Proper career paths need to be identified and built so that the next generation of security professionals can follow them.
Speaking to IT Security Guru, Adrian Davis, managing director for EMEA at (ISC)2, said that the challenge of working in the security industry is that there is often no clear career path from a master's degree in computer science to a job.
“If you think about other professions, you do a degree and if you are seen as a leader you are moved up, but can we build a career path to have ‘leaders’ in the UK? We have worked with the Council of Professors and Heads of Computing (CPHC) to build better entry points to get people a better start. They can go down the security route or not, but we cannot give guidance without security skills.”
Davis said that there are various roles in information security which detail what they do, but not how to get to them. “For people in forensics, their last three jobs were probably in forensics, penetration testing the same, but it is hard to define the breadth of skills when you need people, and that is where universities play a part.
“We need people who can talk business and security and translate to the board. One of the key issues is someone does a degree and wants to be a penetration tester, but it is hard to break out and do a translation and risk-driven information security management role.
“We could focus on creating a job specification for a CISO, but with no pathways we won’t get there.”
He said the (ISC)2 CISSP certification, among others, allows a person to distinguish who they are and what they know, and that where universities play a part is in getting a person to a position. Asked who builds these pathways, Davis said: “Universities are great at recognising skills and starting to train talent, but who do you train and invest in? The Cyber Security Challenge is great at driving awareness, but there is also a need to help the industry build career paths for the Fortune 500 and small-to-medium enterprises who need knowledge and skills.”
Commenting, Professor Alan Woodward from the University of Surrey said that the career path depends on where a person ends up, and agreed that we need something similar for people in security.
“Part of the problem is C-level roles are recent appointments and getting boards to take security seriously is getting better as they are obliged to keep risk registers, and recognise cyber security is a skillset that they need access to. But it starts at the bottom where people come from, there is no obvious entry point and part of me thinks that it needs a broad definition,” he said.
“People say ‘I’m a cyber security such and such’, but what does it mean? It needs a definition. A report by e-skills identified 28 different job titles and it is almost a case of defining what it is and the career path.”