Euro-View: John Colley on the Information Security Skills Gap
As global economic hardships continue into the new year, most would welcome the news that a sector is experiencing growth and creating employment.
Information security is such a sector, particularly given business’ rapid move to adopt cost-cutting cloud and mobile technologies that rely on the ability to secure them. Yet since the economic crisis began in 2008, hiring managers have reported that they struggle to fill their positions. Poor recognition of information security as a career option is among the reasons for this situation, but it is only part of the problem. We need to understand what is required to foster a healthy job market in Europe’s information security sector.
It is good news for those already working in information security. (ISC)2 – the International Information Systems Security Certification Consortium – has tracked the effects of the economic downturn via career impact surveys which consistently show increased levels of employment. For example, the one released earlier this year suggests that only 4 percent of respondents did not have a job.
However, employers face an inflationary “hiring” spiral, with 85-90 percent struggling to find the right people, and taking up to six months to fill positions. Salaries rose in 2011 for 70 percent of the sector’s workforce, while a significant number – nearly 14 percent – saw salary increases of more than 10 percent.
Information security is a serious discipline where organisations demand a minimum of three to five years’ experience and a good understanding of security concepts. At the same time, newcomers are not being provided with the opportunities to develop either. It is tempting to suggest that employers must change their approach and recognise the need to invest in new talent.
Yet such a simple solution is not as easy as it sounds. Information security is a relatively new discipline, which makes it very difficult to recognise employee potential or to understand how much investment is required. Even where there is a will, security departments can be small or lack the management “bandwidth” to adequately supervise an individual’s development. Moreover, many of them seek to fill multiple positions, as our surveys show.
This evolving skills gap is also seen in our Global Information Security Workforce Study, conducted for (ISC)2 by the industry analysts, Frost and Sullivan. It estimates that the information security workforce’s size will nearly double from 2.8 million in 2010 to 4.2 million by 2015. Respondent demographics showed an average age of 40, with only 10 percent under 29 years compared to 17 percent in 2008.
A healthy job market will require a good intake of new and young candidates. Part of the solution is to boost interest. With employers reluctant to develop talent, poor recognition of information security as a career option is limiting the supply of interested, if not-yet-qualified, candidates. There is a growing effort to do this, such as the UK’s Cyber Security Challenge, which is funded by the government and industry sponsors.
Once we inspire career interest, however, we need to provide the support to develop it. This calls for educational choice and a job market that isn’t over-reliant on experience. Industry, government, academia and the profession itself all have a role to play. Certainly governments concerned with a disenfranchised youth can see this as an employment opportunity, while employers would respond to public investment in apprenticeships and training programs.
Further, government regulatory and funding frameworks could be reviewed to address the lack of security content in undergraduate university education. To date, the majority of information security-related university courses are at the post-graduate masters’ level, often targeted at the working student. Yet most students don’t pursue a post-graduate education: it is at the undergraduate level where awareness of the career opportunities can be nurtured to the numbers required.
Other established professions such as engineering have a strong history of supporting the development of three- and four-year university courses that not only teach fundamentals but also serve as a filter for people who have the right instincts. Graduates move into a workplace that has a level of confidence in their educational training, while the professional community is there to support their on-the-job development. Information security must mature in this way.
As a professional body, (ISC)2 has worked for more than 20 years to foster recognition for the profession; we now have 14,000 members in EMEA, many of whom make themselves available to visit universities, host career talks and do guest lectures – whatever it takes to stimulate interest. (ISC)2 is also opening up its knowledge base to publish undergraduate resources and inform curricula, and has created an EMEA advisory board to drive working groups that contribute to skills standards and policy in this area.
I believe information security is a growth area that can help us address the economic challenges ahead – provided that we as a profession can engender a co-ordinated response from government, academia, and industry.