Joint effort needed to plug security shortfall
Wednesday, July 16, 2008 05:46 PM
Organizations, government and IT security vendors each have a role to play to overcome the shortage of security professionals in Asia, say industry observers.
Businesses, IT security vendors and governments in the region all have a part to play to mitigate the shortfall of security professionals, said experts in the field.
Gerard Tan, president of Singapore accreditation body, the Association of Information Security Professionals (AISP), cited the Frost & Sullivan 2008 Global Information Security Workforce Study, which revealed the number of information security professionals in the Asia-Pacific region is expected to expand at a compound annual growth rate (CAGR) of 8 percent in the next five years, compared with the global CAGR of 10 percent.
"Although this whitepaper, which was sponsored by the International Information Systems Security Certification Consortium, did not explicitly state there is an acute shortage of information security personnel, one could infer there is a healthy demand for this specialized skill globally as well as in the Asia-Pacific region," Tan told ZDNet Asia in an e-mail interview.
Various market players provide schemes and tools to help businesses attract and retain IT security talent.
RSA, for example, offers a training program covering technological background, subtleties and shortcuts to help organizations succeed in their first security deployment and offer end-user support, said Jason Pearce, the security vendor's Asia-Pacific director of sales engineering.
Through a structured training program, participants learn to focus on what is important, avoid common pitfalls and become more adept at resolving problems, Pearce said. Rather than spend huge amounts of time in a trial-and-error effort, RSA's training helps a company bypass experiments and achieve real results, he said.
He added that RSA's training courses include presentation of theoretical and technological basics, as well as practical demonstrations and hands-on student exercises.
The Association of Information Security Professionals (AISP) also aims to raise the awareness of IT security and help create the right environment to promote the standing of information security professionals.
AISP President Gerard Tan said the organization will work with its industry partners to increase the professionalism of IT security practitioners through educational programs, certifications and other related projects.
Eric Hoh, vice president of Asia South region global account at Symantec Asia-Pacific and Japan, pointed to a recent study by CompTIA (Computing Technology Industry Association) that did identify a significant gap in available security skills in countries with established IT industries such as Japan, and countries with emerging IT markets such as China and India.
In Singapore, the Infocomm Development Authority's (IDA) 2007 annual survey on infocomm manpower ranked security administrators as one of the top five IT skills with the greatest shortage, Hoh said in an e-mail interview.
"Without the right people to fill the job, businesses may have difficulty formulating and effecting security policies," he said.
To address the shortage of tech talent, he noted that businesses should "stock-take" their current security infrastructure and find ways to automate processes. "This can not only lead to greater efficiency and compliance, but their limited IT resources can be more effectively deployed," he explained.
Tan said many security breaches occurred not because of a lack of security technology, but because of the absence of proper risk assessment, application of optimum controls and strict enforcement.
"Human error and complacency account for the vast majority of security breaches," he emphasized, adding that much of the security threat comes from ignorance and a lack of good information on security governance.
With Web-based applications, wireless and biometric technologies becoming more common among businesses, Tan noted that "this is the new frontier" where security professionals need to catch up and where there is currently a shortage of skills.
Government role crucial
Jason Pearce, Asia-Pacific director of sales engineering at security vendor RSA, said governments can help build more schools specializing in IT security.
"The industry, academia and government can work together to raise the profile of the industry, and encourage more students to pursue information security courses," Pearce told ZDNet Asia in an e-mail interview.
"Additionally, a dialog can take place among leading figures from all economies to define current and emerging requirements for information security education, and to influence and encourage the development and expansion of information security curriculum at the tertiary level," he said.
The AISP's Tan suggested schools include information on security awareness in their curriculum as part of the civics and moral education or equivalent programs.
"Internships are another way to introduce our young to the world of security technologies, and how they can help promote a sound and profitable business environment for organizations," he added.
Symantec's Hoh agreed the nurturing of IT talent should begin in schools to ensure that future IT professionals are equipped with the right tools and knowledge before they enter the workforce. To this end, the security vendor partnered Singapore Polytechnic's (SP) School of Media and Infocommunications Technology in 2007 to introduce the SP-Symantec Infocomm Security Lab, he said.
"This training facility allows students of Singapore Polytechnic's Diploma in Infocomm Security Management (DISM) to understand and master the requirements for planning, installing, configuring and managing Symantec antivirus, antispam, antispyware and firewall solutions," he explained. "Symantec also supports the Infocomm Security Lab with resources such as expertise, manpower and consultation services, as well as software and courseware."
Hoh noted that as IT vendors increasingly form partnerships with schools, such efforts will go a long way in growing the pool of infocomm professionals in the future. "Of course, in order to sustain and increase this pool, IT professionals must have support once they've entered the workforce and this is where governments can play a part," he said.
In Singapore, Tan said, the government is doing much to promote infocomm security awareness. The country in April launched its Infocomm Security Masterplan 2 and National Infocomm Competency Framework (NICF), aimed at helping to align the competencies and career paths of Singapore's information security professionals to the national framework.
"Another area where the government can further promote security awareness is the implementation of appropriate regulations to drive and enforce the adoption of security best practices," he added.
Vendor effort needed, too
Judy Wu, research manager of infrastructure software research at IDC Asia-Pacific, noted that some emerging countries are benefiting from the efforts of security vendors to educate their partners, as well as the workforce, to build up security expertise in these markets.
Wu said in an e-mail interview that as the local workforce gains experience and exposure to global security project implementations, these people will gradually fill the gap for such skilled labor.
"For example, the manpower in India and Indonesia has enjoyed increased exposure to world-class technologies, development environments and projects. This will improve capabilities of talent in the region," she said.
Also, many vendors are holding user conferences and seminars in the region to raise security awareness, and help educate the enterprises about the risk of security breaches, she added.


