
The State of Security in 2024 – O’Reilly


In August 2024, we asked our customers to tell us about security: their role in security, their certifications, their concerns, and what their companies are doing to address those concerns. We had 1,322 complete responses, of which 419 (32%—roughly one-third) are members of a security team. 903 respondents aren’t on a security team, although 19% of that group hold at least one security-related certification. This report focuses primarily on the security team members, though we’ll look from time to time at the others; they also have valuable information about what their companies are doing.

Our goal was to understand the state of security: What challenges do security teams face? What projects are they building to defend their companies against cybercrime? And what kinds of expertise do they have or want to acquire?


Learn faster. Dig deeper. See farther.

Here’s a brief summary of our findings:

  • Phishing, network intrusion, and ransomware are the top security threats.
  • Most companies have implemented multifactor authentication, endpoint security, and zero trust.
  • Roughly half of all respondents work for companies that require security staff to hold one or more security certifications.
  • The most commonly required certifications are the CISSP and CompTIA Security+. These are also the most widely held and most desired certifications.
  • Cloud security and AI vulnerabilities are the biggest skills gaps.
  • Security professionals need to stay up-to-date by engaging in ongoing training, using online courses, books, and videos.

With any survey, it’s important to be aware of the biases. Are our customers typical of the security industry? Possibly; our customers include individuals and a wide range of corporate clients representing many different industries. Are the users who fill out surveys typical of the security community? Probably not, especially since the security community tends to be very private. Nevertheless, the only way to find out what people are doing is to ask.

Who We Talked To

Of the respondents who are directly involved in security, 16.2% are managers, 7.2% are CISOs, and 1.2% are information systems security managers (a role defined by NIST). That adds up to 24.6%, roughly a quarter of the total number of respondents on security teams.

15.3% said their role was “security architect,” and 12.6% described their role as “security engineer.” That gives us 27.9% whose role involves designing security systems—again, roughly a quarter of the total. It almost certainly overstates the percentage of security architects.

Security specialists—both cybersecurity specialists (10.3%) and security specialists (8.6%)—are another distinct group. These are the people responsible for the “blocking and tackling”: the work of protecting systems and data. Together, they represent 18.9% of the total.

Analysts—those responsible for analyzing logs, detecting events, putting in place mitigations, and repairing the damage after an attack—make up the next group of roles. 12.6% of respondents are cybersecurity analysts (10.0%), security operation center (SOC) analysts (1.4%), or incident and intrusion analysts (1.2%).

Assessors and auditors form a small but distinct group. Security control assessors represent 1.4% of the respondents who are directly involved with security, while vulnerability assessors make up 4.1% and IT auditors 3.3%. Auditing reflects a substantially different set of skills more associated with accounting than with cybersecurity. The SOC 2 cybersecurity compliance framework was designed by the American Institute of Certified Public Accountants (AICPA), and the assumption is that the audit will be performed by a CPA. Security audits may be required by insurers, investors, and customers. SOC 2 compliance is “voluntary,” but in reality that means it’s as voluntary as your insurers and investors make it.

1.7% of the respondents identified as penetration testers, and 5.5% as incident responders. Penetration testers (the “red team”) find vulnerabilities in their company’s systems by attacking; this may include breaking into secure areas, attempting to steal credentials and escalate privilege, exploiting software vulnerabilities, and more. Incident responders (the “blue team”) defend against an attack that’s in progress, repair the damage after an attack, and deal with law enforcement and other agencies. In most companies, these are distinct roles, though in smaller companies they may overlap.

Figure 1-1. Security roles (by percentage of all respondents)

And companies are slowly adopting the National Institute for Cybersecurity Careers and Studies (NICCS) Workforce Framework for Cybersecurity (NICE, don’t ask), a tool for standardizing security roles and role descriptions.

Top Threats

We were interested in finding out what threats are the biggest concern to people working in security. In other words, what don’t they want to hear when they get a call at night? So we asked them to select the top three threats their companies faced.

There weren’t really any surprises here. The responses emphasized the importance of the basics. The top threat is phishing, selected by 55.4% of the respondents on security teams, followed by network intrusion (39.9%) and ransomware (35.1%).

Phishing is clearly a danger, and it’s a danger that’s hard to fight; the only real defense is educating the entire workforce (which we’ll discuss later). A phish can be very low-tech; it can be as simple as sending an email asking the recipient to send their password, log in to a bogus site, or take some other action, and hoping that the victim takes the bait. In the past, phishing was easy to detect. In recent years, detecting good phishes has become much more difficult. With or without the help of AI, attackers have gotten better at generating messages that impersonate someone (a company executive, a help desk staffer, a spouse). Once the attacker has a password, they can do (almost) anything. And when one account has been compromised, it’s often easy to escalate privilege or find other victims. Principles like least privilege and zero trust help, but they only help after the fact, after the compromise has taken place. It’s possible to train employees to be appropriately suspicious, to know what requests are never reasonable (“I need your password to…”) and what requests might be reasonable but require stringent verification. Good training programs exist and are an important part of the solution—but not all training programs are good programs.

Network intrusion is something of a catchall. Successful phishes lead to network intrusions, after all. And ransomware relies on network intrusion. But taken by itself, the fact that there are intruders on your network (which includes the cloud) means that you’re facing real problems.

Given the publicity the topic has received in the past few years, we were surprised that only 35% of the respondents selected ransomware. We suppose that everything can’t be at the top of the list—and a ransomware attack can be a consequence of a successful phish or a network intrusion. While it hasn’t been in the news quite as much, the ransomware industry is still growing rapidly. It appears to have focused on the healthcare industry, which has a lot of money and a lot of data. But even small, poorly funded organizations with inadequate defenses can become victims.

Data and IP theft is fourth on the list, chosen by 31.0% of the respondents. Data theft is increasingly tied to ransomware: If you’re going to go through the trouble of encrypting someone’s data, why not steal it too? Data can be resold to other online criminals or used to blackmail the victim.

Software supply chain compromise (the sixth-most-popular choice) is a top concern for 28.4% of the respondents. Given the number of software supply chain problems we’ve seen recently, it’s surprising that it didn’t rank higher. The CrowdStrike outage, which can be considered a supply chain compromise, took place shortly before our survey went live. Even though the CrowdStrike incident wasn’t hostile, there’s little difference between being compromised by a bad actor and being compromised by a vendor’s mistake. Many commercial software packages have been compromised, including Okta, JetBrains, and MOVEit, in turn attacking their downstream users. Open source software has also proven vulnerable: The XZ backdoor, which was discovered before it could do any damage, was a warning.

What aren’t security staff worried about? Only 16.7% of them selected distributed denial of service (DDOS)—possibly because DDOS attacks are typically aimed at cloud providers and very large ecommerce sites. Any company can become a victim if their cloud provider succumbs to an attack, but short of duplicating expensive infrastructure services, there’s little a cloud provider’s clients can do to prepare. Only 10.0% are concerned about spyware, 7.6% about illegitimate use of resources (for example, cryptocurrency mining), and 1.9% about becoming part of a botnet.

Figure 1-2. Top security threats (by percentage of security team members)

Staying Safe: Top Projects

Now that we know the top threats, let’s look at what security teams are doing about it.

Multifactor authentication (MFA) has been widely implemented, reported by 88.1% of the respondents. MFA is extremely effective against most kinds of account compromise: It’s easy to steal a password but hard to steal a cell phone. (There are some attacks against text messaging, but these are rare.) Passkeys (30.1%) and passwordless authentication (25.8%) are arguably stronger versions of multifactor authentication, since passwords are always the weakest link in an organization’s security posture. Eliminating the need for passwords has long been a goal of the security community; we may finally be close to achieving it.

Endpoint security has been implemented by 60.1% of the respondents’ companies. Endpoint security means protecting the individual devices that employees are using, including laptops and cellphones. As employees have become more mobile, their laptops, phones, and other devices frequently move in and out of their employer’s boundaries. That mobility presents significant problems for security. It’s one thing to protect a server that’s always on the corporate network; a device that moves between a corporate network, a home network, a coffee shop, and a conference hotel is a much more difficult problem. What happens to your home network when your teenager has friends over? When staff attend in-person conferences, hotel networks can be a field day for attackers: There are many victims in one place, and hotel networks offer minimal protection. A device can be infected with malware at one location, where protections are minimal, then infect other systems on the corporate network or the corporate cloud when it’s brought into a facility or a corporate VPN. It’s just as important to protect devices when they’re not on the corporate network as it is to protect the servers that they connect to.

Zero trust has been implemented by 49.2% of the respondents’ companies. Zero trust requires every service (and every user) to authenticate when it needs another service. It prevents compromises from spreading from one system to another; it also protects against lazy users who might leave a laptop unattended and vulnerable. Zero trust is particularly important for cloud applications and applications that present APIs to external users.

Security is labor-intensive, so it isn’t surprising to see automation (36.0%) and AI-enabled tools (20.0%) on the list of recent projects. Automation and AI beat wading through system logs with scripts.

Figure 1-3. Projects implemented in the past year (by percentage of security team members)

That’s what our survey respondents have accomplished in the past. What do they want to do in the future? We asked what projects they want their organizations to complete in the next year. These answers reflect respondents’ priorities rather than their organizations’, but they’re still an indicator of where our respondents are headed.

Automation is clearly on everyone’s mind. AI-enabled security tools are the top project for the next year (34.4%), and security automation is third (28.2%). Microsoft Copilot for Security (16.0%) wasn’t among the top projects, but it’s part of the same theme. These closely related projects show that automation to reduce the workload is a priority, at least for those working on security teams. It makes sense. I’ve written that I’ve never seen a software team that was underworked. AI won’t eliminate jobs by making software developers more efficient; it will reduce the burden. The same goes double for security. If automation reduces the time security teams spend fighting fires and lets them focus on longer-term projects like zero trust and MFA, everyone will be better off.

Compliance is in the middle of the pack—fourth on the list—both for completed projects (36.3%) and for next year’s projects (22.0%). We aren’t surprised: Compliance is, by nature, a project that’s never finished. It’s also not a project that excites anyone, except perhaps an accountant. It’s slow, it’s detail oriented, and it doesn’t really do much to keep criminals out of your systems. Compliance is an ongoing reality, but not a reality that gets listed as a “top project.”

Multifactor authentication (15.0%), endpoint security (10.7%), and passkeys (15.3%) fall at the bottom of this list—possibly because MFA and endpoint security have already been so widely implemented.

Figure 1-4. Top projects for next year (by percentage of security team members)

What About the Cloud?

Two-factor authentication for cloud service provider (CSP) interfaces (44.9%) is the most common method for securing cloud infrastructure. Cloud service provider interfaces are, by nature, outward-facing. They’re not behind your firewall; they run on hardware you don’t own and can’t control; and you can’t yank the Ethernet cable out of its jack if you notice an attack in progress. Cloud resources need protection, and multifactor authentication is currently the best technique available.

41.5% of the respondents listed DevSecOps. DevSecOps isn’t just about the cloud; it represents a welcome change in how software is developed, in which security is viewed as part of the development process from the start, not something added in later. The “shift left” mantra of DevSecOps has been criticized, but building security in from the start is a key step toward minimizing vulnerabilities. Infrastructure as code (IaC) is another key tenet of DevSecOps; it’s not surprising that 33.9% consider it a method for ensuring cloud security. It’s important to remember that many—perhaps most—vulnerabilities in production systems result from configuration errors that are entirely avoidable; identity and access management (IAM) is a frequent problem. IaC standardizes the way you create infrastructure, increasing reliability and avoiding errors. When infrastructure provisioning is encoded into software, it’s less vulnerable to operator errors. The days when sysadmins configured switches, routers, servers, and other devices by typing commands on a console are long past.

Good key management (38.9%) is important for modern cryptographic systems and a critical part of zero trust (30.1%). And good instrumentation (26.7%) is central to automation. Observability has been an important theme for the past decade; you can’t manage or protect what you can’t observe. Cloud security may be a specialty of its own, but our respondents are telling us that it isn’t fundamentally different; it’s just another part of the larger security picture. Take care of authentication, implement zero trust, automate as much of the job as you can, build observability into your services, and make security a priority for development teams, and you’ll be ahead of the game.

Figure 1-5. Cloud security projects completed (by percentage of security team members)

Security for Supply Chains

Software supply chain security is one of the newer topics in security. For years, we accepted software for what it was. Yes, there were vulnerabilities, but vulnerabilities were bugs, and they were usually fixed by the developers. (Installing updates after the vulnerability was fixed was, and remains, another problem.) In the past few years, starting in 2020 with the SolarWinds breach, software itself has become the means of attack. If an attacker can insert malware into a widely used product, that malware will be installed willingly by downstream victims. SolarWinds put supply chain attacks on the map, but the history is much longer, arguably going back to a backdoored Linux kernel in 2003 and probably extending much further in the past.

The most widely used tool to prevent a software supply chain attack is a third-party audit (44.2%). Audits let you know exactly what’s going into your build, and they ideally tell you about the security practices of the organizations that provide you with software. A software bill of materials (SBOM, 22.2%) serves a similar purpose, if it’s done well: It documents exactly which libraries and modules are needed to build and deploy a software system, so that if something changes, developers and security staff will notice it. A program may only include a few libraries, but those libraries probably include others, which in turn include others, creating a surface area that can easily extend to hundreds of external software sources. An SBOM doesn’t tell you anything about the practices of the organizations or individuals that provide the software, but it does tell you exactly what you’re working with—and given the number of dependencies in any significant software project, that’s important.

Protecting the software development pipeline (37.5%) and validating pipeline components (32.5%) are closely related. It’s easy to forget that injecting backdoors and other vulnerabilities into software that is then shipped downstream isn’t the only way to compromise the software development process. The tools, the servers, the repositories, they all play a role, and they all have their own weaknesses. For example, what happens if you misspell a common package name? Someone may have created a hostile package with your misspelled name that can be inserted into your product. What happens if identity credentials are poorly managed? An attacker might be able to insert code into your product or compromise your development process in other ways. If you want to protect the supply chain, you have to consider the entire chain: everything that touches software on its route downstream.

Zero trust shows up once again (26.3%); it’s the second-to-last item on the list, but it’s still significant. In complex systems, the ability of one compromised component to compromise another is extremely dangerous. You’re always at risk when a vendor ships a compromised product. All the auditing and SBOMs in the world won’t eliminate that one mistake that allows an attacker to compromise a library or an application that you rely on. But zero trust limits the damage they can inflict.

Figure 1-6. Software supply chain projects completed (by percentage of security team members)

Skills Shortages

We’ve seen what security staff worry about, what they’ve been working on, and what they want to accomplish in the next year. The next question is simple: Who is going to do the work? Or to put it another way, what skills are in short supply? Companies are hiring security staff, and even when they’re going through their annual layoff rituals, we don’t see many security experts on the job market. Good people are hard to find—where are the shortages?

38.9% of the respondents on security teams pointed to cloud computing. Although cloud security is rooted in the same principles that we’re all familiar with, it puts those principles into a new context. Cloud security requires taking concepts like access control and least privilege and applying them to servers and services that you’ll never see and may only control through an API provided by your cloud vendor. It requires thinking in terms of hundreds or thousands of virtual instances and using or developing tooling that can reach across all those servers, services (including serverless), and cloud providers. An error in any service can compromise all your infrastructure—that’s why infrastructure as code is so important. In many respects, the game doesn’t change, but the stakes become much higher. While AWS is over 20 years old, “cloud” is still aspirational or experimental at many companies. It was something people talked about, but many companies still stuck with on-premises data centers until forced to do otherwise. After all, there are many reasons (not all good) for staying “on prem”: sunk costs, the perception that the cloud is a security risk, and (in some industries) regulation. Many companies also “moved to the cloud” without realizing the need for specialized talent, particularly where security is concerned. That’s finally changed, and as a result, we’re seeing a serious shortage of experts in cloud security.

Artificial intelligence introduces a whole new set of threats that we’re only beginning to understand. AI has made a lot of progress in the past decade, but when GPT-3 appeared in November 2022, everything went off the rails. Everyone, including the security community, was blindsided—both by the possibilities and by the risks. 33.9% of the respondents pointed to a shortage of AI skills, particularly around vulnerabilities like prompt injection. Unfortunately, we’re only starting to understand the security problems that AI introduces; we don’t understand the solutions, and many AI experts fear that there will never be solutions to vulnerabilities such as prompt injection. The security community is only beginning to catch up with the use and misuse of AI. In the coming years, we expect a surge in AI-specific research, training, and certification.

Companies need more people who understand forensics (30.8%) and red teaming (26.0%). It’s likely that these will always be skills shortages; people who do forensics and red teaming have to have a solid knowledge of the basics, and they must keep up with the latest developments. Finding qualified people with up-to-date knowledge will always be difficult.

Risk management (23.9%) and risk assessment (23.9%) skills are also in short supply. It’s worth taking a quick look at risk. Everything involves risk; no security team can expect to defend their organization against all possible attacks. But it is possible to think about what attacks are likely and what damages those attacks are likely to cause, and defend in a way that minimizes the harm. You can’t defend if you don’t know what’s at risk, and you can’t afford to give the same protection to every asset. We do this all the time: The locks on our front doors are different from the locks on a bank vault. Security teams need to do the same thing. They need to manage risk, paying the most attention to the most likely attacks (attacks that can be expected) and the most damaging attacks (attacks that will do great harm, even if they’re less likely).

Our respondents aren’t seeing significant skill shortages for networking (16.5%), auditing (16.2%), research and analysis (16.2%), or public key infrastructure (11.7%). PKI has a reputation for being esoteric, but given the importance of zero trust and identity management in the cloud and its rank among the top projects, it’s hard to believe that there’s no shortage of PKI expertise. Network security has been an issue for decades; even though it remains important, it’s likely that there are enough people with this expertise to minimize the skills shortage. Auditing, along with research and analysis, are similar. They aren’t new, and there’s a well-established talent pool.

Figure 1-7. Security skills shortages (by percentage of security team members)

Certification

What would security be without certification? Or what would certification be without security? We’ve all seen security experts whose names are trailed by the certificates they’ve earned, not unlike British nobility. (The appendix at the end lists many common certifications, including all the ones mentioned in this report.)

However, while it’s easy to make snide remarks, those certifications serve an important purpose. When you’re hiring for security, how do you evaluate candidates? You can read résumés and perform interviews. But hiring for security has a problem: The biggest success is nothing. A candidate for a software development position can say, “I helped develop Fooify” or “I’ve contributed to Barthing” or “Look at my contributions to ThingaBase on GitHub.” They can do some whiteboard coding or take a day to complete a more substantial coding assignment. A product manager can say, “I planned the development of Bobbify from conception through launch.” What can security staff say? “I worked for six years at Company X, and nothing bad happened.” Security budgets have long suffered from the same problem. Forget about projects like implementing zero trust; the substance of the conversation goes like this:

  • Manager: “What did you accomplish in 2024?”
  • Staff: “Well, nothing bad happened. We weren’t hit by ransomware, data theft, or any other major incident.”
  • Manager: “And ‘nothing happened’ is the basis for saying that you need two new hires and a 20% budget increase for 2025?”

There are signs that companies are growing beyond that limited view; there have been too many high-profile victims for employers to ignore security. (We’ve heard that the attitude is now “Take all the staff and budget you want, but if I ever have to talk to a reporter about a security issue, you’re all fired.”) When we’ve looked at the data, it’s at best a question of whether the glass is half empty or half full—more likely, the glass is three-quarters empty and we’re being asked to pretend that it’s half full. There are also signs that the work of security has changed over the past couple of decades. There are bigger projects to point to when someone asks what you’ve done, like zero trust and multifactor authentication. And there are new technologies like AI, each with its own vulnerabilities that must be addressed.

But that doesn’t solve the basic problem: You can document what you’ve done at length, but the bottom line is still “nothing bad happened.” You can demonstrate that you can attack a system, but it’s much harder to demonstrate that you can defend. Few people can say, “I’ve successfully blocked a DDOS attack” or “I detected a ransomware attack and shut it down before it got started.” More people can say, “I helped clean up the mess after we were hacked”—but that begs the question, “What did you forget that allowed the attackers in?”

As a result, security certification has an importance that other forms of certification don’t. Certification requirements aren’t unknown in other disciplines, but they’re a fixture in the security landscape. Security experts need a standard way to document their expertise; employers need a standard way to recognize expertise. So it’s not surprising that roughly half of our respondents reported that their employers require some kind of certification when they hire for security positions (51.3% requiring certification versus 48.7% that don’t). If anything, it’s surprising that the percentage requiring certification isn’t even higher. The results were similar—within a few percent—for respondents who are responsible for security and for those who weren’t.

Can we connect certification to skills shortages? ISC2’s CISSP (Certified Information Systems Security Professional) certification is the most commonly required certification, reported by 31.0% of the respondents whose primary role was in security. CompTIA’s Security+ is second, reported by 22.7%. These have always been the most popular security exams, based on the use of material on our learning platform over the past few years: CISSP consistently leads platform usage, followed by Security+. Although both of these exams are very broad, they are distinctly different. CISSP is an in-depth exam for professionals, and applicants must have at least five years of experience before taking the exam. Security+ is more of an entry-level exam, an appropriate requirement for junior staff.

The next most commonly required exam is ISACA’s CISM (Certified Information Security Manager), at 11.7%. This exam focuses on issues like risk assessment, governance, and incident response—functions that certainly showed up in our question about job roles. The number of respondents whose companies require CISA (Certified Information System Auditor) certification (10.7%) corresponds to the number of people who are responsible for auditing or assessment.

The EC-Council’s CEH (Certified Ethical Hacker) certification followed very slightly behind CISM, at 11.5%. CEH is an exam for penetration testers and red teamers, skills which came in fourth on the list of shortages. But unlike most other security skills, there are many ways you can demonstrate your ethical hacking skills without acquiring a certification. Most security conferences have “capture the flag” contests, where participants attempt to break into a target; O’Reilly offers one on our learning platform. However, companies clearly want the additional confidence that comes from passing an exam.

Figure 1-8. Required certifications (by percentage of security team members)

Many respondents reported a skills gap in cloud expertise. CCSP (Certified Cloud Security Professional) and CompTIA Cloud+, required by 7.6% and 6.9% of the respondents’ companies, show that companies are serious about cloud security. Companies requiring one of these two exams total 14.5%, which, taken together, would put them just behind CompTIA Security+. And keep in mind that cloud security is only part of a company’s overall security posture. Cloud security is clearly an important specialty, and, as with so much else in security, it’s hard to demonstrate competence.

What about “Other”? At 17.4% of the respondents, it falls just after CompTIA Security+. We’ll have more to say shortly, but that isn’t unexpected. There are many, many security certifications: Paul Jerimy’s “Security Certification Roadmap” lists 481 distinct certifications. We only asked about the top 12. We could have given more options, but with certifications like CFR (CyberSec First Responder) at 0.5%, we’d be getting into the weeds.

Certifications Security Professionals Have

We’ve just looked at what certifications employers require. But what certifications do security practitioners actually have, and what certifications do they want?

Given the importance of certification to security, we were surprised to see that 40.8% of the respondents on security teams don’t hold any certifications. Obviously, this means 59.2% have at least one certification—and that’s a much higher percentage than you’d see in any other computing discipline. But who are those 40.8%?

Respondents who identified their role as incident responder were less likely to earn certifications (70% uncertified). Unlike many other security specialties, certification isn’t part of incident responders’ culture. The relevant certifications for responders are the CyberSec First Responder (CFR, 0.5%), followed by GIAC Certified Incident Handler (GCIH, 1.4%, listed under “Other”). Vulnerability assessors (65%) and incident and intrusion analysts (60%) were also frequently uncertified, possibly for similar cultural reasons. It’s comforting that CISO is among the roles that are more likely to be certified (33.3% uncertified). So are security control assessors (17%), cybersecurity specialists (26% uncertified), and cybersecurity managers (30%).

Among respondents with a role in security, the second-highest group indicated that they hold certifications other than the ones we listed (25.1%). We allowed write-in answers, and these responses were scattered among the nearly 500 security certifications that exist, with few certifications appearing more than twice, even after deduplication. The most common responses indicated certifications in AWS or Azure, but they rarely indicated a specific certification. Of those in security roles, 1.9% indicated they hold some kind of AWS certification; 0.9% indicated some form of Azure certification. Given the shortage of expertise in cloud security, certifications offered by the leading cloud providers would seem to be very desirable. Another interesting case is CRISC (Certified in Risk and Information Systems Control). The certification is held by less than 1% of respondents, but they represent the critical field of risk analysis, another area where there’s a significant shortage of talent. Finally, several respondents listed ISO 27001, although properly speaking, 27001 is an auditing specification that applies to organizations, not individuals. However, 27001 has its own ecosystem of certifications.

After “Other,” we get into more familiar territory: well-known certifications held by large numbers of respondents. 22.0% of the respondents in security roles have earned the CISSP; 19.1% hold CompTIA Security+; 9.1% hold Certified Ethical Hacker; 6.7% hold Certified Information Security Manager. These results match the required certifications fairly closely. That might be a self-fulfilling prophecy; if companies hire for CISSP, then there will be a lot of CISSPs in security roles. However, we believe that companies are following the security profession’s lead here rather than defining it. CISSP, Security+, CEH, CISM, and the others are highly desirable certifications that have become de facto standards.

Figure 1-9. Held certifications (by percentage of security team members)

Certifications Security Professionals Want

What about the certifications that respondents don’t have yet but want to obtain? Again, this maps closely to the certifications that employers are looking for. Only 24.1% of respondents said that they didn’t want to obtain any additional certifications. 34.8% wanted to obtain the CISSP, and 16.9% wanted Security+. Cloud+ and CISM came next, with 16% each, followed by Certified Cloud Security Professional (CCSP, 13.4%). It’s not surprising that the two general certifications are highly desirable; CISSP is the gold standard for security professionals, and Security+ is an excellent credential for someone closer to the start of their career. The two cloud certifications may be more significant, given the perception of a skills shortage. It’s also worth noting that AWS, the most widely used cloud provider, showed up frequently in the write-in responses, though the respondents rarely mentioned specific certifications. (To be fair, AWS frequently changes its certification structure, so perhaps the certification names are less relevant.) Some kind of AWS certification was listed by 2.3% of the respondents. Azure didn’t do as well (under 0.5%).

Certified Information Systems Auditor (CISA, 12.9%), Certified Ethical Hacker (CEH, 12.9%), and Cybersecurity Analyst (CySA+, 12.4%) round out the certifications that more than 10% of the respondents in security roles want. It turns out that the certifications employers want, the certifications respondents have, and the certifications respondents want line up surprisingly well.

Figure 1-10. Desired certifications (by percentage of security team members)

Continuing Education

We expected the emphasis on certification to correspond to requirements for continuing education. There’s no technical field where education isn’t important, but education may be most important for security. The explosion of AI was a shock for everyone, and all the changes brought by AI are reflected in the security landscape, with new vulnerabilities ranging from prompt injection to data poisoning. Mobile adoption is almost universal, and that affects security. So do work-from-home policies. And of course, there’s a litany of new vulnerabilities and attacks that security professionals need to understand. Security is a field where the ground is constantly shifting from one day to the next. Contrast that to programming: Language updates happen every few years, and new programming languages of any significance are quite rare. Many programming groups are only now upgrading from Java 8 to Java 21, and Python 6 is still common, even though the current version is 12. There are reasons for this stability: Why upgrade when an upgrade takes a lot of work and might break things? Most language developers are careful to maintain compatibility between versions, so if you don’t upgrade, the only cost is missing out on a few new features. That logic doesn’t apply to security, which is a constant struggle between defenders and attackers. Attackers are never going to make it easy for anyone: they will exploit the newest vulnerabilities. If you don’t stay up-to-date, you’re likely to become a victim.

Therefore, it’s no surprise that only 19.3% of respondents reported that their employers don’t require any continuing education. 32.2% of those in security roles reported that their employers require 41 or more hours of continuing education each year, while 24.1% said their companies require 21 to 40 hours. Only 5.7% of respondents are required to do five hours or less.

Figure 1-11. Required continuing education hours (by percentage of security team members)

88.8% of the respondents on security teams take advantage of online courses; 76.6% use books; 75.2% use videos—for all practical purposes, there’s no significant difference between these. 51.1% have attended conferences (including online conferences), and 49.9% rely on blogs and newsletters.

In-person courses, whether provided by the employer (29.1%), a boot camp (14.6%), or a college or university (9.8%), are less popular than other training sources. There are many reasons why. First, it’s much more convenient—for both the employer and the employee—to attend a virtual course or video. It’s also important to think about health: Despite popular opinion, the COVID pandemic has not ended, and if you follow security professionals on social media, that’s exactly the kind of information that they track. It’s another threat, another risk, and security professionals prefer not to add risks unnecessarily.

It’s clear: Online training courses, books, and videos are the sources security professionals turn to for training.

Figure 1-12. Sources for continuing education (by percentage of security team members)

Most of our respondents work for companies that provide at least basic security training for all employees (64.4%), while another 20.3% provide in-depth training for all employees. Only 9.3% reported that their companies don’t provide any security training, and 6.0% reported that their companies only provide training for employees in critical positions.

Figure 1-13. Company-provided security training (by percentage of security team members)

When we asked what step would be the most important in improving a company’s security posture, the most common answer was better security awareness training (40.1%). 22.4% said additional staffing for the security team, 20.3% said comprehensive risk management, and 17.2% said better security tools.

Tools are important, but in the end, tools don’t do the job—even in the age of AI. (Perhaps especially in the age of AI, given AI’s ability to confidently give incorrect responses.) Better risk assessment is a good idea. Increased staffing would help, but who doesn’t want more people to share the load? Skill shortages are real, and companies need to hire people who have the skills they need. But in the end, you have to do the job with the people you have, not the people you wish you had. The most significant observation here is the importance of security awareness training for everyone. It’s notable that 40% of the respondents said that the most important thing a company can do is provide better security training. “Better” is a very important word in this context. Granted, 60% of the respondents chose some other answer, implying that their basic security training was “good enough.” That’s important and healthy. But is that good enough? Good training can always be better, but if respondents were really satisfied with the training that was offered, we wouldn’t see 40% of them looking for better training.

Figure 1-14. What would most improve security? (by percentage of all respondents)

It’s About Training

Security is no longer taken for granted; that’s a significant change we’ve seen over the last decade. Our respondents—both those who work in security and those who don’t—are aware of the threats and the risks. They believe in the importance of certification, even when it isn’t required. They’re aware of the need for training. They’re working on acquiring additional certifications and taking the training that’s needed to earn them. Certifications like the CISSP, which is both wide-ranging and in-depth, are most desirable. But there are areas with skills shortages, such as the cloud. We’ll probably see a rush for training on AI security when those resources are available. And the people who will take those courses don’t just need any old training: They need high-quality, high-value training that delivers real knowledge, not just the ability to answer questions on an exam.

Most of all, our respondents believe that security is everyone’s responsibility. What will it take to make phishing—the number one threat—the exception rather than the rule? What will it take to make ransomware a rare event? Most companies train employees in the basics, but it needs to be every company and every employee. And again, it needs to be high-quality training, training that really helps employees to be aware of and recognize security issues from phishing to password hygiene to physical site security.

Security is a challenge that will never go away. Chances are, we’ll invent new risks as quickly as we retire old ones. But we can do better at meeting the challenge.


Appendix: The Certification Alphabet Soup

Security certifications are almost always referred to by their acronyms. The names can be long and confusing, but the acronyms aren’t much better. Here’s a list of the acronyms, full names, and certifying organizations for the certifications discussed in this report, along with a few of the more common certifications that appeared in the write-in answers.

Thanks to Dean Bushmiller for a thorough review, conversation, and a few (uncredited) quotes. Errors are mine.


