SAN FRANCISCO – In last year’s workforce study from ISC2, 56 percent of those surveyed said their security organization was short-staffed. A year later, figuring out what to do about that remains a challenge, and it is one not far from the minds of some of the attendees at the RSA Conference.
One answer may be to make sure that all aspects of IT consider security as a critical part of their operation. But that process often gets off to a rocky start for aspiring IT professionals, as many universities are not doing a good enough job of educating students on security – particularly those not going directly into the security field, argued Jacob West, HP’s CTO of Enterprise Security Products.
“Honestly I think we’re doing almost nothing at the university level today to teach security,” he told SecurityWeek at the conference, where he presented on the topic earlier in the day.
For those pursuing a career in cyber-security, there is at least a clear career path and opportunities, he said. But for anyone seeking a career in IT where security is not their primary responsibility, the danger of security falling through the cracks is very real.
“[Developers] are not getting realistic expectations placed on them at the university level around the kind of coding that they do,” he said. “They are basically asked to provide certain functionality…and are supposed to provide it with a certain level of performance perhaps – some cases not even that – but they’re not expected to provide it in a robust way. They are not graded against frankly the same standards that code in the real world is graded against today, which is being in an adversarial environment and where a small mistake can lead to a huge security problem.”
Adding to the challenge of preparing a workforce are the dynamic realities of IT security, where change is perhaps the only constant. In a panel discussion, representatives from security certification body (ISC)² stressed that seeking professional certifications can not only bolster an employee’s credentials, but also serve as proof of expertise in real-world situations.
The test for the group’s CISSP certification is updated with new questions every few months, and the test has to be retaken every three years for the credential to stay in good standing, Vehbi Tasar, director of professional programs development for (ISC)², explained to SecurityWeek. When it comes to education, he said, the best learning usually comes on the job.
“All good security people learned their job doing the job,” he said. “They didn’t learn at the university. That is a big gap in my opinion because universities are teaching just the basic stuff. They are not necessarily teaching different angles that people will encounter. They cannot really; you cannot expect them to do it.”
West said during his presentation he would like to see additional programs from both the government and the tech industry to support those seeking to get into the field, and added later that it was critical to recruit women, who he said as a group continue to be underrepresented in IT security. To that end, earlier in the week, HP announced it was making $250,000 available in scholarships for women studying information security.
“It’s not as simple as adding a new class on security,” he said. “It’s the idea that we have to build security and the requirements of robust programming into everything we teach at the university level, and that’s a much broader problem.”