ISC(2) is releasing its sixth Global Information Security Workforce Study (GISWS) today, providing insight into the current state of the IT security workforce.

The topline result from the study is that most IT security professionals believe their organizations are understaffed. Worse, the situation is stressing out and straining the IT security workforce.

Seventy-one percent of the current IT security workforce "is really feeling the strain," Hord Tipton, executive director of ISC(2), told eSecurityPlanet. "I fear it's placing many organizations in danger."


It's a fear backed up by survey data, with 52 percent of respondents noting that staffing shortages are having a direct impact on data breaches. Even C-level executives are aware of the issue. Nearly two-thirds of surveyed C-level execs admitted they have a security staff shortage.

There is also a disconnect between the involvement that security professionals have with enterprises and the types of security risks to which they are being exposed. According to the report, application vulnerabilities are a top security concern for 69 percent of respondents. Despite that concern, though, nearly 50 percent of security pros said they are not part of the software development process.

Perhaps even more confusing is the apparent lack of clarity within enterprises about the root cause of breaches. The study found that in 40 percent of breaches, organizations were unsure if insecure software was to blame.

IT Security Salaries and Certification

While there is a shortage of IT security pros, it's not due to insufficient compensation. Over half (58 percent) of respondents said they got a raise last year.

A key requirement for getting into the IT security business is certification. Among those hiring IT security professionals, 46 percent said they require certification. That result should not be surprising, as ISC(2) runs one of the most popular certification programs with the CISSP (Certified Information Systems Security Professional) designation. ISC(2) has long preached the benefits of IT security certifications, though it has also candidly noted that certs are not a security silver bullet.

Tipton believes at least 50 percent of IT organizations will begin requiring security staff to obtain certifications.

"There just doesn't seem to be as much progress as I would have liked," he said. "On the positive side, more C-level people recognize security is vitally important and even though times are tough, we'll see sustained support for the security workforce and security products."

IT security has recently been in the U.S. national spotlight, with President Obama calling for a cybersecurity framework. Tipton doesn't expect the order to have a significant impact on the IT security industry this year.

"Certainly it is encouraging," he said. "But a U.S. government interest in cybersecurity was there last year, too."

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network. Follow him on Twitter @TechJournalist.