60% of security professionals say spend on information security is not keeping pace with growing risk
22 March 2016: The Institute of Information Security Professionals (IISP) has announced the findings from its 2016 member survey. With over 2,500 members working in security across a wide range of industries and roles, including a significant proportion at Senior/Lead/CISO level, the results of the IISP provide an accurate snapshot of the state of the UK cyber security landscape from those working on the frontline.
The survey reveals that for over two thirds of members, information security budgets have increased, while a further 15% said that they had stayed the same. These are encouraging figures but they have to be examined alongside increasing risk and the survey also found that 60% of respondents felt that budgets were still not keeping pace with the rise in the level of threats. Only 7% reported they were rising faster than the level of threat.
“In times of financial pressure or instability as we have seen in recent years, security is often seen as a supporting function or an overhead,” said Piers Wilson, Director at IISP. “Security budgets are hard won because they are about protection against future issues, so are a good indication of the state of risk awareness in the wider business community. While it is good news that businesses are increasing investment, it is clear that spending on security is still not at a level that matches the changing threat landscape.”
The survey also found that when it comes to recruitment, there is still a skills shortage but the problem doesn’t just lie in the number of people. Respondents point to a shortfall in the level of skills and experience, making staff training, development and retention crucial to the future of the industry.
The question: “As an industry are we getting better or worse at defending systems from attack and protecting data?” generated encouraging responses, with only 10% thinking that protection is declining. With growing recognition that despite every control and safeguard, a determined attacker will always be able to find a chink in the armour, the survey looked at incident response. Again, this was a fairly positive picture with an impressive 49% reporting improvement.
Overall, the results of the IISP Member survey show that there are growing challenges from more types of attack, more sources of threats, greater reliance on increasingly complex IT systems, shortage of effective security staff and a regulatory environment that is both fluid and challenging. However, the heightened awareness of security risks and the impacts of a breach are driving an increase in investment, skills, experience, education and professionalism.
“While there is clearly much more to be done, the results of the IISP Member survey are encouraging,” concludes Piers Wilson.
A copy of the IISP white paper on the results of the survey is available at: http://IISP.informz.net/IISP/data/images/WhitePaperWebsite.pdf
The Institute of Information Security Professionals (IISP) is a not-for-profit organisation, owned by its members and dedicated to raising the standard of professionalism in information security and the industry as a whole. The IISP does this through accrediting skills and competence, by sharing best practice and by providing a network of support and guidance on individual skill development. It speaks with an authoritative voice and its competency-based memberships are widely recognised in the information security industry.
Working closely with the Information Security community, the IISP has a growing membership of over 2,500 individual members across private and government sectors, thirty-nine Corporate Member Organisations and seventeen Academic Partners.
At the heart of the Institute is the IISP Skills Framework©2012 which is widely accepted as the de facto standard for measuring competency of Information Security Professionals. CESG has taken this framework to underpin a range of certification schemes including the Certified Professional Scheme (CCP), for which the IISP is the leading certifying body and to develop syllabuses for Masters Degrees. The skills framework is used extensively by our corporate members to benchmark and develop capability of their employees it has also been adopted by e-Skills UK to develop a National Occupational Standard for Information Security. The IISP also accredits training courses offered by commercial training providers against the Institute's Skills Framework. This enables attendees to build knowledge in areas of the skills framework where they might have gaps and to gain hands-on experience.
More information about the IISP and its work can be found at www.iisp.org.