There are about 2.2 million people working as information security professionals today, says Hord Tipton, executive officer for security education and credentialing organization (ISC)2 and former CIO of the U.S. Department of the Interior. That number is expected to grow to 4.25 million by 2015--assuming there are enough skilled security professionals to meet demand.
Already, access to enough IT staff with security expertise is particularly tricky for organizations of all sizes. In a study released earlier this year, IT industry association CompTIA found 41 percent of organizations reported moderate or significant deficiencies in security expertise among IT staff. On average, CompTIA says, organizations were about 30 percent short of their headcount devoted to security.
[ Find out the topics and issues affecting tech's biggest names and news makers as revealed in the IDGE Insider CEO interview series. | Stay ahead of the key tech business news with InfoWorld's Today's Headlines: First Look newsletter. | Read Bill Snyder's Tech's Bottom Line blog for what the key business trends mean to you. ]
And according to the U.S. Bureau of Labor Statistics (BLS), which added the category of Information Security Analyst in 2011, unemployment for people employed in the category stands at 0 percent.
"The demand for security people in organizations will be even higher," Tipton says. To meet the demand requires a multipronged approach in which not just (ISC)2 and security professionals but businesses and their executives have an important role, Tipton explains.
Write more secure code
One important preventative thing businesses can do to ease the pressure is to make sure developers write more secure code in the first place. Why are companies still producing software with vulnerabilities?" Tipton asks. "Why do we have to keep patching it?"
The answer, Tipton says, is that executives need to prioritize writing secure code upfront and make sure that developers are trained to do it. Additionally, organizations need to revise their lifecycle approach to give security professionals a seat at the table when project requirements get determined, not after.
"The business looks for functionality, user friendliness," Tipton says. "Security is an afterthought. People that are in the security portion of a company have a difficult time getting their recommendations in after the requirements are already set."
SQL injection still highest root cause of data breaches
A study by research firm the Ponemon Institute of more than 800 IT security and development professionals earlier this year found that most organizations don't prioritize application security as a discipline, despite the fact that SQL injection attacks are the highest root cause of data breaches. The second-highest root cause is exploited vulnerable code in Web 2.0 and social media applications. These types of attacks have been around for years, and, in most cases, are relatively easy to defend against.
"Security, per se, is not a complex science," Tipton says. "Most of it is just the basic controls, the sound principles of security, which we have proven in 23 years of credentialing. They actually work and haven't changed very much. Eighty to 90 percent of breaches are caused by simple attacks, and 96 percent of those breaches could be prevented with basic security controls."