There simply aren’t enough properly trained security professionals to go round, according to a new report by professional body (ISC)². Its sixth Global Information Security Workforce Study (GISWS) claims that the lack of skills isn’t just a security problem or a risk to organisations’ balance sheets and reputations when the inevitable attacks happen – it’s also having a significant negative impact on the economy. ContraRisk Security Podcast host Steve Mansfield-Devine talks to John Colley, MD of (ISC)² EMEA, about why there’s a lack of infosecurity skills, whether C-level executives understand how this affects their businesses, and how we need to develop security skills where they’re most needed – among developers. And we discuss whether being a security professional is a good job to have.
Certification plays a key role in the development of skills, but it also has increasing significance when it comes to products and services. CESG, the UK Government’s information assurance body (and part of the signals intelligence agency GCHQ), runs a number of certification schemes aimed primarily at firms looking to be suppliers to local and central government, police forces, the armed forces and intelligence and security agencies. However, some of its certification schemes, such as CHECK, are also coming to be seen as a kind of gold standard in a broader market. Colin Tankard of Digital Pathways, who has had first-hand experience of the CESG certification process, discusses whether becoming certified is worth it, and whether the cost and difficulty might be locking out smaller and more innovative companies.