Discover Performance: HP Software's community for IT leaders // June 2014
Addressing the security talent gap
HP Enterprise Security Products CTO Jacob West explains why your open security positions are likely to stay that way, and what needs to change.
To keep up with the pace of innovation and success among cybercriminals, we need a lot more skilled security professionals—and we need them soon. Forty percent of IT security positions will go unfilled in 2014, according to a new study on IT security staffing by the Ponemon Institute. And the problem is expected to get worse before it gets better.
Discover Performance asked Jacob West, CTO for HP Enterprise Security Products and head of HP Security Research (HPSR), what we can do now to increase tomorrow’s skilled labor pool. West says our leading IT academic institutions need to do a lot more to produce qualified candidates. Private industry needs to drive academic changes and provide resources to support budding security professionals.
For example, HP announced at the 2014 RSA conference that it would support the Scholarships for Women Studying Information Security (SWSIS) with a $250,000 grant. HP also announced the availability of its enterprise security solutions free of charge for use in classroom instruction or academic research. So far, more than 60 accredited universities have signed up for HP’s program. But, West explains, there’s still a need for more engagement and plenty of reason to think that, given the right exposure and resources, candidates will welcome the challenges offered by a career in security.
Q: It’s clear from the jobs report that security is understaffed across the board. Why sponsor a scholarship for women only?
Jacob West: We have a structural problem in computer science education—at the university level—where we’re not producing enough security professionals. Eventually we have to fix the structural problem and, you're right, one particular group of people isn’t going to entirely address that concern.
However, with 40 percent of positions vacant, we need to find more people as quickly as we can. Only one in five IT security specialists today is a woman, and because of that significant underrepresentation, we think it’s a great opportunity to change the game in a significant way rather than just an incremental one.
Q: Why should young people seek out a career in security today, as opposed to another IT role?
JW: People who are going to be most successful in security should have a passion for it. If you look at the people that thrive in security roles, they tend to be really motivated by the adversarial model—the idea that someone is actively trying to circumvent what a system is intended to do. And that’s exciting, frankly: the idea that there’s an often-silent war going on between adversaries and good guys is straight out of a spy novel.
Of course, demand for this skill set is only increasing, and if you like the general field, it’s going to be a lucrative one where you won’t have any trouble finding employment. But you really have to love it!
Q: Structurally, is the education system behind the curve in terms of what’s needed in IT security?
JW: The top programs in the country aren’t teaching security today. It’s very likely that if you graduated in 2013, or will graduate in 2014, with a computer science degree from one of the top programs in the country—and by extrapolation, the world—you will have heard somewhere between zero and very, very little about security.
If you have the interest and you’re at a top program already, you may or may not have access to resources. Even if resources are available, you’re almost certainly not going to be encouraged or required to access those resources to learn about the field. This has to change.
Q: What are they doing to change that?
JW: Universities are becoming aware of the problem, but change occurs slowly in academia. Much of the security field has evolved very recently—in the last 10 years in many cases. Many professors are simply not going to have the knowledge to effectively teach security topics—or other topics like system design or programming in a secure fashion.
Security professionals are only one piece of the pie. Many other roles have as much or more impact on an organization’s security profile. In particular, programmers: they make decisions on a daily basis that influence the security of the software they are building.
Turning the ship starts with the industry. The industry needs to understand the way academic institutions make decisions and evolve over time. And they need to put emphasis and prioritization on security—to highlight the need for security skills in all of the IT roles that we hire in. We’ve got to figure out how to turn out more IT security professionals, but we’ve also got to figure out how to change what it means to be a computer scientist.
Q: What is industry doing to compensate for what’s not happening in the universities? And what can people who are hiring do right now to fill their open positions?
JW: One, certification programs such as CISSP (Certified Information Systems Security Professional) are gaining momentum. These help define what the core set of skills in a given area should look like. They help normalize the pool of resources, and they bring new resources into the fold.
The other thing that needs to happen is industry partnerships with universities. One way to do that is to help the computer science programs develop course materials around the areas of security that are interesting to that organization.
A big misconception is that academia really understands the workplace and the industrial side of what they teach. For the most part, they don’t. Getting professors to actually translate their knowledge into real-world problems can help them turn out better graduates who are ready for today’s workforce.
Q: So what’s your advice to CISOs who are concerned about the shortage of security professionals?
JW: The single biggest thing the industry can do to address this problem is to partner with universities to express both what it is the industry needs and to provide tangible resources—whether it be information, people, or dollars—to help the universities turn the ship, because it’s a big ship and it’s going to be slow to turn.
To learn more about the HP Scholarship for Women Studying Information Security, visit the SWSIS site, and see the Ponemon report "Understaffed and at risk: Today’s IT security department."