IT security skill shortage continues to stump CIOs


IT department security staff needs are so high that CIOs and IT managers can't keep up with the training and new hires they need to meet even basic security requirements.

A new survey by The Computing Technology Industry Association Inc. (CompTIA) found that expertise in security, firewalls and data privacy are considered the most important skills for IT staff to have.

But the gap between what CIOs want and what they actually have in terms of security expertise is vast.

The survey was conducted worldwide late last year with more than 3,500 respondents in 14 countries ranging from the U.S. and Canada to Poland, Australia and South Africa, among others. There were 253 IT directors surveyed in the U.S.

Steven Ostrowski, CompTIA's director of corporate communications, said researchers weren't surprised that security ranked so high among IT director concerns. But they were somewhat shocked by how behind on security knowledge those directors feel their departments are.

"I don't think that they're really pointing the finger at the IT workers," Ostrowski said. "Because the No. 1 reason they think there's that gap is the environment of security is changing so quickly that it's tough to keep the workers up to speed."

About 42% of the survey respondents felt the best way to remedy the problem was to send their employees to out-of-office training. Others felt employee incentives and enrollment in certification programs would help.

"I think they realize that to keep abreast and keep on top of things that are changing so quickly, they've got to implement some continuing education program for their workers," Ostrowski said.

Surveyors also asked about importance and staff proficiency in areas including networking, operating systems, hardware skills and customer service, among others (see chart, below).

Security skills had the largest gap in every country except the U.S., where the largest gap between importance and perceived ability was for "soft" skills like customer service, sales, project management and communication. But security tied for second place there with application-level skills like development and programming.

Jim Maloney, president and CEO at Cyber Risk Strategies LLC, a Santa Fe, N.M.-based cybersecurity consulting firm, said CIOs looking to beef up their staff's security abilities should designate some staff as full-time security workers and invest in regular training and education time for those employees.

"Security is a dynamic topic and it changes very rapidly," said Maloney, former global head of information security at Amazon.com Inc. "Staying on top of new threats, vulnerabilities and countermeasures requires frequent education and continuous awareness. Investments have to be made in regular training. I suggest two weeks per year per person.

"And time should be allowed at work for visiting key security websites, an hour each day," he added.

Maloney said security "still isn't a strong part of college IT curriculums," which leaves most IT staff self-taught and makes truly qualified, right-out-of-the-box staff hard to find. That means CIOs need to be ready to pay more if they want to bring in truly qualified security experts, he said.

After viewing the survey results, Maloney said he would be interested in seeing results for more specific topics, suggesting infrastructure security, application security and data privacy. He guessed that the gap between importance and perceived abilities would be largest for application security and data privacy, as those areas are "less mature" fields of study and expertise.

Maloney also said the large U.S. gap concerning "soft" skills shouldn't be ignored.

"Security is a highly cross-functional activity and requires a lot of communication across the enterprise," he said. "The best security people typically have a combination of solid technical skills and good people skills, but this combination is hard to find."

| Skill | Very important | Staff proficient | Gap (world) | Gap (U.S.) |
|---|---|---|---|---|
| Security/firewalls/data privacy | 74% | 57% | 17 | 9 |
| General networking/network infrastructure | 66% | 59% | 7 | 4 |
| Operating systems | 66% | 65% | 1 | -6 |
| Hardware skills | 57% | 60% | -3 | -3 |
| Nonspecific server technology | 57% | 49% | 8 | 3 |
| "Soft" skills (customer service, sales, etc.) | 56% | 45% | 11 | 13 |
| Application-level skills | 54% | 47% | 7 | 9 |
| Specific programming languages | 40% | 40% | 0 | -6 |
| Web-based technologies | 40% | 34% | 6 | 6 |
| RF mobile/wireless technology | 27% | 26% | 1 | -6 |

Source: "Skills Gaps in the World's IT Workforce," The Computing Technology Industry Association Inc.

Let us know what you think about the story; email: Zach Church, News Writer