When education and training body (ISC)²‘s “2013 Global Information Security Workforce Study” asked industry leaders if they were having problems recruiting, of course the answer was ‘yes'. Some 77 percent of government and 66 percent of private industry security execs said they had too few security personnel. And last month (February), a SANS Institute report said that organisations are being “severely hampered” in applications security because of skills shortages.
John Colley, managing director for EMEA and co-chair of the European Advisory board for (ISC)² told SC, “There is significant demand for more people and the projections are staggering. But the Catch 22 is that demand is for experienced people. The newly qualified can't get a job without experience, and can't get experience without a job. We are working with academia to see how we can address the issue.”
Among leading academics addressing the problem is Professor Fred Piper, Information Security Group, Royal Holloway, University of London. He told SC: “There are now 40 to 50 MSc degrees that could claim to be cyber security, and as many that partially cover the topic. But that's not really what's needed to cover the skills shortages. In the private sector there is the CISSP (Certified Information Systems Security Professional) at a lower level – but there is a need for something between the two – and the National Occupation Standards for Information Security is now working with e-Skills UK to come up with something appropriate, aligned to the IISP Information Security Skills Framework.”
A matter of degrees
The IISP is currently setting up an accreditation process for training providers, aligned to its skills framework. In addition, GCHQ is introducing an accreditation scheme for Masters degrees in cyber security and this will also be aligned to the IISP skills framework. Piper notes that many believe that rather than cyber security first degrees, there is a need for students to first get a grounding in their core technology – engineering, computer science or mathematics – and then take up information security. “My personal view is that we will see fewer and fewer cyber security first degrees as computing, engineering and science degrees increase their strategic security components.”
Further, organisations are advised to employ recent graduates on the basis of their potential rather than their experience. This includes how the person approaches their work, ability to analyse and problem solve, build relationships, etc. “If you choose the right people, you can teach them the skills they need and that's the way forward,” says Colley. “Give people with the right potential the right training and they will deliver.”
To resolve the shortage, the (ISC)² suggests two options: Pay more (although the organisation admits that this just results in poaching staff from competitors and is a zero sum game that does not address the overall shortfall), or attract people from elsewhere and train them up in information security.
The latter option is seen as the most viable. “We can train people from within their vertical disciplines of IT, health, etc., if they have the right aptitude,” says Colley.
Amanda Finch, general manager of the IISP, agrees, telling SC, “Existing employers need to look at transferring the existing skills from people who are talented within their own work pool. It's looking for people with the right mindset.”
Amur Singh, chair of the Security Group at ISACA (Information Systems and Control Association), says that in 20 years everyone will be semi-technical, but right now there are two non-technical generations and one technical. “Which is why non-technical managers often lack technical understanding. Technical leads need to find ways to express technical threats in ways management will understand.”
Futurologist and information security researcher David Lacy also says that marketing and influencing skills need to be promoted in the sector, because “information security management is all about persuading thousands of people to do things that they don't want to do.”
Jitender Arora, an information security and risk executive in the financial sector, suggests that every CISO should view their function as being their own consulting business: “Now, CISOs need a different skill set from purely technology. They need to market their function and services and sell it to the board. Define your value proposition to your customer. How can I provide more value for the same money – to achieve the business objectives.”
And, Andrew Rose, principal analyst - security & risk at Forester Research, told SC, “The CISO is linked to operational transformation projects, governance and where money is spent. So governance is not often seen as their role, but one for the business leader, hence the CISO should also be a business leader.”
The CISSP from (ISC)² is a senior level management requirement in many areas of the industry as candidates need five years of practical experience to apply, as well as endorsement from an existing member. In addition, applicants need to pass a rigorous exam with a pass mark of about 70 percent. But it's certainly not the only option. “ISACA provides a broad route to become a head of security, up to the C-suite level where the role is actually more of a Risk Officer,” Singh points out. “It provides one of the few routes that cover the management oversight and knowledge to bridge the technical/management gap.” He notes that there are a host of technical courses in the information security field, but it is the management context which is missing in several of these, adding,”Many CISOs today may be too technical.”
Martyn Croft, chief information officer of the Salvation Army UK Territory, agrees. “Information security gets pigeon-holed into information technology – it shouldn't always be sitting in the IT department.” In contrast, Francois Gratiolet, CSO for EMEA at Qualys, provides another reason to get out of the IT department, suggesting to SC: “It may be that the cure for the technology industry's security problem is, in fact, more technology. Automation is growing much more advanced, and we are finding that companies can protect themselves against the vast majority of attacks without the need for a specialist engineer at all.”
But right now, while management skills are a hot topic, education in specialist skills and new disciplines also remains in demand. “We at (ISC)² are also evolving to ensure we meet the needs for more specialist certification,” says Colley. “If people ask about cloud security courses and qualifications we work with them to see if this is appropriate to develop. We have just announced certification for IT and data security specifically in the health sector, as well as forensic computing practitioner as a subject.”
However, certification isn't always the solution, Singh says. “Certification shouldn't be mandatory. If you exclude some of the best minds, you reduce the talent pool. Knowledge – as demonstrated by certification – is important, but so is creativity. There is a trend to over-certify in almost all industries and fields, including info security.”
Lacey goes further, telling SC: “We need common-sense problem-solving skills, not tick box I've-passed-an-exam skills. My advice would be: Scrap the whole lot and start again. I'm more into revolution than evolution because I think it's a change that's needed.”
Continuing professional education (CPE) is also a growing requirement in professional sectors. Colley at (ISC)² says, “We do provide educational opportunities for CPE including review seminars, as well as providing conferences and workshops free of charge. We also accredit others.”
(ISC)² requires 120 hours of CPE to be taken over three years with 20 hours per year minimum – so it can't just be taken in one go and forgotten about.
Full disclosure: SC has an interest here as it is an (ISC)² accredited provider of CPE credits via many of its own events.