(ISC)2 2013 Global Workforce Study U.S. Government Results May 7, 2013



GLOBAL Study: Research Background and Objectives

Background

The information security profession is undergoing dramatic shifts as a result of a constantly changing regulatory environment and increasingly sophisticated and emerging new threats. (ISC)2 has committed itself to maintaining its leadership role and growing its membership base.

Study Objectives

• Provide insights into the makeup of the information security workforce including demographics, job functions/roles/responsibilities, size/gaps, future demand for workers and the value of certification

• Identify trends and issues related to information security from both member and non-member security professionals.


Methods: (ISC)2 Survey

• Conducted using an online web-based survey using the (ISC)2 membership list.

• Email invitations to complete the survey were sent out to survey participants during the fall of 2012.

• A total of 12,396 respondents were surveyed during the fall of 2012 by Frost & Sullivan, of whom approximately 16% (1,931 respondents) were from the U.S. Government.

• U.S. Government respondents are currently employed directly by government agencies (federal and state/local), contractor organizations or independent consultants.


Methods: U.S. Government Breakdown

A total of 1,931 respondents from the U.S. government were surveyed during the fall of 2012 by Frost & Sullivan. The table below shows the U.S. government breakdown.

Number of respondents:
• U.S. Government: 1931
• U.S. Federal Government: 1612
• U.S. State/Local Government: 251
• U.S. Government Contractors: 763
• U.S. Government Non-Contractors: 1100
• U.S. Government “Other*”: 68

Note regarding U.S. government data segmentation: “Other” is defined as respondents who support government initiatives but who would not classify their organization as Government.


Respondent Profile

U.S. government respondents were characterized by the following:

• Highly educated, with nearly half holding Bachelor’s degrees and more than a third holding Master’s or equivalent

• Highly experienced with nearly half having been actively involved with information or IT security for 15 years or more

• Predominately male (85%)

• Nearly three quarters (72%) of the U.S. government information security workforce are 40 years of age or older.


Workforce and Career Data


U.S. Government: Assessment of Performance Under Attack Scenarios

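Being prepared for a security incident
• U.S. Government: perform worse 6%, perform the same 54%, perform better 40%
• U.S. Federal Government: perform worse 6%, perform the same 54%, perform better 40%
• U.S. State/Local Government: perform worse 7%, perform the same 59%, perform better 35%

Discovering a security breach
• U.S. Government: perform worse 6%, perform the same 54%, perform better 39%
• U.S. Federal Government: perform worse 6%, perform the same 54%, perform better 40%
• U.S. State/Local Government: perform worse 6%, perform the same 61%, perform better 33%

Recovering from a security incident
• U.S. Government: perform worse 6%, perform the same 55%, perform better 39%
• U.S. Federal Government: perform worse 6%, perform the same 56%, perform better 38%
• U.S. State/Local Government: perform worse 6%, perform the same 57%, perform better 37%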

Base: Filtered 2012 respondents (n=1931). Q27. Compared to a year ago, please indicate how your organization would perform if its systems or data were compromised by a targeted attack?

Approximately half of U.S. government respondents assess that their agency would perform the same today under attack scenarios as a year ago, while approximately 40 percent report their agency would perform better.


U.S. Government: Activities of Security Professionals (Top Five)

Activities of Security Professionals
Values are listed in the order: U.S. Government; U.S. Federal Government; U.S. State/Local Government.
• Governance, risk m...: 66%; 68%; 53%
• Security management: 45%; 45%; 45%
• Provide advice on se...: 44%; 45%; 40%
• Security operations: 45%; 45%; 45%
• Researching new te...: 34%; 31%; 51%

Q9a. Which of the following activities consumes a significant amount of your time? Please select all that apply to you.

More than half of U.S. government respondents’ time is occupied with GRC—regardless of the agency. Notably, researching new technologies is significantly more prevalent among U.S. state/local agencies than federal.

Activities of Security Professionals
Values are listed in the order: U.S. Government; U.S. Government Contractors; U.S. Government Non-contractors.
• Governance, risk m...: 66%; 65%; 67%
• Security management: 45%; 39%; 49%
• Provide advice on se...: 44%; 48%; 41%
• Security operations: 45%; 46%; 44%
• Researching new te...: 34%; 33%; 35%

Base: Filtered 2012 respondents (n=1931).


U.S. Government: Average Annual Salary

Average Annual Salary (in USD)
• U.S. Government: $104,081
• U.S. Federal Government: $106,430
• U.S. State/Local Government: $86,394

Q48. Which of the following includes your current annual salary in U.S. dollars before taxes?

U.S. government contractors have the highest annual salaries among information security workers in the U.S. government.

Average Annual Salary (in USD)
• U.S. Government: $104,081
• U.S. Government Contractors: $113,676
• U.S. Government Non-contractors: $96,832

Base: Filtered 2012 respondents (n=1931).


U.S. Private Enterprise: Average Annual Salary

Q48. Which of the following includes your current annual salary in U.S. dollars before taxes?

U.S. private enterprise salaries appear to be moving ahead of U.S. government salaries, likely due to U.S. government budgetary constraints under approximately 3 years of continuing resolution.

Average Annual Salary (in USD)
• U.S. Private Enterprises: $111,376
• U.S. Banking/Insurance/Finance: $110,029
• U.S. Education: $84,899
• U.S. Healthcare: $103,707
• U.S. Information Technology: $119,453
• U.S. Telecom & Media: $117,148

Base: Filtered 2012 respondents (n=4416).

U.S. Government: $104,081


U.S. Government: Changes in Security Training and Education Received

Changes within Past Year of Security Training and Education Received
• U.S. Government: increased 37%, remained the same 45%, decreased 17%
• U.S. Federal Government: increased 38%, remained the same 45%, decreased 16%
• U.S. State/Local Government: increased 33%, remained the same 47%, decreased 18%

Note: proportions less than five not shown numerically in chart.

Q15a. In the past 12 months has the amount of information security training and education you received increased, decreased, or remained the same?

Q15b. Over the next 12 months do you expect the amount of information security training and education you receive to increase, decrease, or remain the same?

Anticipated Changes within Next Year of Security Training and Education to be Received
• U.S. Government: increase 42%, remain the same 44%, decrease 11%
• U.S. Federal Government: increase 42%, remain the same 44%, decrease 11%
• U.S. State/Local Government: increase 43%, remain the same 45%, decrease 8%

Nearly half of U.S. government respondents received the same amount of training in the recent past, and nearly half expect an increase in the near future. Note: This question was asked prior to the 2013 Sequester taking place when personnel were likely not anticipating an impact.

Base: Filtered 2012 respondents (n=1931).


U.S. Government Areas Demanding Training and Education (Top 10)

Cloud computing, information risk management and mobile/BYOD are the areas of training and education most in demand by U.S. government respondents, both in federal and state/local agencies. U.S. government contractor personnel identify the same key areas of training and education most in demand as their non-contractor counterparts.

Q22. In which areas of information security do you see growing demand for training and education? Select as many as apply.

Areas Demanding Training and Education (Top 10)
Values are listed in the order: U.S. Government; U.S. Federal Government; U.S. State/Local Government.
• Cloud computing: 61%; 61%; 57%
• Information risk manage...: 50%; 50%; 50%
• Mobile device manage...: 48%; 47%; 54%
• Bring-your-own-device ...: 48%; 46%; 63%
• Incident response: 44%; 45%; 44%
• Certification and accredit...: 41%; 44%; 24%
• End-user security aware...: 41%; 39%; 47%
• Forensics: 39%; 39%; 39%
• Access control systems...: 36%; 36%; 39%
• Telecommunications and ...: 36%; 36%; 38%

Base: Filtered 2012 respondents (n=1931).


U.S. Government Assessment of the Right Number of Employees

The majority of U.S. government respondents believe there are too few information security workers in their agency.

Q23a. To the best of your knowledge, would you say that your organization currently has the right number of information security workers, too few, or too many?

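Assessment of the Right Number of Employees
• U.S. Government: too many 2%, the right number 28%, too few 61%, don't know 9%
• U.S. Federal Government: too many 3%, the right number 29%, too few 60%, don't know 9%
• U.S. State/Local Government: too many 1%, the right number 24%, too few 71%, don't know 4%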

Base: Filtered 2012 respondents (n=1931).


U.S. Government Shortages by Job Titles (Top 10)

Q23b. Of which of the following job titles or categories are there currently not enough of within your organization?

Shortages by Job Titles (Top 10)
Values are listed in the order: U.S. Government; U.S. Federal Government; U.S. State/Local Government.
• Security analyst: 48%; 46%; 57%
• Security engineer...: 39%; 38%; 40%
• Security auditor: 34%; 34%; 37%
• Security systems ...: 33%; 33%; 33%
• Security tester: 31%; 32%; 33%
• Security engineer ...: 30%; 30%; 30%
• Web security: 26%; 25%; 33%
• Security architect ...: 24%; 23%; 26%
• Security engineer ...: 23%; 23%; 24%
• Security architect ...: 16%; 16%; 18%

Base: Filtered 2012 respondents (n=1176).

The Security Analyst job title is the highest in demand. Three of the top ten job titles in demand are in Security Engineering (planning/design, applications, platform), indicating a growing understanding of the need to include security in the planning, design and development of information security systems and processes and in the development of new applications.


U.S. Government Reasons for Shortages

Over half of the U.S. government respondents believe the greatest reason their agency has too few information security workers is that business conditions can’t support additional personnel at this time, a reason cited more often than the difficulty in finding qualified personnel and funding challenges.

Q23c. What are all of the reasons that your organization has too few information security workers?

Reasons for Shortages
Values are listed in the order: U.S. Government; U.S. Federal Government; U.S. State/Local Government.
• Business conditions can't support additional personnel at this time: 61%; 58%; 72%
• Leadership in our organization has insufficient understanding of the requirement for information security: 42%; 40%; 54%
• It is difficult to find the qualified personnel we require: 40%; 42%; 27%
• Money/Cost/Budget: 3%; 3%; 3%
• Lack of funding/Federal funding: 3%; 3%; 2%

Base: Filtered 2012 respondents (n=1176).


U.S. Government Impact of Shortages

U.S. government respondents who believe the personnel shortage has caused a significant impact believe the impact has been the greatest on the existing workforce and overall organization, with the impact on customers and security breaches not far behind.

Q23d. What is the impact of the shortage of information security workers on each of the following?

Impact of Shortages (Very Great Impact and Great Impact)
Values are listed in the order: U.S. Government; U.S. Federal Government; U.S. State/Local Government.
• On the organization overall: 61%; 60%; 67%
• On the existing information security workforce: 76%; 76%; 77%
• On customers: 54%; 56%; 47%
• On security breaches: 55%; 54%; 60%

Base: Filtered 2012 respondents (n=1176).


U.S. Government: Sources of New Hires

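Sources of New Hires (chart; category labels are not present in the chart text, values are in chart order)
• U.S. Government: 23%, 20%, 20%, 14%, 12%, 8%, 4%
• U.S. Federal Government: 22%, 22%, 19%, 14%, 12%, 8%, 4%
• U.S. State/Local Government: 30%, 8%, 25%, 17%, 7%, 11%, 3%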

Base: Filtered 2012 respondents (n=1863).

G1a. What proportion of new hires will come from each of the following?

The top three sources of new hires for U.S. government are internal, military veterans, and the private sector.


U.S. Government: Important Factors for Hiring

Important Factors for Hiring (Very Important and Important)
Values are listed in the order: U.S. Government; U.S. Federal Government; U.S. State/Local Government.
• The candidate has information security certifications: 82%; 85%; 72%
• The candidate has an information security or related degree: 53%; 56%; 45%

Q19b. When making hiring decisions for information security staff how important is each of the following?

Of the 300+ U.S. government respondents responsible for hiring information security staff, approximately 80% consider security certifications very important when making hiring decisions for information security staff, while half consider information security or related degrees to be important.

Base: Filtered 2012 respondents (n=318).


U.S. Government: Important Factors in Securing Organizations’ Infrastructure

Important Factors in Securing Organizations’ Infrastructure (Extremely Important and Important) (chart; category labels are not present in the chart text, values are in chart order)
• U.S. Government: 87%, 70%, 56%, 55%, 54%, 41%
• U.S. Federal Government: 87%, 69%, 57%, 54%, 53%, 41%
• U.S. State/Local Government: 87%, 72%, 49%, 63%, 61%, 39%

Base: Filtered 2012 respondents (n=1863).

G7. How would you rate the importance of each of the following in effectively securing your organization's infrastructure?

Nearly all of the U.S. government respondents agree that hiring and retaining qualified information security professionals is the most important factor in effectively securing their organization's infrastructure.