Cybersecurity Certification Survey: Trouble on the information superhighway
This feature first appeared in the Spring 2021 issue of Certification Magazine. Click here to get your own print or digital copy.
The concept of protecting valuables has probably troubled the minds of responsible individuals since the dawn of recorded history. Back then, the Mediterranean seaboard was such a seething hotbed of piracy and pillaging that the builders of early cities frequently situated major commercial centers up to 10 miles inland to escape the grasp of greedy raiders.
More recently, the Cheyenne and Black Hills Stage Company attempted to thwart Old West outlawry by building a steel-plated stagecoach with an integrated strongbox. The Slaughter and Monitor “treasure coaches” suffered only from the perhaps foreseeable design flaw of not providing protection for the stage driver and shotgun messenger — even an armored stagecoach needs a team of horses.
There’s less immediate danger to life and limb from pirates and outlaws in 2021, given that most of what happened out in the open in 18th-century America and ancient Greece is now confined to electronic transmission and more or less instantaneous delivery. That doesn’t mean security workers are a thing of past: The U.S. Bureau of Labor Statistics estimated last year that there are more than 130,000 jobs in the United States for individuals who “plan and carry out security measures to protect an organization’s computer networks and systems.”
Growth in the field over the next 10 years is projected at 31 percent, meaning that an estimated 40,900 more jobs will be created just in the United States by 2029 — a level of expansion described as being “much faster than average.” The pay is pretty good, too: BLS research pegs the median annual salary for “information security analysts” at $99,730, or $47.95 per hour.
Skills and knowledge both scarce
Even without having to worry about literal desperadoes or buccaneers while guarding the information superhighway, cybersecurity workers have a lot on their plates. In the course of our recent Security Certification Survey, we asked the certified information security professionals who responded to rate their level of agreement with a series of statements about security operations at businesses and other private organizations.
One of the biggest hurdles to effective cybersecurity is a people problem. Almost 75 percent of those surveyed either agree (48 percent) or strongly agree (26.6 percent) that enterprise security staffs are too small. The neutral “neither agree nor disagree” middle ground was staked out by 20.9 percent of respondents, leaving slightly fewer than 5 percent who disagree (3.4 percent) or strongly disagree (1.1 percent) that security staffs are too small.
Staffing shortages, however, don’t tell the whole story. A perhaps equally telling issue is the general lack of individual security smarts. Roughly 74 percent of those surveyed either agree (48.6 percent) or strongly agree (24.9 percent) that employees not hired for technology jobs tend to lack adequate basic information security training.
Even people who are trained to work with computers and information technology (IT) tend not to know as much about security best practices as they should. Two out of every three survey respondents either agree (54.2 percent of those surveyed) or strongly agree (18.6 percent) that security training of IT personnel on enterprise staffs — those who perform specific IT functions — is not adequate.
The result is that security staffs aren’t just contending with outside attacks, but must also continually guard against gaps in the security awareness of their coworkers.
Tools and technology
On top of manpower challenges and a general lack of security training, most of the certified information security professionals who responded to the survey believe that organizations are bogged down by sketchy software, hardware, and policy protections. More than 57 percent of respondents either agree (44.1 percent) or strongly agree (13.6 percent) that enterprise security controls are lacking.
That’s compared to just 12 percent who either disagree (11.9 percent) or strongly disagree (0.6 percent) that controls are not up to snuff. (A further 30 percent of those surveyed signaled a perhaps lesser degree of satisfaction with the status quo by choosing to neither agree nor disagree.)
Old or aging security technology is also a hindrance. More than half of those surveyed either agree (42.9 percent) or strongly agree (9 percent) that enterprise security controls are outdated. Some organizations, it would seem, are keeping up with changes, as indicated by the 21 percent of respondents who either disagree (18.1 percent) or strongly disagree (2.8 percent) that controls are outdated. (The remaining 27 percent of respondents took no position.)
There is money being invested in security technology, but most certified security professionals don’t seem to feel that security spending is either carefully thought-out or adequate to address problems. About 40 percent of survey respondents either agree (29.9 percent) or strongly agree (9 percent) that money for enterprise security measures is spent unwisely, while just 25 percent either disagree (20.3 percent) or strongly disagree (5.6 percent). (Thirty-five percent took a neutral position.)
A more serious problem concerns the amount of money being spent, as opposed to whether it’s been well-invested. A worrisome 72 percent of those surveyed either agree (45.2 percent) or strongly agree (26.6 percent) that there is not enough money being spent to install or improve security measures. Just 7.3 percent disagree — not a single respondent registered strong disagreement — that not enough money is being spent, while 20 percent are on the fence.
Information security professionals have a variety of duties and responsibilities. Some design and install security infrastructure, while others are charged with actively monitoring computer and network activity. Some specialists are involved in determining and defining policy documents, while others test and examine existing protections.
There’s quite a bit of work to be done, and only so many hours in the day. Are we pushing the current workforce too hard? About half of those we surveyed either agree (31.6 percent) or strongly agree (15.3 percent) that they are overworked. A little more than one-third (35 percent of respondents) took a neutral position, while the remaining 18 percent disagree (15.3 percent) or strongly disagree (2.8 percent) that they have too much on their plate.
For most certified information security professionals, the tasks they perform are complex and engaging. A solid 79 percent either agree (55.2 percent) or strongly agree (24.1 percent) that their work is challenging, with a further 16 percent taking a neutral position. That leaves just 4 percent who either disagree (3.4 percent) or strongly disagree (1.1 percent) that their work is engaging.
We did ask one question that touches on the broad issue of compensation. Generally speaking, are certified information security professionals satisfied with their current salary? Roughly 46 percent either agree (37.3 percent of respondents) or strongly agree (9 percent) that their current salary is satisfactory, while 23.7 percent took a neutral view. The remaining 30 percent either disagree (17.5 percent) or strongly disagree (12.4 percent) that their current salary is satisfactory.
Certification = employment
Certification is a long-established pillar of the information security realm, with many security credentials requested by name in employment listings. You don’t have to be certified to get a job: 57 percent of those surveyed were not required to have a security certification when hired for their current job. Forty-three percent, on the other hand, did have to meet a certification requirement in order to start work.
Even in cases where certification is not required, however, it could be a factor in any hiring decision that gets made. Asked to estimate the impact of certification on being hired at their current job, 58 percent of certified information security professionals said it was either influential (24.9 percent) or very influential (32.8 percent), with an additional 14.3 percent reporting that certification was at least somewhat influential.
It’s also true that many choose to get certified with an eye on future employment. Setting aside the popular rationales of gaining skills and increasing compensation, we asked those surveyed to name the two most important benefits of getting a certification.
Three of the top four responses are directly employment-related. The most popular choice is “Gain qualifications for a future job,” followed by “Improve or confirm qualifications for my current job.” “Grain greater confidence in my own skills,” narrowly edged ahead of “Become eligible for positions of greater responsibility with my current employer.”
Workplace and education
Every business or organization has to grapple with information security-related challenges in 2021. To judge by our survey audience, however, a sizeable chunk of the information security jobs available are focused in three workplace sectors: government (25.7 percent of those surveyed), computer or network consulting (12.3 percent), and financial services (10.7 percent).
Other popular employment sectors include aerospace (6.4 percent of respondents), health or medical services (5.3 percent), education (4.3 percent), and software (also 4.3 percent).
For teens and young adults who are considering information security as a potential career, definitely don’t rule out higher education. Among survey respondents, 38.7 percent pursued their formal education far enough to hold a bachelor’s degree, while 32.9 percent went one step further and claimed a master’s degree, and 4.1 percent hold doctorate degrees.