Getting Beyond the hype – Middle East insights from GISWS
Dr. Adrian Davis, CISSP
Managing Director EMEA, (ISC)2
Growing Influence in the Middle East
• Members work for major corporations & governments – Oil & Gas, Finance, Healthcare, Tech
• Safe and Secure Online Internet Safety
• Annual Secure Summit
• Advisory Council – CISO roundtables, working groups
• 8th Bi-annual study, first released in 2004 – Developed by the Center for Cyber Safety and Education in partnership with Frost & Sullivan
• 19,600 - 12,300 were (ISC)2 members and 7,300 were non-members surveyed June 2016 – August 2016
• 518 Middle East; 330 GCC; 149 UAE
Global Information Security Workforce Study
Varied Reports
• Feedback from professionals regarding certification, training and educational requirements
• Track trends/issues as seen by practicing professionals
• Understand potential gaps in organisational security and workforce requirements
• 518 Middle East - 330 GCC; 149 UAE
Three questions for today
• What are the hot topics?
• Are they what really matters?
• How do we move forward?
Losing ground
60% or more report worsening position for Security Incidents:
• Having systems in place
• Ability to discover a Breach
• Ability to Recover
Time to discover and recover
[Two bar charts, "Discover" and "Recover", percentage axis; time bands shown: Immediately; Less than half a day; Within one day; Two to seven days; Eight to twenty days; Three to five weeks; Six weeks or more; Don't know]
Top concerns: ransomware/data exposure
[Chart: axis 0% to 100%; legend includes No concern at all, Low concern, Medium concern]
Does experience match concern?
[Chart: axis 0% to 100%; legend includes Very uncommon, Somewhat uncommon, Neither common nor uncommon]
Trends driving risk/false sense of security
• Over reliance on tech solutions
• Consumer trust in big brands
• Component; device-centric security
• Cyber insurance for day to day issues
• Volumes of exploitable IoT traffic flooding infrastructures – healthcare, smart cities
• Automated cybercrime; competitive crime groups
Trends impacting security strategy
[Stacked bar chart: axis 0% to 100%. Categories: The move to cloud and application driven services; Roll out of new systems or applications; More hostile threat landscape; Protecting our IP; Changing legislative landscape; Reactions to past breaches; Mobile, telecommuting, and collaborative work practices; BYOD/A Security Aware Management; New product developments such as IoT or robotics. Legend: Prefer not to answer; Not at all important; Somewhat unimportant; Neither important nor unimportant; Somewhat important; Very important]
Professionals Struggling to Gain Security Oversight
Attacks attributed to known vulnerabilities
• 31% don’t know
• Only 5% say all
• Only 19% said more than half
• 10% said about half
• 22% said less than half
• 12% said none
That doesn’t mean we aren’t improving
• 63% say security posture is better than a year ago
• Improved security awareness
• Assessment of threats/risks
• Higher spending
But it’s not enough…
[Bar chart, axis 0% to 90%, with the categories:]
• Not enough qualified professionals available
• Security awareness is still too low
• Inadequate funding for security initiatives
• Poor understanding of risk management within government
• Inability to keep pace with threats
• Ineffective security guidance or standards
Mind the GAP
The recruitment challenge in cyber & information security
Job Market Concerns
• Global workforce gap up from 1.5 to 1.8 million by 2022.
• Unemployment tightening: 2% (4% in 2012); 84% ME are permanent employees.
• High churn in ME: 21% changed jobs while still employed (Global 18%; Europe 16%)
• Higher for under 29s: 32% (28% global; 30% Europe)
• 62% of ME respondents report too few skilled people today!
• Salaries rising – 60% ME salary increase; 15% higher than 10%
Workforce Profile
• 518 Middle East
• 330 GCC
• 149 UAE
Roles in the ME
• Managers & Strategists – 34% (13% report to BoD)
• Builders – 15%
• Operators – 10%
• IT Focus – 10%
Demographics
• Younger than global average - 11% in ME under 29
• Top 3 Employers:
• Consultancy (27%)
• Finance (20%)
• Government (10%)
• Large organisations (> 10,000 employees) make up 23% of employers
• 95% male
[Pie chart of age bands; labels as extracted: Under 29, 30 - 34, Over 40, Other; values as extracted: 11%, 27%, 39%, 23%]
Characteristics
• 50% over 10 yrs experience
• 95% university; 39% masters
• 86% worked in IT previously
• 50% comp sci; 33% engineering degrees
• 19% non comp sci or engineering degrees
• Varied professional affiliations
40% information security professionals; 19% security consultants; 13% IT professionals; 11% cybersecurity or risk; Engineers, auditing, IA, software, data privacy …
Market indicators
Spending, hiring, training,
Spending on the Rise
[Chart: axis 0% to 120%; labels include Don't know, Remain the same]
Significant Team Growth
59% hiring managers in ME sample; 22% adding at least 20% to teams
Rising Investment in Training
• 50% received more training than in the previous 12 months/only 15% decreased
• 60% (62% UAE) expected an increase in the next 12 months
• 43% say their organizations do not provide adequate professional and training for their infosec workforce (compared to 33%/37% Europe/Global)
[Bar chart: axis 0% to 60%. Categories: Cloud Computing and Security; Governance, risk management, and compliance (GRC); Risk assessment and management; Incident investigation and response; Virtualization; InfoSystems and security operations management]
Talent Pool Not Growing With Need
• 15% non-managerial
• 17% entry level
Why the Gaps
[Chart; data labels as extracted: 47%, 23%; 46%, 22%; 46%, 22%; 34%, 16%; 31%, 15%; 3%, 2%. Visible categories: It is difficult to find the qualified personnel we require; Business conditions can't support additional personnel at this time]
Feeling the Impact
• At least 50% say shortage significantly impacts each of:
• Infosec workforce
• Number of breaches
• Organisation as a whole
• Customers
Job Market Barriers
Myths, priorities, habits
Limited Understanding
• Over reliance on the technical concepts that are easy to understand
• Dominance of ‘buy-in rather than train culture’
• Lack of Maturity
• No clear routes to join
• Difficult to assess raw talent
• Churn creates disincentive to train
Mismatch of priorities – Global
[Bar chart "Millennials"; labels as extracted: Cloud Computing…, Risk assessment and…, GRC, InfoSystems and…, Incident…, Data centric…, Communications skills, Analytical Skills; values as extracted: 54%, 45%, 39%, 35%, 34%, 31%, 31%, 28%]
[Bar chart "Hiring Managers"; labels as extracted: Communications skills, Analytical Skills, Risk assessment and…, Cloud Computing and…, InfoSystems and…, Platform or technology…, GRC, Data centric approaches; values as extracted: 66%, 59%, 46%, 38%, 37%, 35%, 34%, 30%]
New Thinking Needed
94% Middle East!
[Chart "Where recruiting": axis 0% to 70%]
New Thinking
talent, incentives, and more
Untapped Talent
11% under 29 years
Only 5% are female
16% non-IT background
Young workers value
• Gravitating away from traditional hierarchy
• Perks over pay
• Mentoring & Leadership
• Training & prof certs
• Flexibility & job diversity
21% millennials aspire to primary role as consultant
Gender Wage Gap – Growing
Widest at operational levels
Support works
Behavior & choice rather than policy leads to inequity
Technical expertise not prerequisite
• Expand recruitment horizon
• Recognize dominance of ‘buy-in rather than train culture’
• Remove barriers to entry, inequities and develop support programs
• Sell the profession - communicate true requirements and opportunity – not just the technical
• Demystify the technical – it is more accessible than many think
Call to Action
Experience can no longer be core criteria
Answering the call to action
• New routes to join - International Academic Programme; apprenticeships
• Associate Programme – one of the fastest growing classes of membership in Europe
• Chapters welcoming newcomers
• Scholarships/commitment to continued research
• Showcasing talent