
ISACA addresses security skills deficit

Globally, businesses are battling to find qualified people to fill vacancies in information security and risk management, says ISACA.

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 28 Aug 2013
It's not a question of reskilling, but rather making sure the right people are engaged, says ISACA's Allan Boardman.

Traditional security approaches are inadequate when facing today's targeted attacks. The threat landscape has evolved, and organisations need an understanding of end-to-end vulnerabilities in order to protect themselves.

The number of security incidents is growing exponentially, as is the scale of the attacks. Companies need to rethink their security strategies, as today's threats evade traditional defences such as firewalls, perimeter protection and anti-virus.

Allan Boardman, international VP of ISACA - an independent, non-profit global association of information governance, control, security and audit professionals - says current security challenges stem from the complexity of interconnectivity we see today, and the "always on" trend that businesses must follow in order to survive.

Unfortunately, hand-in-hand with "always on" comes the fact that cyber threats evolve faster than the systems and controls in place that are designed to defend against them.

There is no silver bullet to prevent being breached, and prevention strategies alone are no longer good enough, he says. In addition, businesses globally are battling to find qualified people to fill vacancies in information security and risk management.

Addressing the skills shortage

Boardman says a recent report by the UK National Audit Office claims the IT security skills gap will take up to 20 years to close, and could be a major obstacle in the country's ability to successfully protect itself from cyber threats.

However, it is his belief that while there is definitely a skills shortage, the situation is not as dire as the report paints it to be. "In my view, it's not a question of reskilling, but rather making sure the right people are engaged. There is a shortage across the full range of skills needed - very technical skills, architecture skills and security specialists, and also the business skills.

"Companies need to be clear about what their requirements are. The security skills needed to mitigate evolving risks can be outsourced as needed - ethical hacking, for example - not all roles need to be filled with full-time employees."

From basic security and technology principles, to softer business skills, cloud security skills, big data and mobility - the gaps are everywhere. However, outsourcing and bringing in specific skills when needed will help business remain footloose and nimble.

Arming the industry

At present, Boardman says ISACA offers four certifications for IT audit, security, governance and risk professionals to help address the deficit, and is looking to introduce further certifications in the future.

Currently, it offers Certified Information Systems Auditor, Certified Information Security Manager, Certified in the Governance of Enterprise IT, and Certified in Risk and Information Systems Control.

In addition, in March, ISACA formed a cyber security "task force" to develop guidelines and resources for enterprises to combat the threats to their networks and infrastructure. The task force is chaired by RSA's CISO, Eddie Schwartz, and includes representatives from various security companies, consulting firms, carriers and public sector cyber security organisations.

Boardman says the task force aims to find out what organisations need in order to deal with the different threats in a fast-evolving sector. It will also look at whether ISACA needs to offer training programmes and certifications over and above what it currently offers.

The task force is also investigating whether thought leadership centres should be developed to address cyber security. It will submit recommendations to ISACA in the third quarter of 2013.
