Security skills hard to find because industry is focusing on the wrong things, says panel

A panel of security experts at Computing's recent Enterprise Security and Risk Management event says looking for computer science degrees won't necessarily find you the right people for the job

Security skills are hard to find in the market because recruiters aren't looking for the right qualifications and experience.

That's one message to come from a panel of experts, speaking at Computing's recent Enterprise Security and Risk Management Summit.

"It's not so much that security skills are hard to find, but more that we're focusing on the wrong things," said Laura Jones, senior risk analyst cyber security at the Financial Times.

"We keep expecting qualifications and computer science degrees, nothing else. But they're not necessarily as useful as you think. Computer Science degrees don't necessarily have anything to do with security. We recruited former military people for a while, because it turns out they have the skills," she added.

Michael Barry, head of IT risk and compliance at Gallagher Global Brokerage UK, agreed with Bashir's point about recruiting from the military.

"I'd advocate training your own people up and bringing them on, and let them exercise those skills and then you've got someone you can really rely on," said Barry. "I would go along with the military line, you get a lot of the right attitudes and aptitudes, certainly in engineering, because with that background you get that analytical mindset. You probably won't find that with someone who has a marketing degree," he argued.

"The hardest skills to find are people who understand cyber and can translate it into business language," said Arshid Bashir, CISO at the Department for Transport. "We get lots of techies applying for roles, but trying to articulate risk to a board member who has ten minutes for you, that's hard to find," he added.

The panel also argued that some security-focused qualifications aren't especially useful, other than for getting interviews.

"A lot of people get badges to get past hiring departments because they want the jobs, and it's nothing to do with their skills," said Bashir.

"I've definitely got interviews because I had the right certifications and not necessarily the right skills," admitted Jones.

However, Carlo Petrini, IT telecommunications coordinator at Allianz, sounded a positive note for certain qualifications.

"Getting the basic certifications gives you the basics after which you can adapt and choose your speciality. That's a good idea," he said.

"I got into this industry barely two years ago and I got CISP very quickly," said Jones. "That doesn't necessarily paint it in a good light. We need to be more open minded [to other skills and qualifications]."

"Too often job specs say you need to be qualified in X, Y and Z. We need to think more outside the box. Look for people with the right aptitudes rather than the right badges," said Barry. "Look for people with master's degrees in security, they're more malleable and open minded," he advised.

Earlier at the event delegates heard from Mike Koss, head of IT security and risk at N-Brown Group, and a prominent former black hat hacker.