Forget data breaches, hacking attacks or cyber espionage: the number one issue facing information security today is reportedly a skills shortage.
The 2015 (ISC)2 Global Information Security Workforce Study highlights that the number of surveyed companies (almost 14,000 globally) that don’t have enough suitably skilled infosec professionals has risen from 56 percent in 2013 to 62 percent in just two years.
Similarly, Frost & Sullivan (the market research company behind the report) estimates the shortfall in the infosec workforce could reach as high as 1.5 million workers in five years.
That’s an almost intractable problem: we somehow need to entice, coerce, coax or conscript an additional 1.5 million people into the industry, over and above the recruits that are already projected to come into the fold.
With an exponential rise in the number of vulnerabilities being discovered over the past few years, coupled with the number of sophisticated groups proliferating a variety of new and complex attacks, it’s little wonder we are in this state.
The report shows us that the primary focus of existing security teams has shifted from any kind of strategic planning and risk reduction to daily firefighting and cleaning up after the latest attack. Security teams are reporting they are at breaking point as they attempt to stay ahead of the curve and counter today’s threats before tomorrow’s arrive.
Workforce churn within security teams also seems to be on the rise. Unrest stems from teams being overworked, mainly due to the constant bombardment of their systems, coupled with a shortage of suitably skilled analysts to fill the vacant roles on their teams.
The fact is, the deficit allows members of the workforce with itchy feet to get more cash if they switch companies, so churn is inevitable.
But how do we fix this?
(ISC)2 - a training vendor and licensee alongside its security certification business - unsurprisingly says the top two initiatives for retaining security professionals are training related.
My view on this is slightly different. I firmly believe that (ISC)2 is partly to blame for these problems.
Hiring managers ask for CISSP (Certified Information Systems Security Professional) as a minimum level of certification required in job advertisements. This seems to be common even when the job is an analyst role or firewall administrator. Why would either of these require CISSP level qualifications?
This is because (ISC)2 has not educated industry as to when it is appropriate to ask for CISSP and when employers should instead be asking for other certifications, whether from (ISC)2’s own portfolio or from other recognised professional bodies.
This is stifling the pipeline of new entrants from bothering to consider our industry as a possible career path because the barrier to entry is too high. If all the jobs require CISSP and it takes five years to get that certification, how can you ever get started?
I would much prefer to see independent organisations like AISA and ACS provide the appropriate guidance to industry about what they look for in security professionals.
What’s needed is alignment of job roles to industry requirements: relevant experience, a variety of certifications from different vendors, and an understanding of how new hires should be mentored and developed, both on the job and via training where required.
Kids leaving school with no degree or professional qualifications can still be great penetration testers, because their hobby is coding and they are natural hackers. CISSP qualification does not make these guys any better.
These are the juniors we need to enter our industry and we need to do everything in our power to encourage them as early in life as possible. In their final years at university, these kids should already know that information security is a real career option and it’s a viable choice for them.
Over the past two weeks we have seen more papers submitted to the Department of the Prime Minister and Cabinet in relation to the cyber security review.
Notably AISA (the Australian Information Security Association) responded, calling out training, education and professionalism as a key deliverable that needs to be considered nationally to address the shortage of infosec professionals.
We also heard from the Australian Information Industry Association (AIIA) who listed “addressing the skills deficit” as one of the six initiatives required to fix today’s infosec problems in Australia.
To date we’ve seen three decent responses to the review from the Comms Alliance, AISA and AIIA, but what’s really disappointing is that we’ve not heard anything from the Australian Computer Society (ACS).
Hopefully we will see that position rectified over the next few weeks, but until then, there is still a lot of wisdom in the combined efforts of these three respondents to which we should listen.
The reality is, if we don’t get a grip on this escalating problem soon, the bleak picture that (ISC)2 has painted in its study will become an inevitable reality.
We need our professional bodies to step up, play an impartial role in mapping certification and training needs to job roles, and help industry and government steer our national ship through the troubled waters ahead.
Otherwise, as I said, security is doomed.