We are off the pace, educating for IT security, and we have to think in terms of tomorrow besides today, writes Dr Arosha K Bandara, Senior Lecturer in Computing at The Open University.
The skills gap in IT security is well documented in the UK and the shortage has been evidenced repeatedly. One example is the KPMG research from the turn of the year, which indicated that over half (53 per cent) of UK companies would consider hiring ex-hackers to assist in dealing with their cyber security issues.
In 2015 alone there has been a stream of surveys and reports from the IT sector that indicate security is high on the agenda of businesses in a year that has seen some high profile breaches including internationally in the US presidential office. These may be the result of industry shortcomings in terms of people, processes and IT tools. Earlier this year, PwC’s 2015 Information security breaches survey, commissioned by the Department of Business Innovation and Skills, illustrated that businesses are currently still failing to prepare to deal with this.
Increasingly this topic is on the lips of the commentariat, so it’s likely that there will be a renewed focus in the next 12 months in investing in, and reviewing tools in place to tackle problems like application vulnerabilities, reviewing systems in place to see if the organisation as a whole is reactive enough in the event of a breach, and reviewing if the right people are in place to monitor and react to issues.
One thing that is clear is that attackers will not stand still and wait for the workers to catch up, so it is crucial that there is a competent and educated pipeline of individuals ready to enter the market. The industry will undoubtedly continue to grow, so it is necessary to have an education system that is responsive to industry’s needs. It would seem to be a no brainer that companies should look to prioritise training in order to mentor future graduates and provide internships for potential employees. By providing an avenue through which to mentor students, companies can create their own pipeline for the future and help entice students to the profession.
When we talk about a blueprint for the skills of the ‘would be’ cyber-security professional we can say that they need to be able to quickly develop technical skills to deal with evolving threats, but also have an understanding of the business and human environment in which these threats exist. I believe that this sits alongside the understanding of the thought processes of hackers and additionally, being able to assess the risks of the industry.
A vital component of future professionals will be an understanding of how staff will react to new security systems, and the exact type of technology that is right for each industry, staying away from the ‘one size fits all’ approach. Right now, we simply don’t have enough of these skills to defend ourselves. The only solution is to provide the future workforce with the fundamentals of knowledge and analytical skills for tackling today’s threats, as well as being able to adapt and respond to the security challenges of tomorrow.
As the education system stands we are off the pace when it comes to keeping up the ever changing vectors of security; however the impending government relaxation of the Equivalent or Lower Qualification (ELQ) policy in September 2015 presents a chance for people in full time work to not only build on their own skills by making it easier and more affordable to obtain the relevant IT qualifications, and enabling them to move into this area, but it also creates more skilled people for businesses to draw from which is likely to signal a significant step in alleviating the IT skills shortage. The plan of action must be to use the education system and invest in human capital.
