(ISC)2 2015 Global Workforce Study Results

(ISC)2 2015 Global Information Security
Workforce Study (GISWS) Results
U.S. Federal Government
Global Study Objectives & Project Background
Study Objectives
• To obtain feedback from (ISC)2 members regarding certification, training and
educational requirements for their organizations and for their own professional
development.
• To identify trends and issues related to information security from
both members and non-member security professionals.
• To understand potential gaps in organizational security.
• To forecast what positions will be most highly sought after in the
next 3 to 5 years.
Research Background
The information security profession continues to shift as a result of a
constantly changing regulatory environment and increasingly sophisticated,
newly emerging threats. (ISC)2 has committed itself to maintaining its
leadership role and to growing its membership base in key geographic regions
in which it is currently under-represented.
• Biennial study (conducted every two years)
• 7th GISWS; the first was released in 2004
• Conducted by Frost & Sullivan in partnership with Booz Allen Hamilton,
Cyber 360 Solutions and NRI Secure Technologies
• Likely the largest study of the information security profession ever
conducted, the GISWS comprises nearly 14,000 information security
professionals worldwide.
Research Background (continued)
• Of the nearly 14,000 respondents, 11,208 were (ISC)2 members and 2,722
were non-members.
• Conducted as an online survey distributed through the (ISC)2 membership
list.
• Email invitations to complete the survey were sent to (ISC)2 members
between October 2014 and January 2015.
Source: Frost & Sullivan
U.S. Federal Government Results
U.S. Federal Government Composition
Sample:
• U.S. Federal Government (military, armed forces, defense): 1,099
• U.S. Federal Government (excluding military, armed forces, defense): 727
• Total U.S. Federal Government: 1,826
Profile—U.S. Federal Government
• Gender composition of workforce: 86% male and 14% female
• Education: 41% hold a degree and a further 47% hold an advanced degree
• Average salary: $112,000
• Average years of experience: 15
• Reporting structure (top 3): 24% report to the Security Department, 24% to
Executive Management, and 18% to the IT Department
Assessment of U.S. Government Information Security: Better or Worse?
U.S. Government Information Security Assessment (2015 vs. 2013)
• Better off: 47% (2015), 52% (2013)
• About the same: 27% (2015), 28% (2013)
• Worse off: 17% (2015), 12% (2013), a 5-point increase since 2013
• Don't know: 9% (2015), 8% (2013)
Base: Filtered respondents (n=975).
QG5a. Overall, is the government's information security better or worse off than a year ago?
Reasons for Improved U.S. Government Security (2015 vs. 2013)
• Improved security awareness: 76% (2015), 79% (2013)
• Improved understanding of risk management: 58% (2015), 56% (2013)
• Improving ability to keep pace with threats: 51% (2015), 53% (2013)
• Effective security guidance or standards: 45% (2015), 44% (2013)
• Better or more qualified professionals available: 38% (2015), 48% (2013)
• Adequate funding for security initiatives: 25% (2015), 27% (2013)
Base: Filtered respondents (n=441 in 2015) / (n=725 in 2013)
QG5b. Why do you say that government security is better off than a year ago?
Reasons for Reduced U.S. Government Security
• Inability to keep pace with threats: 80%
• Poor understanding of risk management within government: 73%
• Inadequate funding for security initiatives: 71%
• Not enough qualified professionals available: 70%
• Security awareness is still too low: 60%
• Ineffective security guidance or standards: 49%
Base: Filtered respondents (n=174).
QG5c. Why do you say that government security is worse off than a year ago?
Impact of Information Security Metrics, Tools and Technologies
Useful IT Security Metric Tools
• Continuous monitoring reports: 67%
• Annual FISMA reports and quarterly POA&M (plan of action and milestones) reports: 45%
• Statistics of viruses prevented, intrusions blocked, etc.: 38%
• Color-coded dashboard techniques: 35%
• CyberScope: 16%
Base: Filtered respondents (n=974).
QG8. Which of the following IT security metric tools do you find useful? Select all that apply.
Technologies Improving Security Activities in U.S. Government
• Network monitoring and intelligence: 79%
• Improved intrusion detection and prevention technologies: 75%
• Policy management and audit tools: 57%
• Automated identity management software: 44%
• Web security applications: 40%
Base: Filtered respondents (n=1,059).
Q33b. What security technologies do you believe will provide significant improvements to the security of your organization? Select as many as you feel apply.
Effectiveness of U.S. Government Initiatives
(Extremely Effective and Effective; 2015 vs. 2013)
• NIST SP 800-37: 72% (2015), 63% (2013)
• NIST SP 800-53: 68% (2015), 57% (2013)
• FISMA: 60% (2015), 50% (2013)
• FIPS 199: 53% (2015), 45% (2013)
• SCAP: 41% (2015), 38% (2013)
• FedRAMP Baseline Security Controls: 34% (2015), 27% (2013)
• CyberStat Review: 13% (2015), 19% (2013)
Base: Filtered respondents (n=1,058) / (n=1,611).
Q33f. Please rate the effectiveness of each of the following government initiatives in providing security guidance and standards.
Implementation of NIST Cybersecurity Framework
Implementation of the NIST CSF across the U.S., excluding the Federal Government
• Yes: 45%
• No: 39%
• Don't know: 15%
Base: Filtered respondents (n=2,983). Note: this base represents all U.S. respondents who do NOT work for the Federal government.
Q33h. In 2014, the United States government released the Framework for Improving Critical Infrastructure Cybersecurity. Has your company adopted any of the measures outlined in this framework?
Attitudes Toward Mandated Security Requirements
Attitudes toward specific, mandatory security requirements in major IT procurements: 81% agree (completely or somewhat) that there should be security requirements for every major IT procurement.
• Agree completely: 50%
• Agree somewhat: 31%
• Neither agree nor disagree: 12%
• Disagree somewhat: 3%
• Disagree completely: 3%
Base: Filtered sample (n=975)
QG7. How much do you agree that the government should include specific, mandatory security requirements in every major IT procurement?
Threat Response
U.S. Government Threat Response
Predicted time to remediate the damage from a targeted attack (U.S. Government vs. U.S. private industry):
• Within one day: 46% (government), 18% (private industry)
• Two to seven days: 17% (government), 43% (private industry)
• Eight to twenty days: 12% (government), 4% (private industry)
• Three to five weeks: 5% (government), 13% (private industry)
• Six weeks or more: 4% (government), 5% (private industry)
21% of government respondents say threat remediation would take a week or more (eight days or longer).
Base: Filtered sample (n=1,059)
Q33a. If your organization's systems or data were compromised by a targeted attack, how quickly do you predict it would take to remediate the damage?
U.S. Government Top Security Threats
Security Threats (Very/Somewhat Concerned)
• Application vulnerabilities: 72%
• Malware: 71%
• Configuration mistakes/oversights: 65%
• Mobile devices: 60%
• Faulty network/system configuration: 59%
• Hackers: 59%
• Internal employees: 54%
• Cloud-based services: 49%
• Cyber terrorism: 48%
• Trusted third parties: 42%
• Corporate espionage: 42%
• State sponsored acts: 41%
• Contractors: 41%
• Hacktivists: 40%
• Organized crime: 38%
Base: Filtered respondents (n=1,059).
Q30. Thinking about your own organization, please rate the following potential security threats on the degree of concern you have for each. - Top two box scores
Workforce & Funding
Number of Security Workers in U.S. Government (2015 vs. 2013)
• Too few: 60% (2015), 58% (2013)
• The right number: 30% (2015), 24% (2013)
• Too many: 3% (2015), 2% (2013)
Base: Filtered respondents (n=1,059) / (n=1,821)
Q28a. Would you say that your organization currently has the right number of information security workers, too few, or too many?
Impact of Worker Shortage in U.S. Government
(Very Great/Great Impact)
• On the existing information security workforce: 74%
• On the organization as a whole: 62%
• On customers: 56%
• On security breaches: 48%
Base: Filtered respondents (n=632).
Q28e. What is the impact of your organization's shortage of information security workers on each of the following? - Top two box scores
Reasons for Worker Shortage in U.S. Government (2015 vs. 2013)
• It is difficult to find the qualified personnel we require: 58% (2015), 48% (2013)
• Business conditions can't support additional personnel at this time: 46% (2015), 43% (2013)
• Leadership in our organization has insufficient understanding of the requirement for information security: 40% (2015), 39% (2013)
• It is difficult to retain security workers: 36% (2015; no 2013 value shown)
• There is no clear career path for information security workers: 31% (2015; no 2013 value shown)
Base: Filtered respondents (n=632) / (n=1,049)
Q28d. What are the reasons that your organization has too few information security workers? Select as many as apply.
Average Salary in U.S. Government
Average salary of government employees and contractors, 2015 and 2013, compared with the 2015 U.S. private sector. Values shown in the chart: $118,000, $114,000, $112,000, $110,500 and $106,500 (the assignment of each value to a group and year is not recoverable from the chart text).
Base: Filtered sample (n=1,802) / (n=1,798)
Q66. Which of the following includes your current annual salary in U.S. dollars before taxes?
Salary Change in U.S. Government
2015 GISWS salary data in U.S. Government, direct hires vs. contractors. The most common responses were an increase of up to 5% (47% in one group, 40% in the other) and no change in salary or benefits (40% and 36%); the remaining responses (an increase of between 5% and 10%, an increase of over 10%, and a salary or benefit reduction) were each between 4% and 9% for both groups.
Base: Filtered sample (n=1,802) / (n=1,798)
Q67. Did you receive a salary increase, including benefits and incentives, in 2014?
U.S. Government Projected Change in Overall Spend
Projected Change in Overall Spend (increase / stay the same / decrease)
• Personnel: 28% increase, 60% stay the same, 12% decrease
• Security tools: 58% increase, 34% stay the same, 8% decrease
• Professional services: 72% increase, 17% stay the same, 11% decrease
• Outsourced or managed services: 20% increase, 67% stay the same, 13% decrease
• Training and education: 26% increase, 61% stay the same, 13% decrease
• Certification: 24% increase, 64% stay the same, 12% decrease
Base: Filtered respondents (n=1,826).
Q16b. Do you expect overall information security spending at your organization to increase, decrease, or remain the same?
Confidence in Legislators Providing Funding for Cybersecurity
Confidence in legislators to provide funding for cybersecurity: 58% not confident (somewhat unconfident or not confident at all)
• Very confident: 4%
• Somewhat confident: 17%
• Neither confident nor unconfident: 21%
• Somewhat unconfident: 25%
• Not confident at all: 33%
Base: Filtered sample (n=401)
Q33l. How confident are you that your country's legislators understand the importance of security enough to provide sufficient funding to support your key information security initiatives?
Skills, Training & Education
Important Skills in New Hires in U.S. Government
Most Important Skills in New Hires (% Very Important)
• The candidate has relevant information security experience: 77%
• The candidate has information security certifications: 50%
• The candidate has knowledge of relevant regulatory policies: 30%
• The candidate has an information security or related degree: 19%
Base: Filtered respondents (n=237).
Q19b. When making hiring decisions for information security staff how important is each of the following? – Top box scores
Future Skills and Competencies in U.S. Government
• Risk assessment and management: 56%
• Incident investigation and response: 50%
• Governance, risk management, and compliance…: 48%
• Virtualization: 44%
• Analytical skills: 43%
• InfoSystems and security operations management: 43%
• Communications skills: 35%
• Platform or technology specific skills: 34%
• Architecture: 33%
• Engineering: 26%
• Data administration and management: 19%
• Software system development: 18%
• Business and business development skills: 14%
• Acquisition/Procurement (supply chain): 12%
Base: Filtered respondents (n=1,059).
Q25. What are the skills and competencies that you will need to acquire or strengthen to be in position to respond to the threat landscape over the next three years? Select all that apply.
Demand for Training and Education in U.S. Government (2015 vs. 2013)
• Cloud computing: 59% (2015), 62% (2013)
• Information risk management: 51% (2015), 48% (2013)
• Incident response: 49% (2015), 43% (2013)
• Bring-your-own-device (BYOD): 44% (2015), 46% (2013)
• Certification and accreditation: 42% (2015), 44% (2013)
• Mobile device management: 41% (2015), 47% (2013)
• Forensics: 41% (2015), 39% (2013)
• Security engineering: 40% (2015), 38% (2013)
• Access control systems and methodology: 36% (2015), 36% (2013)
• Applications and system development security: 35% (2015), 36% (2013)
• Telecommunications and network security: 35% (2015; no 2013 value shown)
Base: Filtered respondents (n=1,826) / (n=1,821).
Q23. In which areas of information security do you see growing demand for training and education within the next three years?
Cloud Computing
Prioritization of Cloud Computing
Cloud computing is a priority:
• Now (currently): 50%
• In the near future (within two years): 37%
Base: Filtered sample (n=1,171)
Q57. To what extent is cloud computing a priority for your organization now and in the future? - Top two box scores
Cloud Migration Due to FedRAMP
• Yes: 64%
• No: 18%
• Don't know: 18%
Base: Filtered sample (n=1,077)
QG12. Have FedRAMP's baseline security controls enabled your agency to migrate systems more securely to the cloud?
New Skills for Cloud Computing
• Application of security controls to cloud environments: 71%
• Knowledge of risks, vulnerabilities and threats: 69%
• An enhanced understanding of cloud security guidelines…: 68%
• Risk management: 61%
• Enhanced knowledge of multi-tenancy architecture: 57%
• Security engineering: 53%
• Knowledge of compliance issues: 52%
• Service level agreement skills: 51%
• Deal with dynamic infrastructures: 50%
• Audit: 50%
• Data/information centric approaches to security: 50%
• Manage services and service providers: 36%
• Enhanced data management skills: 33%
• Business stakeholder management and education: 24%
• Supply chain risk management: 23%
• Procurement skills: 17%
Base: Filtered respondents (n=810)
Q61c. What skills will be required for dealing with cloud computing? Select as many as apply.
U.S. Government Frequency of Security Scans on Applications
Frequency of Security Scans (always / sometimes / never)
• Internally developed applications hosted in your private data centers: 61% always, 33% sometimes, 7% never
• Externally developed applications hosted in private data centers: 57% always, 34% sometimes, 9% never
• Internally developed applications hosted in a public cloud environment: 44% always, 32% sometimes, 24% never
• Externally developed applications hosted in a public cloud environment: 43% always, 33% sometimes, 24% never
Base: Filtered respondents (n=1,059).
Q40. Please indicate the frequency with which security scans are conducted on the following applications. - Always
Security Concerns in the U.S. Government When Implementing Cloud
Top/High Concern in U.S. Government When Implementing Cloud
• Data loss prevention: 72%
• Ensuring that existing IT security policy is replicated in the cloud: 65%
• Ensuring that data and systems meet established COOP (continuity of operations) guidelines: 58%
• Integration of cloud and mobility: 36%
Base: Filtered respondents (n=1,078)
QG10. How much of a security concern is each of the following for your government department or agency when implementing cloud computing? - Top two box scores
SUMMARY OF CONCLUSIONS
The key conclusions offered by the 2015 U.S. government-specific
findings include:
• As predicted, the gap between the need for qualified information
security professionals and the supply is having a negative impact
on U.S. government security readiness and is only getting worse.
• The U.S. government has spent a lot of time, money and effort on
policies, programs and tools designed to improve its security
posture, but thus far there has been little return on that
investment.
• Although procurement and acquisition are cited as moments of
great vulnerability, there remains very little focus on applying
security during the supply chain process.