Users need standardised security education

Information security relies on closing the gap between technology capabilities and end users' ability to use them in a secure way, say security experts.

Education on secure information practices needs to go beyond the information security industry, according to 90% of ISC2 members.

The knowledge of all information systems users needs to be improved, said John Colley, managing director, EMEA for ISC2.

CIOs also need to understand there cannot be data quality without security. Security professionals need to improve on their business and management skills, he said.

"We need to close the e-skills gap both among end users as well as within the security profession," said John Colley.

Research by ISC2 has shown there is a significant mismatch between the skills in job adverts and the kinds of cross-disciplinary skills candidates need to do the job concerned.

Security professionals are increasingly expected to have more managerial skills as well as technical competence, as roles become more governance-oriented, he said.

Many people do not understand the value of data, whether it is personal or business data, said Adrian Davis, senior research consultant at the Information Security Forum (ISF).

Businesses are still struggling with how best to open up to interactive Web 2.0 technologies, Adrian Davis said.

Using information systems securely should be taught from the very start, in the same way children at school are taught safety in science laboratories, said Colley.

"We need to move beyond awareness to making information security part of standard behaviour by all users of information systems," he said.

In formal IT courses, business education, and workplace training, achieving better security behaviours should be included as an objective, said Colley.

Businesses need to pay more attention to people and processes to ensure employees understand what sort of information should and should not be posted online, said Davis.

Information security will increasingly focus on people and not just technical capabilities, he said, which ISC2 and ISF predict will lead to a new breed of IT security professionals.

"We are on the cusp of what could be a good time for information security in which we will see people with a blend of technical and management skills that will help secure and enable the business without getting in the way," said Davis.

This new generation of security professional will be a mix of technical specialists with forensic skills; consultants to balance technical capabilities with business need based on risk; generalists who will help business and IT understand each other; and leaders to show the way ahead for business and the professional as a whole, he said.
