Effective IT security requires many elements — but none is more important than training people with appropriate skills, as Nigel Phair from the University of Canberra explains.
The United Kingdom has estimated the global cyber security industry to be worth around US$200 billion per annum, and has created a strategy to place UK industry at the forefront of the global cyber security supply base, helping countries to combat cybercrime, cyber terrorism and state-sponsored espionage.
Likewise, the United States government is facilitating trade missions to emerging markets for companies that provide cyber security, critical infrastructure protection, and emergency management technology equipment and services with the goal of increasing US exports of these products and services.
Meanwhile, Australia is going through yet another iteration of a domestic cyber security review. Australia can't afford to wait any longer to both enhance domestic capability and grasp international leadership.
The recent Australian debate about the government's proposed data retention scheme has focused heavily on the security aspects of collecting, retaining and, where authorised, distributing such data.
But much of this debate masks the broader issue facing the information security industry.
Failing to keep up
The constant evolution of the online environment brings cyber threats that are themselves constantly evolving, with increasing volume, intensity and complexity.
While organisations of all shapes and sizes are considering spending more money on cyber security, the supply of information security professionals is not keeping up with current, let alone future, demand. High schools are not encouraging enough students (particularly girls) to get interested in the traditional STEM (science, technology, engineering and maths) subjects. The higher education and vocational sectors are likewise not creating enough coursework and research options to appeal to aspiring students who are faced with ever more study options.
One example of the types of programs needed to address the shortage is the Australian Government's annual Cyber Security Challenge, which is designed to attract talented people to become the next generation of information security professionals. The 2014 Challenge saw 55 teams from 22 Australian higher education institutions take part. At 200 students, this is but a drop in the ocean given what is required.
Even for those who graduate in this field, there is a lack of formal mentoring programs (again particularly for girls), and those that are available are often fragmented and insufficiently resourced. The information security industry is wide and varied, catering for all interests and many skill sets. It is not just for technical experts but also for professionals from other disciplines such as management, accounting and legal, who could make mid-career moves, adding to the diversity of thinking within the industry.
More and more organisations are adopting technology to create productivity gains, improve service delivery and drive untapped market opportunities. Their success, or otherwise, will hinge on a large pool of talented information security professionals.
We need to attract more people into cyber security roles. Universities need to produce graduates who understand the relationship between the organisation they work for, its people, its IT assets and the kinds of adversaries and threats they are facing. The vocational education sector needs to train technically adept people in real-world situations where a hands-on approach will enable them to better combat cyber attacks in their future employment roles.
Industry associations should focus on their sector — analysing the emerging information security trends and issues, and the governance surrounding information security strategy — to determine their own unique skills gap.
The government should develop a code of best practice for women in information security in collaboration with industry leaders, promoting internal and external mentoring services.
Nigel Phair is Director, Centre for Internet Safety at University of Canberra.