Industry Must Act to Avoid Shortage of IT Security Workers

[InfoSec News <isn () c4i org>]

http://www3.gartner.com/DisplayDocument?doc_cd=105807

Industry Must Act to Avoid Shortage of IT Security Workers 
8 April 2002 
Vic Wheatman 
   
IT security depends on good trained workers. Since neither the U.S. 
government nor academic institutions fill the need for adequate IT 
security training and workers, enterprises must take action.
 
Industry Must Act to Avoid Shortage of IT Security Workers 
   
IT security depends on good trained workers. Since neither the U.S. 
government nor academic institutions fill the need for adequate IT 
security training and workers, enterprises must take action.
 
----------------------------------------------------------------------
 
Event 

Recently, universities awarded the first 100 scholarships to graduate 
students to study information security under a program overseen by the 
U.S. National Science Foundation (NSF). Upon graduation with a master 
of science degree, students will work for a federal agency for at 
least two years.
 
First Take 

Enterprises must make greater efforts to supply themselves with IT 
security workers because the few university programs available are too 
small to make a noticeable difference in the short term. IT security 
depends on good workers much more than on good technology. Software 
will always have bugs. Intrusion detection requires people to watch 
for flags. Vulnerabilities will occur in even the most carefully 
designed systems. The best security strategy does not involve plugging 
holes but developing sound policies and procedures and then educating 
the workforce about them. In short, enterprises must strengthen their 
IT security teams to manage the problem.

However, neither the government nor academic institutions fill the 
need for IT security workers. The NSF program is very small - only six 
universities participate so far. Very few universities offer a 
concentration in information security or security management. Indeed, 
in most universities, security does not form part of the core computer 
science or management of technology curriculum but is tacked on or 
neglected altogether.

Government and industry need workers with a strong academic background 
in computer forensics, information and network security, and the 
management of such technologies. However, enterprises must do more to 
supply the worker shortfall. Many enterprises only allow some staff to 
go to a conference or training course occasionally. To accelerate the 
graduation of students with IT security skills, enterprises should 
strengthen academic security programs by doing the following:

* Lobbying for academic IT security programs and sending people to 
  them 

* Creating internships for students that lead to full-time employment 
  in IT security 

* Partnering with academic institutions to develop innovative IT 
  security curricula 

* Analytical Sources: Vic Wheatman and Ray Wagner, Information 
  Security Strategies

Need to Know: Reference Material and Recommended Reading

* "Managing the Dynamic IT Skills Portfolio" (R-13-5613). 
  Best-in-class enterprises have learned that they must anticipate 
  their need for IT skills, determine the best way to "source" those 
  skills, create techniques to develop skills and regularly reassess 
  how their skills portfolio might change in the future. By Barbara Gomolski, 
  Cassio Dreyfuss, Susan Dallas, Joseph Feiman, Diane Tunick Morello, 
  Roberta Witty, Colleen Young, Simon Mingay, Nick Jones and Richard Matlus 

* "U.S. Government Report Shows Money Alone Cannot Buy Security" 
  (FT-15-5755). As its first priority, the government should find ways 
  to allocate the current level of funding more efficiently. By John 
  Pescatore 
 


-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.