Are we approaching a skills gap? If so, what skills are we talking about? by John Colley ((ISC)²)
Seminar "Are we approaching a skills gap? If so, what skills are we talking about?" by John Colley ((ISC)²) during Infosecurity.be 2011
Presentation Transcript

  • Skills Gap? What Skills are we Talking about Anyway? John Colley, managing director, EMEA, www.isc2.org © Copyright 1989 – 2011, (ISC)2 All Rights Reserved
  • Some key questions
    • How big is the information security profession?
    • How are salaries in the current economic climate?
    • How experienced is the workforce?
    • Who do they report to?
    • How do they occupy their time?
    • What are the major concerns?
    • What skills are required?
    • How do we go about getting them?
  • Some background
  • Who is (ISC)2
    • Established in 1989 – non-profit consortium of information security industry leaders
    • Supports security professionals throughout their careers
    • Offered the first information technology-related credentials to be accredited to ANSI/ISO/IEC Standard 17024
    • Global standard for information security – (ISC)² CBK®, a compendium of information security topics
    • Board of Directors – top information security leaders worldwide
    • Over 74,000 certified professionals in over 135 countries
    • Body of research: Global Information Security Workforce Study; Career Impact Studies; subject polls; joint projects with ISF and PwC
  • Membership Honor Roll
    • 1000+: Canada, United Kingdom, South Korea, Australia, Hong Kong, India, Japan, Netherlands, Singapore, United States
    • 500+: Germany, France, Switzerland, China, Spain, Sweden, South Africa, Belgium, Finland, United Arab Emirates, Brazil
    • 200+: Denmark, Mexico, Taiwan, Italy, Malaysia, Ireland, Poland, Saudi Arabia, Israel, New Zealand, Russia, Norway
    • 100+: Thailand, Nigeria, Austria
  • John Colley. John Colley, CISSP, is the Managing Director for EMEA and Co-Chair of the European Advisory Board for (ISC)2, a non-profit professional consortium which represents over 74,000 members worldwide. He served on the (ISC)2 Board of Directors for eight years, including two as chairman. John has over fifteen years' experience in information security. He has formerly held posts as Head of Risk Services at Barclays Group, Group Head of Information Security at the Royal Bank of Scotland Group, Director of Information Security at Atomic Tangerine and Head of Information Security at ICL. John has also worked as an independent consultant providing value-added advice and guidance to blue-chip organisations. He has had a number of articles published in the IT and security press.
  • Research source
    • (ISC)2 Global Information Security Workforce Study
      – Four previous studies: 2004, 2005, 2006, 2008
    • 2011 study conducted by Frost & Sullivan
    • Largest study ever undertaken
      – Responses from 10,413 information security professionals
      – 72% of respondents are (ISC)2 members
    • https://www.isc2.org/gisws2011/default.aspx
  • The good, the bad, the ugly
  • The good
  • Key findings – size of profession
    • Strong growth
      – Number of professionals worldwide: 2.28 million
      – Projected compound annual growth rate of 13.2%
      – 4.24 million by 2015
    • 2008 survey
      – 1.66 million in 2007
      – Projected compound annual growth rate of 10%
  • Key findings – economics
    • 60% of respondents received a salary increase in 2010
    • Overall salaries have increased over the previous survey
    • Spend on personnel has remained steady
    • Average annual salary (2010 vs 2007):
      – (ISC)2 member: $98,600 vs $94,500
      – Non-member: $78,500 vs $73,856
  • Key findings – experience
    • Average years of experience has increased
      – But not in line with the length of time between surveys
    • Average years of experience (2010 vs 2007):
      – Americas: 10 vs 9.5
      – EMEA: 10 vs 8.3
      – APAC: 9 vs 7.1
  • The bad
  • Key findings
    • Application vulnerabilities represent the key threat to organisations
      – Rated top concern by 73% of respondents
    • Mobile devices
      – Second highest concern
    • Social media threats
      – Lack of readiness
    • Cloud computing
      – 40% using Software as a Service
      – 70% reported the need for new skills to secure cloud technologies
  • Top security threat concerns (percentage of respondents)
    • Application vulnerabilities: 73%
    • Mobile devices: 66%
    • Virus and worm attacks: 65%
    • Internal employees: 63%
    • Hackers: 55%
    • Contractors: 45%
    • Cyber terrorism: 44%
    • Cloud-based services: 43%
    • Organised crime: 38%
  • Application security – involvement
    • My organisation doesn't do software development: 15%
    • I'm personally involved in software development: 22%
    • I'm not personally involved in software development: 62%
  • Application security – concerns by development phase (percentage of respondents)
    • Design: 81%
    • Specifying requirements: 75%
    • Testing, debugging or validation: 71%
    • Construction (implementation or coding): 70%
    • Integration: 65%
    • Installation: 55%
    • Maintenance: 55%
  • Mobile devices – percentage of workforce with mobile devices
    • None to 25%: 31%
    • 26% to 50%: 23%
    • 51% to 75%: 14%
    • 76% to 99%: 19%
    • 100%: 11%
  • Mobile devices – risk from mobile devices
    • Very significant: 28%
    • Somewhat significant: 40%
    • Neither significant nor insignificant: 15%
    • Somewhat insignificant: 10%
    • Not significant at all: 8%
  • Mobile devices – formal policy for mobile devices
    • Have: 69%
    • Do not: 31%
  • Mobile devices – security products in place
    • Encryption: 71%
    • Network Access Control: 59%
    • Mobile VPN: 52%
    • Device management: 43%
    • Remote lock and wipe: 42%
    • Anti-malware: 28%
    • DRM: 11%
  • Cloud computing – are new skills required for cloud computing?
    • Yes: 74%
    • No: 26%
  • Cloud computing – specific skills?
    • Detailed understanding: 92%
    • Technical knowledge: 82%
    • Contract negotiation: 49%
  • Social media – sites allowed access to within organisations
    • LinkedIn: 63%
    • Blogs: 53%
    • Facebook: 51%
    • YouTube: 47%
    • Twitter: 44%
    • Intersec: 28%
    • Xing: 22%
    • None of these: 26%
  • Social media – control methods
    • Content filtering: 60%
    • Policy enforcement: 44%
    • No restrictions: 28%
  • Importance of social media tools
    • Very important: 14%
    • Somewhat important: 32%
    • Neither important nor unimportant: 27%
    • Somewhat unimportant: 10%
    • Not important at all: 17%
  • The ugly
  • Key findings
    • A clear skills gap exists
    • Deployment of new technologies
    • Demand for security education on those technologies
  • Where have we come from?
  • Where have we come from? IT Security → Information Security → Information Risk Management
  • Reporting lines
    • IT department: 28%
    • Executive management: 25%
    • Information assurance: 19%
    • Operations/administration: 7%
    • Board of directors: 4%
    • Risk management: 4%
    • Governance/compliance: 3%
    • Internal audit: 2%
    • Finance: 1%
    • Sales/marketing: 1%
  • What have we been doing?
    • More management focused
    • More business focused
    • Technical role
    • Grab some of the IT turf: systems admin, firewall, PKI, anti-virus
  • Most time consuming activities
    • Researching new technologies: 49%
    • Internal/political issues: 46%
    • Meeting regulatory compliance: 45%
    • Developing internal security policies, standards and procedures: 39%
    • Auditing IT security compliance: 39%
    • Implementing new technologies: 39%
    • Providing advice on security to customers: 37%
    • Selling security to upper management: 36%
    • Certifying/accrediting (of information systems): 35%
    • Inter-departmental activities/cooperation: 33%
  • Most time consuming activities – business related (same figures as the previous slide)
  • Business demands
    • Cloud
      – The financial imperative
      – The immediacy and flexibility
    • Mobility
      – Great expectations
    • Agile development
      – Applications on demand from the global development shop
    Base: all member respondents (n=7547).
  • The user's influence
    • Consumers bring IT to the organisation
    • Legitimate social networking for business
    • Cloud trials
    Base: all member respondents (n=7547).
  • What skills should we be assessing and developing?
  • Training needs
    • Information risk management: 47%
    • Application and systems development security: 41%
    • Forensics: 39%
    • End-user security awareness: 39%
    • Security architecture and models: 38%
    • Access control systems and methodology: 38%
    • Security management practices: 41%
    • Business continuity and disaster recovery planning: 47%
  • Expert commentary
  • What does all this mean?
    • We need to get to grips with application and software development security
    • We need to get to grips with security surrounding new technologies
      – Currently: cloud computing, social networking, mobile devices
      – Future: who knows? Could be location-based services
    • We need to respond to changes outside of our bubble
      – Changes to how the business is doing business
      – Changes to how users are using technology
      – Changes to IT itself
    • We need to get to grips with user education and awareness
      – Fourth ranked overall
      – Second most important in EMEA
  • And finally
  • We need to get out of our Catch-22
    • One cannot get a job in information security without prior experience, but one cannot get experience without getting a job in information security
  • Wake up and get real
  • John Colley, Managing Director, (ISC)2 EMEA. Questions?