Comments provided in response to a request from a weekly IT magazine seeking the views of independent IT experts
Updated March 10, 2008

IT security skills issues and challenges over the next few years

by Chi Nguyen

What are interviewees' key IT security challenges from a business perspective and what implications do these have for their IT departments in terms of skills?

IT security maintenance covers a wide array of activities such as system (re)configuration (e.g. firewall filters), vendor-provided updates (e.g. Windows patches), user setup (e.g. new employees), user support (e.g. forgotten passwords or employees leaving), system monitoring (e.g. intrusion detection), data protection (e.g. encryption keys), legal compliance (e.g. data privacy regulations) and contingency plans (e.g. secure offsite facilities). This vast range of activities presents both detail complexity and dynamic complexity. The detail complexity makes it nearly impossible for a single executive, or even a management team, to keep everything in mind while still maintaining the balanced, holistic view necessary for strategic decision making. The dynamic complexity increases the risk that executives, managers and employees fail to identify similarities, trends and cyclical patterns in mistakes and threats. This combination is likely to be a long-term challenge for business and government.

IT security liability could be the next healthcare burden. In America 20 years ago, and recently here in the UK, businesses offered private healthcare insurance as a prized benefit. At one point it became a matter of course that a US business would offer private healthcare insurance to its employees. As private healthcare became more expensive and the US government shifted more of the subsidy burden onto businesses, the message changed. US companies have been gradually shifting the cost of private health insurance back to employees, to the point that the current US presidential candidates all have their own proposed solutions for public healthcare. I would not be surprised if email and unlimited Internet access are removed from the range of employee benefits offered by companies. At some point, the cost to manage, insure and mitigate the IT security risks associated with personal email and Internet access will be very difficult to justify as good shareholder value. Perfect IT security solutions cannot be implemented. The next best option is to manage the liability due to IT security risks. Removal of unnecessary email and Internet usage at work is a cost-effective and efficient way to reduce IT security liability. Companies will have to decide which employees need email and Internet access for their work duties. Practical evidence supports the increasingly popular theory that employees are the main source of IT security risks for companies. Keep the employees, but take away the email and Internet.

Both challenges share common themes of identity and risk management. The importance of identity management is echoed by current government projects such as the National ID Card and the cyber security initiatives by the Technology Strategy Board. For companies, identity management could be the thread that holds together the wide range of IT security maintenance activities and practical liability mitigation. Is it possible for the same person to simultaneously swipe their entry card at the lobby of the office building, send an email from their corporate email account and use the company intranet to download the current customer database? Identity management is progressing towards solving this kind of problem. In order to cope with both detail and dynamic complexity, IT departments will need more quantitative risk management skills. Best practices, heuristics and intuition will need to be supplemented with quantitative techniques that might be available from areas such as the defense industry. Tools for managing identity and risks will need IT staff with sufficient skills and education.
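The "same person in three places at once" question above is, in practice, an event-correlation check across identity sources. The following is an added illustration, not code from the original commentary or from any named project: it assumes three constructed event feeds (badge swipes, corporate e-mail sends, intranet downloads), each carrying a user id, a timestamp and the location or channel it came from, and a hypothetical site model in which on-site contexts (lobby, office LAN) cannot coincide with off-site ones (remote VPN) for one identity within a short window.

```python
"""Correlate identity events from several sources (added example; the feeds,
locations and site model are constructed assumptions, not real data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations


@dataclass(frozen=True)
class IdentityEvent:
    user: str
    when: datetime
    source: str     # "badge", "email" or "intranet" (assumed feed names)
    location: str   # "lobby", "office-lan", "remote-vpn" (assumed site model)


# Hypothetical site model: a person who is on-site cannot, within the same
# few minutes, also be acting from an off-site context under the same identity.
ON_SITE = {"lobby", "office-lan"}


def conflicting(a: IdentityEvent, b: IdentityEvent) -> bool:
    """True if the two events place one identity both on-site and off-site."""
    return (a.location in ON_SITE) != (b.location in ON_SITE)


def find_identity_conflicts(events, window=timedelta(minutes=5)):
    """Return (user, earlier_event, later_event) for each pair of one user's
    events that fall within `window` of each other but come from incompatible
    locations. Events are grouped per user and sorted by time first."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev.user, []).append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)
        for a, b in combinations(evs, 2):   # a is never later than b
            if b.when - a.when <= window and conflicting(a, b):
                findings.append((user, a, b))
    return findings


# Constructed sample data: "alice" badges in and then sends mail from the
# office LAN (consistent); "bob" badges in at the lobby and two minutes later
# his account pulls the customer database over the remote VPN (inconsistent).
T0 = datetime(2008, 3, 10, 9, 0)
SAMPLE_EVENTS = [
    IdentityEvent("alice", T0, "badge", "lobby"),
    IdentityEvent("alice", T0 + timedelta(minutes=3), "email", "office-lan"),
    IdentityEvent("bob", T0 + timedelta(minutes=1), "badge", "lobby"),
    IdentityEvent("bob", T0 + timedelta(minutes=3), "intranet", "remote-vpn"),
    IdentityEvent("bob", T0 + timedelta(hours=2), "email", "remote-vpn"),  # outside window
]

if __name__ == "__main__":
    for user, a, b in find_identity_conflicts(SAMPLE_EVENTS):
        print(f"{user}: {a.source}@{a.location} at {a.when:%H:%M} "
              f"vs {b.source}@{b.location} at {b.when:%H:%M}")
```

Only the pair of badge swipe and VPN download for "bob" is reported; the later e-mail is outside the window, and both of "alice"'s events are on-site. The value of such a check depends entirely on the feeds sharing one reliable user identifier, which is the thread the paragraph above describes identity management as supplying.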

What will be the most in-demand IT security skills over the next three years, and why?

System analysis and design will continue to be a highly valued IT security skill. An expert in system analysis and design is someone who can cope with detail and dynamic complexity in order to find system designs that meet business requirements and reduce IT security risks. Education is helpful, but not enough. Experience is required. Intuition and interpersonal communication skills are critical in order to navigate the wide range of people inside and outside a company who are affected by IT security.

The demand for risk analysis and management skills will continue to increase. Strong evidence of this trend is the relatively new positions of chief information officer, chief security officer and chief privacy officer. All are additional to, and distinct from, the traditional chief technology officer position. This trend indicates that IT security risk analysis and management is becoming more specialized as it combines technology, business and legal awareness. This combination is difficult to develop but vital for businesses and governments.

Which sectors/types of business will have the highest demand for different IT security skills, and why?

E-government initiatives will continue to create high demand for IT security skills.

As terrorism becomes accepted as a commonplace risk, both the defense industry and commercial businesses will have demand for IT security skills. This is especially true for governments and the financial services industry, which face threats of electronic terrorism.

The healthcare sector will have a growing demand for IT security skills as more and more patient data are stored digitally. The balancing act of using patient data for effective healthcare provision and protecting personal privacy will be a long and difficult problem.