(ISC)2 2015 Global Information Security Workforce Study (GISWS) Results
U.S. Federal Government
Posted on 19-Dec-2015
Global Study Objectives & Project Background
Study Objectives
• To obtain feedback from (ISC)2 members regarding certification, training and educational requirements for their organizations and for their own professional development.
• To identify trends and issues related to information security from both members and non-member security professionals.
• To understand potential gaps in organizational security.
• To forecast what positions will be most highly sought after in the next 3 to 5 years.
Research Background
The information security profession continues to undergo shifts as a result of a constantly changing regulatory environment and increasingly sophisticated, emerging threats. (ISC)2 has committed itself to maintaining its leadership role and growing its membership base in key geographic regions in which it is currently underrepresented.
• Biennial study (conducted every two years)
• 7th GISWS; the first was released in 2004
• Conducted by Frost & Sullivan in partnership with Booz Allen Hamilton, Cyber 360 Solutions and NRI Secure Technologies
• Likely the largest study of the information security profession ever conducted, the GISWS comprises responses from nearly 14,000 information security professionals worldwide.
Source: Frost & Sullivan
Research Background (continued)
• Of the nearly 14,000 respondents, 11,208 were (ISC)2 members and 2,722 were non-members
• Conducted as an online web-based survey using the (ISC)2 membership list
• Email invitations to complete the survey were sent to (ISC)2 members between October 2014 and January 2015
U.S. Federal Government Results
U.S. Federal Government Composition (sample size)
• U.S. Federal Government (military, armed forces, defense): 1,099
• U.S. Federal Government (excluding military, armed forces, defense): 727
• Total U.S. Federal Government: 1,826
Profile—U.S. Federal Government
• Gender composition of workforce: 86% male and 14% female
• Education: 41% have degrees and an additional 47% have advanced degrees
• Average salary: $112,000
• Average years of experience: 15
• Reporting structure (top 3): 24% to the Security Department, 24% to Executive Management, and 18% to the IT Department
Assessment of U.S. Government Information Security: Better or Worse?
U.S. Government Information Security Assessment
QG5a. Overall, is the government's information security better or worse off than a year ago?
Base: Filtered respondents (n=975).
• Better off: 27% (2015), 28% (2013)
• About the same: 47% (2015), 52% (2013)
• Worse off: 17% (2015), 12% (2013)
• Don't know: 9% (2015), 8% (2013)
"Worse off" is up 5 percentage points since 2013.
Reasons for Improved U.S. Government Security
QG5b. Why do you say that government security is better off than a year ago?
Base: Filtered respondents (n=441)/(n=725)
• Improved security awareness: 76% (2013), 79% (2015)
• Improved understanding of risk management: 58% (2013), 56% (2015)
• Improving ability to keep pace with threats: 51% (2013), 53% (2015)
• Effective security guidance or standards: 45% (2013), 44% (2015)
• Better or more qualified professionals available: 38% (2013), 48% (2015)
• Adequate funding for security initiatives: 25% (2013), 27% (2015)
Reasons for Reduced U.S. Government Security
QG5c. Why do you say that government security is worse off than a year ago?
Base: Filtered respondents (n=174).
• Inability to keep pace with threats: 80%
• Poor understanding of risk management within government: 73%
• Inadequate funding for security initiatives: 71%
• Not enough qualified professionals available: 70%
• Security awareness is still too low: 60%
• Ineffective security guidance or standards: 49%

Impact of Information Security Metrics, Tools and Technologies
Useful IT Security Metric Tools
QG8. Which of the following IT security metric tools do you find useful? Select all that apply.
Base: Filtered respondents (n=974).
• Continuous monitoring reports: 67%
• Annual FISMA reports and quarterly POA&M (plan of action and milestones) reports: 45%
• Statistics of viruses prevented, intrusions blocked, etc.: 38%
• Color-coded dashboard techniques: 35%
• CyberScope: 16%
Technologies Improving Security Activities in U.S. Government
Q33b. What security technologies do you believe will provide significant improvements to the security of your organization? Select as many as you feel apply.
Base: Filtered respondents (n=1,059).
• Network monitoring and intelligence: 79%
• Improved intrusion detection and prevention technologies: 75%
• Policy management and audit tools: 57%
• Automated identity management software: 44%
• Web security applications: 40%
Effectiveness of U.S. Government Initiatives (Extremely Effective and Effective)
Q33f. Please rate the effectiveness of each of the following government initiatives in providing security guidance and standards.
Base: Filtered respondents (n=1,058)/(n=1,611).
• NIST SP 800-53: 72% (2015), 63% (2013)
• NIST SP 800-37: 68% (2015), 57% (2013)
• FISMA: 60% (2015), 50% (2013)
• FIPS 199: 53% (2015), 45% (2013)
• SCAP: 41% (2015), 38% (2013)
• FedRAMP Baseline Security Controls: 34% (2015), 27% (2013)
• CyberStat Review: 13% (2015), 19% (2013)
Implementation of NIST Cybersecurity Framework
Q33h. In 2014, the United States government released the Framework for Improving Critical Infrastructure Cybersecurity. Has your company adopted any of the measures outlined in this framework?
Base: Filtered respondents (n=2,983). Note: this base represents all U.S. respondents who do NOT work for the Federal government.
Implementation of NIST CSF across the U.S., excluding the Federal Government:
• Yes: 15%
• No: 39%
• Don't know: 45%
Attitudes Toward Specific, Mandatory Security Requirements in Major IT Procurements
QG7. How much do you agree that the government should include specific, mandatory security requirements in every major IT procurement?
Base: Filtered sample (n=975)
• Disagree completely: 3%
• Disagree somewhat: 3%
• Neither agree nor disagree: 12%
• Agree somewhat: 31%
• Agree completely: 50%
81% agree there should be security requirements for every major IT procurement.

Threat Response
U.S. Government Threat Response
Q33a. If your organization's systems or data were compromised by a targeted attack, how long do you predict it would take to remediate the damage?
Base: Filtered sample (n=1,059)
U.S. Government:
• Within one day: 17%
• Two to seven days: 46%
• Eight to twenty days: 12%
• Three to five weeks: 5%
• Six weeks or more: 4%
21% say threat remediation would take eight days or more (the three longest categories combined).
U.S. private industry, same question, values in the order shown on the chart: 18%, 43%, 4%, 13%, 5%.
U.S. Government Top Security Threats
Q30. Thinking about your own organization, please rate the following potential security threats on the degree of concern you have for each. - Top two box scores
Base: Filtered respondents (n=1,059).
Security Threats (Very/Somewhat Concerned):
• Application vulnerabilities: 72%
• Malware: 71%
• Configuration mistakes/oversights: 65%
• Mobile devices: 60%
• Faulty network/system configuration: 59%
• Hackers: 59%
• Internal employees: 54%
• Cloud-based services: 49%
• Cyber terrorism: 48%
• Trusted third parties: 42%
• Corporate espionage: 42%
• State-sponsored acts: 41%
• Contractors: 41%
• Hacktivists: 40%
• Organized crime: 38%

Workforce & Funding
Number of Security Workers in U.S. Government
Q28a. Would you say that your organization currently has the right number of information security workers, too few, or too many?
Base: Filtered respondents (n=1,059) / (n=1,821)
• Too many: 3% (2015), 2% (2013)
• The right number: 24% (2015), 30% (2013)
• Too few: 60% (2015), 58% (2013)
Impact of Worker Shortage in U.S. Government (Very Great/Great Impact)
Q28e. What is the impact of your organization's shortage of information security workers on each of the following? - Top two box scores
Base: Filtered respondents (n=632).
• On the existing information security workforce: 74%
• On the organization as a whole: 62%
• On customers: 56%
• On security breaches: 48%
Reasons for Worker Shortage in U.S. Government
Q28d. What are the reasons that your organization has too few information security workers? Select as many as apply.
Base: Filtered respondents (n=632)/(n=1,049)
• It is difficult to find the qualified personnel we require: 48%
• Business conditions can't support additional personnel at this time: 46%
• Leadership in our organization has insufficient understanding of the requirement for information security: 39%
• It is difficult to retain security workers: 36%
• There is no clear career path for information security workers: 31%
The chart compares 2013 and 2015; its second series survives only as three values without labels (43%, 58%, 40%), so it is not mapped to individual reasons here.
Average Salary in U.S. Government
Q66. Which of the following includes your current annual salary in U.S. dollars before taxes?
Base: Filtered sample (n=1,802) / (n=1,798)
• Government employee: $110,500 (2015), $106,500 (2013)
• Contractor: $114,000 (2015), $112,000 (2013)
• 2015 U.S. private sector, for comparison: $118,000
Salary Change in U.S. Government (2015 GISWS salary data)
Q67. Did you receive a salary increase, including benefits and incentives, in 2014?
Base: Filtered sample (n=1,802) / (n=1,798)
• Yes, an increase of up to 5%: 47% (direct hire), 40% (contractor)
• Yes, an increase of between 5% and 10%: 6% (direct hire), 8% (contractor)
• Yes, an increase of over 10%: 4% (direct hire), 9% (contractor)
• No change in salary or benefits: 40% (direct hire), 36% (contractor)
• Received a salary or benefit reduction: 4% (direct hire), 7% (contractor)
U.S. Government Projected Change in Overall Spend
Q16b. Do you expect overall information security spending at your organization to increase, decrease, or remain the same?
Base: Filtered respondents (n=1,826).
Spend category: Increase / Stay the same / Decrease
• Personnel: 28% / 60% / 12%
• Security tools: 34% / 58% / 8%
• Professional services: 17% / 72% / 11%
• Outsourced or managed services: 20% / 67% / 13%
• Training and education: 26% / 61% / 13%
• Certification: 24% / 64% / 12%
Confidence in Legislators to Provide Funding for Cybersecurity
Q33l. How confident are you that your country's legislators understand the importance of security enough to provide sufficient funding to support your key information security initiatives?
Base: Filtered sample (n=401)
• Very confident: 4%
• Somewhat confident: 21%
• Neither confident nor unconfident: 17%
• Somewhat unconfident: 25%
• Not confident at all: 33%
58% are not confident (somewhat unconfident plus not confident at all).

Skills, Training & Education
Important Skills in New Hires in U.S. Government (% Very Important)
Q19b. When making hiring decisions for information security staff, how important is each of the following? – Top box scores
Base: Filtered respondents (n=237).
• The candidate has relevant information security experience: 77%
• The candidate has information security certifications: 50%
• The candidate has knowledge of relevant regulatory policies: 30%
• The candidate has an information security or related degree: 19%
Future Skills and Competencies in U.S. Government
Q25. What are the skills and competencies that you will need to acquire or strengthen to be in a position to respond to the threat landscape over the next three years? Select all that apply.
Base: Filtered respondents (n=1,059).
• Risk assessment and management: 56%
• Incident investigation and response: 50%
• Governance, risk management, and compliance (GRC): 48%
• Virtualization: 44%
• Analytical skills: 43%
• Information systems and security operations management: 43%
• Communications skills: 35%
• Platform or technology specific skills: 34%
• Architecture: 33%
• Engineering: 26%
• Data administration and management: 19%
• Software system development: 18%
• Business and business development skills: 14%
• Acquisition/Procurement (supply chain): 12%
Demand for Training and Education in U.S. Government
Q23. In which areas of information security do you see growing demand for training and education within the next three years?
Base: Filtered respondents (n=1,826)/(n=1,821).
Complete series (one of the two survey years; the chart compares 2013 and 2015):
• Cloud computing: 59%
• Information risk management: 51%
• Incident response: 49%
• Bring-your-own-device (BYOD): 44%
• Certification and accreditation: 42%
• Mobile device management: 41%
• Forensics: 41%
• Security engineering: 40%
• Access control systems and methodology: 38%
• Applications and system development security: 36%
• Telecommunications and network security: 36%
The other year's series survives only as ten values without labels (62%, 48%, 43%, 46%, 44%, 47%, 39%, 36%, 35%, 35%), so it is not mapped to individual areas here.

Cloud Computing
Prioritization of Cloud Computing
Q57. To what extent is cloud computing a priority for your organization now and in the future? - Top two box scores
Base: Filtered sample (n=1,171)
Cloud computing is a priority:
• Now (currently): 37%
• In the near future (within two years): 50%
Cloud Migration Due to FedRAMP
QG12. Have FedRAMP's baseline security controls enabled your agency to migrate systems more securely to the cloud?
Base: Filtered sample (n=1,077)
• Yes: 18%
• No: 18%
• Don't know: 64%
New Skills for Cloud Computing
Q61c. What skills will be required for dealing with cloud computing? Select as many as apply.
Base: Filtered respondents (n=810)
• Application of security controls to cloud environments: 71%
• Knowledge of risks, vulnerabilities and threats: 69%
• An enhanced understanding of cloud security guidelines and reference architectures: 68%
• Risk management: 61%
• Enhanced knowledge of multi-tenancy architecture: 57%
• Security engineering: 53%
• Knowledge of compliance issues: 52%
• Service level agreement skills: 51%
• Deal with dynamic infrastructures: 50%
• Audit: 50%
• Data/information centric approaches to security: 50%
• Manage services and service providers: 36%
• Enhanced data management skills: 33%
• Business stakeholder management and education: 24%
• Supply chain risk management: 23%
• Procurement skills: 17%
U.S. Government Frequency of Security Scans on Applications
Q40. Please indicate the frequency with which security scans are conducted on the following applications.
Base: Filtered respondents (n=1,059).
Application type: Always / Sometimes / Never
• Internally developed applications hosted in your private data centers: 61% / 33% / 7%
• Externally developed applications hosted in private data centers: 57% / 34% / 9%
• Internally developed applications hosted in a public cloud environment: 44% / 32% / 24%
• Externally developed applications hosted in a public cloud environment: 43% / 33% / 24%
Security Concerns in the U.S. Government When Implementing Cloud (Top/High Concern)
QG10. How much of a security concern is each of the following for your government department or agency when implementing cloud computing? - Top two box scores
Base: Filtered respondents (n=1,078)
• Data loss prevention: 72%
• Ensuring that existing IT security policy is replicated in the cloud: 65%
• Ensuring that data and systems meet established COOP (continuity of operations) guidelines: 58%
• Integration of cloud and mobility: 36%

SUMMARY OF CONCLUSIONS
The key conclusions offered by the 2015 U.S. government-specific findings include:
• As predicted, the gap between the need for qualified information security professionals and the supply of them is having a negative impact on U.S. government security readiness, and it is only getting worse.
• The U.S. government has spent a lot of time, money and effort on policies, programs and tools designed to improve its security posture, but thus far there has been little return on that investment.
• Although procurement and acquisition are cited as points of great vulnerability, there remains very little focus on applying security throughout the supply chain process.
Questions?