Lecturing yesterday on the MSc course at Royal Holloway University of London reminded me of the importance of professional training for Information Security staff. As the late George van Eps, a jazz guitarist, once put it: “Luck won’t do it, and ignorance can’t”. Unfortunately there’s nowhere near enough professional training around. And the capacity of our university courses is very limited. So we are heading for problems in the future, unless we change our ways.
Information Security is a rich, complex subject, getting bigger by the day. Most of the leading professionals I know were self-taught. You could get away with that a couple of decades ago, because there was no established body of knowledge, very little in the way of professional training and few specialist areas. Today, the scope of the subject is huge, encompassing many niche areas, each worthy of an individual course in itself.
So what should we be doing to improve the situation? In my view the answer is to put more people through MSc or Post-Graduate Diploma courses. That’s the level of study required to do the job today. I did this at Royal Mail Group and it works. I put all my Information Security staff through Royal Holloway training and it transformed the quality of the in-house function. There is no substitute. Certification bodies, personal development schemes and professional societies are the icing on the cake. None of them can make a real difference without the underpinning professional education.