Little Change in Security Workforce Challenges, Study Finds
Another big IT security firm finds a shortage of skilled infosec pros, again.
The search to find skilled IT security professionals has become a constant challenge. You can now add the 2015 (ISC)2 Workforce study to a growing pile of research that indicates that little has changed in the last year in the IT security staffing landscape.
David Shearer, CISSP, PMP, executive director, (ISC)2, told eSecurityPlanet that some of the trends his organization has seen from previous studies were found again in this year’s responses. The information security workforce shortage trend is widening due to an inability for business conditions to support additional personnel and a lack of qualified professionals, the study found.
Shearer noted that 45 percent of hiring managers are struggling to support additional hiring needs, which is creating a gap between forecasted need and forecasted growth. (ISC)2 predicts the gap will grow to a shortage of 1.5 million professionals in five years.
"The profession continues to age, with even fewer young entrants coming into the profession," Shearer said. "The average age is 42 years old. More than half of the workforce (61 percent) is 40 or older."
The new study once again identified communications skills as the most important attribute to infosec career success. From a job satisfaction perspective, information security professionals continue to be satisfied with their jobs and salaries continue to increase.
Security Staffing Strain
(ISC)2 also spotlighted some new and interesting trends in the 2015 report. For instance, application security scanning is only conducted post-production for the most part, Shearer said. Looking at remediation, the study found that the estimated time to remediate an attack following a system or data compromise is getting longer.
"The state of security readiness is declining due to workforce strain," Shearer said. "More than half of survey respondents believe that their organizations did not improve their security readiness, while response times are lengthening."
Two-thirds of respondents indicate that they are concerned about the addition of multiple security technologies, often referred to as sprawl, the study found.
From a tactics perspective, phishing is the top threat technique employed by hackers.
"Phishing is a social engineering tactic, which highlights the criticality of end-user awareness education," Shearer said. "The study found a declining focus on awareness education, which is particularly concerning with the rise of phishing attacks."
Shearer explained that phishing attacks can be very sophisticated and look like legitimate emails or links to an end-user, making them highly effective. Even an educated end-user can fall victim.
"Malicious actors often look for connections on social media sites and attempt to impersonate someone with whom you are connected," Shearer said. "Always question what you see and think before you click."
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.