Skills shortages still pose major risk to long-term information security capability
23 May 2018: The latest survey from the not-for-profit industry body, the Institute of Information Security Professionals (IISP), shows that over the last three years, the proportion of those feeling that organisations are getting worse at defending against major cyber security breaches has leapt from 9% to 18%. In contrast, the number of businesses that feel better prepared to respond to and deal with incidents rose from 47% to 66% over the same period.
“These results reflect the difficulty in defending against increasingly sophisticated attacks and the realisation that breaches are inevitable – it’s just a case of when and not if,” says Piers Wilson, Director at the IISP. “Security teams are now putting increasing focus on systems and processes to respond to problems when they arise as well as learning from the experiences of others.”
When it comes to investment, the survey suggests that for many organisations, the threats are outstripping budgets in terms of growth. The number of businesses reporting increased budgets dropped from 70% to 64% and businesses with falling budgets increased from 7% up to 12%. Economic pressures and uncertainty in the UK market are likely to be restraining factors, while the demands of the GDPR (General Data Protection Regulation) and other regulations such as PSD2 (Payment Services Directive) and NISD (Networks and Information Systems Directive) are undoubtedly putting more pressure on limited resources.
The IISP Survey report also once again reinforces the problem of skills shortages, with the proportion of respondents citing a dearth of skills as a challenge growing to 18% in this year’s results. While acting as a potential brake on capability, the skills shortage is also driving job prospects year-on-year, reflected in a growth of respondents in all the higher salary bands and in those reporting good job and career prospects.
“This year’s survey further highlights the continued need for industry, government, academia and professional bodies like the IISP to continue to work to resolve these shortages in skills across all levels and disciplines,” says Amanda Finch, General Manager at the IISP.
The rate of advancement in technology in the wider IT, systems and threat environment will also put more pressure on skills and resources. When asked about the impact and disruption caused by emerging technologies, respondents put the Internet of Things (IoT) and the rise of Artificial Intelligence (AI) at the top of the list.
“We have seen AI and machine learning used in defensive security systems for some time and this is now starting to become part of a wider automation approach,” says Wilson. “But like the IoT, AI can also be exploited by cyber criminals, so we need to have the people and technologies to respond and mitigate these emerging risks.”
The IISP has a growing and diverse membership representing over 8,000 individuals across private and government sectors, 41 Corporate Member organisations and 22 Academic Partners. As well as surveying its members, the IISP opened the survey up to non-member security professionals, representing a wide range of ages, experience and industry sectors. The survey was conducted in the second half of 2017/early 2018.
A copy of the IISP white paper on the results of the survey is available here https://drive.google.com/open?id=1CpmbsvNADZ04sBCXlzGRTkvT0c1-n-ib
About the IISP
The Institute of Information Security Professionals (IISP) is a not-for-profit organisation, owned by its members, dedicated to raising the standard of professionalism in information security and the industry as a whole. The IISP does this through accrediting skills and competence, by sharing best practice and by providing a network of support and guidance on individual skill development. It speaks with an authoritative voice and its competency-based memberships are widely recognised in the information security industry.
Working closely with the information security community, the IISP has a growing membership representing over 8,000 individuals across private and government sectors, 41 Corporate Member organisations and 22 Academic Partners.
At the heart of the Institute is the IISP Skills Framework ©2017, which is widely accepted as the de facto standard for measuring competency of information security professionals. The NCSC has taken this framework to underpin a range of certification schemes including the Certified Professional Scheme (CCP), for which the IISP is the leading certifying body, and to develop syllabuses for Masters Degrees. The skills framework is used extensively by our corporate members to benchmark and develop capability of their employees.
It has also been adopted by e-Skills UK to develop a National Occupational Standard for Information Security. The IISP also accredits training courses offered by commercial training providers against the Institute’s Skills Framework. This enables attendees to build knowledge in areas of the skills framework where they might have gaps and to gain hands-on experience.
The IISP Skills Framework is protected by the Creative Commons Non-Commercial - No Derivatives (BY-NC-ND) license.
2017 Copyright © The Institute of Information Security Professionals. All rights reserved. The Institute of Information Security Professionals®, IISP®, A.Inst.ISP™, M.Inst.ISP®, F.Inst.ISP™ and various IISP graphic logos are trademarks owned by The Institute of Information Security Professionals and may be used only with express permission of the Institute.
More information about the IISP and its work can be found at www.iisp.org