SC Survey: Skills shortage in infosec
SC Magazine's latest survey asked the key questions on the skills and people shortage in the infosec industry. Here, we analyse the main findings from the online poll.
The latest SC Magazine survey, which ran for around three weeks at the end of February and early March, garnered 64 responses to a number of questions on perhaps the biggest problem faced by the information security industry. The aim was to find out whether the crisis is down to a shortage of people, skills or both.
The respondents included 11 security consultants and 11 security managers, four CISOs and four managing directors. Asked if they felt that there was a shortage of people with the right skills to cope with modern infosec challenges, almost three-quarters of respondents (74 per cent) agreed with this.
Asked why, the comments SC received were varied. One respondent cited outsourcing as a cause, saying: “Why train for a trade security, systems administrator or database admin [role] if there is a high probability that your work will be outsourced?” Others stated that these roles were in a relatively new business area and did not receive funding from management.
One respondent blamed the shortage on the industry being “high-pressure, high-risk and constantly evolving”, and blamed a “lack of support from upper management that still have a ‘it will never happen to us' attitude”.
Some of the answers to this question also claimed that school pupils and university students fail to consider information security as a future career choice. One participant said there was a “lack of opportunities for school-leavers and graduates” to join the industry, and that the “extremely complex” subject matter requires students to gain “a lot of fundamental IT skills before they can start on such a career”.
Training and recruitment
A common barrier highlighted was a lack of training, either being done or offered internally. Comments included: “There is not enough training in what is a continuously evolving area of ICT”; and “there is a lack of basic training as there are no ‘technical' colleges”. Meanwhile, one respondent said security is “a new challenge that has grown quickly without time for a large group of professionals to have developed along with it”.
The theme of training continued into another question, which asked: Does your company prefer to train current employees to meet new industry challenges, or hire new people with the required skills? To this, 67 per cent of respondents said their company prefers to train current members of staff, while the employers of 33 per cent tend to hire new staff with the required skills.
We also asked: Are there staff training programmes at your place of work to cover the new information security challenges? In response, just over half (56 per cent) said yes.
Careers and challenges
On the main challenges for an industry faced with such a shortage of skilled people, the answers included: getting things right; lack of educational opportunities; budget restraints and cost pressures; and competition from firms in other countries.
One respondent said “there is more work than people to do it”, while others claimed that information security is not seen to offer a progressive career ladder. Echoing other surveys on skills shortages, one participant said the biggest challenge was “promoting realistic career paths within the field and helping [professionals] to realise the longevity of such career paths in an environment of evolving technology”.
Interestingly, one respondent said the greatest challenge was “cross-training individuals into an information security role, but too many IT professionals are not information-security aware”. The participant singled out software designers and builders, claiming they “aren't aware of the software risks, which are very expensive to mitigate later on”. This was echoed in other comments, with one stating that “under-staffed businesses lack specialists who know how to protect their business”, and another suggesting that businesses need to “get more people from mainline IT into security”.
Finally, we asked if the right people are attracted to the industry; 58 per cent agreed that this was the case.
Finding a solution
The skills shortage is not going to be solved overnight, but it is clear that businesses are seeking that light at the end of the tunnel. According to our survey, perhaps the root of the problem lies with schools and universities, where not enough pupils and students view information security as a viable career option, while companies themselves are shirking their training responsibilities.
Furthermore, it seems that even those working in the industry often lack the right skills for the job. One respondent said damningly: “Even with skilled IT staff, the area of security is one that evades most – security is just another aspect of the role where the necessary skills are lacking. The shortage of skilled people will ultimately result in more wide-reaching issues for corporate IT.”
Another said: “It's the lack of experience in using those skills that causes a bigger issue. We've seen a flood of people grabbing the latest and greatest security certifications, but they don't have any experience of using those skills. This causes a situation where people without the experience expect elevated salaries that they're simply not worth.”
The road to solving all of these problems is long, and those travelling it will likely encounter many potholes.