The IT security industry faces a major staffing crisis, according to the latest research. But what can schools, businesses and industry associations actually do to start addressing the problem?
The new Global Information Security Workforce Study from (ISC)², the information security certifications body, shows that a worldwide dearth of skilled IT security workers is now a staffing crisis that could cripple organizations' ability to respond to breaches and other security threats.
Addressing this issue will take the work of all who have a stake in the industry, says Julie Peeler, director of the (ISC)² Foundation, starting with schools.
"A major piece of it is the curriculum development and making sure that curriculum in cybersecurity is seeded at the earliest levels," Peeler says in an interview with Information Security Media Group [transcript below].
Industry associations have a role in enlisting their members to speak at schools and teach children about the IT security profession early on.
"Our certified professionals go into classrooms and teach young children about cybersecurity, cyber-safety and cyber-ethics," Peeler explains. "It seems like such a simple thing, but when I think about our 90,000 members, imagine 90,000 of them around the world getting out there and into classrooms."
Employers in government and the financial industry also have a responsibility to ensure they advocate for continuing education and credentialing among their information security work force. "It's those kinds of things that we think are critical to raise the importance of the profession and make sure it's viewed as a serious profession," says Bruce Murphy, principal in Deloitte & Touche's enterprise risk services group.
In an interview about the latest IT security staffing trends, Peeler and Murphy discuss:
- Why the staffing shortage is a crisis;
- What is at risk if the crisis is not addressed;
- How the government, employers and schools can help.
Peeler is responsible for building, leading and managing the (ISC)² Foundation to ensure it becomes a wide-reaching and effective organization for the benefit of everyone who interacts with data and the Internet in their daily lives. Peeler is a market researcher and business strategist with nearly three decades of experience in both the for-profit and non-profit arenas. Her experience includes forging strategic partnerships, encouraging corporate social responsibility and employee volunteerism, nonprofit board development, strategic planning and marketing. She has worked in senior management positions at Americans for the Arts, Arts & Business Council Inc., J. Walter Thompson, and Foote Cone & Belding.
Murphy is a principal in Deloitte & Touche LLP's Enterprise Risk Services practice, focusing on security & privacy services. He helps some of Deloitte & Touche's largest global clients design and implement secure, reliable technology infrastructures and business operations. He was formerly the Worldwide Security Services lead for Cisco Systems Inc., where he was responsible for strategy, direction and delivery of the security services portfolio for the Customer Advocacy/Advanced Services suite. Prior to Cisco, he was the CEO of Vigilinx, a digital security solutions company. He was also a senior partner and the global leader of PricewaterhouseCoopers' Security Services Consulting Practice.
TOM FIELD: (ISC)² just conducted its 6th annual Global Workforce Study, and the key conclusion is that we don't have a staffing shortage; instead, it's a crisis. What leads you to that conclusion?
JULIE PEELER: Past studies have shown that there's a growing staffing crisis, but this year we've uncovered a lot more information that shows this triangulation of three different factors that are leading us to move toward the point where this is a really urgent situation. Obviously, as you've pointed out, the staffing shortage, the study contains quite a bit of data on that, including the notion that at least 50 percent of all professionals that are working in this industry are looking at a staffing shortage and two-thirds of the C-suite level executives report that they've got a security staff shortage.
But then add on to that the rapid advances in new technologies like cloud, BYOD, the use of social media at work, and issues around secure software development, and then add the third piece, which is just an explosion of the negative actors in this space - all of the hackers and that sort of thing. Take those three things - a lot more threats, a lot more new technologies where professionals in the industry really need to come up to speed quite quickly on how to secure those new technologies, and then add the fact that you have this growing shortage of professionals - and you've got this perfect triangulation of these three factors that are leading us toward a really strong sense of urgency here.
How to Address Skills Shortage
FIELD: I'd like to take a step back. We've known that information security has been critical for over a decade now. Knowing that, what has created this staffing crisis in IT security and what's being done today to address it?
PEELER: I don't know that you can necessarily put your finger on any one reason that the staffing shortage has been created. I do think that there are two factors that I've uncovered by doing some secondary research in this area. One is that this is a hidden industry. No one wakes up when they're six-years-old and says to themselves, "I want to be an IT security specialist." They still want to be policemen, firemen and teachers and what they see everyday in the classroom or in their everyday lives. We hear all the time of even young students who are majoring in IT who have never heard of IT security. Something needs to be done on the industry level to raise awareness of the existence of the industry and what an incredible profession it is to work in, what an interesting profession, what a lucrative profession it is to work in. I do think, unfortunately, that a lot of the crises and the front-page headlines around IT security really are helping us to raise awareness.
The second thing is an odd thing that I uncovered doing some secondary research. A lot of kids today, when they say to their parents, "I want to major in IT," the parent then says to the child, "You don't want to do that; they're outsourcing those jobs." Well no, no they're not. It's actually not possible to outsource an IT security job. Any job that touches the U.S. government in anyway it's actually not legal to outsource that job and that's actually true in any country around the world. In India, you have to be an Indian to work in securing the critical infrastructure in India, and the same is true for any country.
There may be a desire on the part of a lot of people to go into IT. They may have the basic skills set, but what they don't have is security skills, and I think we need to work as an industry to draw more students over into that area. To look outside of IT, we're seeing a lot more people going into the industry who have JD backgrounds. They're lawyers, managers, engineers and we need to really be drawing from a gamete of skill sets to make sure we have all the right skill sets to secure our infrastructure.
BRUCE MURPHY: I've got a couple of things and agree with what Julie has stated, but I think the industry has evolved. I've been in it for 25 years or so, but the pace at which it's moving now is dramatic. The infrastructure on education and infrastructure around tracking talents and educational programs and formalized community programs have not been as forceful as they should be. Organizations like (ISC)² become critically important around this because we get to credentialize and really name the fact behind the industry and give it real weight and real credibility.
There has also been a lot of historical lack of reporting of actual incidents, and, as Julie indicated, we're seeing executive orders around security. We're seeing communications around identification of our competitors in China, or the Chinese army actually attacking us. There's documented evidence of that. What's happened is we've had a lot of information that was so visible and a lot of folks really didn't believe that this was really as serious as it has become.
We're starting to see people take it more seriously. We're seeing more degree programs, more undergraduate and graduate programs that deal specifically with the discipline of technology or risk manager and then security specifically. There are some things that are happening to address that, but it needs to keep pace.
What's at Risk?
FIELD: We've talked about a staffing shortage for some years now, but here we are in 2013 and we're calling it a crisis. What's at risk if we don't address this crisis in 2013?
MURPHY: What's at risk is the infrastructure of our countries, the safety of our children working, playing and learning online, and you could even extend to even more pervasive security issues and financial crises on a number of different fronts. It's pretty severe, and we haven't even talked about the infrastructure of things like the water system, the power grid, the utility environments. All these areas can be compromised much more easily than we ever could in the past. It can become a dramatic problem, especially when we're seeing trafficking in malicious code and other different types of malware. People can actually go out on in the Internet and buy these pretty insidious tools and use them not once, but many times, and on a repeat basis.
FIELD: Let's talk about some specific responsibilities within the industry. Bruce, I'll toss this to you first. What do the info-security pros have to do differently to help address this crisis?
MURPHY: I think that they need to do something that we've been talking about for a while. Basically, shift the dialogue around what the impact of these types of attacks and problems really are. What I mean by that is, in the past, we've talked specifically about technology issues and the underpinnings of Internet protocol, firewalls, configurations and so forth. Unfortunately, the broad majority of business leaders turn off when they hear that language. We need to start communicating in terms of what it means to a business and what it means to a country and what it means to our general safety that security issues aren't addressed properly. That starts to really rate the level of the dialogue in terms of people investing its people, building educational programs, and folks investing their careers in this direction, and people really starting to understand what this means for practical terms and take it out of the dark corner, the hidden profession, and take it to the forefront because it's so critical and important on so many fronts, as we talked about.
FIELD: Julie, what do info-security pros have to do differently?
PEELER: If you were to talk about it on an individual basis, I think Bruce makes a great point. But on an individual basis, every single professional working in information security today needs to reconnect back to the educational system. They need to remember where they came from and they need to be out there in the community at the grammar school, high school and college level advocating for this profession.
We also run a program called Safe and Secure Online where our certified professionals go into classrooms and teach young children, as young as five-years-old, about cybersecurity, cyber-safety, and cyber-ethics, and they always end that presentation by talking about what it is they do for a living, and you see their little faces light up. It seems like such a simple thing, but when I think about our 90,000 members, imagine 90,000 of them around the world getting out there and getting into classrooms at the grammar-school level, the high-school level and at the college level. I think that can have a huge difference.
One of the things that we're doing also as an industry organization and certifying body is we're working a lot more with the education community to build curriculum around the common body of knowledge behind each one of our certifications so that we make sure that the curriculum in cybersecurity is as thorough as it can possibly be, and also that they are really prepared for the profession, because our common body of knowledge changes and is updated four times a year. It's updated on an almost perpetual basis. It really helps them stay ahead of things and make sure that after four years of study, they're not four years behind in terms of their skill set and that they're right on top of things and ready to go into the work force.
Responsibility for Employers
FIELD: What's the responsibility for employers? What do they need to do differently?
MURPHY: It's important that they will take this seriously and I think employers on a number of fronts need to raise the importance of education and credentialing around the security profession. In some cases, make it a requirement for when it comes to careers. For example, we're a mainstream privacy practice at Deloitte. We have a mandatory requirement that if anyone's going to advance to the next level, they've got to have a [certain] credential, otherwise they will not be able to continue there as a career. It's those kinds of things that we think are critical to raise the importance of the profession and make sure it's viewed as a serious profession that's credentialed and it's a viable source of talent and information.
I will also say that employers need to do more outreach in terms of the educational community and invest in various programs that we're starting to see emerge at the graduate/undergraduate levels that are focusing on this area, whether it's specific grants or more in terms of working with those programs.
Ultimately, make some investments in bringing in and attracting talent and making sure that the capabilities and resources to really get access to the right knowledge to not only have the credential but have the ability to actually deal with the various attacks and problems that we're seeing. It's quite an expensive body of work that's required to do that, so having an educational program devised and having the business community supporting that I think will be critical.
How Schools are Addressing Crisis
FIELD: Julie, let's come back to the schools. What are the schools, the industry associations, and even certifying bodies like your own, doing to address this crisis?
PEELER: I really do think that a major piece of it is the curriculum development and making sure that curriculum in cybersecurity is seeded at the earliest levels. There's a base amount of information and skills that every human being needs to have regardless of whether or not they're going to end up majoring in information security and entering the profession later on as they grow up. That is one of the major things to be done. Also, as an industry association we can take a leadership role in the notion of raising the awareness of the industry and the attractiveness of this as a profession.