(ISC)2 ha pubblicato lo studio 2013 sullo stato dell’arte dell’Information Security Workforce; lo studio riassume le piu’ importanti considerazioni sull’evoluzione delle professioni che ruotano intorno ai “Security Professionals” tramite sondaggi indirizzati ai membri (ISC)2. Di seguito un estratto dei punti piu’ interessanti, e chiaramente i link per il download:
The study tracks down results of different surveys submitted to different security professionals, with the premise that “information security profession, in addition to being a large and growing field, is a barometer of economic health and the changing nature of how business is being conducted: […] growth in this profession a signal that global economic activity is advancing”. From the previous Workforce study, 2011, the most relevant news are the explosion of BYOD and cloud computing.
Information Security professionals must face new risk management challenges and they are usually involved in cross-activities (network hardening and software security, third party assessment and code review,…). Secure software development is much more present in Security Professional activities than 2 years before, as professionals agree that and serious consequences —data breaches, disrupted operations, lost business, brand damage, and regulatory fines – is one of the most important drivers in Security activities. Secure software development, more than any other discipline, is where the largest gap between risk and response attention by the information security profession exists.
Information security professionals are very stable in their employment; more than 80 percent had no change in employer or employment in the past year, and the number of professionals is projected to continuously grow more than 11 percent annually over the next five years. There is still an high request, as Information security professionals trump products in effectiveness: in a ranking of importance, software and hardware solutions rank behind the effectiveness of information security professionals. (ISC)2 membership and location drive higher salaries – The salary gap between (ISC)2 members and non-members is widening. In America 79 % of (ISC)2 security professionals have average salaries of US$80,000 or more. Workforce shortages persist and the impact of shortage is the greatest on the existing workforce. Knowledge and certification of knowledge weigh heavily in job placement and advancement; 70% of respondents consider Certifications as reliable credentials to assess competencies; broad understanding of the security field was the #1 factor in contributing to career success, followed by communication skills.
Application vulnerabilities rank the highest in security concern, malware and mobile device are close seconds. About attack response, 28% percent believe their organizations can remediate from a targeted attack within one day, but the preparedness to an attack has worsened compared to the respondents in the 2011 survey. A multi-disciplinary approach is required to address the risks in BYOD and cloud computing, especially with cloud computing (organizations balance the type of cloud environment with their level of acceptable risk and ability to control risk); the use of private clouds to get more control over the cloud infrastructure is confirmed by respondents.
- Dallo studio si evince come ci sia ancora un vuoto di expertise nel campo della sicurezza informatica specie in ambito applicativo e di come le certificazioni siano particolarmente apprezzate nell’ambito professionale.
- Le certificazioni (ISC)2 sono considerate tra le più qualificanti anche dal pubblico non certificato.
- Per quanto riguarda i temi classici di sicurezza informatica, sul fronte delle minacce avanza la percezione di rischio collegata ai paradigmi emergenti quali BYOD, minacce interne o Cloud Services. Le minacce più avvertite rimangono comunque quelle legate alle applicazioni sia in termini di vulnerabilità che di software malevolo.
- Sul fronte degli impatti degli attacchi, il danno d’immagine e reputazionale è considerato stabilmente il danno più temuto, seguito quasi a pari merito dal timore di infrangere le leggi e dal disservizio