(ISC)2 says the IT security workforce is at a crisis point

The sixth biannual Global Information Security Workforce Study is out, and it says the workforce is under tremendous strain, but job (and pay) prospects for certified security professionals are good.

At the end of February, (ISC)2 in partnership with Booz Allen Hamilton and Frost & Sullivan released its 2013 Global Information Security Workforce Study. The report confirms a few things we already knew about the IT security profession: It offers good stable jobs at very good pay, and there are lots of openings for qualified candidates. In fact, the number of open jobs is reaching a crisis point, according to Julie Peeler, director of the (ISC)2 Foundation. Peeler says there will be a need for 300,000 more IT security workers in the next year and our industry isn't developing the people to fill those needs fast enough.

Founded in 1989, (ISC)2 is a not-for-profit global organization dedicated to providing education, certification, and peer-networking opportunities for information security professionals throughout their careers. Even if you aren't familiar with the organization, you have heard about its certifications:

  • CISSP - Certified Information Systems Security Professional
  • SSCP - Systems Security Certified Practitioner
  • CSSLP - Certified Secure Software Lifecycle Professional
  • CAP - Certified Authorization Professional

In particular, the CISSP is recognized around the world as the standard of achievement confirming an individual's knowledge in the field of information security.

The 2013 study is derived from the organization's sixth biannual survey that looks at the status of the global information security workforce. The Web-based survey was conducted in the last quarter of 2012 and the report includes input from more than 12,000 respondents from around the world.

The results show this workforce is under tremendous strain, primarily for the following three reasons:

  • IT security experts are facing an ever-increasing number of threats and risks to their organizations' well-being.
  • The experts are required to keep up with new technologies, each of which has a unique set of security challenges. Among the new technologies impacting business today are mobile computing (BYOD), cloud computing and social media in the enterprise.
  • Because of the critical shortage of qualified security professionals and budgets that are still constrained by the economy, people are tasked to do too much with too few resources.

Despite the pressures of the job, there is good news about the IT security workforce. Survey respondents say they don't feel like they are siloed into the IT department; that is, they understand that what they do pervades their entire organization. They see the big picture of how IT security provides value and sustains the well-being of the organization. At the same time, what they are not getting is full support from the C-suite and the board of directors. These latter two groups don't necessarily have the clearest understanding of how IT security pervades their organization, according to Peeler.

When asked what kind of skills they need to excel in their jobs, the first set the experts cited is technical skills, of course. They really need to know their stuff. The other thing that makes them successful is a broad set of management skills. They are improving their communication skills, their leadership skills, their business management skills, and their knowledge of legal and regulatory issues and data breach and privacy laws.

How important is certification to security professionals and their employers? This is a biased crowd, but 70% of the respondents say that a professional certification is a reliable indicator of IT security knowledge and competency.

Peeler says certification is becoming more important to hiring managers as the stakes for IT security are getting higher. She says high-level certifications like the CISSP are demanding. Besides the tests, candidates must have extensive hands-on experience in a number of disciplines and an endorsement from someone in the field. Even after attaining the certification, the professional must undergo continuing education in the security field. What employer would not appreciate this level of dedication in an employee?

Certification is required for many jobs, especially in government and critical infrastructure roles. The reward for certification is good pay (often $100,000 and above, annually) and good job security.

The job openings for IT security professionals aren't just at the top of the career ladder; plenty of lower level professionals are needed as well. Peeler says that less experienced people who aren't ready to prove their qualifications with CISSP certification can start with basic training and certifications from CompTIA and work their way up.

Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at LMusthaler@essential-iws.com.


About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.
