There is zero unemployment in IT security, suggesting a huge shortage of skills in the profession, says Hord Tipton, executive director of professional certification body (ISC)2.
But there needs to be a focus on training people to be specialists in areas such as digital forensics, cloud computing and access control, who can see the bigger picture, Tipton told Computer Weekly.
The organisation runs regular courses in such topics to ensure its 86,000 certified information security professionals (CISSPs) remain up to date, as it did in the run up to second annual (ISC)2 Security Congress in Philadelphia.
“Information security professionals need to keep tuned to changes taking place and know about the latest tools available to them,” said Tipton.
That is why certification is important, he said, because it not only certifies core information security skills, but also ensures skills remain up to date and relevant.
The importance of certification for basic skills
According to Tipton, organisations increasingly require certification because previous attempts to employ uncertified people at cheaper rates has backfired.
Job opportunities in information security has attracted unemployed people from other professions, but many of these have accepted IT security jobs with only the most elementary training.
“When things go wrong, these people don’t know what to do and organisations are wising up to this now, insisting on certification to ensure job applicants have at least basic skills,” said Tipton.
As an indication of just how serious the skills shortage is, the organisation’s latest study shows the number of information security professionals will have to almost double in the next two years.
Basic training gateway to improved security
Basic training is vital, according to Tipton.
“We need to start baking in security skills from an early stage, when people are at school and during undergraduate degrees,” he said.
For this reason, (ISC)2 is working with schools and universities to develop courses aiming to produce graduates with a good foundation in IT security.
“A good foundation is vital; a generalist can be trained to become a specialist in the same way as a GP can train to be a brain surgeon. It is a series of steps of continuous learning once they qualify to join the ranks of IT security professionals,” said Tipton.
South Korea shows the way for IT security skills
South Korea, he said, is an example of a country where they are doing a good job of ensuring they will have enough people with cyber security skills.
Although a small country, there is a high level of education in a country of big internet users and they are tied with the UK as the third largest community of certified information security professionals.
Universities, said Tipton, are dedicated and geared to producing the high quality of information security professionals required by the South Korean government.
“They use CISSP as a measure of learning; they see the value of certification and take pride in it,” he said.