
John Colley (Global) - Filling the Cyber Skills Gap in the Emerging Threat Landscape (Part 2)

As the global economy looks set for more hard times, most would welcome news of a sector where new jobs are expected to develop. Information security is one of those areas with growing recognition for its value, particularly given new, often cost-cutting technology relying on the ability to secure it.  Yet since the economic crisis began in 2008, our surveys tell us that the vast majority of hiring managers—85-90%—struggle to fill their positions. They report people don’t have the right skills or demand salaries that are too high. This clear mismatch in the supply and demand of people is drawing significant attention within the international professional community.

Our most recent (ISC)2 research, released earlier this year, paints a picture of a maturing information security profession. The average years of experience of people working in the field is getting longer, and less than 10% are under the age of 29. Frost & Sullivan, the analysts who conducted this research, also predict the workforce to nearly double by 2015, to 4.24 million. Beyond the numbers, they point out that demands on professionals continue to diversify from the traditional IT roots, with more focus on controlling data rather than systems, the changing regulatory landscape, and other issues such as negotiating with suppliers and advising customers.

These findings raise some serious questions: Where are the people going to come from? Are the educational options available today appropriate for the business and technology strategies of the future? What risk does this present?

The challenge is two-fold. Employers tend to buy in experience rather than develop talent, while poor recognition for information security as a career option is limiting the supply of interested, if not yet qualified, candidates.

Part of the solution is to boost interest.  Most young people are not aware of the career choice, while our reputation as an IT discipline turns away many who could be excellent candidates for a very rewarding career in this field.  There is a great difference between understanding technology and understanding the impact that technology can have. The latter calls on strategic thinking and management instincts, rather than deep technical knowledge.

Once we inspire career interest, however, we need to provide the support to develop it. This calls for educational choice and a job market that isn’t over-reliant on experience. Industry, government, academia and the profession all have a role to play. Certainly governments concerned with a disenfranchised youth can see this as an opportunity to highlight a growing area, while employers would welcome public investment in apprenticeships and training programs.

Government funding frameworks could also be reviewed to address the lack of content in university education. To date, there is little here for young people, with the majority of the 50 or so programs in the UK, for example, at the postgraduate master’s level, targeted at the working student. (ISC)2 is responding to this by opening up its knowledge base to inform curricula and by publishing resources. Further, our members make themselves available to visit universities, guest lecture, and make the subject live, an effort that is relevant to business, ICT and security programs alike.

Other established professions such as engineering have a strong history of supporting the development of three- and four-year courses that not only teach fundamentals but also serve as a filter for people who have the right instincts for the profession. Graduates move into a workplace that can have a level of confidence in them, while the professional community is there to support their development. This is the scenario we need to aspire to in information security.

At the moment, employers cannot assess the potential of a newcomer. Universities do not provide the young graduates, and there is no competency or psychometric test available to test for aptitude where experience doesn’t demonstrate it. Further, even where there is a will, security departments can be small and lack the management bandwidth to adequately supervise and support an individual’s development. Here too the professional bodies can provide support through exposure to the breadth of their membership or more formal programs.

Ensuring skills for the future is a complex issue that calls for a coordinated response from government, academia and the private sector alike. To be effective, this response should draw on the effort of the international professional organizations that already consider the skills gap to be part of the emerging threat landscape.

This article is the second in a series of three articles by John Colley, CISSP, Managing Director, (ISC)2 EMEA. (ISC)2 is the largest membership body of information security professionals, with 80,000 certified members worldwide, and the administrator of the CISSP®.

