© Copyright 1989 2011, (ISC) 2 All Rights Reserved Skills Gap? What Skills are we Talking about Anyway? John Colley, managing director, EMEA www.isc2.org

Are we approaching a skills gap? If so, what skills are we talking about? by John Colley, (ISC)2


DESCRIPTION

Seminar "Are we approaching a skills gap? If so, what skills are we talking about?" by John Colley, (ISC)2, given during Infosecurity.be 2011


1. Skills Gap? What Skills are we Talking about Anyway?
   John Colley, managing director, EMEA, www.isc2.org

2. Some key questions
   - How big is the information security profession?
   - How are salaries in the current economic climate?
   - How experienced is the workforce?
   - Who do they report to?
   - How do they occupy their time?
   - What are the major concerns?
   - What skills are required?
   - How do we go about getting them?

3. Some background

4. Who is (ISC)2
   - Established in 1989
   - Non-profit consortium of information security industry leaders
   - Supports security professionals throughout their careers
   - Offered the first information technology-related credentials to be accredited to ANSI/ISO/IEC Standard 17024
   - Global standard for information security: the (ISC)2 CBK, a compendium of information security topics
   - Board of Directors: top information security leaders worldwide
   - Over 74,000 certified professionals in over 135 countries
   - Body of research: Global Information Security Workforce Study; Career Impact Studies; Subject Polls; joint projects with ISF and PWC

5. Membership Honor Roll
   - 1000+: Canada, United Kingdom, South Korea, Australia, Hong Kong, India, Japan, Netherlands, Singapore, United States
   - 500+: Germany, France, Switzerland, China, Spain, Sweden, South Africa, Belgium, Finland, United Arab Emirates, Brazil
   - 200+: Denmark, Mexico, Taiwan, Italy, Malaysia, Ireland, Poland, Saudi Arabia, Israel, New Zealand, Russia, Norway
   - 100+: Thailand, Nigeria, Austria

6. John Colley
   John Colley, CISSP, is the Managing Director for EMEA and Co-Chair of the European Advisory Board for (ISC)2, a non-profit professional consortium which represents over 74,000 members worldwide. He served on the (ISC)2 Board of Directors for eight years, including two as chairman. John has over fifteen years' experience in information security.
   He has formerly held posts as Head of Risk Services at Barclays Group, Group Head of Information Security at the Royal Bank of Scotland Group, Director of Information Security at Atomic Tangerine and Head of Information Security at ICL. John has also worked as an independent consultant providing value-added advice and guidance to blue-chip organisations. He has had a number of articles published in the IT and security press.

7. Research source
   - (ISC)2 Global Information Security Workforce Study
   - Four previous studies: 2004, 2005, 2006, 2008
   - 2011 study conducted by Frost & Sullivan
   - Largest study ever undertaken
   - Responses from 10,413 information security professionals
   - 72% of respondents are (ISC)2 members
   - https://www.isc2.org/gisws2011/default.aspx

8. The good, the bad, the ugly

9. The good

10. Key findings: size of profession
   - Strong growth
   - Number of professionals worldwide: 2.28 million
   - Projected Compound Annual Growth Rate of 13.2%: 4.24 million by 2015
   - 2008 survey: 1.66 million in 2007, projected Compound Annual Growth Rate of 10%

11. Key findings: economics
   - 60% of respondents received a salary increase in 2010
   - Overall salaries have increased over the previous survey
   - Spend on personnel has remained steady
   - Average annual salary (chart, 2010 vs 2007):

   | | 2010 | 2007 |
   |---|---|---|
   | (ISC)2 member | $98,600 | $94,500 |
   | Non-member | $78,500 | $73,856 |

12. Key findings: experience
   - Average years of experience has increased, but not in line with the length of time between surveys
   - Average years of experience by region (chart, 2010 vs 2007):

   | Region | 2010 | 2007 |
   |---|---|---|
   | Americas | 10 | 9.5 |
   | EMEA | 10 | 8.3 |
   | APAC | 9 | 7.1 |

13. The bad

14. Key findings
   - Application vulnerabilities represent the key threat to organisations: rated top concern by 73% of respondents
   - Mobile devices: second highest concern
   - Social media threats: lack of readiness
   - Cloud computing: 40% using Software as a Service; 70% reported the need for new skills to secure cloud technologies

15. Top security threats / concerns (chart, percentage of respondents)
   - Application vulnerabilities: 73%
   - Mobile devices: 66%
   - Virus and worm attacks: 65%
   - Internal employees: 63%
   - Hackers: 55%
   - Contractors: 45%
   - Cyber terrorism: 44%
   - Cloud-based services: 43%
   - Organised crime: 38%

16. Application security: involvement (chart)
   - My organisation doesn't do software development: 15%
   - I'm personally involved in software development: 22%
   - I'm not personally involved in software development: 62%

17. Application security: concerns by development phase (chart)
   - Design: 81%
   - Specifying requirements: 75%
   - Testing, debugging or validation: 71%
   - Construction (implementation or coding): 70%
   - Integration: 65%
   - Installation: 55%
   - Maintenance: 55%

18. Mobile devices
   - Percentage of workforce with mobile devices (chart): none to 25%: 31%; 26% to 50%: 23%; 51% to 75%: 14%; 76% to 99%: 19%; 100%: 11%
   - Risk from mobile devices (chart): very significant 28%; somewhat significant 40%; neither significant nor insignificant 15%; somewhat insignificant 10%; not significant at all 8%

19. Mobile devices: formal policy for mobile devices (chart)
   - Have: 69%
   - Do not: 31%

20. Mobile devices: security products in place (chart)
   - Encryption: 71%
   - Network Access Control: 59%
   - Mobile VPN: 52%
   - Device management: 43%
   - Remote lock and wipe: 42%
   - Anti-malware: 28%
   - DRM: 11%

21. Cloud computing: are new skills required for cloud computing? (chart)
   - Yes: 74%
   - No: 26%

22. Cloud computing: specific skills? (chart)
   - Detailed understanding: 92%
   - Technical knowledge: 82%
   - Contract negotiation: 49%

23. Social media: sites allowed access to within organisations (chart)
   - LinkedIn: 63%
   - Blogs: 53%
   - Facebook: 51%
   - YouTube: 47%
   - Twitter: 44%
   - Intersec: 28%
   - Xing: 22%
   - None of these: 26%

24. Social media: control methods (chart)
   - Content filtering: 60%
   - Policy enforcement: 44%
   - No restrictions: 28%

25. Importance of social media tools (chart)
   - Very important: 14%
   - Somewhat important: 32%
   - Neither important nor unimportant: 27%
   - Somewhat unimportant: 10%
   - Not important at all: 17%

26. The ugly

27. Key findings
   - A clear skills gap exists
   - Deployment of new technologies
   - Demand for security education on those technologies

28. Where have we come from?

29. Where have we come from? (diagram: IT Security, then Information Security, then Information Risk Management)

30. Reporting lines (chart)
   - IT department: 28%
   - Executive management: 25%
   - Information assurance: 19%
   - Operations/administration: 7%
   - Board of directors: 4%
   - Risk management: 4%
   - Governance/compliance: 3%
   - Internal audit: 2%
   - Finance: 1%
   - Sales/Marketing: 1%

31. What have we been doing? (diagram)
   - More management focused
   - More business focused
   - Technical role
   - Grab some of the IT turf

32-35. What have we been doing? (build-up of the same diagram, with the technical role broken out into: Systems Admin, Firewall, PKI, Anti-Virus)

36. Most time consuming activities (chart)
   - Researching new technologies: 49%
   - Internal/political issues: 46%
   - Meeting regulatory compliance: 45%
   - Developing internal security policies, standards and procedures: 39%
   - Auditing IT security compliance: 39%
   - Implementing new technologies: 39%
   - Providing advice on security to customers: 37%
   - Selling security to upper management: 36%
   - Certifying/accrediting (of information systems): 35%
   - Inter-departmental activities / cooperation: 33%

37. Most time consuming activities: business related (same chart as slide 36, with the business-related activities highlighted)

38. Business demands
   - Cloud: the financial imperative; the immediacy and flexibility
   - Mobility: great expectations
   - Agile development: applications on demand from the global development shop
   Base: all member respondents (n=7547).

39. The users' influence
   - Consumers bring IT to the organisation
   - Legitimate social networking for business
   - Cloud trials
   Base: all member respondents (n=7547).

40. What skills should we be assessing and developing?

41. Training needs (chart)
   - Information risk management: 47%
   - Application and systems development security: 41%
   - Forensics: 39%
   - End-user security awareness: 39%
   - Security architecture and models: 38%
   - Access control systems and methodology: 38%
   - Security management practices: 41%
   - Business continuity and disaster recovery planning: 47%

42. Expert commentary

43. What does all this mean?
   - We need to get to grips with application and software development security
   - We need to get to grips with security surrounding new technologies
     - Currently: cloud computing; social networking; mobile devices
     - Future: who knows? Could be location-based services
   - We need to respond to changes outside of our bubble
     - Changes to how the business is doing business
     - Changes to how users are using technology
     - Changes to IT itself
   - We need to get to grips with user education and awareness
     - Fourth ranked overall
     - Second most important in EMEA

44. And finally

45. We need to get out of our Catch 22
   One cannot get a job in information security without prior experience, but one cannot get experience without getting a job in information security.

46. Wake up and get real

47. Questions?
   John Colley, Managing Director, (ISC)2 EMEA