Are we approaching a skills gap? If so, what skills are we talking about? by John Colley, (ISC)2

Seminar "Are we approaching a skills gap? If so, what skills are we talking about?" by John Colley ((ISC)2) during Infosecurity.be 2011
1. Skills Gap? What Skills are we Talking about Anyway?
John Colley, managing director, EMEA
www.isc2.org
© Copyright 1989 – 2011, (ISC)2 All Rights Reserved
2. Some key questions
• How big is the information security profession?
• How are salaries in the current economic climate?
• How experienced is the workforce?
• Who do they report to?
• How do they occupy their time?
• What are the major concerns?
• What skills are required?
• How do we go about getting them?
3. Some background
4. Who is (ISC)2
• Established in 1989 – non-profit consortium of information security industry leaders
• Supports security professionals throughout their careers
• Offered the first information technology-related credentials to be accredited to ANSI/ISO/IEC Standard 17024
• Global standard for information security – the (ISC)² CBK®, a compendium of information security topics
• Board of Directors – top information security leaders worldwide
• Over 74,000 certified professionals in over 135 countries
• Body of research: Global Information Security Workforce Study; Career Impact Studies; subject polls; joint projects with ISF and PwC
5. Membership Honor Roll
• 1000+: Canada, United Kingdom, South Korea, Australia, Hong Kong, India, Japan, Netherlands, Singapore, United States
• 500+: Germany, France, Switzerland, China, Spain, Sweden, South Africa, Belgium, Finland, United Arab Emirates, Brazil
• 200+: Denmark, Mexico, Taiwan, Italy, Malaysia, Ireland, Poland, Saudi Arabia, Israel, New Zealand, Russia, Norway
• 100+: Thailand, Nigeria, Austria
6. John Colley
John Colley, CISSP, is the Managing Director for EMEA and Co-Chair of the European Advisory Board for (ISC)2, a non-profit professional consortium which represents over 74,000 members worldwide. He served on the (ISC)2 Board of Directors for eight years, including two as chairman. John has over fifteen years' experience in information security. He has formerly held posts as Head of Risk Services at Barclays Group, Group Head of Information Security at the Royal Bank of Scotland Group, Director of Information Security at Atomic Tangerine and Head of Information Security at ICL. John has also worked as an independent consultant providing value-added advice and guidance to blue-chip organisations. He has had a number of articles published in the IT and security press.
7. Research source
• (ISC)2 Global Information Security Workforce Study
  - Four previous studies: 2004, 2005, 2006, 2008
• 2011 study conducted by Frost & Sullivan
• Largest study ever undertaken
  - Responses from 10,413 information security professionals
  - 72% of respondents are (ISC)2 members
• https://www.isc2.org/gisws2011/default.aspx
8. The good, the bad, the ugly
9. The good
10. Key findings – size of profession
• Strong growth
  - Number of professionals worldwide: 2.28 million
  - Projected compound annual growth rate of 13.2%
  - 4.24 million by 2015
• 2008 survey
  - 1.66 million in 2007
  - Projected compound annual growth rate of 10%
11. Key findings – economics
• 60% of respondents received a salary increase in 2010
• Overall salaries have increased over the previous survey
• Spend on personnel has remained steady
• Average annual salary (2010 vs 2007):
  - (ISC)2 member: $98,600 vs $94,500
  - Non-member: $78,500 vs $73,856
12. Key findings – experience
• Average years of experience has increased
  - But by less than the interval between the two surveys
• Average years of experience (2010 vs 2007):
  - Americas: 10 vs 9.5
  - EMEA: 10 vs 8.3
  - APAC: 9 vs 7.1
13. The bad
14. Key findings
• Application vulnerabilities represent the key threat to organisations
  - Rated top concern by 73% of respondents
• Mobile devices
  - Second highest concern
• Social media threats
  - Lack of readiness
• Cloud computing
  - 40% using Software as a Service
  - 70% reported the need for new skills to secure cloud technologies
15. Top security threat concerns
• Application vulnerabilities: 73%
• Mobile devices: 66%
• Virus and worm attacks: 65%
• Internal employees: 63%
• Hackers: 55%
• Contractors: 45%
• Cyber terrorism: 44%
• Cloud-based services: 43%
• Organised crime: 38%
16. Application security – involvement
• My organisation doesn't do software development: 15%
• I'm personally involved in software development: 22%
• I'm not personally involved in software development: 62%
17. Application security – concerns by development phase
• Design: 81%
• Specifying requirements: 75%
• Testing, debugging or validation: 71%
• Construction (implementation or coding): 70%
• Integration: 65%
• Installation: 55%
• Maintenance: 55%
18. Mobile devices
Percentage of workforce with mobile devices:
• None to 25%: 31%
• 26% to 50%: 23%
• 51% to 75%: 14%
• 76% to 99%: 19%
• 100%: 11%
Risk from mobile devices:
• Very significant: 28%
• Somewhat significant: 40%
• Neither significant nor insignificant: 15%
• Somewhat insignificant: 10%
• Not significant at all: 8%
19. Mobile devices – formal policy for mobile devices
• Have: 69%
• Do not: 31%
20. Mobile devices – security products in place
• Encryption: 71%
• Network Access Control: 59%
• Mobile device management: 52%
• VPN: 43%
• Remote lock and wipe: 42%
• Anti-malware: 28%
• DRM: 11%
21. Cloud computing – are new skills required for cloud computing?
• Yes: 74%
• No: 26%
22. Cloud computing – which specific skills?
• Detailed understanding: 92%
• Technical knowledge: 82%
• Contract negotiation: 49%
23. Social media – sites allowed access to within organisations
• LinkedIn: 63%
• Blogs: 53%
• Facebook: 51%
• YouTube: 47%
• Twitter: 44%
• Intersec: 28%
• Xing: 22%
• None of these: 26%
24. Social media – control methods
• Content filtering: 60%
• Policy enforcement: 44%
• No restrictions: 28%
25. Importance of social media tools
• Very important: 14%
• Somewhat important: 32%
• Neither important nor unimportant: 27%
• Somewhat unimportant: 10%
• Not important at all: 17%
26. The ugly
27. Key findings
• A clear skills gap exists
• Deployment of new technologies
• Demand for security education on those technologies
28. Where have we come from?
29. Where have we come from?
IT Security → Information Security → Information Risk Management
30. Reporting lines
• IT department: 28%
• Executive management: 25%
• Information assurance: 19%
• Operations/administration: 7%
• Board of directors: 4%
• Risk management: 4%
• Governance/compliance: 3%
• Internal audit: 2%
• Finance: 1%
• Sales/Marketing: 1%
31. What have we been doing?
• More management focused
• More business focused
• Technical role
• Grab some of the IT turf
32. What have we been doing?
• More management focused
• More business focused
• Technical role
• Grab some of the IT turf
• Systems Admin, Firewall, PKI, Anti-Virus
(Slides 33 to 35 repeat slide 32.)
36. Most time consuming activities
• Researching new technologies: 49%
• Internal/political issues: 46%
• Meeting regulatory compliance: 45%
• Developing internal security policies, standards and procedures: 39%
• Auditing IT security compliance: 39%
• Implementing new technologies: 39%
• Providing advice on security to customers: 37%
• Selling security to upper management: 36%
• Certifying/accrediting information systems: 35%
• Inter-departmental cooperation activities: 33%
37. Most time consuming activities – business related
(Same list as slide 36.)
38. Business demands
• Cloud
  - The financial imperative
  - The immediacy and flexibility
• Mobility
  - Great expectations
• Agile development
  - Applications on demand from the global development shop
Base: All member respondents (n=7547).
39. The User's Influence
• Consumers bring IT to the organisation
• Legitimate social networking for business
• Cloud trials
Base: All member respondents (n=7547).
40. What Skills Should we be Assessing and Developing?
41. Training needs
• Information risk management: 47%
• Application and systems development security: 41%
• Forensics: 39%
• End-user security awareness: 39%
• Security architecture and models: 38%
• Access control systems and methodology: 38%
• Security management practices: 41%
• Business continuity and disaster recovery planning: 47%
42. Expert commentary
43. What does all this mean?
• We need to get to grips with application and software development security
• We need to get to grips with security surrounding new technologies
  - Currently: cloud computing, social networking, mobile devices
  - Future: who knows? Could be location-based services
• We need to respond to changes outside of our bubble
  - Changes to how the business is doing business
  - Changes to how users are using technology
  - Changes to IT itself
• We need to get to grips with user education and awareness
  - Fourth ranked overall
  - Second most important in EMEA
44. And finally
45. We need to get out of our Catch-22
• One cannot get a job in information security without prior experience,
  - but one cannot get experience without getting a job in information security
46. Wake up and get real
47. John Colley, Managing Director, (ISC)2 EMEA
Questions?