Tackling the enterprise digital security skills crisis (1/2)
According to the 2015 Global Cybersecurity Status Report from industry association ISACA, a huge 90% of US-based and 87% of UK-based IT and security professionals testified to an international shortage of skilled cyber-security professionals, with fewer than half feeling ready and able to fend off a sophisticated attack as a result.
A recent study by network vendor Cisco even puts a figure on the extent of the problem. It estimates that there are already close to one million unfilled job vacancies across the global industry – with the figure widely expected to double by 2017.
But the problem is that, while the information security threats being faced are becoming increasingly complex and the hacking tools ever simpler to use, potential vulnerabilities are also becoming more widespread.
As growing numbers of devices ranging from cars and fridges to wristwatches are given IP addresses and hooked up to the so-called ‘Internet of Things’, the security implications become breath-taking.
So just how could a skills gap of this magnitude have come about? The answer, it seems, is a complex one.
On the one hand, the information security industry has, to date, done relatively little in a proactive sense to attract young people into its ranks – or make the profession appear sexy for that matter. As a result, says Mike Gillespie, director of information security consultancy Advent IM:
“We’re an increasingly ageing demographic and are struggling to recruit and retain well-motivated and qualified individuals. We’re increasingly poaching from each other as we simply don’t have new people coming through with the experience and qualifications.”
The fact that everyone is chasing the same pool of talent also means that attracting top people costs – and a lot.
According to Etienne Greeff, chief executive of cyber-security services provider SecureData, the average churn rate in the industry is now about 2.5 years, with people either switching employers with abandon or becoming contractors as they go after the money.
Academic vs practical skills
But the current lack of a structured career path into the profession also does not help matters much, not least because many employers are unclear as to what they should be looking for when hiring.
While a large range of qualifications and certifications of varying degrees of quality exist, there are no formal entry criteria into the profession as there are for lawyers and accountants. As a result, the ISACA study indicated that 48% and 41% of US and UK respondents respectively found it difficult to identify whether graduate job candidates had appropriate levels of skills and knowledge.
But there is scepticism in some quarters as to whether university alone really is the best route into the profession anyway.
Paco Hope, principal consultant at software and application security consultancy Cigital, for example, believes that, as most software has a five-year life span, by the time graduates enter the sphere of work, their skills are already starting to age.
Moreover, a lack of real-world experience within the academic context means that many simply lack the practical expertise required by employers to hit the ground running.
In part 2 of this article, Cath Everett looks at the global potential for apprenticeship schemes.