When is a security professional not a security professional? When they’re an analyst, a political scientist, a sociologist, an accountant, a communicator, and a risk manager. A subset of the 2013 (ISC)2 Global Information Security Workforce Study (GISWS) report, “Critical Times Demand Critical Skills: An analysis of the skills gap in information security”, was just launched to further analyze the skills gap by job title, region, skill sets, industry vertical, and company size to define the specific challenges that contribute to this gap.
In partnership with Booz Allen Hamilton and conducted by Frost & Sullivan, the 2013 (ISC)2 GISWS found a widening gap between the current pool of qualified information security workforce professionals and demand for skilled workers. The study of more than 12,000 information security professionals worldwide revealed that the global shortage of information security professionals is having a profound impact on the economy and is driven by a combination of business conditions, executives not fully understanding the need for security, and an inability to locate enough qualified information security professionals.
So what skills are needed? Naturally, technical skills come to mind; however, survey results revealed that a diverse skill set beyond mere technical skills is needed for one to be considered a successful information security professional. In fact, communication skills were found to be the most important factor contributing to success. Other non-technical skills, such as policy formulation and application as well as leadership, business management, and project management skills, were among the top ten most important factors.
The survey questionnaire used a list of 39 job categories based on a group of industry frameworks developed throughout the world. Respondents identified professionals in Security Analyst roles, who conduct the integration and testing, operation, and maintenance of systems security, as their top need in terms of shortages by job title. Also, three out of the top ten job titles in demand are in Security Engineering (planning/design, applications, platform), which highlights a growing understanding of the need to include security in the planning, design, and development of information security systems and processes in the development of new applications.
It came as no surprise that various industry verticals had varying demand for job titles. Forensic Analysts, Security Systems Administrators, Security Testers, Incident Handlers, and Security Engineers were a priority for government; Security Analysts were a priority for the banking, insurance, and healthcare industries; and Security Engineers and Security Architects were a priority for telecom and media companies.
With regard to regional differences, the Americas generally follow the pattern of the global results (with a few exceptions); Europe, the Middle East, and Africa indicate a greater need for additional security leadership from CSO/CISO/CAIO and Deputies; and Asia-Pacific varied greatly depending on the country, with Japan and South Korea diverging furthest from the global average responses.
Read the full report for more information and be on the lookout for the 2015 (ISC)2 Global Information Security Workforce Study survey in late 2014.