The information security profession is ‘reactionary' and not evolving fast enough – and must recruit more women to solve its crippling skills shortage - that's the message from the ‘Agents of Change' survey by security industry body (ISC)2, which finds that just 7 per cent of security professionals in Europe are women. Worldwide, the figure is 11 per cent.
“Organisations globally need to shift attention to this critical problem,” the report says. “The profession as a whole has been slow in tapping into the pool of talent represented by women.”
It adds: “The information security discipline must transform. Past transformational approaches, while well-meaning, have only produced incremental and reactionary approaches.”
The survey says information security is transforming from a purely technical role to one with “a more comprehensive, risk-based business orientation” requiring skills in areas like governance, risk and compliance (GRC) and aligning security strategy with business strategy – which it says directly align with the skillsets and “distinctive perspectives” held by women in the industry.
As a result, the report suggest that more women in the profession would not only tackle the skills crisis, they would also act as ‘agents of change' to help more security departments move to these newer skills.
The survey recommends that “the male leadership in and out of the information security field” needs to “recognise the concrete and complementary value that women bring to information security”.
“In their recruiting and hiring decisions, greater emphasis should be placed on building a more diverse information security team. Technical skills, while still important, must be increasingly supplemented with the multi-disciplinary skills and perspective necessary to make subtle but impactful risk management decisions,” concludes the report.
Andrea Simmons, a director of the UK-based Institute of Information Security Professionals (IISP), agrees that companies should look less at whether staff offer specifics such as a computer sciences degree, and focus on their overall skills and aptitude for the job.
“A more skills-focused approach by organisations makes it easier for them to take people in from different angles, rather than just based on your qualifications,” says Simmons, adding: “If you use the skills frameworks approach appropriately then you are assessing people against what skills have they got across what areas that you need. It's actually looking at what we are doing in a more professional manner.”
Simmons advises: “You need a mix of skills. We can be too purist in what we're looking for from people.”
The low number of women in the information security profession has been brought into sharper focus by the current skills crisis. Just last week Ernst & Young's ‘Global Information Security Survey' found that “lack of skilled resources” in their information security function is a major issue for two-thirds of organisations.
In the UK, elements of the Government's flagship £650 million National Cyber Security Programme have been delayed through lack of skilled staff and the new National Crime Agency is currently hiring 400 apprentice ‘cyber crime fighters' instead of appointing experienced experts. In fact the shortage is so severe that the use of convicted hackers has been mooted for the UK Cyber Defence Unit, a suggestion condemned by many.
"This development does highlight the problem of a skills shortage and the lack of talent outside the criminal community to tackle serious cyber-attacks facing the country. This is why it is so important to encourage the next generation to study, and become expert on, security-related issues so they can be the ones to fight sophisticated cyber-threats in the future," comments David Emm, Senior Security Researcher at Kaspersky Lab. Emm questions the use of criminals to protect the country's most sensitive information, arguing that: "Those who have previously worked for the ‘dark side' of the code-breaking fraternity are often motivated by money and misplaced ideals, and therefore expecting them to switch sides, and remain there is unrealistic.” Instead Emm suggests education is the answer, with the computing element of the new National Curriculum moving from simply using technology to understanding how it works - a move which might also ensure more women were prepared and interested in entering the sector.