RSA Europe 2012: Information Security Industry Must Fix Skills Gap says (ISC)2

09 October 2012

Speaking to Infosecurity at RSA Europe on 09 October 2012, John Colley, managing director of (ISC)2 EMEA, declared the skills gap in the information security industry a “big problem” and suggested that entry into the industry is dangerously difficult for graduates.

“Evoking their interest is one issue”, he said, “but knowing what to do with them once they have shown interest and intent is an even bigger problem. There is no phase two”.

Information security departments are reluctant to take on trainees, even those with academic qualifications, because they need so much supervision at the beginning, said Colley. “Sometimes trainees have a negative impact on productivity.”

Academia, Colley says, does have a role to play. “Information security should be part of the curriculum in computer science courses. IT graduates should be coming out of university with some security knowledge.”

The skills gap has been high on the agenda of (ISC)2 since 2010 when estimates that the information security workforce would need to double within five years surfaced. With the industry currently at full employment (with unemployment at less than 4%), and demand for qualified professionals increasing, “employers are going to need to do something.”

Recognising a talented information security professional is a problem in itself, said Colley, who insisted that “we have not defined those rules, we don’t have any form of testing. Government want their infosec staff to be better qualified, but the level of expertise has dropped significantly.”

The 2010 (ISC)2 career impact survey showed that less than 10% of the information security workforce are under the age of 29. Colley suspects that most of the industry’s new recruits are joining in the middle of their careers from an IT background.

Information security ‘pioneers’, as Colley refers to them, were able to “learn as we went along. You can’t do that now, so it’s difficult for graduates”.

While Colley is unable to define the rules of what makes a good information security professional, he does insist that technology skills and business skills are equally important. “The key qualification for a CISO is an MBA”, he says. “The real question is, where do you go once you’re a CISO? What’s next?”

Before Infosecurity’s interview with Colley, he presented a session titled ‘Full employment: Good or bad news for the information security professional?’, in which he showed a slide of the economic cycle of an industry. He positioned the current landscape at the stage where professionals are interested in entering the industry, halfway through its life cycle.

When asked where on the economic cycle the information security industry will be in five years, Colley replied “A little bit further around. There is a three-year gestation period in information security until you know what you’re doing. We need companies willing to invest three years of supervised training”. Colley is hopeful that in five years, that will be the model.
