The last 10 years have seen India become one of the biggest pools of skilled IT professionals. While this has largely been in the IT services sector (software & infrastructure primarily), Indian profiles in the world’s biggest product companies are not unheard of.
And while the world looks at Social, Mobile, Analytics and Cloud (SMAC) as the next big thing, information security is already a big thing, with every requirement in IT (be it system development, testing or sustenance) requiring security to be involved. One might ask why separate information security from IT, and while I agree that security is heart and soul a part of IT, one thing that makes it different today is the manpower.
The field of information security has some very unique manpower requirements, and this precisely is the crux of the question: why is the industry facing an acute shortage of skilled professionals? I am listing certain reasons and possible solutions to this problem:
1. We do need more Education
The ratio of freshers to laterals in the information security world is very low, and most of this minority are the outcome of the few specialized courses available in the country today. From the candidates I have interviewed, I have realized that while SDLC is something these folks can explain even half asleep, the holy acronym of CIA (confidentiality, integrity, availability) leaves them so perplexed that a few of them actually started explaining the American intelligence agency. And while specialized courses & certifications like CEH are becoming popular among students, they only teach the tricks, not the trade itself.
The curriculum needs an update, not in terms of technology but in the basics behind these technologies. I don’t recollect any of my 44 subjects from my graduation explaining the difference between a stateless & a stateful firewall, and I am pretty sure my poor attendance is not to be blamed. The club of so-called hackers was largely black hats doing things for fun or material motivations, but they were never explained the importance of fixing things. For example, when a student broke into our hostel’s proxy server to increase his monthly download limit, the warden, impressed by his skills, made him the proxy administrator. The next month five other students did the same, but the hacker’s mind was never tuned to fix things.
2. The paycheck providers
Organizations that crib about the shortage of skilled resources are equally responsible for this state. Their contribution to the education system has been abysmal, while their expectations from it are always high. Experienced folks, even those coming from non-relevant backgrounds, are preferred over people who have a sound understanding of the subject matter. Security firms are actually very lethargic about their own security. How can a consultant train a client’s employees on best practices when he himself has never followed them?
3. Blurred road ahead
In security, for whatever reason, the career path has been blurry and mostly conservative. When talking to multiple professionals with 2-3 years of experience as analysts and engineers, I was surprised to learn that almost all of them wanted to move to a consulting kind of role. The very fact that they saw consulting as an obvious career path is strange, as it is supposedly a highly specialized role. A pen tester doesn’t want to become a pen tester with 15 years of experience and specialization on certain platforms (no wonder pen testers for mainframes and SCADA are hard to find). Companies, existing professionals and even consumers need to promote things like the black hat culture, or for that matter encourage technical guys to do sales (better than having MBA sales people with no technical understanding). In fact I have a theory that the blurred career path is precisely the reason why we see very few females in this profession (ask me offline if you want to know the hypothesis behind this conclusion).
It’s unfortunate that a function of IT which is supposed to be highly specialized is getting diluted. Practices from other successful IT business models are being tried here. For example, while security testing of systems is treated as part of the regular QA cycle, companies are putting deadlines on security testing cycles as well. This has also forced service providers to use ideas like remote audits & checklist-based assessments. How can a pen tester find a zero-day if he has to follow a set of pre-defined test cases under tight timelines? In fact I see clients focusing on trackers & reports rather than on finding & fixing vulnerabilities.
Specialization is the need of the hour. Experts in data security, network security, application security and GRC matters are in severe shortage. Even specialized courses/certifications are lacking, or in most cases are not publicly available or are too costly. Jack of all trades but master of none won’t work in today’s world, where attackers are highly focused & attacks are targeted.
No doubt it has to be a collective effort, and the onus is on the people who are already in the system to initially promote & further down the line nurture this talent, in line with real-world scenarios and requirements. Through Yaksas we want to put this message out to the community and work towards a goal where the world is never short of trained and qualified information security professionals. After all, we are security folks who are at war all the time, & as we say at Yaksas, it is indeed everyone’s responsibility.