It's the problem that won't go away – so what is actually being done by the industry, government and academia to resolve the infosec skills crisis, asks Phil Muncaster.
Of all the most hotly debated topics in information security, from the never-ending cyber space arms race to the perennial problem of end-user education, perhaps the most prevalent in recent years has been the industry's skills shortage. It is a problem that simply will not go away, aggravated for a long time by the failure of government, industry and academia to come up with a coherent, long-term solution.
To put it bluntly, there isn't enough fresh young talent coming into the industry, while serious skills gaps persist among current professionals, exposing organisations to unnecessary risk. So where are the key problem areas, and what can be done to turn things around?
Precise figures for the size of the information security skills shortage are notoriously difficult to come by, although certifications body (ISC)2's latest Global Information Security Workforce Study, published in February, provides some insight. Of the 12,000-plus members interviewed, 56 per cent said they believe there is a workforce shortage, compared with two per cent who think there is a surplus. Security analyst (chosen by 47 per cent of respondents) was said to be the role most affected by shortages, followed by ‘security engineering-planning and design’ (32 per cent) and security auditor (31 per cent).
No quick fix
The National Audit Office, meanwhile, also published a report in February, on the government's cyber security strategy, interviewing representatives from the state, academia and industry. While failing to quantify the skills shortage, the report cites respondents from academia arguing that “it could take up to 20 years to address the skills gap at all levels of education”, adding that “this shortage of ICT skills hampers the UK's ability to protect itself in cyber space and promote the use of the internet both now and in the future”.
Robert Chapman, CEO of Firebrand Training, argues that more should be done to encourage children to take an interest in the industry at an earlier age. Yet the number of students taking an A-Level ICT exam was down by 10 per cent last year, with a five per cent decline in the number of those taking the more technical computing course. The government has belatedly understood the importance of computing education at this level, announcing plans in 2011 to make GCSE and A-Level courses more relevant – moving the curriculum away from computer literacy and towards more useful IT skills such as coding. However, the fruits of these labours have yet to show.
Getting them early
“More can be done at a much younger age,” says Chapman. “The number of bedroom hackers amply demonstrates that young people can be taught these skills, and I don't see why undergraduates can't be taught these skills during university degrees.”
One project hailed by Chapman as a step in the right direction – which aims to seed IT skills into the education system early on – is Code Club. This charity has already signed up 1,000 primary schools nationwide with the aim of getting volunteers to teach extra-curricular coding classes to nine- to 11-year-olds. “We need to start at an early age so kids have the DNA to think logically,” Chapman says.
Further up the stack, the industry needs to play a bigger part in helping to identify where it can fill potential skills gaps. Training graduates can be far cheaper and more effective than trying to find the finished article from a dwindling pile of applicants, says Chapman.
“There's a lack of awareness about how youngsters can be used,” he adds. “The government plays a role, but so too does industry – it needs to be more open-minded about investing in people's skills.” This needn't be via training courses – mentorships can also be a cost-effective way of developing talent, Chapman says.
(ISC)2 director Richard Nealon also believes that mentoring can overcome the “catch 22” experienced by some infosec hopefuls, whereby employers seek skilled professionals to fill certain roles, for which many potential applicants lack the experience. “There's a role here for established information security professionals to bring in people as interns or at a junior level,” Nealon explains. “If they have the basics and some education, they can be brought into the industry.”
While technology qualifications are a bonus here, they are not essential. Just as important is a candidate's ability to demonstrate a strong interest in an infosec career and that “they're wired in the right way”, Nealon says.
(ISC)2 last year launched a programme through which college graduates, and even those with just an interest in information security, can build relationships with seasoned pros. These information security professionals in turn may be able to source their interns and junior applicants from the programme, Nealon explains.
He also argues that there are not enough undergraduate courses – although (ISC)2 is sharing its knowledge with institutions to help them build curricula – but admits that there is little appetite for such courses at present. Like Chapman, Nealon believes that more can be done to encourage children to view IT security as a viable career choice. He cites the (ISC)2 initiative Safe & Secure Online, which encourages infosec volunteers to teach the security basics in schools, as helping to promote the profession among the young.
“Kids coming out of school may want to work in IT, but they don't see information security as even a choice,” he argues. “At the moment, universities are not seeing that demand for undergraduate infosec courses, but if we called it ‘cyber security’ instead, you might increase interest. It's about the way we market ourselves to them. We don't market ourselves well as a profession.”
More than 50 information security courses exist across the country, including City University London's MSc in Information Security and Risk. The university's head of computer science, Kevin Jones, argues that while academic courses need input from industry, they shouldn't become too narrowly focused or vocational.
“We have steering bodies where luminaries will tell us what we should teach, and we go away and push that through an academic filter,” Jones continues. “It's a balance, though – universities shouldn't become technical training schools.”
Jones' conversations with industry have taught him that, as well as the obvious technical skills, more focus needs to be placed on ‘soft skills', such as communicating with senior management and getting security recognised at board level. However, he is not convinced that degrees in pure information security are the answer to the skills shortage. Like many in the industry, Jones sees the problem stemming from as far back as secondary school and earlier, although he is optimistic that things are improving. Intelligence agency GCHQ, one of the organisations feeling the shortage most acutely, is taking a lead in developing masters courses, and is working on ways to seed IT skills earlier on in the education system, Jones says.
“This is a generational effort – what we do now won't be visible for five years or more. The fact is that cyber security education is becoming a hot topic in schools, rather than the old ICT course, which was little more than a technical training typing class,” he adds.
“People are seeing that security is endemic in every area of life. The government is putting more attention on it too as it fits in with its cyber security strategy. All of these things are coming together so that we can get the best and the brightest to say: ‘This is an interesting and exciting industry to work in.’”
The National Audit Office report reveals other government efforts, including GCHQ's plans to sponsor 30 PhDs, and the state funding of 48 PhDs on “multi-disciplinary cyber topics”, with measures to ensure undergraduates of technical degrees receive cyber security training.
It is a good start, but there is still some way to go, according to Allan Boardman, international vice president of ISACA, a non-profit association focused on IT governance. “One of the key areas for improvement is the coordination between the Cabinet Office, law enforcement agencies and commercial organisations. Some of this already exists, but tends to operate in pockets, with some major corporations or industries left out on the fringes,” he argues. “Some form of licensing should be considered to leverage global professional organisations already well experienced in certifications and education.”
ISACA itself recently launched a Career Management Task Force, and is looking at “providing more pragmatic implementation guidance and best practices on security management, including cyber security”.
Aside from the problem of getting more fresh talent to enter the industry, specific skills gaps continue to plague those currently working in IT security. In (ISC)2's latest study, some three-quarters of the 12,000 professionals interviewed said new security skills were needed to manage the risks associated with ‘bring your own device’. Of most concern were application security (72 per cent), the cloud (70 per cent) and compliance (66 per cent).
To that list, KPMG information security director Paul Hanley adds compliance-related skills such as data protection, as well as sector-specific knowledge such as in the area of SCADA industrial control systems. “What we also look for is the right level of experience to go with a qualification,” he adds. “A newly appointed PCI QSA, for example, may not necessarily understand how best to utilise these skills effectively to add value for a client, by cutting through complexity and adding pragmatism.”
The problem for the industry, of course, is that with limited numbers coming into the profession, the pool of those with adequate experience is diminishing. CISOs are understandably worried by the deficit. Hanley argues that in the worst-case scenario, it can lead to critical systems remaining unpatched for years, monitoring controls that are not reviewed despite indicating security incidents, and even a failure of background checks on staff.
“The impact of these can be very serious, from an inability to protect an organisation from a security breach, to the inability to detect when a breach has actually occurred, and an inability to respond in an appropriate manner to contain the breach and reduce its impact,” he says.
Organisations with limited security skills at their disposal are urged to focus their available resources on those areas likely to most reduce risk and help the business meet its objectives. “Where there simply aren't enough resources to meet requirements, organisations need to be very clear about the security risk exposure that this creates,” Hanley says. “Depending on the severity of the risk, the business could choose to accept the risk, utilise the services of consultancies or contractors, or pay a premium to entice a scarce external resource to join the company permanently.”
In the end, it is likely that the skills shortage will persist as long as the demand for professionals continues to outstrip supply. And with regulations stipulating the presence of a dedicated CISO or similar, and the growing volume and sophistication of threats, this is a headache that is unlikely to be remedied any time soon. However, modern information security remains a young profession that has come a long way from the days when it was carried out part-time by a non-specialised member of the IT department. Bodies such as e-skills UK are looking to formalise the profession, practical courses are being set up from primary school through to PhD level, and the government recognises the shortage as a major issue.
The hope is that with a greater effort from academia, industry and government, the pieces will eventually slot together and the gaps disappear, although this will be little comfort to those in the industry currently battling the problem.