Survey: InfoSec Pros Need New Skills

Securing Cloud Computing, Mobile Apps, Social Media
The information security profession is at a crucial turning point as professionals scramble to develop new skills in the arenas of cloud computing, mobile applications and social media, a new survey shows.

The 2011 (ISC)2 Global Information Security Workforce Study, conducted by Frost & Sullivan, also found that salaries for security professionals are increasing as demand for their services grows. The survey polled more than 10,000 private- and public-sector information security professionals from around the globe.

Based on the survey results, Frost & Sullivan estimates that the number of security professionals will grow to 4.24 million by 2015, compared with 2.28 million in 2010. That's a compound annual growth rate of 13.2 percent.

"The demand is high because security is now seen as a national priority and a global issue," says Rob Ayoub, Frost & Sullivan's global program director for information security.

Also, the high growth is attributed to the changing role of information security professionals, who are now engaged to protect an organization's reputation, business and customers, rather than just focusing on an organization's security and IT posture. "This increase in services to an organization has made their position invaluable," Ayoub says.

But security professionals must develop new skills so they can tackle the challenge of regulatory compliance as well as prevent the loss of data via mobile devices and manage the risks involved in using cloud-based services, says Hord Tipton, executive director of ISC2. "Security professionals are back in the position of playing catch-up and chasing emerging technologies," he adds.

Mobile applications

A sizable majority of survey respondents -- 70 percent -- said that more than 25 percent of the employees at their organization have mobile computing devices. Also, 66 percent of respondents identified mobile devices as a top or high concern.

"As people share more data electronically and boost their use of mobile applications, data security will become more challenging than ever," Ayoub says.

Nearly seven out of 10 respondents worldwide indicated they have a formal IT security policy for mobile devices.

The study further showed that security professionals have been tackling the mobile security problem by using such technologies as encryption, network access control and remote lock-and-wipe functionality.

Cloud computing

Some 74 percent of those surveyed reported the need to develop skills for properly securing cloud-based technologies. Of those, 92 percent indicated they needed to develop a detailed understanding of cloud computing, and about half identified contract negotiation skills as one of their top three requirements.

"The shift to the cloud highlights the need for security professionals to be business thinkers," Tipton says. "It is a business process for managing new capabilities and services requiring practitioners to think beyond technology to how data will be used, managed and consumed by their business and industry."

Over half of the respondents surveyed said their organizations are using cloud computing at some level. Of those, 16 percent said their organizations are using public cloud services, and 42 percent are using the software as a service model.

When it comes to cloud computing, respondents believe that the exposure of sensitive information and data loss are the top security concerns.

Social Media

The survey found that LinkedIn (63 percent), blogs (53 percent) and Facebook (51 percent) are the most popular social networking sites that employees are allowed to access from the workplace. It also found that 44 percent of organizations worldwide have enforced a social media policy to control user activity. But 28 percent of information security professionals worldwide reported having no organizational restrictions on the use of social media.

"Security professionals still view social media as a personal platform," Ayoub says. "Sooner or later, they will need to emphasize standardized practices and get the granular tools to understand what this means to their privacy and data."

Rising Salaries

Despite the economic recession, security professionals have seen a rise in salaries. In the Americas, the average annual salary for those with ISC2 certification was $106,900, up about 6 percent from 2007. Salaries in Europe, the Middle East and Africa averaged $87,400. And average salaries in Asian Pacific countries have become more closely aligned to those seen in other regions, averaging $74,500.

Also, there is a big difference in salaries between developed and undeveloped countries. While salaries continue to climb in the Americas, with 29 percent of respondents earning $120,000 or more, the average salaries in developing countries are relatively low, with the majority earning less than $40,000.

Worldwide, the survey confirmed that those who hold an ISC2 certification and have at least five years of experience earn an average annual salary that's $20,100 higher than non-certified professionals.

Education & Certification

Worldwide, 48 percent of information security professionals have a bachelor's degree or equivalent, with the Americas and Asia Pacific having the highest number, at 50 percent and 51 percent, respectively. Europe, the Middle East and Africa reported the highest number of professionals (42 percent) who hold a master's degree.

"Clearly we can see how security is becoming a profession by choice rather than an off-shoot of IT," Tipton says. "Education is transforming the profession to a more desirable and specialized field."

Of those surveyed who have hiring responsibilities, 90 percent ranked security certifications as very or somewhat important in their selection of job candidates. The top reasons why were: employee competency (69 percent), quality of work (58 percent) and regulatory requirements (48 percent).

Also, 60 percent of respondents worldwide reported that they plan to get one or two new certifications in the next 12 months.

Skill Development, Training

Information security professionals identified the need for additional training and education opportunities across a number of disciplines, the top three being information risk management (47 percent), applications and systems development security (41 percent) and digital forensics (39 percent).

Training in how to provide end-user security awareness also ranked high, at 39 percent. "The profession is maturing and ultimately seeing the connection between end-user activity, security and data protection," Ayoub says.

Also, 22 percent of security professionals worldwide indicated they were involved in some aspect of the software development process as a new job focus area.

As salaries for security professionals continue to grow despite economic conditions, it's clear that security is becoming a priority for the private sector as well as governments, Tipton says. "With the growth we've seen in application security, cloud computing and data protection, the demand for qualified professionals will only grow exponentially."


About the Author

Upasana Gupta

Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.



