The International Information Systems Security Certification Consortium, (ISC)2, has issued its joint study of the global supply of information security professionals versus demand, revealing a shortfall that it believes is enough to have a profound impact on the global economy.
The certification authority justifies such a bold and alarming conclusion by pointing to the prolific generation of new threats in the areas of hacktivism, cyber-terrorism and hacking, a proliferation that the skills currently available to the world's organisations cannot adequately tackle.
With more than half of the organisations surveyed stating that their IT security positions were understaffed, the general conclusion was one of vulnerability, with uncertainty over the timeframes required to recover from any potential attacks.
To make matters worse, the survey concludes that software developers receive insufficient security training, so the highest concerns are associated with the vulnerabilities of applications developed without adequate security protection designed into them.
Commenting on this, John Colley of (ISC)2 said that it was disturbing to see that application vulnerability is the top concern with only 12% of information security professionals being involved in it. John Colley recommends a holistic approach to the problem with a cooperative and concerted effort across academia, government and the information security profession to curtail the problem.
Victoria Baines of the EUROPOL European Cybercrime Centre said, "Information Security is increasingly embedded in business processes but preparedness for cyber-attacks requires persistent effort, constant vigilance and skills renewal. As we enter an age of BYOD, cloud computing and even greater technological convergence, the recognised Information Security trinity of People, Process and Technology will face new challenges".
Reacting to the survey, Ashish Patel of Stonesoft said, “If the back-door of application security is being left wide open, it doesn’t matter how much a company spends on its IT defences nor how many security professionals it employs. If the application code itself is insecure from the off-set, the entire business, its products and more essentially, its customers and their data are all vulnerable to malicious threats.
“IT security leaders need to make sure their teams are actively involved in the software development process – whether it’s done in-house, outsourced to a partner or procured from a third-party”, Ashish concluded.