Risk
2/25/2013 11:53 AM
IT Security Understaffing Worries CISOs

More than two-thirds of execs say current staffing levels pose risks to company safety, according to new study.

More than two-thirds of the world's chief information security officers (CISOs) and other C-level executives report that their current information security operations are understaffed, and that the shortfall is compromising their company's security.

That finding comes from a new study released Monday by the information security professional body (ISC)2, and is based on an online survey, conducted at the end of last year, of 12,000 information security personnel, 14% of whom are C-level managers or officers. The study was sponsored by (ISC)2 -- which counts nearly 90,000 members -- and Booz Allen Hamilton, and conducted by Frost & Sullivan.

Based on the survey, information security jobs are thriving and remaining relatively stable, with 80% of respondents reporting no change in their employment status or employer over the past year. Respondents with hiring power estimate that the number of available information security jobs will grow by 11% per year for at least the next five years.

[ Latest study echoes a Forrester survey from last summer. Read Security Skills Shortage, Or Training Failure? ]

Although 32% of organizations said they currently have the right headcount, and 2% said they have too many, 56% of respondents -- and two-thirds of C-level respondents -- said they currently have too few information security personnel. About 30% of respondents expect to increase their information security spending in the next year, but 12% expect it to decrease.

The top security threats seen by respondents are application vulnerabilities (69%), malware (67%), mobile devices (66%), internal employees (56%), hackers (56%), cloud-based services (49%), cyber terrorism (44%), contractors (43%), hacktivists (43%), trusted third parties (39%), organized crime (36%) and state-sponsored acts (36%).

Top worries about the organization itself are damage to reputation (83%), breach of laws and regulations (75%), service downtime (74%), customer privacy violations (71%), customer identity theft or fraud (66%) and theft of intellectual property (58%).

Comparing results from the previous survey in 2010 to these 2012 results, twice as many respondents now believe that their organization's security posture is worse than before. Hord Tipton, executive director of (ISC)2, said that decline stems in part from the increased complexity involved in securing cloud computing, managing bring-your-own device (BYOD) efforts and combating more advanced and automated attack tools. "We don't really hire additional people every year to do those things, so the workload stacks up for those folks, and when something breaks or gets out of control with your network, generally they're the ones who have to start answering questions first," said Tipton, speaking by phone.

Despite the increase in complexity, 28% of respondents did report "that they could remediate the damage from a targeted attack" within a day, according to the study. With such recently hacked businesses as Apple, Facebook, Microsoft and Twitter saying that they're still in the process of working with law enforcement agencies and investigating breaches, isn't that finding optimistic?

"It's a matter of containment: how quickly can you contain a particular breach or outbreak?" said Bruce Murphy, a principal at Deloitte & Touche who's on the (ISC)2 board of directors, speaking by phone.

"It comes down to how you define getting back to business. It can be something as serious as ... DDoS attacks on banks," said Tipton, who was formerly the CIO for the Department of the Interior. "To me, it's a matter of what you expose, to what degree you expose it, and did they get your good stuff or just make life inconvenient for you by messing up your website?"

What role does certification play in information security workers' ability to meet job requirements? That question is especially relevant for (ISC)2 members because the organization maintains multiple certifications, including the Certified Information Systems Security Professional (CISSP). According to the study, 46% of the survey respondents -- including 50% who are (ISC)2 members and 39% who are non-members -- reported that their organization requires certifications, most often (in 70% of cases) to demonstrate competency. Interestingly, 84% of government agencies and defense contractors require certifications, distantly followed by IT organizations (47%).

Bearing in mind that the study was partially funded by (ISC)2, respondents said that the certifications and affiliations that are of greatest importance to their career involve (ISC)2 (66%), the SANS Institute (32%), ISACA (31%), OWASP (18%), IEEE (16%) and the Cloud Security Alliance (13%).


Comments

J. Nicholas Hoover (User Rank: Apprentice), 2/28/2013 1:36:48 PM
re: IT Security Understaffing Worries CISOs
The problem I see is not necessarily the current headcount, but where the talent is going to come from to fill in that headcount. Cybersecurity may be a sexy field, but it's still not drawing enough students to fill the needs in government and private sector.