IT Security Understaffing Worries CISOs

Published: 22/11/2024 | Category: security



More than two-thirds of execs say current staffing levels pose risks to company safety, according to new study.



More than two-thirds of the world's chief information security officers (CISOs) and other C-level executives report that their current information security operations are understaffed, and that it's compromising their company's security.
That finding comes from a new study released Monday by information security professional body (ISC)2, and is based on an online survey of 12,000 information security personnel, 14% of whom are C-level managers or officers, at the end of last year. The study was sponsored by (ISC)2 -- which counts nearly 90,000 members -- and Booz Allen Hamilton, and conducted by Frost & Sullivan.
Based on the survey, information security jobs are thriving and remaining relatively stable, with 80% of respondents reporting no change in their employment status or employer over the past year. Respondents with hiring power estimate that the number of available information security jobs will grow by 11% per year for at least the next five years.
[ Latest study echoes a Forrester survey from last summer. Read "Security Skills Shortage, Or Training Failure?" ]
Although 32% of organizations said they currently have the right headcount, and 2% said they have too many, 56% of respondents -- and two-thirds of C-level respondents -- said they currently have too few information security personnel. About 30% of respondents expect to increase their information security spending in the next year, but 12% expect it to decrease.
The top security threats seen by respondents are application vulnerabilities (69%), malware (67%), mobile devices (66%), internal employees (56%), hackers (56%), cloud-based services (49%), cyber terrorism (44%), contractors (43%), hacktivists (43%), trusted third parties (39%), organized crime (36%) and state-sponsored acts (36%).
Top worries about the organization itself are damage to reputation (83%), breach of laws and regulations (75%), service downtime (74%), customer privacy violations (71%), customer identity theft or fraud (66%) and theft of intellectual property (58%).
Comparing results from the previous survey in 2010 to these 2012 results, twice as many respondents now believe that their organization's security posture is worse than before. Hord Tipton, executive director of (ISC)2, said that decline stems in part from the increased complexity involved in securing cloud computing, managing bring-your-own-device (BYOD) efforts and combating more advanced and automated attack tools. "We don't really hire additional people every year to do those things, so the workload stacks up for those folks, and when something breaks or gets out of control with your network, generally they're the ones who have to start answering questions first," said Tipton, speaking by phone.
Despite the increase in complexity, 28% of respondents did report that they could remediate the damage from a targeted attack within a day, according to the study. With such recently hacked businesses as Apple, Facebook, Microsoft and Twitter saying that they're still in the process of working with law enforcement agencies and investigating breaches, isn't that finding optimistic?
"It's a matter of containment: how quickly can you contain a particular breach or outbreak?" said Bruce Murphy, a principal at Deloitte & Touche who's on the (ISC)2 board of directors, speaking by phone.
"It comes down to how you define getting back to business. It can be something as serious as ... DDoS attacks on banks," said Tipton, who was formerly the CIO for the Department of the Interior. "To me, it's a matter of what you expose, to what degree you expose it, and did they get your good stuff or just make life inconvenient for you by messing up your website?"
What role does certification play in information security workers' ability to meet job requirements? That question is especially relevant for (ISC)2 members because the organization maintains multiple certifications, including the Certified Information Systems Security Professional (CISSP). According to the study, 46% of the survey respondents -- including 50% who are (ISC)2 members and 39% who are non-members -- reported that their organization requires certifications, most often (in 70% of cases) to demonstrate competency. Interestingly, 84% of government agencies and defense contractors require certifications, distantly followed by IT organizations (47%).
Bearing in mind that the study was partially funded by (ISC)2, respondents said that the certifications and affiliations that are of greatest importance to their career involve (ISC)2 (66%), the SANS Institute (32%), ISACA (31%), OWASP (18%), IEEE (16%) and the Cloud Security Alliance (13%).