(ISC)2 2015 Global Information Security Workforce Study (GISWS) Results

U.S. Federal Government

Global Study Objectives & Project Background

Study Objectives

• To obtain feedback from the (ISC)2 members regarding certification, training and educational requirements for their organizations and their professional development.

• To identify trends and issues related to information security from both members and non-member security professionals.

• To understand potential gaps in organizational security.

• To forecast what positions will be most highly sought after in the next 3 to 5 years.

Research Background

The information security profession continues to undergo shifts as a result of a constantly changing regulatory environment and increasingly sophisticated and emerging new threats. (ISC)2 has committed itself to maintaining its leadership role and growing its membership base in key geographic regions in which it is currently underrepresented.

• Bi-annual study

• 7th GISWS, first one released in 2004

• In partnership with Booz Allen Hamilton, Cyber 360 Solutions and NRI Secure Technologies, conducted by Frost & Sullivan

• Likely the largest study of the information security profession ever conducted, the GISWS comprises nearly 14,000 information security professionals worldwide.

Source: Frost & Sullivan

Research Background (continued)

• Of the nearly 14,000 respondents, 11,208 were (ISC)2 members and 2,722 were non-members

• Conducted as an online web-based survey using the (ISC)2 membership list.

• Email invitations to complete the survey were sent out to (ISC)2 members between October 2014 and January 2015.

U.S. Federal Government Results

U.S. Federal Government Composition

Sample
U.S. Federal Government (Military, armed forces, defense): 1,099
U.S. Federal Government (Excluding military, armed forces, defense): 727
Total U.S. Federal Government: 1,826

Profile—U.S. Federal Government

• Gender Composition of Workforce: 86% male and 14% female

• Education: 41% have degrees and an additional 47% have an advanced degree

• Average Salary: $112,000

• Average Years of Experience: 15

• Reporting Structure (Top 3): 24% Security Department, 24% Executive Management, and 18% IT Department

Assessment of U.S. Government Information Security: Better or Worse?

Assessment of U.S. Government Information Security

QG5a. Overall, is the government's information security better or worse off than a year ago?

Base: Filtered Respondents (n=975).

U.S. Government Information Security Assessment (2015 vs. 2013)
Better off: 27% (2015), 28% (2013)
About the same: 47% (2015), 52% (2013)
Worse off: 17% (2015), 12% (2013)
Don't know: 9% (2015), 8% (2013)

"Worse off": 5% increase since 2013 (12% to 17%)

Reasons for Improved U.S. Government Security

QG5b. Why do you say that government security is better off than a year ago?

Base: Filtered respondents (n=441)/(n=725)

Reasons for Improved U.S. Government Security (2015 vs. 2013)
Improved security awareness: 76% (2015), 79% (2013)
Improved understanding of risk management: 58% (2015), 56% (2013)
Improving ability to keep pace with threats: 51% (2015), 53% (2013)
Effective security guidance or standards: 45% (2015), 44% (2013)
Better or more qualified professionals available: 38% (2015), 48% (2013)
Adequate funding for security initiatives: 25% (2015), 27% (2013)

Reasons for Reduced U.S. Government Security

QG5c. Why do you say that government security is worse off than a year ago?

Base: Filtered respondents (n=174).

Reasons for Reduced U.S. Government Security
Inability to keep pace with threats: 80%
Poor understanding of risk management within government: 73%
Inadequate funding for security initiatives: 71%
Not enough qualified professionals available: 70%
Security awareness is still too low: 60%
Ineffective security guidance or standards: 49%

Impact of Information Security Metrics, Tools and Technologies

Useful IT Security Metric Tools

QG8. Which of the following IT security metric tools do you find useful? Select all that apply.

Base: Filtered respondents (n=974).

Useful IT Security Metric Tools
Continuous monitoring reports: 67%
Annual FISMA reports and quarterly POAM reports: 45%
Statistics of viruses prevented, intrusions blocked, etc.: 38%
Color coded dashboard techniques: 35%
CyberScope: 16%

Technologies Improving Security Activities in U.S. Government

Q33b. What security technologies do you believe will provide significant improvements to the security of your organization? Select as many as you feel apply.

Base: Filtered respondents (n=1,059).

Technologies Improving Security Activities
Network monitoring and intelligence: 79%
Improved intrusion detection and prevention technologies: 75%
Policy management and audit tools: 57%
Automated identity management software: 44%
Web security applications: 40%

Effectiveness of U.S. Government Initiatives

Q33f. Please rate the effectiveness of each of the following government initiatives in providing security guidance and standards.

Base: Filtered respondents (n=1,058)/(n=1,611).

Effectiveness of U.S. Government Initiatives (Extremely Effective and Effective), 2015 vs. 2013
NIST SP 800-53: 72% (2015), 63% (2013)
NIST SP 800-37: 68% (2015), 57% (2013)
FISMA: 60% (2015), 50% (2013)
FIPS 199: 53% (2015), 45% (2013)
SCAP: 41% (2015), 38% (2013)
FedRAMP Baseline Security Controls: 34% (2015), 27% (2013)
CyberStat Review: 13% (2015), 19% (2013)

Implementation of NIST Cybersecurity Framework

Q33h. In 2014, the United States government released the Framework for Improving Infrastructure Cybersecurity. Has your company adopted any of the measures outlined in this framework?

Base: Filtered respondents (n=2,983). Note: this base size represents all U.S. respondents who do NOT work for the Federal government.

Implementation of NIST CSF Across the U.S., Excluding the Federal Government
Yes: 15%
No: 39%
Don't know: 45%

Attitudes Toward Mandated Security Requirements

QG7. How much do you agree that the government should include specific, mandatory security requirements in every major IT procurement?

Base: Filtered Sample (n=975)

Attitudes Toward Specific, Mandatory Security Requirements in Major IT Procurements
Disagree completely: 3%
Disagree somewhat: 3%
Neither agree nor disagree: 12%
Agree somewhat: 31%
Agree completely: 50%

81% agree there should be security requirements for every IT procurement

Threat Response

U.S. Government Threat Response

Q33a. If your organization's systems or data were compromised by a targeted attack, how quickly do you predict it would take to remediate the damage?

Base: Filtered Sample (n=1,059)

Threat Response (U.S. Government)
Within one day: 17%
Two to seven days: 46%
Eight to twenty days: 12%
Three to five weeks: 5%
Six weeks or more: 4%

21% say threat remediation would take a week or more

U.S. Private Industry, same categories in the order listed above: 18%, 43%, 4%, 13%, 5%

U.S. Government Top Security Threats

Q30. Thinking about your own organization, please rate the following potential security threats on the degree of concern you have for each. - Top two box scores

Base: Filtered respondents (n=1,059).

Security Threats (Very/Somewhat Concerned)
Application vulnerabilities: 72%
Malware: 71%
Configuration mistakes/oversights: 65%
Mobile devices: 60%
Faulty network/system configuration: 59%
Hackers: 59%
Internal employees: 54%
Cloud-based services: 49%
Cyber terrorism: 48%
Trusted third parties: 42%
Corporate espionage: 42%
State sponsored acts: 41%
Contractors: 41%
Hacktivists: 40%
Organized crime: 38%

Workforce & Funding

Number of Security Workers in U.S. Government

Q28a. Would you say that your organization currently has the right number of information security workers, too few, or too many?

Base: Filtered respondents (n=1,059) / (n=1,821)

Number of Security Workers in U.S. Government (2015 vs. 2013)
Too many: 3% (2015), 2% (2013)
The right number: 24% (2015), 30% (2013)
Too few: 60% (2015), 58% (2013)

Impact of Worker Shortage in U.S. Government

Q28e. What is the impact of your organization's shortage of information security workers on each of the following? - Top two box scores

Base: Filtered respondents (n=632).

Impact of Worker Shortage (Very Great/Great Impact)
On the existing information security workforce: 74%
On the organization as a whole: 62%
On customers: 56%
On security breaches: 48%

Reasons for Worker Shortage in U.S. Government

Q28d. What are the reasons that your organization has too few information security workers? Select as many as apply.

Base: Filtered respondents (n=632)/(n=1,049)

Reasons for Worker Shortage in U.S. Government, 2015
It is difficult to find the qualified personnel we require: 48%
Business conditions can't support additional personnel at this time: 46%
Leadership in our organization has insufficient understanding of the requirement for information security: 39%
It is difficult to retain security workers: 36%
There is no clear career path for information security workers: 31%

2013 comparison values as they appear on the chart (three of the reasons only): 43%, 58%, 40%

Average Salary in U.S. Government

Q66. Which of the following includes your current annual salary in U.S. dollars before taxes?

Base: Filtered Sample (n=1,802) / (n=1,798)

Average Salary (2015 vs. 2013)
Government Employee: $110,500 (2015), $106,500 (2013)
Contractor: $114,000 (2015), $112,000 (2013)

2015 U.S. Private Sector: $118,000

Salary Change in U.S. Government

Q67. Did you receive a salary increase, including benefits and incentives, in 2014?

Base: Filtered Sample (n=1,802) / (n=1,798)

2015 GISWS Salary Data in U.S. Government (Direct Hire vs. Contractor)
Yes, an increase of up to 5%: 47% (Direct Hire), 40% (Contractor)
Yes, an increase of between 5% and 10%: 6% (Direct Hire), 8% (Contractor)
Yes, an increase of over 10%: 4% (Direct Hire), 9% (Contractor)
No change in salary or benefits: 40% (Direct Hire), 36% (Contractor)
Received a salary or benefit reduction: 4% (Direct Hire), 7% (Contractor)

U.S. Government Projected Change in Overall Spend

Q16b. Do you expect overall information security spending at your organization to increase, decrease, or remain the same?

Base: Filtered respondents (n=1,826).

Projected Change in Overall Spend (Increase / Stay the Same / Decrease)
Personnel: 28% increase, 60% stay the same, 12% decrease
Security tools: 34% increase, 58% stay the same, 8% decrease
Professional services: 17% increase, 72% stay the same, 11% decrease
Outsourced or managed services: 20% increase, 67% stay the same, 13% decrease
Training and education: 26% increase, 61% stay the same, 13% decrease
Certification: 24% increase, 64% stay the same, 12% decrease

Confidence in Legislators Providing Funding for Cybersecurity

Q33l. How confident are you that your country's legislators understand the importance of security enough to provide sufficient funding to support your key information security initiatives?

Base: Filtered Sample (n=401)

Confidence in Legislators to Provide Funding for Cybersecurity
Very confident: 4%
Somewhat confident: 21%
Neither confident nor unconfident: 17%
Somewhat unconfident: 25%
Not confident at all: 33%

58% not confident (somewhat unconfident plus not confident at all)

Skills, Training & Education

Important Skills in New Hires in U.S. Government

Q19b. When making hiring decisions for information security staff, how important is each of the following? – Top box scores

Base: Filtered respondents (n=237).

Most Important Skills in New Hires (% Very Important)
The candidate has relevant information security experience: 77%
The candidate has information security certifications: 50%
The candidate has knowledge of relevant regulatory policies: 30%
The candidate has an information security or related degree: 19%

Future Skills and Competencies in U.S. Government

Q25. What are the skills and competencies that you will need to acquire or strengthen to be in position to respond to the threat landscape over the next three years? Select all that apply.

Base: Filtered respondents (n=1,059).

Future Skills and Competencies
Risk assessment and management: 56%
Incident investigation and response: 50%
Governance, risk management, and compliance (GRC): 48%
Virtualization: 44%
Analytical skills: 43%
InfoSystems and security operations management: 43%
Communications skills: 35%
Platform or technology specific skills: 34%
Architecture: 33%
Engineering: 26%
Data administration and management: 19%
Software system development: 18%
Business and business development skills: 14%
Acquisition/Procurement (supply chain): 12%

Demand for Training and Education in U.S. Government

Q23. In which areas of information security do you see growing demand for training and education within the next three years?

Base: Filtered respondents (n=1,826)/(n=1,821).

Demand for Training and Education, 2015
Cloud computing: 59%
Information risk management: 51%
Incident response: 49%
Bring-your-own-device (BYOD): 44%
Certification and accreditation: 42%
Mobile device management: 41%
Forensics: 41%
Security engineering: 40%
Access control systems and methodology: 38%
Applications and system development security: 36%
Telecommunications and network security: 36%

2013 comparison values as they appear on the chart (ten values for the eleven areas): 62%, 48%, 43%, 46%, 44%, 47%, 39%, 36%, 35%, 35%

Cloud Computing

Prioritization of Cloud Computing

Q57. To what extent is cloud computing a priority for your organization now and in the future? - Top two box scores

Base: Filtered Sample (n=1,171)

Cloud Computing is a Priority
Now (currently): 37%
In the near future (within two years): 50%

Cloud Migration Due to FedRAMP

QG12. Have FedRAMP's baseline security controls enabled your agency to migrate systems more securely to the cloud?

Base: Filtered Sample (n=1,077)

Cloud Migration Due to FedRAMP
Yes: 18%
No: 18%
Don't know: 64%

New Skills for Cloud Computing

Q61c. What skills will be required for dealing with cloud computing? Select as many as apply.

Base: Filtered respondents (n=810)

New Skills for Cloud Computing
Application of security controls to cloud environments: 71%
Knowledge of risks, vulnerabilities and threats: 69%
An enhanced understanding of cloud security guidelines and reference architectures: 68%
Risk management: 61%
Enhanced knowledge of multi-tenancy architecture: 57%
Security engineering: 53%
Knowledge of compliance issues: 52%
Service level agreement skills: 51%
Deal with dynamic infrastructures: 50%
Audit: 50%
Data/information centric approaches to security: 50%
Manage services and service providers: 36%
Enhanced data management skills: 33%
Business stakeholder management and education: 24%
Supply chain risk management: 23%
Procurement skills: 17%

U.S. Government Frequency of Security Scans on Applications

Q40. Please indicate the frequency with which security scans are conducted on the following applications. - Always

Base: Filtered respondents (n=1,059).

Frequency of Security Scans (Always / Sometimes / Never)
Internally developed applications that are hosted in your private data centers: 61% always, 33% sometimes, 7% never
Externally developed applications that are hosted in private data centers: 57% always, 34% sometimes, 9% never
Internally developed applications that are hosted in a public cloud environment: 44% always, 32% sometimes, 24% never
Externally developed applications that are hosted in a public cloud environment: 43% always, 33% sometimes, 24% never

Security Concerns in the U.S. Government When Implementing Cloud

QG10. How much of a security concern is each of the following for your government department or agency when implementing cloud computing? - Top two box scores

Base: Filtered respondents (n=1,078)

Top/High Concern in U.S. Government When Implementing Cloud
Data loss prevention: 72%
Ensuring that existing IT security policy is replicated in the cloud: 65%
Ensuring that data and systems meet established COOP (continuity of operations) guidelines: 58%
Integration of cloud and mobility: 36%

SUMMARY OF CONCLUSIONS

The key conclusions offered by the 2015 U.S. government-specific findings include:

• As predicted, the gap between the need for qualified information security professionals and the supply is having a negative impact on U.S. government security readiness and is only getting worse.

• The U.S. government has spent a lot of time, money and effort on policies, programs and tools designed to improve its security posture, but thus far there has been little return on that investment.

• Although procurement and acquisition are cited as moments of great vulnerability, there remains very little focus on applying security during the supply chain process.

Questions?