IT Security Understaffing Worries CISOs

More than two-thirds of the world's chief information security officers (CISOs) and other c-level executives report that their current information security operations are understaffed, and that it's compromising their company's security.

That finding comes from a new study released Monday by information security professional body (ISC)2, and is based on an online survey of 12,000 information security personnel, 14% of whom are C-level managers or officers, at the end of last year. The study was sponsored by (ISC)2 -- which counts nearly 90,000 members -- and Booz Allen Hamilton, and conducted by Frost & Sullivan.

Based on the survey, information security jobs are thriving and remaining relatively stable, with 80% of respondents reporting no change in their employment status or employer over the past year. Respondents with hiring power estimate that the number of available information security jobs will grow by 11% per year for at least the next five years.

[ Latest study echoes a Forrester survey from last summer. Read Security Skills Shortage, Or Training Failure? ]

Although 32% of organizations said they currently have the right headcount, and 2% said they have too many, 56% of respondents -- and two-thirds of C-level respondents -- said they currently have too few information security personnel. About 30% of respondents expect to increase their information security spending in the next year, but 12% expect it to decrease.

The top security threats seen by respondents are application vulnerabilities (69%), malware (67%), mobile devices (66%), internal employees (56%), hackers (56%), cloud-based services (49%), cyber terrorism (44%), contractors (43%), hacktivists (43%), trusted third parties (39%), organized crime (36%) and state-sponsored acts (36%).

Top worries about the organization itself are damage to reputation (83%), breach of laws and regulations (75%), service downtime (74%), customer privacy violations (71%), customer identity theft or fraud (66%) and theft of intellectual property (58%).

Comparing results from the previous survey in 2010 to these 2012 results, twice as many respondents now believe that their organization's security posture is worse than before. Hord Tipton, executive director of (ISC)2, said that decline stems in part from the increased complexity involved in securing cloud computing, managing bring-your-own device (BYOD) efforts and combating more advanced and automated attack tools. "We don't really hire additional people every year to do those things, so the workload stacks up for those folks, and when something breaks or gets out of control with your network, generally they're the ones who have to start answering questions first," said Tipton, speaking by phone.

Despite the increase in complexity, 28% of respondents did report "that they could remediate the damage from a targeted attack" within a day, according to the study. With such recently hacked businesses as Apple, Facebook, Microsoft and Twitter saying that they're still in the process of working with law enforcement agencies and investigating breaches, isn't that finding optimistic?

"It's a matter of containment: how quickly can you contain a particular breach or outbreak?" said Bruce Murphy, a principal at Deloitte & Touche who's on the (ISC)2 board of directors, speaking by phone.

"It comes down to how you define getting back to business. It can be something as serious as ... DDoS attacks on banks," said Tipton, who was formerly the CIO for the Department of the Interior. "To me, it's a matter of what you expose, to what degree you expose it, and did they get your good stuff or just make life inconvenient for you by messing up your website?"

What role does certification play in information security workers' ability to meet job requirements? That question is especially relevant for (ISC)2 members because the organization maintains multiple certifications, including the Certified Information Systems Security Professional (CISSP). According to the study, 46% of the survey respondents -- including 50% who are (ISC)2 members and 39% who are non-members -- reported that their organization requires certifications, most often (in 70% of cases) to demonstrate competency. Interestingly, 84% of government agencies and defense contractors require certifications, distantly followed by IT organizations (47%).

Bearing in mind that the study was partially funded by (ISC)2, respondents said that the certifications and affiliations that are of greatest importance to their career involve (ISC)2 (66%), the SANS Institute (32%), ISACA (31%), OWASP (18%), IEEE (16%) and the Cloud Security Alliance (13%).

Attend Interop Las Vegas, May 6-10, and attend the most thorough training on Apple Deployment at the NEW Mac & iOS IT Conference. Use Priority Code DIPR02 by March 2 to save up to $500 off the price of Conference Passes. Join us in Las Vegas for access to 125+ workshops and conference classes, 350+ exhibiting companies, and the latest technology. Register for Interop today!