Presentation Transcript

1. (ISC)2 2013 Global Workforce Study U.S. Government Results May 7, 2013
2. GLOBAL Study: Research Background and Objectives Background The information security profession is undergoing dramatic shifts as a result of constantly changing regulatory environment and increasingly sophisticated and emerging new threats. (ISC)2 has committed itself to maintaining its leadership role and growing its membership base. Study Objectives Provide insights into the makeup of the information security workforce including demographics, job functions/roles/responsibilities, size/gaps, future demand for workers and the value of certification To identify trends and issues related to information security from both members and non-member security professionals.
3. Methods: (ISC)2 Survey Conducted using an online web-based survey using the (ISC)2membership list. Email invitations to complete the survey were sent out to survey participants during the fall of 2012. A total of 12,396 were surveyed during the fall of 2012 by Frost & Sullivan, of which approximately 16% (1,931 respondents) were from the U.S. Government. U.S. Government respondents are currently employed directly by government agencies (federal and state/local), contractor organizations or independent consultants.
4. Methods: U.S. Government Breakdown A total of 1,931 from the U.S. government were surveyed during the fall of 2012 by Frost & Sullivan. The table below shows the U.S. government breakdown. Number of respondents Note regarding U.S. government data segmentation: “Other” is defined as respondents who support government initiatives but who would not classify their organization as Government.
5. Respondent Profile U.S. government respondents were characterized by the following: Highly educated with nearly half holding Bachelor degrees and more than a third holding Master’s or equivalent Highly experienced with nearly half having been actively involved with information or IT security for 15 years or more Predominately male (85%) Nearly three quarters (72%) of the U.S. government information security workforce are 40 years of age or older.
6. Workforce and Career Data
7. U.S. Government: Assessment of Performance Under Attack Scenarios Approximately half of U.S. government respondents assess that their agency would perform the same today under attack scenarios than a year ago, while approximately 40 percent report their agency would perform better. Q27. Compared to a year ago, please indicate how your organization would perform if its systems or data were compromised by a targeted attack? Base: Filtered 2012 respondents (n=1931).
8. U.S. Government: Activities of Security Professionals (Top Five) Q9a. Which of the following activities consumes a significant amount of your time? Please select all that apply to you. More than half of U.S. government respondents’ time is occupied with GRC—regardless of the agency. Notably, researching new technologies is significantly more prevalent among U.S. state/ local agencies than federal. Base: Filtered 2012 respondents (n=1931). Base: Filtered 2012 respondents (n=1931).
9. U.S. Government: Average Annual Salary Q48. Which of the following includes your current annual salary in U.S. dollars before taxes? U.S. government contractors have the highest annual salaries among information security workers in the U.S. government. Base: Filtered 2012 respondents (n=1931). Base: Filtered 2012 respondents (n=1931).
10. U.S. Private Enterprise: Average Annual Salary Q48. Which of the following includes your current annual salary in U.S. dollars before taxes? U.S. private enterprise salaries appear to be moving ahead of U.S. government salaries, likely due to U.S. government budgetary constraints under approximately 3 years of continuing resolution. U.S. Government $104,081 Base: Filtered 2012 respondents (n=4416).
11. U.S. Government: Changes in Security Training and Education Received Note: proportions less than five not shown numerically in chartQ15a. In the past 12 months has the amount of information security training and education you received increased, decreased, or remained the same? Q15b. Over the next 12 months do you expect the amount of information security training and education you receive to increase, decrease, or remain the same? Nearly half of U.S. government respondents received the same amount of training in the recent past, and nearly half expect an increase in the near future. Note: This question was asked prior to the 2013 Sequester taking place when personnel were likely not anticipating an impact. Base: Filtered 2012 respondents (n=1931). Base: Filtered 2012 respondents (n=1931).
12. Q22. In which areas of information security do you see growing demand for training and education? Select as many as apply. U.S. Government Areas Demanding Training and Education (Top 10) Cloud computing, information risk management and mobile/BYODare the areas of training and education most in demand by U. S. government respondents, both in federal and state/local agencies. U.S. government contractor personnel identify the same key areas of training and education most in demand as their non-contractor counterparts. Base: Filtered 2012 respondents (n=1931).
13. Q23a. To the best of your knowledge, would you say that your organization currently has the right number of information security workers, too few, or too many? U.S. Government Assessment of the Right Number of Employees The majority of U.S. government respondents believe there are too few information security workers in their agency. Base: Filtered 2012 respondents (n=1931).
14. Q23b. Of which of the following job titles or categories are there currently not enough of within your organization? U.S. Government Shortages by Job Titles (Top 10) The Security Analyst job title is the highest in demand. Three of the top ten job titles in demand are in Security Engineering (planning/design, applications, platform), indicating a growing understanding of the need to include security in the planning, design and development of information security systems and processes and in the development of new applications. Base: Filtered 2012 respondents (n=1176).
15. Q23c. What are all of the reasons that your organization has too few information security workers? U.S. Government Reasons for Shortages Over half of the U.S. government respondents believe the greatest reason their agency has too few information security workers is because business conditions can’t support additional personnel at this time which is greater than the difficulty in finding qualified personnel and funding challenges. Base: Filtered 2012 respondents (n=1176).
16. Q23d. What is the impact of the shortage of information security workers on each of the following? U.S. Government Impact of Shortages U.S. government respondents who believe the personnel shortage has caused a significant impact believe the impact has been the greatest on the existing workforce and overall organization, with the impact on customers and security breaches not far behind. Base: Filtered 2012 respondents (n=1176).
17. U.S. Government: Sources of New Hires Base: Filtered 2012 respondents (n=1863).G1a. What proportion of new hires will come from each of the following? The top three sources of new hires for U.S. government are internal, military veterans, and the private sector.
18. U.S. Government: Important Factors for Hiring Q19b. When making hiring decisions for information security staff how important is each of the following? Of the 300+ U.S. government respondents responsible for hiring information security staff, approximately 80% consider security certifications very important when making hiring decisions for information security staff, while half consider information security or related degrees to be important. Base: Filtered 2012 respondents (n=318).
19. U.S. Government: Important Factors in Securing Organizations’ Infrastructure Base: Filtered 2012 respondents (n=1863).G7. How would you rate the importance of each of the following in effectively securing your organization's infrastructure? Nearly all of the U.S. government respondents agree that hiring and retaining qualified information security professionals is the most important factor in effectively securing organization's infrastructure.