Infosec pros feeling strain of increasingly complex threats
Information security professionals in organisations worldwide are struggling to deal with increasingly complex threats and understaffing and to avoid errors, while taking longer to recover from cyberattacks, according to a survey by the not-for-profit group ISC2.
The seventh Global Information Security Workforce Study (GISWS), conducted by Frost and Sullivan, has found that security is being threatened through understaffed teams dealing with the complexity of multiple security technologies.
Almost two thirds (62%) of respondents reported that their organisations have too few information security professionals, despite budgets allowing for more. This figure is up significantly from 56% in 2013. The study estimated that the global workforce shortage will widen to 1.5 million in five years. This comes against a backdrop in which the variety and sophistication of cyber-threats are expected to continue, with a broadening footprint of systems and devices requiring security oversight. Signs of strain, including configuration mistakes and oversights, were identified as a material concern, with recovery time following system or data compromises steadily increasing.
“Our first workforce study was conducted in 2004 to illuminate critical concerns within information and cybersecurity that were struggling for attention. The 2015 report shows that many of these issues are finally getting much needed budget and priority. Unfortunately, we are now facing new challenges and our skills and staffing challenge is growing,” says Dr Adrian Davis, CISSP, managing director, EMEA, (ISC)².
The report highlights that security spending is increasing across the board for technology, personnel and training. However, threat evolution is outpacing vendor developments, and the resulting complexity has led two-thirds of respondents to identify a new phenomenon known as “technology sprawl”, which is undermining effectiveness. Given this and other challenges faced by hiring managers, with nearly half (45%) struggling to support additional hiring needs, the use of outsourcing, managed and professional services, and cloud services is also increasing, says the survey report.
“In the final assessment, the strategies of investing in security technologies, personnel and outsourcing will be insufficient to turn the tide on the reactionary role that plagues the information security discipline,” said Mike Suby, report author and programme manager, Stratecast, which is part of Frost and Sullivan.
Among the other findings of note, only 20% of respondents said that remediation following a system or data compromise would occur within a day, a significant decrease from the 2011 results, where a third of respondents reported the same.
Application vulnerabilities and malware were identified as top security threats for the third year in a row, with most reporting that application security scanning is only conducted post-production.
Phishing was the top threat technique employed by hackers, yet the results showed a decline in importance of awareness training. This is contrasted by nearly half (45%) of respondents predicting spending increases for security technologies, the highest percentage reported since the study launched in 2004.
More than 70% of respondents identified network monitoring and intelligence, and improved intrusion detection as technologies that significantly improve security. More than half (58%) identified that they have implemented, are implementing or are evaluating advanced analytics for detection of malware.
A lack of in-house skills was the top reason for outsourcing, while a move to outsourcing and managed services was identified as a strategy for tackling technology sprawl by nearly one-third of respondents.