Are you looking for a job in IT? There is a shortage of IT professionals trained in forensics, threat intelligence, and malware analysis: according to the results of a study by Dark Reading published in late June 2014, these three are the greatest pain points in the information security skills gap.
In addition to asking about technical skills, the study also looked at communication skills (which came in fourth place), professional certifications, general business experience, and workplace diversity.
According to the IT security professionals surveyed, the skills or qualities most lacking in their organizations are:
1. Forensics (cited by 39 percent)
2. Threat intelligence (38 percent)
3. Malware analysis (36 percent)
4. Communication (35 percent)
5. Incident response (34 percent)
6. User awareness (28 percent)
7. Business acumen (24 percent)
8. Professional certifications (19 percent)
9. Vendor management (17 percent)
10. Diversity (12 percent)
The respondents are also concerned about their ability to stay on top of the latest attack trends, defenses and technologies.
When looking at this list from a process perspective, it seems that at least half of the skills or qualities could benefit from increased process awareness or process focus. In other words, it would be worthwhile working on this fundamental capability first. Commonly implemented IT processes that could help boost the missing skills are:
1. Knowledge Management could support the development of threat intelligence skills
2. Problem Management could support the development of malware analysis skills
3. Change Management and Release Management could support the development of communication and user awareness skills
4. Incident Management could support the development of incident response skills
5. Business Relationship Management could support the development of business acumen skills
6. Supplier Management could support the development of vendor management skills
Remarkably, from what we have seen, very few IT security professional certifications have recognized this; most ignore the process aspect completely. A glimmer of hope can be found in the ISO/IEC 27001 standard for Information Security Management Systems, which shares with ISO 9001 the quality management principles of the ISO management system standards, one of which happens to be the process approach.
Note that most IT security professionals opt for a CISSP certification, which unfortunately pays little attention to developing or improving skills in the areas of process design, implementation, analysis or improvement. Maybe that explains, at least partially, the shortage of knowledgeable IT security professionals? Process awareness and process focus are certainly worthy of consideration for inclusion in the next version of information security certifications.
Feel free to contact me when considering your next Information Security Management training course. I might be able to help you find one that addresses the development of process skills…