about certifications, we recently wrote an article on our top four IT security certs; you can find it here.

How to boost cyber security skills:

To end the shortage of cyber security skills, three actions are required, according to Richard Nealon, co-chairman of the (ISC)² Advisory Board for Europe, Middle-East and Asia.

1.   More engagement from businesses is needed with the IT security profession. Opportunities need to be made available to existing and prospective infosec professionals, along with incentives to stay. “By providing internships, for example, businesses can open the door and enable people to see if they are suited to a career in infosec,” said Nealon. He added that “The average age of skilled information security professionals in the UK is 43, we are not getting enough young people into organisations where they can learn as they work”.

2.   The Government needs to take on its responsibility of further promoting IT security as a key skill that is essential to the protection of critical national infrastructure. Nealon stated that “Government should encourage scholarships and help create training and employment opportunities”.

3.   The educational industry should work harder to ensure its IT courses have a stronger focus on security. It should also offer more courses on cyber security and make them attractive to prospective students. “For example, a course in ‘forensic cyber security’ is much more attractive than a ‘bachelor in information security’,” said Nealon. “There is also a gender imbalance that needs to be addressed. Worldwide, 89% of infosec professionals are male, but in the UK the figure is 93%,” he added. These institutions should further promote IT security as a career, particularly to women, as the gender imbalance is not good for the industry.

About the Author:
Julian writes for Firebrand Training on a number of IT-related topics. This includes exams, training, certification trends, project management, certification, careers advice and the industry itself. Julian is the company's Digital Marketer.