The efforts of the cyber security challenge have highlighted a major skills gap in those interested in getting into information security and those hiring. Chris Batten, managing director of Acumin Consulting, looks at what employers should look for in a prospective employee and what challenges entrants can expect to face.

The career path of an infosecurity professional is not ‘cut and dried’. With few related degrees available, such as computer science and computer forensics, the path to breaking into the industry remains unclear and traditional degrees are not engaging enough to attract students, despite the career being fast paced, ever evolving and a business priority.

Ian Glover, chairman for the CLAS forum, said: “Take up of computer science at degree level has decreased significantly, the people we really want to attract often perceive these types of degrees as uninteresting and lacking challenge. We need to make the programmes more exciting to ensure we draw those people interested in the subject into the right courses.”

In addition, some organisations do not look upon these degrees favourably and instead prefer candidates who demonstrate wider degree-based experience.

“Candidates need to offer something different,” said Glover. “Specialising in areas such as network security or network forensics can help. We're always excited to meet candidates with experience that lies outside the immediate infosecurity arena.”

While it is important for professionals to consider industry accreditations, there are a number of things future candidates should bear in mind when embarking upon their careers.

The financial industry is a lucrative market for infosecurity candidates, as it requires the ability to protect systems and manage risk. Stephen Bonner, head of information risk management at Barclays, said that Barclays has been actively recruiting as, in light of recent economic challenges, information security and risk management are paramount.

He said: “There is a real bidding war between banks to recruit infosecurity candidates. We look to recruit people early in their career, those with some experience and knowledge with the potential to become stars of the industry.”

Opportunities exist in the vendor community for recent entrants. Glover said that within these organisations, reasonably low entry points such as systems integrator roles exist. “It is more difficult to transfer from a vendor to end-user environment, however moves can be made reasonably easily from vendor to consultancy and then end-user,” he said.

“Furthermore, the low barriers to entry in vendor environments mean organisations are prepared to take on less-experienced or recently graduated candidates and provide them with in-house training.”

Bonner said: “I'm not looking for a computer scientist. Pure technical knowledge and theory is not going to help candidates to engage with others in the risk management sector. As such, we often employ candidates from educational backgrounds that include the arts and humanities.” A message echoed within infosecurity circles is that knowledge can be taught, while people management and leadership are inherent skills required.

Following recent public sector cuts, a number of industries are desperate for infosecurity professionals, such as law enforcement and professional services organisations, and this may provide an easier entry point.

Candidates should also consider becoming more specialised.

“Over the last five years, we have started to see a requirement for specialists. Ethical penetration testers, architects and engineers in particular,” said Glover.

The path to an infosecurity career is still unclear, as Bonner said: “There is a lot of noise surrounding the profession, but the difficulty lies within harnessing the interest at A-level, through to degree level and into the professional workplace.”

Candidates need to look at the different options available, whether that is working for a vendor or financial organisation, in the public sector or specialising in one of the sub-genres.