The lack of skilled security professionals

There was an article earlier this week in Government Computer News that talked about both a global shortage of skilled security professionals as well as the desire of many people in governments to regulate the information security industry by requiring particular training and certifications for people working in it. Dealing with a shortage of security professionals can easily be handled by the law of supply and demand, so that's not really a hard problem to solve. What people are really seem to be complaining about is that they can't find enough people to do information security jobs at the salaries that they would like to pay them, and that's really a very different problem.

I've talked to many information security professionals who have left government contracting in the past few years because the agencies that they used to work for had inflexible ways of determining how much a contractor was worth. These typically methods involved things like the level of education and years of experience of the person, so that they might say that a person with a BS in computer science with three years of experience is worth $45 per hour. Note that this approach doesn't differentiate based on relative skill, and that's fairly typical of government projects. But if that same person can get $75 per hour working somewhere else, they're very likely to pass on the government job, and that's happening more and more these days.  

People in the government are fairly insulated from market forces, so the realities of the law of supply and demand may not seem obvious to them, but it certainly seems to provide a good suggestion for how to solve the problem of finding enough skilled information security professionals.

Dealing with governments' desire to regulate the information security profession seems to be an entirely different issue. Lots of people in the government want a government-run board to oversee the training and certification of security professionals in the US. This is definitely a bad idea. A very bad idea.

Hackers love it when businesses are forced to make particular security investments to become regulatory compliant. By the time that large organizations understand a problem and create a law or regulation that addresses a particular threat, hackers have typically moved on to other types of attacks. This leaves compliance-driven businesses spending lots of money to counter threats that might have been a problem a few years ago, but often aren't a problem now. It also leaves money unavailable to counter the latest attacks that hackers come up with. This is good for hackers but bad for the regulated businesses. (The people from Verizon who presented their webinar on their annual data breach report had some very interesting data in this area, but lots of it doesn't seem to be in the slides that they sent out after the webinar so I can't find a good reference in this particular case.)

If governments get involved in regulating the training and certification of information security professionals, we'll probably have a similar problem – standards that might have made sense at one point, but are hopelessly obsolete by the time that they're rolled out. This will probably make things worse instead of better, so we should probably avoid having governments try to do this. The field changes too quickly for them to keep up, and that's probably unlikely to change any time soon.

And because it's common for businesses to have a global presence these days, a single business might have to deal with the training and certification requirements of dozens of countries if governments start moving into this area. That's even worse. You could make an international standard for this, but that brings us back to the problem of timeliness, doesn't it?

So it's probably for the best if governments leave the definition of any training and certification requirements to the private sector. Governments definitely have many useful roles to play in the world, but defining standards for training and certification for information security professionals probably isn't one of them. 

  • Janice Taylor-Gaines

    This is a GREAT article, despite the dismay of breaches and data insecurities, in that it keeps one of my pet concerns front and center: Security. In David Scott’s words, everyone needs to be a mini-Security Officer today. I think that author is right: Most individuals and organizations enjoy Security largely as a matter of luck. For some free insight check out his blog, “The Business-Technology Weave” – you can Google to it. Anyone else here reading I.T. WARS? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors. It has great chapters on security, as well as risk, content management, project management, acceptable use, various plans and policies, and so on. Google IT WARS – check out a couple links down and read the interview (full title is I.T. WARS: Managing the Business-Technology Weave in the New Millennium). “In the realm of risk, unmanaged possibilities become probabilities.” Keep “security” front and center! Great stuff.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *