International security consortium ISC2 has said that the cloud is becoming something of a saviour for enterprises and security workers struggling with technology sprawl and a skills shortage.
However, the 2015 ISC2 Global Information Security Workforce Study (PDF) found that short-handed technology teams are throwing money at security solutions when what they really need is a well-resourced and maintained internal system of their own.
“In a bit of a dichotomy, cloud adoption relieves in-house security professionals of certain security operations that are entrusted to the cloud providers,” the report said.
“But lingering concerns about security in cloud environments contribute to the need for in-house security professionals to invest in cloud security education and training, and be active in managing security and compliance in cloud environments.”
Too much technology and too little direct control have created a system that is difficult to manage, and this leads to problems, according to the study.
ISC2 has a number of recommendations and warnings for the industry, including that the time taken to remediate an attack or data compromise is getting longer, and that phishing is the hackers’ current weapon of choice.
Training is needed in cloud computing, according to the report, and it is a common lack of in-house skills that is pushing firms into outsourcing key elements of their defences.
Staff churn is also a problem because workers are likely to leave unless they are offered training or the chance to gain professional security qualifications.
“This year’s workforce study validates the increasing reliance of the information security programme on IT departments and other business units,” said David Shearer, executive director at ISC2.
“Information security is an organisation-wide responsibility that requires a holistic commitment, execution and sustainment strategy.
“Year after year, the study has shown a workforce shortage. But now we’re finding that the shortage is being compounded with configuration mistakes and oversights that can be detrimental to the security posture of global businesses.”