Need Exists to Refocus Infosec Skills
Organizations Must Change Way They Think About IT Security
The required skills for IT security professionals are shifting, says Gartner's Tom Scholtz. What key competencies do IT security teams need now and how should they go about investing in them?
Initially, information security professionals focused on technology and infrastructure skills and policy management. "Increasingly, there are competencies starting to cluster around the ability to interact with the business more effectively," says Scholtz, a research vice president and distinguished Gartner analyst, in an interview with Information Security Media Group's Eric Chabrow [transcript below].
Skills such as business terminology, communications and aligning security projects with business initiatives are required now more than ever, Scholtz explains. "It really comes around trying to maintain the link of what security does within the context of business requirements and business needs in a way that the business can actually relate to and understand," he says.
To obtain IT security pros with such skills requires an investment on the part of the organization. And that investment should be in educating staffs, Scholtz points out, through business courses, marketing and communications classes, as well as learning new IT disciplines such as enterprise architecture.
"Invest in training in the security technologies and the security disciplines," Scholtz says, "but beyond that also focus on broadening the capabilities and the skills of people for ... communication, business understanding and other IT disciplines."
In the interview, Scholtz also addresses:
- What key competencies contemporary IT security teams need;
- Where organizations should invest to strengthen skills for their IT security workforce;
- Why a centralized IT security organization remains needed as others in the enterprise assume security responsibilities.
ISMG interviewed Scholtz at the recent Gartner Security and Risk Management Summit outside Washington, D.C.
Raised in South Africa, Scholtz works in Britain, from where he advises Gartner clients on security management strategies, technologies and trends, with a focus on information security policy design, security organizational dynamics and security management processes. With more than 20 years of experience in IT security and systems management, he has extensive experience in the banking and utility industries. Scholtz joined Gartner in April 2005 with the acquisition of META Group, where he was an analyst for eight years. Before META Group, he served in various IT architecture and operations roles for a number of South African companies.
New Skills Demands
ERIC CHABROW: Before we discuss the new skills demands of today's IT security professionals, what have been the key skills of infosec pros?
TOM SCHOLTZ: I think initially we focused on the technology skills, the infrastructure skills, some of the other abilities around policy management and just some of the basic principles around information security. How do we control behavior? How do we keep the bad guys out?
CHABROW: What are the key competencies required for contemporary security teams?
SCHOLTZ: Increasingly there are competencies starting to cluster around the ability to interact with the business more effectively, so it's competencies like understanding business terminology, competencies like communicating effectively with the business, the ability to link security technology projects to actual business initiatives and maintaining line of sight between security projects and actual business requirements and business strategies. It really comes around trying to maintain the link of what security does within the context of business requirements and business needs in a way that the business can actually relate to and understand.
Change in Skill Set
CHABROW: Why now?
SCHOLTZ: Economic times are tough. Security has never really been seen as a value activity. What we're trying to do is to prevent bad things from happening. We don't really support business objectives in a positive way. Without the business understanding what the actual value of information security is, the pressure on budgets and the pressure on support are going to continue to intensify.
CHABROW: What I hear you say is a lot of what I heard from the IT organization a generation ago when the CIO was elevated to almost a high C-level position. What does this say about security in today's world?
SCHOLTZ: It's probably an indictment on the fact that we've been focusing on the control aspects too long, that we've probably been too autocratic for too long and that for too long we haven't truly understood what the business requirements are, and that we probably have tried to take the easy way out as far as possible, which is understandable given the complexity of the threats and the technology environment that faces us. Just saying no, just trying to reduce the risk without thinking what the risk situation is like is just not tenable any more. We have to become more flexible and we have to become more aligned to the business requirements.
Investing in Skills Development
CHABROW: How does the organization make sure their professionals get these competencies?
SCHOLTZ: Basically by investing in skills development; investing in security staff going on business courses; investing in security staff going on training courses and things like marketing, communications, presentation skills; investing in the security staff; broadening their skills in other IT disciplines like enterprise architecture, for example, which tends to be fairly good at capturing business requirements in a coherent fashion as a guideline for security for technology projects so security staff can get more architectural skills that will enable them to follow those planning methodologies in a more intelligent fashion and be able to maintain the linkage between business requirements and technology projects.
CHABROW: Should there be a separate IT security staff? Or because it sounds as if all IT jobs and even jobs beyond IT should be involved with security, should there be a new way of looking at security in an organization?
SCHOLTZ: In a perfect world, security should really be fully integrated into the fabric of the enterprise. In a completely perfect world, security will be part and parcel of the business processes, the technologies, the behaviors, the attitudes of everybody in the organization. Unfortunately, the environment keeps on changing. The technology changes; the bad guys keep on changing. The business environment changes so because of that we will need this additional security team to play the catch-up for at least the foreseeable future.
Filling the Skills Gap
CHABROW: You hear a lot about IT security skills, a lack of people to enter the profession. How critical is that and what should organizations be doing to fill in that gap?
SCHOLTZ: Well I think it is a question of scale. I think the shortage is not necessarily so much in the technical skills and the ability to manage firewalls and security technologies. The biggest shortage is of those individuals that both understand the security technologies and the security disciplines, and also understand the business and can actually relate to the business and communicate effectively with the business. So I think fundamentally at an entry level, yes, invest in training in the security technologies and the security disciplines, but beyond that also focus on broadening the capabilities and the skills of people for more into the main of communication, business understanding and other IT disciplines.