April 21, 2015 by Canadian Underwriter
Two-thirds of surveyed information security professionals report being concerned about the piling-up of multiple security technologies – often referred to as sprawl – but cite outsourcing as one method being used to combat the issue, according to the results of (ISC)2’s latest Global Information Security Workforce Survey (GISWS).
The GISWS – a web-based survey conducted last October through December, involving almost 14,000 information security professionals worldwide – was carried out by Frost & Sullivan and released last week in partnership with Booz Allen Hamilton, Cyber 360 Solutions and NRI Secure Technologies.
The seventh edition of the survey emphasizes the need for company IT departments to work collaboratively with other business units. “Information security is an organization-wide responsibility that requires a holistic commitment, execution and sustainment strategy,” David Shearer, executive director of (ISC)2, says in a joint statement from (ISC)2, the largest not-for-profit membership body of certified information and software security professionals, Booz Allen Hamilton and Frost & Sullivan.
Information security departments are pursuing several strategies, and with greater budgetary freedom, a broad-based uptick in security spending is projected, notes the report detailing survey results.
But with increased expenditures on security tools and technologies, respondents also offer a caution. “The incremental addition of security technologies without corresponding reduction in existing security platforms, what we term ‘security technology sprawl,’ is weighing on the security team’s effectiveness and efficiency,” states the report.
Asked about their concern with sprawl, 42% of respondents noted they were somewhat concerned, 23% noted they were very concerned, 14% noted they were neither concerned nor unconcerned, 12% noted they were somewhat unconcerned or not concerned at all, and 9% noted they did not know.
The top reasons for sprawl include the following:
• security threats are evolving faster than vendors can evolve their existing products, 32%;
• the organization has undertaken mergers and acquisitions, 24%;
• there is decentralized purchasing of security technologies, 22%;
• the organization inherited the situation, 17%;
• the organization is following a best-of-breed approach, 17%; and
• vendors prefer to create standalone products rather than add new functionality to existing products, 16%.
Among the top implications of sprawl were challenges in training in-house security personnel to cover all of an organization’s technologies, cited by 64% of respondents, and reduced security efficacy, cited by 62% of respondents.
Increasing use of managed and professional security service providers to augment existing staff and address skill shortages is projected, as is increased use of security delivered as a cloud service. Shearer notes that higher cloud adoption rates and spending on security tools and technologies “are further increasing the need for IT and security departments to function collaboratively.”
The survey has repeatedly pointed to a workforce shortage, Shearer says, but adds that things have changed. “Now, we’re finding that the shortage is being compounded with issues that are becoming more prevalent, such as configuration mistakes and oversights that can be detrimental to the security posture of global business,” he says.
The report points out that remediation time following system or data compromises is also steadily getting longer. A chart shows that 20% of respondents for the 2015 survey cited a remediation time following a system or data compromise of within one day, compared to 28% in 2013 and 33% in 2011. In addition, 8% of respondents cited response in three or more weeks, compared to 7% in 2013 and 5% in 2011.
Notes the report, “The net result is that information security professionals are increasingly cornered into a reactionary role of identifying compromises, recovering from mistakes and addressing security incidents as they occur rather than proactively mitigating the contributing factors.”
Although some readiness improvements were reported in 2015, “more than half of the survey respondents believe that their organizations did not improve their positions against the security adversaries,” notes the report.
These are all concerns since threats are not going away. A chart showing what respondents selected as security issues of top or high concern includes application vulnerabilities, 72%; malware, 71%; configuration mistakes/oversights, 65%; mobile devices, 60%; hackers, 59%; faulty network/system configuration, 59%; internal employees, 54%; cloud-based services, 49%; cyber terrorism, 48%; and trusted third parties, 42%.
As for the Top 10 common threat techniques identified by respondents, these include the following:
• phishing (social engineering), 54%;
• scan network (malware), 36%;
• web application attacks (other than SQL injection, in which an attacker adds structured query language code), 35%;
• privilege abuse (insider misuse), 34%;
• denial of service and distributed denial of service, 33%;
• SQL injection (hacking), 31%;
• downloader (malware), 29%;
• command and control (malware), 27%;
• backdoor (malware), 26%; and
• spyware/key logger (malware), 25%.
The survey found that 62% of respondents stated their organizations have too few information security professionals compared to 56% in the 2013 survey. “An insufficient pool of suitable candidates is causing this shortfall,” notes the report, with Frost & Sullivan projecting that the shortfall in the global information security workforce will reach 1.5 million in five years.
“While the ceaseless advancement in variety and sophistication of cyber threats and a broadening footprint that requires security oversight (e.g., mobile devices, cloud-based services and the Internet of Things) are contributors to rising workforce demand and a workforce with a broader range of qualifications, other contributors are self-inflicted due to decisions organizations make on security priorities,” the report states.
Angela Messer, the executive vice president leading Booz Allen’s predictive intelligence business in its Strategic Innovation Group, notes in the joint statement that the Internet of Things brings great opportunity and connectivity, but also new threats. “As organizations shift their focus from defending within firewalls to defending entire cyber ecosystems, cyber security professionals will face unprecedented demands. To address this, senior leaders need to invest in a cyber talent management strategy that spans recruiting to career development and succession planning,” Messer emphasizes.
Other key findings from the study include the following:
• the information security workforce shortage is widening because business conditions cannot support additional personnel and qualified professionals are lacking;
• training and education are needed most in cloud computing, BYOD and incident response; and
• a lack of in-house skills is the top reason for outsourcing.
Notes the report: “In the final assessment, the strategies of investing in security technologies, personnel and outsourcing will be insufficient to materially reduce the workforce shortage. An expansion of security awareness and accountability throughout the organization is required.”