Study finds Infosec skill gap bigger than expected - businesses must act now to succeed in 2020
- 03 September, 2015 12:43
The Industrial Revolution has been heralded as a period of great global transformation; radically changing the world economy and which influenced nearly every aspect of daily life. We believe the Digital Age represents an era considerably more influential and unlike anything seen in the history of mankind.
New business models have emerged (Uber, Alibaba, Airbnb), whilst iconic household names like Encyclopaedia Britannica, and Kodak have fallen by the wayside because of their inability to respond to the Digital Age.
In the Digital Age, “assets” – which were traditionally physical and tangible in the industrial revolution – have been replaced with digital manifestations, which are often both abstract and intangible. “Information Security” has now taken centre stage because of the diverse threats and global ‘actors’ seeking ways to exploit and monetise the value of digital assets.
THE SURVEY
In late 2014 and early 2015 TrustedImpact, an information security consultancy, interviewed thirty (30) influential thought-leaders in the Australian technology, security and risk industries with the aim of gathering intelligence on the emerging trends in the security landscape leading up to 2020. In particular, TrustedImpact wanted to understand how these trends would influence the types of skills and roles needed to operate the information security team of 2020.
RESULTS
Our own reflections on the conclusions below were clear that it is a ‘leadership challenge’.
The five (5) main conclusions evident from the synthesis of the survey input and results are:
1: There are significant changes and trends reshaping the information security industry at a rapid pace.
Surviving in a fast-changing environment: The Leaders we surveyed overwhelmingly agreed that the industry is in a period of significant change. On one hand, many saw challenges managing the fast moving ‘EXTERNAL threats’ such as organised crime and ‘hacktavists’. On the other hand, they also found themselves faced with the need to engage INTERNAL stakeholders to raise awareness and minimise the impact of ‘clickjacking’ and other employee-related security issues.
With the prevalence of third parties, outsourcing, and “the cloud” the traditional approach to ‘protect the perimeter’ has become difficult, at best (and at worst, obsolete) when a majority of an organisation’s data resides outside of traditional company walls.
2: The role of the “Chief Information Security Officer” (or equivalent) is changing.
The CISO as a marketer and leader: The role will become less focused on technology and security tools, and more focused on marketing. The main challenge in this role is to engage the “hearts and minds” of the organisation so they are more empowered to become the protectors of the business’s and sensitive data. The role is becoming an overall business leadership role.
3: For the security team to be effective in 2020, the composition of skills and roles will change and must become more engaged with their businesses.
The successful security team of 2020 must become more “well rounded”: Communication, negotiation, analytical and business engagement skills were all, on average, identified as large gaps leading up to 2020. We believe the shift towards ‘softer’ people skills is consistent with the industry trends around business engagement and the use of third parties for a majority of a company’s IT systems. In these circumstances, skills such as negotiation and communication will be become more important to protect the company’s sensitive data.
Security roles – less island mentality, more eco-system interconnected: In 2020, information security will no longer work effectively as just an “island” function residing somewhere in the organisation. Instead, it will become an interconnected matrix of roles working collaboratively and cohesively across departments and third parties to adequately protect the organisation’s information.
4: Overall ‘demand’ for security personnel will outstrip ‘supply’, however, what’s MORE important is the mix and composition of skills.
The Gap – bigger than anticipated: A wealth of industry data (in addition to input from our Leaders), see the overall ‘demand’ for information security personnel far outstripping today’s ‘supply’ or existing labour pool. It is recognised that this gap is (an will continue to be significant). HOWEVER, because the skills and rolls are changing at the same time, this gap will be even larger than anticipated.
5: Success in 2020 requires businesses to prepare TODAY to keep ahead of these trends and change the composition of skills and roles.
The future is here today: Organisations looking to succeed in the Digital Age will need a security capability that is responsive to the fast moving industry trends. But significant shifts in skills are also needed to align with these trends.
The strategy that an organisation takes depends on its culture and desire to ‘build versus buy’. For example, some will choose to build a talented security team by investing in people development. On the other hand, some organisations will look to develop strategic partnerships with specialist firms to either specialised contractor resources, in/outsource certain information security capability or functions, if even the entire information security function.
There is no one ‘right’ approach. However the LACK of a concerted approach, or clear strategy is what will be the demise of an organisation if it waits until 2020 to respond.
If you wish to read the report, you can obtain it here www.trustedimpact.com/news
