We have been hearing about a “cyber skills crisis” for some time now. But in reality, there is less of a “skills crisis” and more of an understanding crisis.
What has been created is a situation in which employers seek people with “cyber skills” because both governments and the media tell them there is a shortage, and that they had better rush out and find some people with these so-called “cyber skills” to address “cyber threats.”
Thus people with 15 or more years of experience in information security or information assurance, who have long been identifying these very threats but who have not rebranded everything on their curriculum vitae (CV) as “cyber,” find themselves discounted as having no relevant experience by people ill-equipped to judge.
It would be easy for us all to go through our CVs and replace “information security” with “cyber security” – but why should we devalue all of the experience, certification, education and training we may all have been through in order to appear to be current?
That is the difficulty presented by determinedly following this cyber-only path: recruiters operate on the basis of scanning systems that filter out CVs that do not mention the term du jour. Within a short space of time, the rhetoric will have shifted towards securing the Internet of Things, interconnectivity issues, computer network exploitation (CNE) challenges and the ethics of artificial intelligence.
“Cyber” will not be the only game in town. It is the medium – not the totality.
This was brought home more starkly while catching up on the keynote videos from Infosec 2015, where a renowned colleague directly challenged a panel on the subject of “actionable intelligence.”
It is yet another of those industry ‘spin’ terms that have seeped into the core of our organisations as a result of clever marketing. If you are from a military background, then intelligence has a specific meaning, connotation and implication. If you are of an academic persuasion, your understanding of the term will be different again. The implication of the phrase is that no security programme prior to 2015 was structured with intelligence in mind at all – an attitude many should find insulting.
In spite of all attempts to create a “cyber security” profession in its own right, it is at best a sub-category of the existing professions of information security and information assurance – both of which, after nearly two decades of consolidated effort, still struggle to be understood and to achieve board-level oversight, understanding, adoption, support – call it what you will.
As a starter for 10, Table 1 below draws together the spread of available professional membership bodies, their length of establishment, scope and coverage. It is a piece of work done by the author as part of recent PhD research.
Learning Pathways seek to cover cyber security skills within the existing standards for information security. E-skills will partner with the Institute of Information Security Professionals (IISP) Skills Framework. The resultant National Occupational Standards (NOS) are intended to be used at a more practical and operational level (demand-led and evidence-based) than the CESG Information Assurance Scheme. The author still senses a level of duplication at work here though…
| Element of professionalism | ASIS International | BCS | ISACA | (ISC)² | IISP | ISSA |
|---|---|---|---|---|---|---|
| Full-time occupation identified (critical mass of workers performing similar work / community of practitioners) | 25,000 | 75,000 (IT professionals, of which some are security-specific) | 140,000 | 110,000; nearly 18,000 in EMEA and over 5,000 in the UK | 1,968 | 11,000 |
| Chapters, regionalised events | 234 worldwide | Over 40 local branches and 50 specialist groups | Over 200 chapters worldwide | 140 chapters; 34 in EMEA, 6 in the UK and Ireland | Local events in London, Manchester and Cheltenham | Over 135 chapters worldwide |
| Journals, magazines | Security Management | IT Now | ISACA Journal | InfoSecurity Professional magazine | Pulse magazine | ISSA Journal |
| Training or educational programmes provided | Yes | Yes | Yes | Yes | No | Yes |
| CBK / BOK | Yes | Yes, SFIA | Yes | Yes | Yes, Skills Framework | Yes |
| Entry requirements and validation process (competencies assessed) | Yes | Yes | Yes | Yes | Yes | |
| Code of ethics established (internal and external) | Yes, since 1957 | Yes | Yes | Yes | Yes | |
| Code of conduct | | Yes | | | | |
| Practices and principles | | | CoBiT | | | |
| Tradition, willingness to act for the common good, recognition of public responsibility | Yes | Yes | Yes | Yes | Yes | Yes |
| Register – record of all professionals | | | Member directory | Member directory | CLAS | |
| Support of law provided (professional lobbies for legislation, legal protection and legal recognition) | | | | | | |
| Chartered status | | Yes | | | Intending to achieve this | |

Table 1: Elements of Professionalism – spread of duplication. (Column headings identify each body from its journal and framework entries: ASIS International, BCS, ISACA, (ISC)², IISP and ISSA. Cells left blank carried no entry in the source table.)
Considering the cost of membership alone, an individual seeking to be best represented across the industry can end up spending upwards of £800 per annum on renewal fees. That is costly personally, and equally costly professionally for companies supporting multiple individuals in their career goals. Heresy, but industry consolidation is urgently required.
If we all worked in the audit sector, we would have one body to be a member of – and thus one membership fee and one set of standards to adhere to, globally – the Chartered Institute of Internal Auditors.
The author began their PhD study in 2009. Its outputs include an extensive historical journey through the origins of the term IA and how it is intrinsically linked with the term information security (InfoSec), in an attempt to explore the reasons for the lack of successful adherence to existing principles. Two key objectives from the 2011 UK Cyber Security Strategy were taken as guiding drivers:
- Objective 1: “tackling cybercrime and making the UK one of the most secure places in the world to do business,” and
- Objective 4: “building the cross-cutting knowledge, skills and capability to underpin all cyber security objectives”
The author has sought to research these objectives with a view to understanding how they could possibly be achieved while the principles behind the requirements are not fully understood. The thesis specifically targets the complexity of terminology usage, and the challenges presented by a lack of understanding of the fundamental principles behind that terminology, as a central cause of the skills crisis.
The premise is that the issues related to professionalism in the industry, the skills crisis and the culture change required to embed information assurance as a core functional area of any organisation all stem from a lack of understanding of the terminology being used and the contextual meaning of the words.
We are living in the age of Twitter where a news story, however brief on fact or content, will be around the world in minutes.
Studies are showing that attention spans are dropping still further. People will neither attend nor sit through training sessions of more than 15 minutes now. You cannot learn anything meaningful in detail in that time (it still takes seven years to become a doctor, for a reason, after all).
Everything is being “dumbed down” – invariably by removing technical detail, usually under the banner of seeking clarity of understanding, which is a misnomer. Shrinking minds are leading to shrinking value, and yet we live in an information-abundant era.
If ignorance continues to prevail, information protection will not succeed. However, none of this is solely for the security profession to address – the evidence is to the contrary, given the lack of success so far. HR, Legal, Procurement, Quality, Audit: security is everyone’s responsibility, and everyone needs better skills.
About the Author: Andrea C Simmons, FBCS CITP, CISM, CISSP, M.Inst.ISP, MA, ISSA Senior Member has more than 17 years direct information security, assurance and governance experience, helping organisations establish appropriate controls, achieving and maintaining security certifications. Andrea’s most recent role as Chief Information Security Officer for HP Enterprise Security was one of worldwide influence addressing Security Policy and Risk Governance seeking to support and evidence the delivery of organisational assurance across a wide portfolio of clients and services. Her work has included development of a patentable enterprise governance, risk & compliance (eGRC) approach to addressing business information governance needs. Whilst also spending the last 6 years researching Information Assurance, Andrea has published two books. She may be reached at email@example.com
Title image courtesy of ShutterStock
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.