
Bridging the Security Skills Gap

Posted by Rob Ayoub on May 17, 2011 8:57:26 AM

What do the royal newlyweds and IT have in common? Both need a large number of qualified security professionals to guard the castle--and enterprises are falling behind.

 

At the recent royal wedding, the world watched, and thousands of Britons and tourists turned out to witness the live event, which was very well secured. News reports indicated that more than 5,000 police were in attendance to ensure the security of the royal family, global dignitaries and spectators.

 

Now imagine for a moment that instead of 5,000 professional police, the security force was composed of 5,000 people who worked in security in addition to their primary job. Say, for example, that the royal family and world dignitaries were defended by factory workers, doctors, accountants, lawyers or other professionals. Seems silly, doesn’t it? And yet, many organizations treat IT security as a second job for their staff, or they put staff in charge of operations without sufficient training. This results in added risk for the enterprise, employees, information and clients.

 

As security threats heighten, it’s clearly time for staffing to keep pace and for the gap between needs and skills to be addressed. Organizations must elevate the role of information security professionals and put sufficient support and resources at their royal gates.

 

The Changing Threat Landscape

 

I have been the lead analyst for the (ISC)² Global Information Security Workforce Study (GISWS) since 2007 and have seen many changes both in technology and the threats to organizations during that time. In 2007, the primary threat to organizations consisted of viruses and worms. This year, more than 10,000 information security professionals from more than 120 countries responded to our survey and reported new vectors that criminals were using to attack.


[Bar chart: Information Security Professionals’ Top Concerns, 2011]

 

As shown in the bar chart above, application vulnerabilities, mobile devices, and traditional virus and worm attacks keep information security professionals up at night.

 

The Skills Gap

 

Information security professionals are on the front lines when it comes to data protection. They are tasked with securing the organization’s systems even as end users bring in new devices and applications and move corporate data into the cloud. And yet, our research indicates that in the next several years there is likely to be a severe gap in skill sets industrywide. Information security professionals are stretched thin, and like a series of small leaks in a dam, the current workforce may show signs of strain.

 

For example, nearly 75 percent of respondents indicated that new skills were needed to meet the demand for cloud computing. Of that group, an overwhelming 92 percent indicated that security professionals needed a more detailed understanding of cloud computing. In another question, mobile devices were ranked as the second highest threat for the organization despite the fact that more than 60 percent of respondents said they had controls in place to defend the mobile workforce.

 

Ironically, these challenges are creating healthy growth in the sector. Frost & Sullivan estimates that the number of information security professionals worldwide in 2010 was approximately 2.28 million. This figure is expected to increase to almost 4.24 million by 2015, displaying a compound annual growth rate (CAGR) of 13.2 percent from 2010 to 2015.

 

The chart below reflects these findings, based on our observations of staffing behavior during the past 12 months and from our primary research on organizations’ intentions to increase their information security budgets, including staffing.

 

2010-2015 Forecast for Information Security Professionals

 

 


Region      2010        2011        2012        2013        2014        2015        2010-2015 CAGR
Americas      920,845   1,058,972   1,214,641   1,393,193   1,570,128   1,785,236   14.2%
EMEA          617,271     703,689     796,576     897,741   1,014,448   1,148,355   13.2%
APAC          748,348     830,666     924,531   1,038,248   1,168,029   1,310,529   11.9%
Total       2,286,464   2,593,327   2,935,748   3,329,183   3,752,605   4,244,120   13.2%

 

 

The 2011 GISWS clearly illustrates the concerns held by information security professionals in a variety of areas. As I noted above, it is well known that many organizations expect IT professionals to also wear the security practitioner hat. This is a corporate mindset that cannot change overnight; budgets and spending will have to open up and a change in corporate culture has to occur.

 

What can an organization do in the meantime?

 

Organizations can take three key steps to foster a culture of security and eventually build the role of information security professional.

  1. Enlist upper-management support. Without support from the top, security initiatives are doomed to fail.
  2. Raise end-user awareness. By raising the awareness of end users, organizations can begin to solve the problem from the inside out.
  3. Create a specialization and an interest in security for the existing staff. By assigning security tasks to interested professionals, an organization can organically build its dedicated information security workforce from within.

 

Given the challenging economic times, organizations are hesitant to spend money on new positions unless absolutely necessary. However, as cyber-risks increase, it is imperative that information security be given top priority. Organizations willing to take even small steps toward training and building a strong information security workforce will see the benefits in the form of lowered risk to their data and to their customers’ information.

 

 

Robert Ayoub, CISSP, is Global Program Director of Network Security and Information & Communication Technologies at Frost & Sullivan. He is a member of Smart Enterprise Exchange and can be reached on the site.

 

 

