The survey has led experts to call on organisations to widen their recruitment net beyond the traditional IT ‘pool’ – and to seek networking and influencing as well as technology skills because “information security management is all about persuading thousands of people to do things that they don't want to do”.
The SANS 2014 Application Security Programmes and Practices survey involved 488 IT professionals and found that over 80 percent now have a formal application security programme in place, up from 66 percent a year ago. But the respondents said a lack of qualified staff and lack of skills are the major inhibitors to instituting Appsec programmes.
"This year's survey provides valuable and surprising insights into the challenges that organisations face," said SANS analyst Jim Bird. "It's not only funding and getting management buy-in - there are other more fundamental problems, including a shortage of skills - that are preventing people from taking care of security where it makes the most difference, upfront in design and development."
In response, futurologist and information security researcher David Lacey said cyber security education needs a “revolution” to identify people with the right “innate technical skills that you cannot teach”, while also producing security graduates with practical skills like project management, networking and marketing.
“These skills are not encouraged in the current syllabi that you see in information security training,” he told SCMagazineUK.com. “My advice would be, scrap the whole lot and start again. I'm more into revolution than evolution because I think it's a step change that's needed.
“None of this is taught. We have courses designed to guide you through successive examinations and we do not recognise the training needed. We need great skills, we need common-sense problem-solving skills, not tick box ‘I've passed an exam’ skills.”
As for organisations recruiting security specialists, he said: “I would say very strongly they should look for strong assignment skills - how to go about managing a project, but also marketing and influencing skills, because the key to it all is that information security management is all about persuading thousands of people to do things that they don't want to do.”
Amanda Finch, general manager of the UK-based Institute of Information Security Professionals (IISP), said that one answer to the skills shortage is to look in other ‘work pools’ for staff with the right aptitude for cyber security.
“Existing employers need to look at transferring the existing skills from people who are talented within their own work pool,” she told SCMagazineUK.com. “I know that one of our corporate members looking for security developers has looked at people who are generalised IT programmers and have got the technical skills base - to see whether they've got the right mindset to be able to swop from a straightforward development role into an application protection role. It's looking for people with the right mindset.”
She added: “Organisations also need to be employers of choice - some of that is obviously about money but some of it is also about flexible working, developing people, those sorts of things.”
Francois Gratiolet, CSO for EMEA at Qualys, suggested advanced security technology as one possible solution to the skills gap.
“It may be that the cure for the technology industry's security problem is, in fact, more technology,” he told SCMagazineUK.com via email. “Automation of attack prevention and detection is growing much more advanced, and we are finding that companies can protect themselves against the vast majority of attacks without the need for a specialist engineer at all. The computers will start to do a good job of protecting themselves as time progresses and the technology matures.
“However, automation alone is not a magic bullet. Businesses themselves must start raising awareness of good security practices within their own organisations too.”
The SANS survey found more than 35 percent of respondents test the security of their business-critical applications on an ongoing basis, up from 23 percent last year. Just three percent leave application security to chance and do not test at all.
US-based SANS Institute is an information security training, certification, research and education body. More details of its survey will be released in a webcast on Wednesday February 12, at 1 PM EST. To register for the webcast, visit http://www.sans.org/info/150770.