Despite information security being a stable and growing profession with many career opportunities, the skills shortage is biting businesses hard.

According to the (ISC)² 2013 Global Information Security Workforce Study two-thirds of CISOs feel that they are short-staffed and this is leading to mistakes such as data breaches.

The survey of more than 12,000 information security professionals worldwide identified application security and mobile skills to be the most in demand, with 69 per cent reporting application vulnerabilities to be their top concern, while the rising popularity of 'bring your own device' (BYOD) policies require a multi-disciplinary approach.

More than three-quarters (78 per cent) said that BYOD technology is a significant security risk, and 74 per cent reported that new security skills are required to meet the BYOD challenge.

John Colley, managing director of (ISC)2 for EMEA, told SC Magazine that the demand for specialists in cloud and social networking are much the same year-on-year, as there is an acceptance that businesses need to address these, but he said that BYOD was much like social networking was a few years ago.

He said: “BYOD is drive-by multiple devices and the concept of if you don't get offered a device by your employer, you buy your own IT equipment. Security professionals are getting around it with encryption and mobile device management, while they have also developed policies on usability.”

Despite the challenges, the study said that information security professionals are enjoying stable employment, with over 80 per cent of respondents reporting no change in employer or employment in the last year, 58 per cent reported receiving a raise in the last year. The number of professionals is projected to grow steady by more than 11 per cent annually over the next five years.

Colley said: “We are getting a broader view of people and the state of the skills gap and on the people who are required and who is there now. Those who are hiring are finding the best people hard to find still and this is impacting on organisations and individuals. Interestingly, a third of our respondents this year to the study are not our members.

“This is not an easy problem to fix, as employers need new people but there is no pipeline at the bottom. Look at computer science degrees – they don't talk about security and people don't consider security to be a career direction.”

Colley said that there was a notable decline in the number of people in the under 29 age bracket, which had declined in previous studies from 17 per cent in 2009 to seven per cent in 2013, while the average age of respondents was over 40.

Michael Suby, Stratecast vice president of research at Frost & Sullivan and author of the report, said: “Security is an organisation-wide responsibility, with information security professionals serving as the beacon of knowledge and security stewardship. Information security professionals are constantly on the front lines, having to adapt to an ever-changing threat and IT landscape. They are also in a strategic position to educate business leaders as to why and how security is critical to all areas of the business.

“As the study reveals, the need for more skilled and qualified security professionals to deal with the onslaught of sophisticated cyber attacks that organisations are facing on a daily basis, is real and acute. If we continue to let this skills gap grow, the economy will undoubtedly suffer.”

W. Hord Tipton, executive director of (ISC)², said: “Now, more than ever before, we're seeing an economic ripple effect occurring across the globe as a result of the dire shortage of qualified information security professionals we've been experiencing in recent years.

“Underscored by the study findings, this shortage is causing a huge drag on organisations. More and more enterprises are being breached, businesses are not able to get things done, and customer data is being compromised. We must focus on building a skilled and qualified security workforce that is equipped to handle today's and tomorrow's most sophisticated cyber threats.”