Information security professionals are overwhelmed by the rapid deployment of new technologies in the workplace, potentially putting government agencies, businesses and consumers at risk, reveals a new study released Friday.
According to the 2011 (ISC)2 Global Information Security Workforce Study (GISWS), IT security personnel are challenged by the proliferation of mobile devices as well as the rise of cloud computing and social networking. Many of the professionals admitted they needed more training to manage these technologies, yet reported that such tools were already deployed without security in mind.
Conducted by Frost & Sullivan in the second half of 2010, the study surveyed over 10,400 IT security professionals from the public and private sectors. U.S.-based respondents made up 61 percent of total respondents, while 22.5 percent were from Europe, Middle East and Africa. Respondents in Asia accounted for 16.5 percent of the sample pool.
Mobile "single most dangerous threat"
Organizations polled ranked mobile devices as the No. 2 security concern, after application vulnerabilities. At the same time, almost 70 percent of respondents said their companies had in place policies and technologies such as encryption and mobile VPN (virtual private network) to meet the security challenges posed by portable devices.
In the report, Frost & Sullivan said mobile security could be the "single most dangerous threat to organizations for the foreseeable future".
Security professionals, on the other hand, appeared more lax in their approach toward social media, treating it as a personal platform and doing little to manage it, reported the analyst firm. Less than half, or 44 percent, indicated their companies had policies in place to control access to social media sites.
Frost & Sullivan said it was "disappointed" that 28 percent of organizations globally had no restrictions on the use of social media.
Robert Ayoub, the research firm's global program director for information security and author of the report, said in a statement that the pressure to "secure too much" and a resulting skills gap increasingly put a strain on IT security professionals. This, in turn, creates risk for organizations across the world in the coming years.
"The good news from this study is that information security professionals finally have management support and are being relied upon and compensated for the security of the most mission-critical data and systems within an organization," Ayoub said. "The bad news is that they are being asked to do too much, with little time left to enhance their skills to meet the latest security threats and business demands."
He added: "Information security professionals are stretched thin, and like a series of small leaks in a dam, the current overstretched workforce may show signs of strain."
Manpower, skills key to risk management
The risks, according to Ayoub, can be mitigated by attracting quality talent to the field and investing in professional development for emerging skills.
The need for skills improvement was especially evident in the area of cloud computing--over 70 percent of survey respondents reported the need for new skills to properly secure cloud-based technologies.
However, nearly two-thirds of respondents in the (ISC)2 study indicated that they did not expect any budget increases this year for IT security personnel and training.
In terms of manpower growth, Frost & Sullivan estimates there are 2.28 million information security professionals globally as of 2010, of whom around 750,000 are based in the Asia-Pacific region. The analyst firm expects the region's demand for security professionals to increase at a compound annual growth rate of 11.9 percent to over 1.3 million by 2015.
Ayoub noted: "As the study finds, these solutions are underway but the question remains whether enough new professionals and training will come soon enough to keep global critical infrastructures in the private and public sectors protected."