What keeps security pros up at night? Software development – or at least the lack of security involved, according to a new study.
Respondents to the sixth Global Information Security Workforce Study, conducted by (ISC)², the non-profit organization that administers the Certified Information Systems Security Professional (CISSP) certification, ranked secure software development as their greatest worry.
That squares with the prediction of Avivah Litan, an analyst at Gartner Research, who expects that one in four DDoS attacks will be application-based, as my colleague Sue Marquette Poremba has written.
In the (ISC)² survey of more than 12,000 security pros worldwide, only 12 percent said they were personally involved in software development, 20 percent in procurement, and just 10 percent in outsourcing.
Meanwhile, just 28 percent said their organizations can remediate from a targeted attack within one day.
- 52 percent of respondents believe there is a workforce shortage, compared with 2 percent who believe there is a surplus.
- 80 percent of respondents did not change employers last year.
- Location matters. 79 percent of security pros in developed countries in the Americas average salaries of US$80,000 or more, whereas only 12 percent of respondents in Asia-Pacific developing countries do.
- They rated broad understanding of the security field as the most important factor to career success, followed by communication skills.
- Nearly 70 percent view certification as a reliable indicator of competency. (Critics of Defense Department cybersecurity training surely disagree.)
“Now, more than ever before, we’re seeing an economic ripple effect occurring across the globe as a result of the dire shortage of qualified information security professionals we’ve been experiencing in recent years,” said W. Hord Tipton, executive director of (ISC)², in a statement.
In apparent reference to recent reports of cyber attacks against private U.S. corporations, Tipton added:
“More and more enterprises are being breached. We must focus on building a skilled and qualified security workforce that is equipped to handle today’s and tomorrow’s most sophisticated cyber threats.”