The seventh annual (ISC)² Global Workforce Survey, conducted by Frost & Sullivan, was released on Wednesday and it makes for stark reading for CISOs, IT security teams and the information security sector in general.
The headline statistic is that there will be a shortage of 1.5 million information security professionals by 2020, in line with other estimates. Interestingly, half of cyber-security staff cite this shortage as a key reason for data breaches, and 48 percent say it is “heavily impacting” on customers.
The lack of staff has a damaging impact on how enterprises react to data breaches: 44 percent say it takes up to seven days to correct a data breach, with another 19 percent saying that this takes up to three weeks. Only 42 percent of organisations across the public and private sectors said they were confident in their ability to recover from a cyber-attack, with one in five saying it could take between eight days and eight weeks to remedy a cyber-attack.
Interestingly, the reason for this shortage is split: 45 percent blame a lack of qualified personnel, while another 45 percent blame ‘business conditions’ that hold back hiring. As a result, a quarter of UK firms expect to increase outsourcing to make up for the cyber-skills gap. The gap is especially pronounced when it comes to the number of women in the industry (94 percent of workers in the UK and German sectors are men).
“Our first workforce study was conducted in 2004 to illuminate critical concerns within information and cyber-security that were struggling for attention. The 2015 report shows that many of these issues are finally getting much needed budget and priority. Unfortunately, we are now facing new challenges and our skills and staffing challenge is growing,” says Dr Adrian Davis, CISSP, managing director for EMEA at (ISC)².
Speaking to SCMagazineUK.com before the announcement, he said that budgets and concern over the economy were also prevalent factors, with good infosec pros often poached by bigger firms. “They've got a lot of experience and have worked with big companies, so they come with a price tag,” he said.
[This backs up earlier observations from Dr Christopher Richardson, head of the cyber-security unit at Bournemouth University, who recently said at an SC roundtable that his second- and third-year students were being employed before the end of their course.]
Davis says that the problem is at all levels, from STEM and universities to industry awareness, with some firms trying to alleviate the problem by outsourcing to cloud solutions and even consultancies for staff.
“A lot of people don't really know this profession exists,” said Davis, adding that kids under 16 “don't understand that there might actually be a job doing [cyber-security]”.
“There's an awareness problem on who we are, what we do and what we bring.” He added that 16-year-olds would have to wait five years to be ready for information security, at which point they might be “sick to death” of the sector. “It's going to take an awful long time to fill the pipeline.”
(ISC)² is working with universities, GCHQ, the Council of Professors and Heads of Computing and others on improving education, but Davis says that there are still ‘many’ university courses that do not make cyber-security a ‘fundamental component’ of the course. In computer science and IT-related courses, he says that cyber contributes “less than five percent.”
As a result, software developers are introducing security vulnerabilities into the code they write. “We haven't got to grips with how we write code. Time is the most important factor and most apps tend to be a case of permanent beta. There's no drive to drive good secure code, it's not seen as essential.”
He said the same old flaws continue to be exploited, some of them 20 years old, as evidenced by Verizon's recent DBIR report.
Dr Arosha Bandara, Senior Lecturer in Computing at the Open University, said in an email to SC: “We are still a long way off having enough of the right skills in industry to stay ahead of cyber-security threats.
“Aspiring cyber-security professionals need to quickly learn both technical skills and an understanding of the business and human environment in which these threats exist. Skills must include understanding how hackers think, being able to assess the risks and understand how staff will respond to new IT and security systems, not just implementing the latest technology. Right now, we simply don't have enough of these skills to defend ourselves.
“Curriculum changes may address this long term, but the only immediate solution is to provide the right training to equip people to meet today's threat sooner rather than later.”