
W. Hord Tipton (UK) - The Impending Skills Gap in Information Security: A Holistic Approach is Crucial

In the last 20 years, information security has been one of the fastest growing and richly developing careers available. Even during tough economic conditions, our research shows professionals are enjoying job stability, increased salaries and growing demand for their services. This same research, however, portrays a profile of a profession that may not be attracting enough people to take advantage of the opportunities.

More than 10,000 professionals responding to our 2011 (ISC)2 Global Information Security Workforce Study reveal a picture of a profession that is maturing: the average years of experience of people working in the field is getting longer, at about 11 years; their levels of education are higher, with 40% holding a masters or equivalent degree; and the average age is 42.

Looking at the trends that affect professionals in their jobs, this study, conducted by market analysts Frost & Sullivan, also illustrated the technological upheaval that has those already working in information security facing a significant shift in skill requirements. More than 70% of our survey respondents report the need for new skills to properly secure cloud-based technologies, for example, including the need for new instincts in areas such as contract negotiation. They admit organisations are not ready for social media threats, with nearly 30% having no policies in place guiding its use. In today's modern organisation, however, end-users are dictating IT priorities by bringing their technologies, mobile devices, cloud services and branded social networking properties to the enterprise, rather than the other way around. They are in turn producing a phenomenal amount of data, creating a monumental challenge for those tasked with identifying and securing that which could be considered critical or sensitive.

The good news in all of this is that security is recognised as having real value in enabling the dynamic changes new technologies are making in business. Information security professionals finally have the necessary management support that traditionally has been lacking. These changes, along with the complexity of the threats that are developing around them, are happening on a grand scale: the study forecasts that nearly twice as many professionals as are working today will be required by 2015 (4.24, compared to 2.28 million today). This recognition of security's value must now be followed by some clear thinking on how to realise it.

There are some natural barriers to entry that explain the absence of new entrants. Most employers are loath to trust the security of their systems to the inexperienced. The profession itself is still relatively immature: the founding generation continue to dominate the top management layer, and their own experience will not have included focussed university education in the field or the internship training that can follow, so they have yet to inspire much development here. Looking at the profile of university level education that has developed, we can see that, except for the specialist courses in forensics, it is dominated by graduate-level programs that cater to the working student, rather than the young person considering his or her first career choice. It is hard to understand how people could even learn about the opportunities open to them, let alone consider whether they are of interest.

The professional community and employers must now play a central role in turning this around. We can start by enhancing the general understanding of the career possibilities, covering the varied specialist, consultative, management and technical possibilities. One of the fastest growing areas at the moment is in assuring secure software development. Our research shows that one in five professionals is now involved in this area. There is also a real need for risk management skills at both the IT practitioner and business department level to support the decision making that is taking place as these and other new technologies enable change.

There are organisations, such as the Cyber Security Challenge UK, that are reaching out to young people to get this message across. We are also seeing an increasing number of government organisations across the globe manning efforts to map skills and the educational support required to ensure healthy economies. As a professional membership organisation with more than 78,000 certified members, (ISC)2 actively participates in many of these initiatives. We are also supporting the development of university level education, sharing the privileged access to the very current knowledge we have in the management of our professional certifications. I would venture to say, however, that this is only a beginning. Educators, employers, governments and individual professionals should be considering what they could and indeed should be doing to ensure an adequate information security workforce in possession of the right skills.

In information security, we have always recognised the need to be ahead of the game - anticipating the next threat, the next way of doing business and the next big technology. This must also include anticipating a next generation.

By W. Hord Tipton, Executive Director at (ISC)2. Mr Tipton also oversees all departments, makes ultimate business decisions, and is responsible for the overall direction of the organization.


