Training up the infosec troops

Opinion by Alan Calder

The UK has a desperate need for more infosec professionals, according to the National Audit Office (NAO).

In its February 2013 landscape review of the UK's cyber security, which assessed the UK government's progress in implementing its cyber security strategy, the NAO seized the opportunity to flag the ever-growing information communications technology (ICT) and cyber security skills gap.

Backed by a sizeable injection of £210 million over 2014-5, and the rallied forces of 15 government organisations, government strategies to tackle the infosec talent shortfall in the coming years include the development of cross-cutting knowledge, skills and capability via the National Cyber Security Programme.

However, before being seduced by the boom in job openings, training opportunities and government support, infosec professionals are wise to choose carefully when boosting their skill set.

A widening gap

As with the rest of Europe, which despite high unemployment is experiencing a severe shortfall of talent in the face of surging infosec job openings, the skills gap in the UK is being widened by growing demand for professionals across the board.

Although state sector employment is no longer a safe option for many white collar workers, and continues to be hit by rounds of downsizing in many areas, information security is one area that is bucking the trend. Today, infosec professionals are keenly sought by both the public and private sectors.

Of these, highly skilled and qualified players with a broad range of skills and experience are at a premium. However, according to a 2012 market report by corporate governance recruiter Barclay Simpson, individuals with a highly specialised range of security expertise are also in hot demand, thanks to the complex challenge presented by cyber threats.

Compliance and implementation

Such demand for infosec professionals is impacted not just by the surge in cyber attacks and organisations' better understanding of the threats posed by cyber crime, but also by the rising importance of rigorous compliance and implementation.

In the UK, effective compliance and implementation depends on employing people who are certified by the relevant professional certification bodies. Whereas examination bodies presuppose a level of experience, but do not generally follow formal requirements, certification bodies for information security generally have a great deal more clout. Usually membership based, they expect set prior experience, require continuing professional development (CPD) to maintain the qualification and invariably follow a code of ethics. As a result, certification provides greater credibility, helping recipients not only retain current employment, but also win future roles and climb the career ladder.

Professional certification bodies that generally win plaudits from employers include, among others, IBITGQ, ISACA and (ISC)², which offer a range of core qualifications.

British infosec professionals are wise to consider the collection of competences surrounding ISO 27001 implementation and auditing, given the growing local and global importance of this international information security standard.

At present, official ISO 27001 certifications are awarded by IBITGQ. They include ISO 27001 Certified ISMS Foundation (CIS F); ISO 27001 Lead Implementer (CIS LI); ISO 27001 Lead Auditor (CIS LA); and Certified ISMS Risk Management (CIS RM).

Meanwhile, the Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) and Certified in the Governance of Enterprise IT (CGEIT) qualifications, all awarded by ISACA, are globally accepted standards of achievement among information systems audit, control, security and IT governance professionals.

Finally, the CISSP (Certified Information Systems Security Professional) skills framework has a key part to play in terms of information security skills and disciplines. Developed and maintained by (ISC)², this qualification is particularly challenging to achieve.

That said, it provides information security professionals with an objective measure of competence and a globally recognised standard of achievement. Those seeking to travel along the technical track however, should consider Exin-Cloud and EC-Council qualifications, underpinned by vendor certifications.

The management track

For individuals tempted by a management career path and roles such as chief information security officer (CISO), chief information officer (CIO), certified information security manager or lead implementer, relevant qualifications are likely to relate to the development of their skills and competences. They should emphasise the creation and management of information security and its components inside the organisation.

In addition to rigorous certification, those with an eye to operating effectively at senior management level should not expect their technical or engineering skills to be sufficient. Many would-be managers, CISOs and CIOs do not understand the nuts and bolts of management or running a business that would be bread and butter to an individual with a business administration background. Specialist skills are, of course, essential.

The vital next step for any ambitious infosec professional is therefore to broaden their business knowledge through an MBA or similar qualification. Only then can tomorrow's boardrooms receive the input they so badly need. 

Alan Calder is chief executive of IT Governance

IT Governance is exhibiting at Infosecurity Europe 2013, held on 23rd – 25th April 2013 at Earl's Court, London. The event provides an unrivalled free education programme, with exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit
