What's it going to take to attract individuals to information security and develop the right skills required to tackle the profession's future needs? ISACA's Allan Boardman offers his insights on growing the field.
The current cybersecurity climate looks like this: Organizations struggle to find qualified staff to fill all the roles open in information security and risk management, and within the existing talent pool there's a lack of skills necessary to succeed in those roles, says Boardman, international vice president of ISACA.
Ensuring organizations have the necessary professionals with required skills to address their cybersecurity gaps means developing a new strategy, Boardman explains.
"Have a clear career path for those individuals so they can be motivated," he says in an interview with Information Security Media Group [transcript below].
"One of the main reasons people like working in this area is because it's an interesting [one] with ever-changing demands, needs and challenges around every corner," Boardman says.
Ensuring that motivation means having career progression, he notes. ISACA, through its career management task force, is looking at what resources are needed to give existing professionals and interested candidates a better idea of the career paths, skills and requirements involved in filling the open positions.
In an interview, Boardman discusses:
- His focus at ISACA;
- What ISACA is doing to address the skills gap;
- How to grow the profession to meet future needs.
Boardman began his career with Deloitte in Cape Town, South Africa, and has more than 30 years of experience in IT audit, risk, security and consultancy roles at companies such as JPMorgan, Goldman Sachs, KPMG, PricewaterhouseCoopers, Marks and Spencer and the London Stock Exchange. He is a past president of the ISACA London Chapter and has served on the British Computer Society's Information Risk Management and Audit Committee. He has also served on and chaired ISACA's CISM Certification Committee and the Leadership Development Committee. He currently chairs ISACA's Credentialing Board and is a member of the association's Strategic Advisory Council.
Focus at ISACA
TOM FIELD: You've had a distinguished career in information security; you still have a distinguished career. Tell me a little bit about yourself, the work that you do and your role with ISACA.
ALLAN BOARDMAN: I guess I started life as an accountant, but I've moved into IT audits, security and risk management pretty early on. I've worked with some of the big organizations on a global scale, and my involvement at ISACA goes back over 15 years at a local chapter, but more recently at the international level working with ISACA in various committees and currently, as you mentioned, joining the career management board, which oversees the four main credentials within ISACA.
Shortage of Skills
FIELD: Let's talk a little bit about the situation that you see globally. We know that there's a shortage within information security, and my question for you is: are we looking at a shortage of individuals or are we looking at a shortage of particular skills?
BOARDMAN: I think it's more of the latter. There are a lot of people who work in the information security space, but I think what we see is there are specific skills, particularly with cybersecurity being very much on the forefront of everybody's minds right now, and it's clearly been identified that cybersecurity is one of the big gaps. In my opinion, it's across the whole range. These are very deep technical skills, architecture skills and security specialists, but also the business skills that are in short supply. That's one of the areas that ISACA has identified that we need to focus on.
Filling the Gaps
FIELD: Let's talk about gaps. Where do you see gaps and what's ISACA doing about that to fill those gaps?
BOARDMAN: Some of the gaps I would see specifically are around providing specific security guidance to organizations to address the issues in the current topical areas like big data, cloud security and mobile computing. Those are all topics where people need more detailed specific guidance and tools to be able to help them through that.
ISACA's Credentialing Program
FIELD: Let's talk about the credentialing program. You currently have four major credentials. How's the credential program evolving to help fill gaps and meet the needs that organizations have?
BOARDMAN: From an ISACA perspective, we've traditionally been seen as focusing on the auditing program, CISA. The Certified Information Security Manager, CISM, came after that, and it's been around for about 10-12 years. Then we also have the CGEIT credential for IT governance, and more recently we have the CRISC certificate for risk professionals. How ISACA is positioning those credentials is across the whole spectrum of trust professionals. ISACA's tagline is "trust in, and value from, information systems," and those credentials speak quite clearly across all those trust-professional activities.
Meeting Future Needs
FIELD: You've been in the information security profession for some time. In your opinion, what's going to be necessary to attract more individuals to the information security profession and ensure that they do develop the right skills to meet not just today's needs but certainly tomorrow's needs? I know that you've been a part of discussions about what we need in the profession five years out and ten years out. What can we be doing today to ensure that we've got the right individuals and the right skills in the profession five and ten years down the road?
BOARDMAN: One of the key things would be to have a clear career path for those individuals so they can be motivated. One of the main reasons people like working in this area is because it's an interesting area with ever-changing demands, needs and challenging things around every corner. But I think it's important to provide people working in this space with clear career progression as well. One of the things ISACA is looking at - within our credentialing board - is we actually have a career management task force specifically looking at what resources we need to provide not only to existing professionals but also to new people entering this marketplace so that they have a clearer idea about career paths, skills and requirements to fulfill those positions.
FIELD: What's your advice to someone entering the profession today? It could be someone starting their career or it could be someone looking for a career change. What advice would you give to someone coming in?
BOARDMAN: Get involved. There are a lot of resources out there and I think you have to have a passion for this. My advice would be to look at some of the structured programs, whether it's a university or college degree or a master's degree in information security or information assurance. Look for those opportunities, but also reach out to the broader information security community because there are loads of opportunities. People are looking for bright people to come in and help us in this cybersecurity space.
FIELD: It seems like you've got a fairly tight information security community, at least here in the UK. Is that reflective of the community in Europe?
BOARDMAN: I guess I can really speak for the UK and London specifically. You're right. We do have a very close-knit community, particularly around the financial services sector. Europe, we have language differences, but at the same time it's only a short trip to attend a conference or a meeting whether it's in Paris, Berlin or Amsterdam. There's a strong network, particularly in the ISACA community where we share information and share speakers. It's not unusual for someone from Spain to come across and speak at one of our events and call people from the UK to speak in Europe as well.