During the McAfee FOCUS 14 event in Las Vegas I was able to spend some time with the McAfee CTO for EMEA, Raj Samani. Our discussion primarily revolved around the skills shortage within the information security industry.
One constantly hears the rather abstract claim that there is a skills shortage within the information security industry, but nobody really focuses on why this is. Given that the information security domain touches virtually every aspect of the business, the key to recruiting information security resources is identifying those who have a broad understanding of how information security affects the business and the wider technology landscape. Raj believes this is where the skills shortage lies - and I agree with him.
To distil the conversation I had with Raj even further, I would add that there ought to be two distinct tracks within information security: a technical track and a business track. Each track would have its own path which a resource would follow in order to build up the skills relevant to that track. To address the skills shortage, aspiring - and perhaps even experienced - information security professionals should seek to gain broader exposure across either the technical or the business landscape.
For the technical track, this could mean being seconded to the organisation's service desk for a period of time, perhaps up to three months. Spending time on the service desk and learning to resolve wider technology issues will enable the resource to gain an appreciation of how decisions made upstream affect technology and infrastructure downstream. The business track would follow a similar principle, only resources selecting the business track would be seconded to business units within the organisation, for example the legal or business risk department. Being seconded to the business units will allow a resource to gain an understanding of how the business, and particularly the C-suite, consumes risk-related information.
The point here is that to be an effective information security professional you need to understand the broader aspects of the technology or the business. The information security industry needs more resources who understand how the decisions they make affect the wider technology or business landscape. This will enable better and more effective operational and strategic information security decisions that benefit the organisation as a whole.
Given that information security is now a mainstream career option, the industry needs to do more to foster the appropriate training to ensure information security professionals are properly skilled up on the wider elements of IT and the business.
Finally, the reason I believe information security should be split into two separate tracks is that the skill sets required for each are very different. Fundamentally, I believe that information security (technical) and information security (business) should in fact be two separate departments with separate reporting structures. But more on that in another blog entry.