When education and training body (ISC)²'s “2013 Global Information Security Workforce Study” asked industry leaders if they were having problems recruiting, of course the answer was 'yes'. Some 77 percent of government and 66 percent of private industry security execs said they had too few security personnel. And last month (February), a SANS Institute report said that organisations are being “severely hampered” in applications security because of skills shortages.
John Colley, managing director for EMEA and co-chair of the European Advisory board for (ISC)², told SC, “There is significant demand for more people and the projections are staggering. But the Catch 22 is that demand is for experienced people. The newly qualified can't get a job without experience, and can't get experience without a job. We are working with academia to see how we can address the issue.”
Among leading academics addressing the problem is Professor Fred Piper, Information Security Group, Royal Holloway, University of London. He told SC: “There are now 40 to 50 MSc degrees that could claim to be cyber security, and as many that partially cover the topic. But that's not really what's needed to cover the skills shortages. In the private sector there is the CISSP (Certified Information Systems Security Professional) at a lower level – but there is a need for something between the two – and the National Occupation Standards for Information Security is now working with e-Skills UK to come up with something appropriate, aligned to the IISP Information Security Skills Framework.”
A matter of degrees
The IISP is currently setting up an accreditation process for training providers, aligned to its skills framework. In addition, GCHQ is introducing an accreditation scheme for Masters degrees in cyber security and this will also be aligned to the IISP skills framework. Piper notes that many believe that rather than cyber security first degrees, there is a need for students to first get a grounding in their core technology – engineering, computer science or mathematics – and then take up information security. “My personal view is that we will see fewer and fewer cyber security first degrees as computing, engineering and science degrees increase their strategic security components.”
Further, organisations are advised to employ recent graduates on the basis of their potential rather than their experience. This includes how the person approaches their work and their ability to analyse, solve problems, build relationships, etc. “If you choose the right people, you can teach them the skills they need and that's the way forward,” says Colley. “Give people with the right potential the right training and they will deliver.”
To resolve the shortage, (ISC)² suggests two options: pay more (although the organisation admits that this just results in poaching staff from competitors and is a zero-sum game that does not address the overall shortfall), or attract people from elsewhere and train them up in information security.
The latter option is seen as the more viable. “We can train people from within their vertical disciplines of IT, health, etc., if they have the right aptitude,” says Colley.