Researchers Warn of Security Expertise ShortageBy Matt Hines | Posted 2006-12-14 Email Print
According to a research report by the LSE, a lack of qualified security workers is putting companies at risk as compliance demands become increasingly complex.Businesses are increasingly being put at risk of failing compliance audits and struggling with other security-related efforts, as demand for employees capable of managing such projects is outpacing the supply of qualified candidates.
According to a new research report published by the Department of Management at the LSE (London School of Economics) and sponsored by security software maker McAfee, businesses worldwide are reaching a "compliance breaking point" as an increasing number of regulations make it harder for them to stay ahead of auditors.
The report's findings are based surveys conducted with IT executives, financial officers and compliance specialists at large companies located around the globe.
While the lack of adequate help is currently most severe in the United States, where the government has been more aggressive in creating new directives such as the Sarbanes-Oxley Act, which is aimed at forcing companies to do a better job of policing workers' handling of sensitive information, the shortage of highly skilled security expertise will soon come to a head in other nations that are in the process of applying new rules, researchers said.
Based on that reality, more companies will find themselves in the newspaper headlines as a result of data breaches and related sanctions handed down by regulators, said Dr. Jonathan Liebenau, a senior lecturer in Information Systems at LSE's Department of Management, who conducted the report.
The report also contended that a large number of companies rely on a very small pool of internal talent for handling compliance and security projects, making it extremely difficult for those firms to replace their specialized workers when employees jump ship. While McAfee, Symantec and others are pushing the outsourcing of compliance efforts as an alternative, the LSE report said, that model fails to supply support comparable to having well-trained expertise in house.
One of the greatest concerns for enterprises is the fallout that can result from a high-profile data theft incident, with the ensuing loss of customer confidence. For example, aerospace giant Boeing reported on Dec. 13 that a laptop computer containing the personal data of 382,000 of its employees, including the workers' Social Security numbers, was recently stolen.
Such events will have long-term business consequences for the companies involved, Liebenau wrote in the report. And as more countries pass laws requiring that companies report such incidents publicly, the shortage of qualified security talent will only become more acute, he said.
"The practice of reporting breaches, now commonplace in the United States and quickly spreading to several regions in the world, will impact the way individuals and organizations think about information handling in general and reputation protection in particular," Liebenau said in the report.
The report further contended that compliance requirements may be increasing security risk as the guidelines take precedence over other security projects, and as the cost of meeting the regulations takes dollars away from other efforts.
Liebenau wrote that while IT workers feel that Sarbanes-Oxley has been helpful in pushing forward security efforts, they remain convinced that portions of the regulation are too vague and force companies to spend large amounts of time and money trying to prepare for whatever interpretations of the rules they may face from individual auditors.
The report theorized that evaluation of security practices is often very subjective due to a lack of good benchmarks, that there is often no convergence of disparate security practices within businesses and that those people responsible for creating internal policies are often estranged from the workers who manage and maintain IT systems security.
The study also suggested that IT executives and business managers resent the amount of effort necessary to constantly monitor changes in policies and regulations and then redesign systems in order to address the policy adjustments.
On Dec. 13, Symantec, based in Cupertino, Calif., introduced a new set of security management and outsourcing services, listing companies' inability to find qualified talent as one of the primary drivers of new interest in such programs.
"Customers are looking to achieve high performance in best practices for security and compliance, they truly want to get better at it, but they're also finding that this work is complex and that the risks with managing core infrastructure are becoming harder to handle," said Jeff Russakow, vice president of product management for Symantec Global Services. "From a skills point of view, it's very hard to attract and retain the type of professionals needed to carry out and oversee this work."