July 09, 2012, 1:49 PM — There are about 2.2 million people working as information security professionals today, says Hord Tipton, executive officer for security education and credentialing organization (ISC)2 and former CIO of the U.S. Department of the Interior. That number is expected to grow to 4.25 million by 2015, assuming there are enough skilled security professionals to meet demand.
Finding enough IT staff with security expertise is already difficult for organizations of all sizes. In a study released earlier this year, IT industry association CompTIA found that 41% of organizations reported moderate or significant deficiencies in security expertise among IT staff. On average, CompTIA says, organizations were about 30% below the headcount they wanted devoted to security.
And according to the U.S. Bureau of Labor Statistics (BLS), which added Information Security Analyst as an occupational category in 2011, the unemployment rate in that category stands at 0%.
"The demand for security people in organizations will be even higher," Tipton says. To meet the demand requires a multipronged approach in which not just (ISC)2 and security professionals but businesses and their executives have an important role, Tipton explains.
Write More Secure Code
One important preventive step businesses can take to ease the pressure is to make sure developers write more secure code in the first place. "Why are companies still producing software with vulnerabilities?" Tipton asks. "Why do we have to keep patching it?"
The answer, Tipton says, is that executives need to prioritize writing secure code up front and make sure that developers are trained to do it. Additionally, organizations need to revise their development lifecycle so that security professionals have a seat at the table when project requirements are determined, not after.
"The business looks for functionality, user friendliness," Tipton says. "Security is an afterthought. People that are in the security portion of a company have a difficult time getting their recommendations in after the requirements are already set."
SQL Injection Still Highest Root Cause of Data Breaches
A study by research firm the Ponemon Institute of more than 800 IT security and development professionals earlier this year found that most organizations don't prioritize application security as a discipline, despite the fact that SQL injection attacks were the leading root cause of data breaches. The second most common root cause was exploited vulnerable code in Web 2.0 and social media applications. These types of attacks have been around for years and, in most cases, are relatively easy to defend against.
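To make concrete why SQL injection is both common and easy to prevent, here is an added example (not code from the article or from Ponemon) using Python's standard sqlite3 module against a constructed in-memory users table. The vulnerable lookup splices the username into the query text; the safe lookup passes it as a bound parameter. The same attacker input yields every row (or the schema, via UNION) from the first and nothing from the second. The table contents, the function names and the payloads are all assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demo; not from any real system.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("bob", "bob@example.com"),
            ("carol", "carol@example.com"),
        ],
    )
    return conn


def find_user_vulnerable(conn, username):
    # The classic bug: untrusted input is pasted into the SQL text, so the
    # database parses attacker-controlled characters as part of the statement.
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # Parameterized query: the statement is fixed and the value travels
    # separately, so whatever the user typed is compared as data, never parsed.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    conn = make_db()
    # Tautology payload: turns the WHERE clause into "'' OR '1'='1'".
    tautology = "' OR '1'='1"
    # UNION payload: appends a second SELECT that reads the schema catalogue;
    # the trailing "--" comments out the closing quote the query would add.
    union = "' UNION SELECT name, sql FROM sqlite_master --"
    return {
        "vulnerable_tautology": find_user_vulnerable(conn, tautology),
        "vulnerable_union": find_user_vulnerable(conn, union),
        "safe_tautology": find_user_safe(conn, tautology),
        "safe_union": find_user_safe(conn, union),
        "legit": find_user_safe(conn, "bob"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The fix is the single line change from `%` formatting to a `?` placeholder with a parameter tuple; every mainstream database driver and ORM offers the same mechanism, which is why the text can call these attacks easy to defend against.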