Study: State of the Security Workforce(ISC)Â² Report Eyes Threats, Outsourcing and Staffing Crisis
See Also: Zero Trust: A Global Perspective
This news comes from (ISC)Â², the international not-for-profit membership group of infosec professionals, which is out with its seventh Global Information Security Workforce Study, in partnership with Booz Allen Hamilton, Cyber 360 Solutions and NRI. The study was conducted by Frost & Sullivan.
The study, conducted over a four-month period starting in October 2014 to gauge the opinions of information security professionals about trends and issues affecting their profession, included a survey base of 13,930 (ISC)Â² members and non-members across North America, Asia, Europe and the rest of the world.
The findings reveal CISOs must protect businesses from increasing phishing attacks, malware and application-level vulnerabilities, configuration mistakes/oversights, cyberterrorism, hackers and faulty network/systems.
"The strain due to the workforce shortage is materializing, while organisations struggle to manage threats, avoid errors, taking longer to recover from cyber-attacks," says Clayton Jones, managing director, Asia-Pacific, (ISC)Â². "Although infosec spending predictions are the highest this year, a security solution is only as effective as the people managing it."
The APAC Security Challenge
Information Security Media Group sought comments from security leaders on how CISOs must address the challenges identified in the report.
Bengaluru-based Raghu Iyer, president of ISACA, Bangalore chapter, says, "It's true enterprises struggle with traditional security threats like lost devices, insider threats, malware, hacks and social engineering, while handling attacks by non-traditional threat actors. So, CISOs must understand how to staff, manage security and hire the right talent."
The report indicates that increasing numbers of security technology products, security vendors and management consoles - known as ineffective architecture, or sprawl - is a concern. Among Asia-Pacific respondents, Indian firms voice the greatest concern about sprawl, with more than two in five reporting they are very concerned. Indian CISOs say sprawl will spell reduced security efficiency. A reason: security threats evolve faster than vendors can adapt their existing products.
Jones says two-thirds of APAC participants suggest the technology sprawl created by decentralized purchasing, mergers and a lack of backward compatibility from vendors undermines effectiveness.
"To combat it, Indian practitioners try to avoid new security vendors unless existing ones expire, and reduce the number of security vendors in the next 12 months," Jones says. A similar trend is observed in South Korean organisations, which are vigilant in periodically updating security architecture.
Nearly 72 percent of those surveyed indicate application vulnerabilities and malware as top concerns, followed by configuration mistakes/oversights and hackers. Chuan-wei Hoo, technical adviser, Asia-Pacific at (ISC)Â² observes, "Application security scanning, a primary means to discover vulnerabilities, is not done at the frequency or placement [early in the software development cycle] commensurate with the concern."
Iyer adds: "There's a lack of understanding about how computer network defense is adapting to increased persistence and frequency of attacks."
Shortage of Skills
The study indicates that many practitioners still can't find the right talent. "Most organisations need security analysts who can design the architecture around forensics and incident handling as well, and help in keeping attackers at bay," Hoo says.
Jones recommends how to fill the gap:
- The software community must prioritize the design imperatives of a connected society;
- Educators must embed cybersecurity into their courses, particularly within IT;
- Governments must invest more, recognizing that cybersecurity and the health of their economies are intrinsically linked;
- New disciplines must be recognized, and resources put behind them - specifically in forensics, cloud and healthcare;
- Business disciplines must embrace security concerns, especially technology adoption rates.
The study indicates that the skills shortage is the reason why many organisations are outsourcing a portion of ongoing security operations or engaging a professional security service provider for a particular project.
Hoo says more than 55 percent of CISOs indicate outsourcing is somewhat or very likely a strategy their organisations will employ. Jones observes that outsourcing is primarily for augmenting existing internal security teams, not replacing them.
Singapore-based Sid Deshpande, principal analyst at Gartner, says, "From an India perspective, end-to-end IT outsourcing contracts often include a security component which forms a majority of the security outsourcing business."
Deshpande adds that security monitoring and advanced threat defense are both high-growth areas in India - managing these technologies will further drive outsourcing. "However, outsourcing providers face the same skills shortage as enterprises, so CIOs/CISOs must evaluate the skills of the providers' personnel," he says.
Not ruling out outsourcing challenges, Hoo, nevertheless, says that the scope of work is usually not studied in detail to assess the right effort required.
Iyer suggests chief risk officers take control and ensure providers follow the ethics of the organisation, paying attention to the smallest detail.
"CISOs should form a working task force led by a certified practitioner with a ground-up and inside-out approach in negotiating the KRIs," Hoo suggests.
Rise in Security Spend
The study shows an anticipated increase in spending in APAC over the next 12 months on new security technologies and personnel including training and education, certification and use of external resources.
"C-suite executives with the greatest control over security spending were more bullish on spending: corporations now realize the importance of infosec," Hoo says.
The consultancy Gartner has reported that 5.6 percent of the total IT spend was devoted to security in 2013, increasing to 8.3 percent in 2014. And it predicts that percentage will go up significantly this year. According to Gartner's Deshpande, investments will be in risk-associated technologies, application-related solutions and infrastructure security.
He agrees with the (ISC)Â² study on the need for forensic capabilities, noting: "This year will also see 40 percent of enterprises investing in security data warehouse technologies, and 40 percent of them spending on developing forensic capabilities."