What We Learned From This Month’s European GISWS Report

What is the GISWS?

Since its first release in 2004, the biennial (ISC)²® Global Information Security Workforce Study (GISWS) has gauged the opinions of information security professionals and, in turn, provided detailed insight into the important trends and opportunities within this increasingly crucial profession.

This year, the study conducted its largest-ever global survey of cybersecurity professionals, with over 19,000 individuals taking part (3,694 of them from Europe). The larger sample allows an even clearer and more complete profile of the information security workforce, with a stronger understanding of areas such as pay scales, skills gaps, training requirements, corporate hiring practices, security budgets and career progression. The study also explored corporate attitudes towards information security, presenting a useful and reflective reference for governments, corporations, hiring managers and information security professionals themselves.

The latest release from GISWS and what this means in Europe

This month sees the third release of data from the Global Information Security Workforce Study 2017: Benchmarking Workforce Capacity and Response to Cyber Risk, conducted by Frost & Sullivan for the Center for Cyber Safety and Education with the support of (ISC)², Booz Allen Hamilton and Alta Associates. This release offers a deeper exploration of the growing cybersecurity skills gap.

The report revealed a number of interesting findings, including a predicted cybersecurity skills gap for Europe of 350,000 (1.8 million globally) by 2022. In response, European organisations are planning the fastest rate of cybersecurity hiring in the world: 38% of surveyed hiring managers in the region said they intend to grow their workforce by at least 15% in the coming year. This ambition sits alongside the finding that two-thirds of organisations say they currently have too few cybersecurity workers.

Strong recruitment targets alone are not closing the gap: a shortage of talent and disincentives to invest in training both contribute to the skills shortage, even as 70% of employers around the globe are already looking to increase the size of their cybersecurity staff this year.

This demand is set against a broad range of security concerns that continue to develop at pace, with the threat of data exposure clearly identified as today's top security concern amongst professionals around the world. Concern over data exposure reflects the advent of new regulations aimed at enhancing data protection around the world, including Europe's General Data Protection Regulation, which takes effect in May 2018.

This month's report illustrates a revolving door of scarce, highly paid workers amid a virtually non-existent unemployment rate of just 1% in Europe. Organisations struggle to retain staff (21% of the global workforce said they had left their jobs in the past year) while also facing high salary costs: 33% of the workforce in Europe earns over US$100,000 (roughly €95,000 or £78,000) per year.

“The combination of virtually non-existent unemployment, a shortage of workers, the expectation of high salaries and high staff turnover that only increases among younger generations creates both a disincentive to invest in training and development and a conundrum for prospective employers: how to hire and retain talent in such an environment?” states the report.

Recruitment and professional development strategies must change

The lack of professionals entering the industry has a two-fold impact on the profile of the workforce. Not only is the workforce not growing fast enough to fill the necessary roles, it is also greying, with just 12% of workers under 35 and 53% over 45. The profession faces a looming skills cliff edge, with the majority of workers getting closer to retirement and companies failing to recruit long-term replacements.

The release recommends that organisations adapt their approach to recruitment and draw from a broader pool of talent. This is backed by findings that workers with non-computing backgrounds account for nearly a fifth of the current workforce in Europe, and that they hold positions at every level of practice, with 63% at manager level or above.

As the fastest-growing demographic, millennials will be critical to filling this employment gap, but hiring attitudes must change in order to entice valuable candidates. Recruiters are currently not hiring enough recent university graduates, instead opting for those with more prior experience: 93% of respondents indicated that prior experience is an important factor in their hiring decisions.

Yet employers could be doing much more to attract and retain younger people. The study found that millennials value organisational training as well as mentorship and leadership programmes. For a demographic that holds personal development in such high regard, businesses need to cater to these needs to attract vital young talent.

There is a real mismatch between the skills recruiters are looking for and the skills workers are prioritising for their own career development, suggesting skill sets may not be keeping pace with requirements. The top two skills workers are prioritising are cloud computing and security (60%) and risk assessment and management (41%), while employers prioritise communication (66%) and analytical skills (59%). Only 25% and 20% of workers are prioritising communication and analytical skills respectively.

Improving gender diversity

In addition to the widening skills gap, diversity within the workforce remains low. The study revealed that women form just 7% of the workforce in Europe, a level that has remained virtually unchanged since 2004. There are also signs of a rampant gender pay gap, with male professionals in Europe earning £9,100 more on average than their female counterparts. This is despite Europe's female cybersecurity professionals tending to be better educated, with a higher proportion of them occupying managerial positions. In the UK, for example, 50% of female cybersecurity professionals hold postgraduate degrees, compared with just 37% of men, and 64% of women are in managerial positions compared with 57% of men.

A workplace where women are both paid less and more likely to be subject to discrimination makes it harder to promote the profession to women. The lack of women also creates a self-perpetuating cycle, with few established female role models to encourage the next generation.

But there are clear steps that can be taken to attract more women into cybersecurity and, at the same time, address the growing need for more staff. Much as with millennials, employers need to create inclusive workplaces that support and value women, via sponsorship and mentorship programmes tied to the success and satisfaction of women at all levels. Equally important, organisations must end pay inequity and draw from a wider set of backgrounds and degrees, including humanities and arts degrees, where there tend to be higher proportions of women.

Fundamentally, this is no longer just an issue of workforce diversity but one of economic and national security. The cybersecurity skills gap grows wider every time the workforce is surveyed, and governments across the world are recognising cyberattacks as critical national vulnerabilities. Attracting more millennials and women into the industry would not only significantly reduce this shortfall in skills; by diversifying the workforce, it would provide the necessary basis for a safer world in today's increasingly plugged-in society.

The full report can be downloaded here: http://iamcybersafe.org/GISWS/

[(ISC)² Blog]

Faces of ISACA: Michael Thiessmeier, Senior Manager, Technology & Security Risk Management, Oportun

Editor’s note: The ISACA Now series titled “Faces of ISACA” highlights the contributions of ISACA members to our global professional community, as well as providing a sense of their lives outside of work. Today, we spotlight risk management professional and ISO delegate Michael Thiessmeier.

Perhaps owed to his military background, Michael Thiessmeier believes that knowing how to perform the duties of both his supervisors and subordinates is the best way to ensure success. He has put in the time to make sure that’s the case.

Thiessmeier has more than 20 certificates and certifications, including ISACA’s COBIT Foundation certificate.

“Think about it this way,” Thiessmeier said. “One person might go watch soccer on Sundays. I might sit on that same couch preparing for a certification exam and feel the same kind of joy and excitement if I pass that the other person feels when their home team scores a goal.”

Thiessmeier joined ISACA in 2012 when professors in Germany – where he was born and spent seven years performing military service – encouraged him to seek out professional organizations.

“I spent years looking for options and evaluating my career path,” Thiessmeier said. “Finally, I determined that ISACA was best aligned with the direction that my career was taking.”

His current role is Senior Manager, Technology & Security Risk Management, with Oportun in Redwood City, California, USA. He is especially interested in how trends like machine learning necessitate automating controls testing.

“Being situated at the intersect of fin-tech and financial services allows me to work on things that have not been done before,” Thiessmeier said. “There truly is no cookie-cutter approach to our industry, and that’s where the research I am doing with ISACA and other organizations turns out to be very helpful.”

Thiessmeier also is heavily involved with ISO as a delegate expert for ISACA, a relationship that came about when he saw an opening on the ISO liaison committee posted on ISACA’s website. He is active in the Security Controls and Services, and Identity Management and Privacy Technologies working groups, and recently was elected as project co-editor for the ISO standard pertaining to application security validation and verification.

Some of Thiessmeier’s career highlights include working on the largest gaming console launch in history – he was manager of consumer services technology with Sony PlayStation during the PS4 launch – while at the same time participating in a major customer relationship management (CRM) implementation that automated consumer service processes.

“During that time I was not only allowed to lead several teams of incredibly smart and caring individuals, but also designed and ran the ‘war room’ used to manage that console launch,” he said. “Thanks to everyone involved, the launch was a great success and beat our expectations.”

Going forward, Thiessmeier intends to learn more about penetration testing. Fitting his overarching approach, that objective isn’t for personal gain as much as to continue deepening his broad-based reservoir of knowledge.

“I do not plan on being a penetration tester at this point in my career, but I want to make sure that I am in the best position to empower them in their day-to-day duties,” he said.

Aside from his traditional career interests, Thiessmeier volunteers for Team Rubicon, an organization that provides disaster response and veteran integration services.

“The moment you see a community that went through a horrible disaster pull together and come out of it closer than ever – no words can describe that,” Thiessmeier said.

[ISACA Now Blog]

Traps Sniffs Out Ursnif Banking Trojan

Ursnif (a.k.a. Gozi), the well-known banking Trojan, continues to target millions of users around the world. Unit 42 recently published a breakdown of the distribution networks used to deploy banking Trojans like Ursnif, specifically targeting Japan and several European nations. With its malware-analysis evasion techniques, Ursnif has proven difficult for traditional security tools to detect.

How Does It Work?

Ursnif has used two primary delivery methods: malspam and exploit kits.

Most recently, Ursnif has been using malspam (emails carrying malicious attachments) to target users in Japan. The attachment contains a JavaScript downloader that fetches Ursnif from a remote site and executes it on the user's machine. Other Ursnif malspam campaigns have used password-protected Office document attachments, a technique that minimises detection by automated analysis tools, which cannot open the document without the password. The body of the email supplies that password, which also increases the email's appearance of legitimacy. When the victim opens the attachment, the system is infected, communication with a command-and-control (C2) server is established, and the C2 server periodically sends commands such as installing additional threats.
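Two of the malspam characteristics described above (script attachments, and password-protected Office documents whose password sits in the mail body) can be flagged at the mail gateway before any sandbox runs. The following is an added example, not code from Palo Alto Networks or Unit 42. The message it triages is constructed for the example, and the encrypted-Office check is a byte-level heuristic (the OLE2 compound-file magic plus the UTF-16LE "EncryptedPackage" stream name that encrypted OOXML files carry), not a full compound-file parser such as olefile.

```python
"""Mail-attachment triage for the Ursnif malspam patterns described in the text.

Added example (not vendor code). Assumptions, labelled:
- build_sample_message() is a constructed lure; its attachments are inert placeholders.
- is_encrypted_office() is a byte heuristic, not a real OLE2/CFB parse.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Script extensions Windows will happily execute on double-click (WSH / mshta).
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta")
# OLE2 compound-file header; encrypted .docx/.xlsx are wrapped in this container.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Directory-entry names inside OLE2 are stored as UTF-16LE.
ENCRYPTED_STREAM = "EncryptedPackage".encode("utf-16-le")
# "password is X" / "password: X" phrasing typical of lures that ship the key in the body.
PASSWORD_HINT = re.compile(r"\b(?:password|passcode|pass)\b\s*(?:is|:)?\s*\S+", re.IGNORECASE)


def is_encrypted_office(data: bytes) -> bool:
    """Heuristic: OLE2 container that names an EncryptedPackage stream."""
    return data.startswith(OLE2_MAGIC) and ENCRYPTED_STREAM in data


def triage(raw: bytes) -> list:
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body else ""
    password_in_body = bool(PASSWORD_HINT.search(body_text))

    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(SCRIPT_EXTENSIONS):
            findings.append(f"script attachment: {name}")
        if is_encrypted_office(payload):
            if password_in_body:
                findings.append(f"encrypted Office document with password in body: {name}")
            else:
                findings.append(f"encrypted Office document: {name}")
    return findings


def build_sample_message() -> bytes:
    """Constructed lure in the shape the text describes (assumption: not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice 2017-03"
    msg.set_content("Please see the attached documents. The password is Inv0ice2017.")
    # Placeholder standing in for a JavaScript downloader; contains no download logic.
    msg.add_attachment(b"// placeholder, not a real downloader\n",
                       maintype="application", subtype="javascript", filename="invoice.js")
    # Just enough bytes to look like an encrypted Office file to the heuristic above.
    fake_doc = OLE2_MAGIC + b"\x00" * 64 + ENCRYPTED_STREAM + b"\x00" * 64
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="statement.doc")
    return bytes(msg)


if __name__ == "__main__":
    for finding in triage(build_sample_message()):
        print(finding)
```

In production the same two checks would run on the gateway's attachment stream and feed a quarantine or a "detonate with supplied password" rule, since a sandbox that cannot open the document learns nothing from it; a legitimate encrypted invoice with its password in the same message is rare enough that the combination is a reasonable block-and-review signal.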

Ursnif has also been delivered via the RIG exploit kit. When a victim visits a compromised website, they are redirected to the RIG landing page, where the kit profiles the victim's system to determine which exploit is most likely to succeed, delivers that exploit to compromise the victim's browser, and drops the malicious payload onto the victim's machine.

In both cases, the malicious payload can detect malware analysis tools and check for virtualization. If it determines that it is running in an analysis environment, the payload refrains from malicious activity, making it challenging to detect.

Why Is It Unique?

Ursnif is a widespread, evolving threat that deploys multiple features through multiple attack vectors. Newer versions allow attackers to steal browsing data such as banking and credit card information, capture passwords via screenshots and keylogging, execute arbitrary second-stage payloads, infect additional files to spread to other machines, and communicate peer-to-peer between Ursnif instances on the same network.

How Do You Stop It?

Palo Alto Networks Traps uses a multi-method approach to malware and exploit prevention that blocks threats like Ursnif, regardless of whether they are delivered via exploit kits or malspam.

Traps examines macros in Microsoft Office files as the files are opened, performing local checks to determine whether the macros are malicious. If a macro is malicious, it is prevented from executing. If its verdict is unknown, the file containing the macro is examined by local analysis via machine learning, in which Traps examines various file characteristics to determine whether the macro is malicious or benign; the model is trained on threat intelligence from WildFire to detect malware, including never-before-seen variants. Additionally, if configured to do so, Traps will automatically send the file containing the macro to WildFire for a series of checks, including static, dynamic and bare-metal analysis (full execution on physical hardware, which defeats the virtualization checks described above), to identify even the most evasive threats, like Ursnif.

To prevent exploits, Traps focuses on the techniques used by all exploit-based attacks, which rarely change. Traps also prevents attackers from identifying and targeting vulnerable endpoints by blocking the profiling attempts used by exploit kits, via its Exploit Kit Fingerprinting Protection exploitation prevention module.

By focusing on the core exploitation techniques and blocking profiling attempts used by exploits, Traps can prevent exploits as soon as they are attempted and before an endpoint can be compromised.

Learn more about Traps' multi-method approach to malware and exploit prevention.

[Palo Alto Networks Research Center]
