Bridging the skills gap in information security
If the recent cyber security challenge demonstrated one thing, it is that there is a clear skills gap when it comes to people coming into information security jobs.
Earlier this year I was invited to view the work of the challenge and meet some of the contestants taking part. From talking with some of the sponsors and organisers, it was obvious that they felt that there was no middle ground between the existing security practitioners and their future replacements.
One reason for this could be a lack of educational resources to teach security. I met with Kevin Streater, executive director of employer engagement for the IT and telecom sector at the Open University, who told me that people need skills for this industry and current efforts were being made to bring cyber security into the education space.
He said that companies have jobs available but not the right people with the appropriate level of understanding. He said: “People are saying that they are not getting the right people in, so would like to see more training. You may have the capability as a developer, but not on security skills and you need to come in at a level.
“The winner of the cyber security challenge was an Open University student who found he could do a post graduate course on computer forensics, as you can learn as you do it. We have shown that there is a huge gap in security skills but that is not in the skills framework. We need to start looking at this issue and building pathways, as there is not a national standard and no national definition. A university can provide the right skills for industry.”
Streater welcomed the initiatives from the IISP and the British Computer Society, with the IISP's framework for development for security praised, but he said that with these organisations the Open University was trying to embed a broad set of skills ‘that we need to be thinking about, as we need to deliver skills that meet employer requirements'.
Streater said that the Open University currently offers postgraduate courses on forensics, information security management and legal issues that touch on areas within the IISP framework. He was also complimentary about Professor Fred Piper's efforts at Royal Holloway University, saying that is still the leader in terms of academia and security, but the Open University was existing as an alternative route.
He said: “We have been a new entrant to produce a delivery model. The space is healthy with what other universities are doing and the area that they want to enter. Security needs depth and discipline and not everyone can come into it, yet it comes up on the national agenda and was highlighted by Westminster on the defence review, so I think that other universities will follow.”
With a national awareness campaign such as the cyber security challenge driving more people away from the dark side of security, Streater confirmed that there has been a 40 per cent rise in applications to Open University courses around the subject.
Looking to the future, he said that with consistent reviews of the curriculum and a particular eye on developing offerings in the security space, he expected to see more models in the space over the next few years.
It is surprising that more people are not selecting security as a career option and perhaps the reason is the lack of a national standard or university courses. With the initiatives there and a chance to get a job that employers are desperate to fill, perhaps this skills gap could be narrowed in the future.