The largest ever survey of almost 14,000 infosecurity workers, by (ISC)2, has offered a revealing glimpse of the changing makeup of the profession, one that challenges popular misconceptions of cyber security.
Far from being a geeks’ profession composed of dedicated techies, over half of the UK infosecurity professionals surveyed did not come through traditional computer science degrees and 12 percent had done majors in social sciences, business or history. Furthermore, those recruiting entry-level to mid-level professionals ranked soft skills such as communication skills and analytical skills far above traditional techie attributes.
This arises from long-term trends that have already demonstrated the transformation of cyber security from a tech specialism into a diverse and influential profession requiring a wide range of talents, from business savvy to soft skills.
This is driven by a range of factors. The consumerisation of IT has shifted responsibility for cyber security from the IT department to staff and contractors; data breach laws have transformed cyber security into a legal issue; the rising cost of data breaches has raised cyber security into a boardroom concern. This means that infosec professionals are now required to be educators, managers and legal advisors as well as techies.
Back in 2006 the majority of infosecurity workers already said that when it came to securing an organisation, getting management support for security policies and training staff was far more important than technological solutions. By 2008, a third of the world’s infosecurity workforce were reporting directly into executive management and 33 percent said their primary function was managerial.
Training a New Workforce
The massive diversification of the industry offers some important insights into what we could do to address the significant global skills gap our survey has identified.
The first is to broaden our appeal by communicating concisely the excitement, the challenges, the rewards and careers available and the skills we look for. We need to be able to tell adults and children who we are and what we do as a profession.
Second, computing degrees should ensure that security is a thread woven through every relevant module, from network engineering to software development, architecture to policy.
Third, with business professionals increasingly required to have an understanding of cyberspace and cybersecurity, there is both need and justification to include cybersecurity topics in many university degrees from business management to psychology.
Fourth and last, with a growing proportion of the UK infosecurity workforce being recruited from outside universities, we have a real chance to open more vocational doors into the industry, for example through apprenticeships, competitions and industry certifications.
These four issues are going to require a co-ordinated effort from industry, professional bodies and academia for their success. We have a real opportunity to communicate the excitement and nature of the industry, the wide range of skills required and careers available, so that we can attract talent from every sphere of life and draw from a wider pool of potential recruits than ever before.
Dr Adrian Davis, European MD at (ISC)2