Large gap exists between security focus, new tech

Survey reveals security professionals see higher risk from application vulnerabilities, malware, mobile devices and cloud, but do not prioritize manpower in tackling these threats within the enterprise.

Application vulnerabilities, malware and mobile devices rank the highest among security concerns.

Application vulnerabilities, malware and mobile devices rank the highest among organizations' security concerns, yet most do not prioritize tackling potential threats posed by these new technologies, finds a new survey.

Released Monday, the (ISC)² Global Information Security Workforce Study 2013 found that secure software development, more than any other discipline, had the largest gap between risk and response attention given by information security professions.

Application vulnerabilities, malware and mobile devices were ranked the top threat and vulnerability concerns at 69 percent, 67 percent and 66 percent, respectively, noted the report released by (ISC)² and U.S.-based consulting firm, Booz Allen Hamilton. The survey is conducted annually by (ISC)².

However, almost half of organizations surveyed were not involved in software development and did not regard security as among the most important factors when considering an outsourcing provider for software development.

Some 78 percent of respondents also said Bring Your Own Device (BYOD) posed a significant security risk, and 74 percent said new security skills were needed to meet the BYOD challenge. This indicated new skills, deeper knowledge, wide-ranging technologies, and a multi-disciplinary approach were necessary to manage the risks of deploying BYOD and new technologies.

Also, 49 percent viewed cloud-based services as a top or high security concern in 2012, compared to 43 percent in 2011's report. This was due to increased adoption of cloud-based services over the past year, combined with resilient security concerns --real and perceived--associated with cloud-based services.

The security management of these new technologies, however, ranked higher in the sectors of banking, finance and insurance, IT, retail and wholesale, and telecom and media. Due to the nature and operations of these vertical businesses, respondents viewed the threat from cybercriminals higher than the other verticals.

"[There is] need for highly skilled professionals to meet demands of the growing digital enterprise," William Stewart, senior vice president at Booz Allen Hamilton, said in a statement. "It takes a combination of people, process and technology to combat the evolving threat landscape, while [embracing] the opportunities that come with cloud computing, social media and BYOD."

The survey, conducted by Frost & Sullivan in the fourth quarter of 2012, gathered responses from 12,396 information security professionals globally through an online survey, of which 11 percent were from the Asia-Pacific region.

Larger salary gap between certified and non-certified in APAC
The study also found knowledge and certification of knowledge  weighed heavily in job placement and advancement within the IT security industry.

Nearly 70 percent viewed certification as a reliable indicator of competency when hiring. Almost half of hiring companies, at 46 percent, required certifications from the job candidate.

Some 60 percent also planned to acquire certifications in the next 12 months, while the CISSP (Certified Information Systems Security Professionals) remained the top certification in demand.

In Asia-Pacific, the average annual salary for certified professionals within the security industry was US$74,990, which was 56 percent higher than the US$48,011 non-certified professionals earned. This salary difference was higher than the global average of 33 percent, Clayton Jones, managing director of (ISC)² Asia-Pacific, told ZDNet Asia during a phone interview.

He explained that many universities in Asia-Pacific did not have formal or specialized degrees for cybersecurity, compared to other regions such as the United States, hence, resulting in the gap in salaries. "Moving forward, the salary difference between those with credentials and those without will continue to rise," Jones said.