“Evoking their interest is one issue”, he said, “but knowing what to do with them once they have shown interest and intent is an even bigger problem. There is no phase two”.
Information security departments are reluctant to take on trainees – even those with academic qualifications – because they need so much supervision at the beginning, said Colley. “Sometimes trainees have a negative impact on productivity.”
Academia, Colley says, does have a role to play. “Information security should be part of the curriculum in computer science courses. IT graduates should be coming out of university with some security knowledge.”
The skills gap has been high on the agenda of (ISC)2 since 2010, when estimates surfaced that the information security workforce would need to double within five years. With the industry currently at full employment (with unemployment at less than 4%), and demand for qualified professionals increasing, “employers are going to need to do something.”
Recognising a talented information security professional is a problem in itself, said Colley, who insisted that “we have not defined those rules, we don’t have any form of testing. Government want their infosec staff to be better qualified, but the level of expertise has dropped significantly.”
The 2010 (ISC)2 career impact survey showed that less than 10% of the information security workforce are under the age of 29. Colley suspects that most of the industry’s new recruits are joining in the middle of their careers from an IT background.
Information security ‘pioneers’, as Colley refers to them, were able to “learn as we went along. You can’t do that now, so it’s difficult for graduates”.
While Colley is unable to define the rules of what makes a good information security professional, he does insist that both technology and business skills are equally important for the information security professional. “The key qualification for a CISO is an MBA”, he says. “The real question is, where do you go once you’re a CISO? What’s next?”
Before Infosecurity’s interview with Colley, he presented a session titled ‘Full employment: Good or bad news for the information security professional?’, in which he showed a slide of the economic cycle of an industry. He positioned the current landscape at the stage where professionals are interested in entering the industry, halfway through its life cycle.
When asked where on the economic cycle the information security industry will be in five years, Colley replied “A little bit further around. There is a three-year gestation period in information security until you know what you’re doing. We need companies willing to invest three years of supervised training”. Colley is hopeful that in five years, that will be the model.