What was the common bumper sticker 25 years ago? "Think Global, Act Local."
This phrase came to mind frequently during the recent Infosecurity Europe event. A recurring theme among my conversations with thought-leaders was what they are doing, specifically within the U.K. and Europe, to address the security staffing/skills shortage.
The tone was set by the first keynote address. Chloe Smith, minister for political and constitutional reform within the U.K.'s cabinet office, pledged the government's support for greater security awareness and controls. "We want to make the U.K. one of the most secure places to conduct cyberbusiness in the world," Smith said (see Infosecurity Europe: The Cyber-Agenda).
I spoke with scores of attendees, sponsors and speakers at the three-day event, and no matter what we were discussing - threats, strategies or solutions - the conversation inevitably returned to, "How are we going to get the qualified staff to ensure cybersecurity?"
As context, they often cited the recent (ISC)² Global Information Security Workforce Study, which concludes that we suffer a worldwide dearth of skilled IT security workers. And this shortage is now a legitimate crisis that will cripple organizations' ability to respond to data breaches and other evolving security threats.
Among the people with whom I spoke:
- Richard Nealon, (ISC)² board member, who is concerned that each new global workforce study shows a steadily aging profession. "We're not seeing people come in at the ground level, choosing the career in information security and staying with that career," Nealon says (see Growing the Global Security Community). Nealon hopes to address this issue by helping organizations find new ways to attract young people to the profession.
- Allan Boardman, international vice president of ISACA, who says we are suffering less from a staffing crisis than a skills shortage. "There are a lot of people who work in the information security space," he says. "But I think what we see is that there are specific skills [missing] - particularly with cybersecurity being very much in the forefront of everybody's minds right now." (See Addressing the Skills Crisis.) Boardman's prescription: Renewed focus on core skills to address today's relevant security topics, including big data, cloud and mobility.
I also spoke with John Colley, the (ISC)² managing director for Europe, the Middle East and Africa. Like Nealon and Boardman, Colley is an information security veteran, with more than 15 years' experience. He has headed risk and security at organizations including Barclays Group, Royal Bank of Scotland and ICL.
From Colley's view, the U.K. has already begun to take positive steps forward with a pair of programs that mirror efforts in the U.S.: the Cyber Challenge competition for young people intrigued by cybersecurity, and the federal government's Centers of Academic Excellence program, which recognizes universities that provide the best information security education.
Of course, one can argue that, as successful as the Cyber Challenge and CAE program have been in the U.S., they haven't done enough to address the American security staffing crisis. How, then, can they meet the U.K.'s needs?
Colley sees a pair of fundamental problems that universities and businesses must address to truly close the staffing/skills gap:
- Mandatory Security Training - "We're turning out computer science graduates with no security training whatsoever," Colley says, recommending that information security become an essential element of such programs.
- New Entry-Level Positions - Cybersecurity is vital, and organizations desperately need experienced security pros. But where do nascent professionals go to gain that experience? "It's the classic Catch-22," Colley says, and it needs to be addressed by a concerted effort to create new entry-level security roles.
Good, solid ideas, but they aren't sufficient. We've been talking for years about the need for new government/education/business partnerships, and yet here we are facing a global staffing crisis.
What the profession needs, frankly, is better marketing. And we're steeped in the messaging. I mean, check out the daily news: We have the breach du jour. We have nation-states conducting cyber-espionage. And then there are hacktivist groups bringing major banks to their knees through distributed-denial-of-service attacks. Could there be any more compelling argument for the security profession?
And where could one find better career growth potential? Cybercriminals, hacktivists and malicious insiders aren't going away. There has never been a better time to be a security pro. Yet we don't hear that enough from our leaders. This is the message that needs to be hammered home to individuals looking to start or re-start a career.
Think global, market local. That's what we truly need to address our skills and staffing needs. More talk and action.