There’s no doubt we’re facing a serious cybersecurity skills gap, and unless we do more to address it, we will face increasingly serious and costly data breaches. Earlier in June, I made the trip down to Wales to attend Digital 2015, a two-day conference where leading technology experts across a number of different sectors were invited to network and share their industry insights. Digital 2015 was the first event delivered as part of a longer-term vision to cement a digital legacy for Wales.
With so much technical expertise in one place, this presented a perfect opportunity to find out how cybersecurity ranked amongst attendees’ digital skillsets. I teamed up with Dr Adrian Davis, managing director for EMEA at (ISC)², to do a little experiment: after every session in the cybersecurity track, we sent a quiz to delegates using the event’s app, asking them a series of questions based on the third edition of the Official (ISC)² Guide to the CISSP CBK. Our sample included a range of job roles, from software developers to network administrators.
In total, over 150 attendees responded to 24 questions. The audience got only 46 percent of the questions correct, with wide variations across the three domains investigated. The management domain scored highest, with 75 percent answered correctly; followed by the technical domain with 38 percent; and finally, the software development domain with only 25 percent of questions answered correctly by respondents.
Much has been said about the skills gap, and these results are a clear demonstration of how much we still need to overcome. Adrian argued that if experienced professionals can’t get the basics right, then we will see the same issues – such as poor software coding – appear time and time again. He noted that these issues will also cause a reduction in the quality of teaching and professional experience both now and in the future.
The (ISC)² Global Information Security Workforce Study 2015, released earlier this year, sampled nearly 14,000 professionals globally. Survey respondents identified poor software development as a major cause of security problems, as well as a dire need to widen and deepen cybersecurity education across all academic levels.
These global results are consistent with what we found on a micro scale: unless software is developed properly, with security built in from the start, entry points will continue to be available to malicious actors, causing end-users to suffer. A lack of adequate security education will result in continued costly data breaches for businesses.
Our impromptu survey suggested that a mixed IT audience was lacking fundamental security knowledge. As a profession, we need to redouble efforts to ensure that security is incorporated into all educational programmes, from employee training to computer science degrees. Only by establishing security as fundamental to all things computing-related will we be able to support the growth of a secure cyberspace.
Jason Hart, (ISC)² member and VP identity and data protection at Gemalto