Hardly a day goes by without reading about the information security skills gap. Changing IT landscapes (e.g. virtualization, cloud, BYOD, IoT, blockchain, AI), coupled with increasing reliance on technology and the growing sophistication and frequency of attacks, mean that even non-tech companies now need information security expertise.
However, the information security industry focuses heavily on hacking. Conferences built around new exploits or defences, like Black Hat, are treated as the “proper” information security conferences, while those with more of a business focus, as RSA has, are treated as less so. This binary viewpoint – you are either a security person or not, and there is only one “true” kind of information security professional – does more harm than good.
Hacking is technology-focused, which leads to technology-centric thinking, or tunnel vision. Information security needs people who can articulate the impact of a security issue, the potential solutions and their cost in terms that non-security people understand. It needs people who can talk to non-security colleagues as equals instead of just being “the security guy.”
How often do frustrated information security staff complain about people not prioritising security? About how people need to be more vigilant? About the lack of repercussion for lapses?
Bridging the divide needs two things: expertise in other areas of the business, and the credibility to be listened to. Expertise can be valued at the individual level, in management or in the boardroom. Credibility usually requires acknowledged expertise over an extended period…