
Security Profession blog

Comment and discussion about the security industry of interest to the security professional. Blogs will be submitted by (ISC)2's management team and Advisory Board members.

Friday 30 October 2009, 6:19 PM

Now is the time to invest in security skills training

Posted by (ISC)2

The recent PwC survey into the Global State of Information Security (http://news.zdnet.co.uk/security/0,1000000189,39809565,00.htm) is a timely reminder of the skills adjustment facing our industry. Although the security profession has matured in its short 20-year history, disparate roles are emerging within it: the traditional technical IT security requirement is decreasing while jobs with a managerial focus are increasing. Even the rise in specialist university education has tended to be technically focussed. Security people get passed over for management training and the recruitment process continues to be highly weighted toward the measurable technical skills.

The PwC survey highlighted a clear lack of security management expertise that led to a lack of records on where sensitive data was stored and a lack of the bigger picture on security incidents. So why is it that hiring managers struggle to find people with the right skills? 80% in one of our surveys indicated that they are challenged to fill their roles, despite the current economic downturn creating a larger available workforce.

Advancements in technology and the online world have always been ahead of the related considerations for security, because people, IT and business leaders have yet to develop the skills to think securely. Tomorrow’s business leaders need to be able to instinctively strategise for secure business development.

The challenge of ensuring secure e-skills will be about far more than the information security workforce though; security should become part of the core curriculum across the entire education system, from primary schools to a broad set of university courses. It’s interesting that the majority of computing-related courses do not adequately address security issues, yet we know that strategic decisions taken by IT, from the procurement and/or development of software to the adoption of cloud services, are having a huge impact on vulnerability levels when the security requirements are not built in at the outset.
Security should also be a core element of business education. Employee induction should include security with the systems training; and security responsibilities should be part of the employment contract.

John Colley, CISSP, Managing Director (ISC)2 EMEA






Comments on this post

CA

Yup, I have to agree with this; simply relying on the software vendors to worry about it alone is not enough.

Posted by CA on Oct 30, 2009 9:11 PM
