Peter Berlich analyses the requirements of IT security staffing, together with workforce surveys and reports on leading-edge research and education projects.
The information security job market has seen substantial growth, reflecting the increased importance and maturity of the profession. Threats have evolved and we are faced with organised crime rings. Society as a whole is shaped by its increasing dependency on information systems for many aspects of public and private life, overturning established paradigms of security and privacy. The information security profession has developed in step with these changes. Where security might have been a task on the side, performed by a network engineer, it is now a well-established function within the corporation that is part of a highly balanced governance system and follows an elaborate code of practice.
Where the basics of security might have been self-taught a decade ago, vocational degrees such as CISSP have become a de facto standard for a security career.
Corporations will look for proven skills and personality traits when staffing their security function. Depending on the seniority of the position, requiring certification will establish a controlled baseline for candidates' experience and skills. More important is the confidence that critical assets are being put in trusted hands.
When defining the role, it's apparent that too many jobs are fraught with conflicting requirements. Is it a project or people management role that primarily requires managerial skill supplemented by high-level technical understanding? Enterprises should keep job profiles focused. Think football team: every player will be able to fill any position on the team, but there will be those who excel as goalkeepers, others as forwards, and some as captains.
Also, information security professionals need to be able to communicate their mission and knowledge effectively when most of their audience will consist of users and managers who are untrained in security and don't understand jargon.
It has often been said that security people are curious, highly talented individuals with a taste for variety and an eagerness to learn. Such a gift requires discipline to be used effectively. Nonetheless, if enterprises want to retain talent they will need to invest in constant training and education, and offer a career path and promotion if the person's skill is in short supply.
For more on the global information security workforce, see www.isc2.org/workforcestudy.
UNIVERSITY NEWS - WESTMINSTER MSc
This degree in information technology security is known for its reputation and approach to learning. Described as having a ‘block mode’ structure, the program combines classroom time with the flexibility of distance learning. Students complete six modules over two years, covering subject areas from security awareness, business needs planning and policy, to penetration testing and forensics. Each module spans a five-week term, but only one week is spent in the classroom.
There are 30 hours of lectures, case studies, role-play and other activities. For the remainder of the term, students review material, consult colleagues, their fellow students and a tutor to build up knowledge, and prepare a paper for assessment.
“We've learned that companies struggle to give people large chunks of time to pursue a degree but they don't mind losing people for a week at a time,” explains Evans. “The design for the degree allows students, theoretically from anywhere in the world, to be absent from work in short bursts.”
Evans reports that while some students work the program into their holidays, many companies allow students the time to study. Gaining admission is challenging, with about 350 applications for 40 placements a year, but results are strong.