Business is suffering from a global shortage of information security professionals, according to (ISC)2 the not-for-profit organisation that represents the group.
Its sixth Global Information Security Workforce Study has shown that the shortage is due to a combination of business conditions, executives not fully understanding the need for security, and an inability to locate qualified information security professionals.
A survey of more than 12,000 information security professionals has shown that hactivism (43%), cyber-terrorism (44%), and hacking (56%) are among the top concerns identified by respondents, yet more than half – 56 % – feel their security organisations are short-staffed.
A significant number of organisations (15%) are not able to put a timeframe on their ability to recover from an attack, even though service downtime is one of the highest priorities for nearly three-quarters of respondents.
The survey also reveals a major shortage of software development professionals trained in security, and that application security vulnerabilities still rank highest among security concerns – a trend identified in the 2011 GISWS.
Threats from malware and mobile devices are also at the top of the list, and cloud security, bring your own device (BYOD), and social networking are reported as major concerns in terms of newer security threats.
John Colley, Managing Director EMEA of (ISC)2, says: "This survey shows that we need to rethink our approach to the skills challenge. We need to look at the problem from the top down, not the bottom up, starting with end users (including the general public), moving on to application and systems development security, as well as tackling the more traditional areas of securing the infrastructure.
"Without doing this, we will never solve the threats presented by mobile devices, cloud security and BYOD.
"It is disturbing to see that application vulnerability is the top concern, while only 12% of information security professionals are involved in it. We need to take a holistic view of the challenge, adopting a cooperative and concerted effort across academia, government and the information security profession to curtail the problem."
