[ISN] Researchers Warn of Security Expertise Shortage

From: InfoSec News (alerts@private)
Date: Thu Dec 14 2006 - 22:42:24 PST


http://www.eweek.com/article2/0,1895,2073084,00.asp

By Matt Hines
December 14, 2006

Businesses are increasingly being put at risk of failing compliance 
audits and struggling with other security-related efforts, as demand for 
employees capable of managing such projects is outpacing the supply of 
qualified candidates.

According to a new research report published by the Department of 
Management at the LSE (London School of Economics) and sponsored by 
security software maker McAfee, businesses worldwide are reaching a 
"compliance breaking point" as an increasing number of regulations make 
it harder for them to stay ahead of auditors.

The report's findings are based on surveys conducted with IT executives, 
financial officers and compliance specialists at large companies located 
around the globe.

While the lack of adequate help is currently most severe in the United 
States, where the government has been more aggressive in creating new 
directives such as the Sarbanes-Oxley Act, which is aimed at forcing 
companies to do a better job of policing workers' handling of sensitive 
information, the shortage of highly skilled security expertise will soon 
come to a head in other nations that are in the process of applying new 
rules, researchers said.

Based on that reality, more companies will find themselves in the 
newspaper headlines as a result of data breaches and related sanctions 
handed down by regulators, said Dr. Jonathan Liebenau, a senior lecturer 
in Information Systems at LSE's Department of Management, who conducted 
the report.

The report also contended that a large number of companies rely on a 
very small pool of internal talent for handling compliance and security 
projects, making it extremely difficult for those firms to replace their 
specialized workers when employees jump ship. While McAfee, Symantec and 
others are pushing the outsourcing of compliance efforts as an 
alternative, the LSE report said, that model fails to supply support 
comparable to having well-trained expertise in house.

One of the greatest concerns for enterprises is the fallout that can 
result from a high-profile data theft incident, with the ensuing loss of 
customer confidence. For example, aerospace giant Boeing reported on 
Dec. 13 that a laptop computer containing the personal data of 382,000 
of its employees, including the workers' Social Security numbers, was 
recently stolen.

Such events will have long-term business consequences for the companies 
involved, Liebenau wrote in the report. And as more countries pass laws 
requiring that companies report such incidents publicly, the shortage of 
qualified security talent will only become more acute, he said.

"The practice of reporting breaches, now commonplace in the United 
States and quickly spreading to several regions in the world, will 
impact the way individuals and organizations think about information 
handling in general and reputation protection in particular," Liebenau 
said in the report.

The report further contended that compliance requirements may be 
increasing security risk as the guidelines take precedence over other 
security projects, and as the cost of meeting the regulations takes 
dollars away from other efforts.

Liebenau wrote that while IT workers feel that Sarbanes-Oxley has been 
helpful in pushing forward security efforts, they remain convinced that 
portions of the regulation are too vague and force companies to spend 
large amounts of time and money trying to prepare for whatever 
interpretations of the rules they may face from individual auditors.

The report theorized that evaluation of security practices is often very 
subjective due to a lack of good benchmarks, that there is often no 
convergence of disparate security practices within businesses and that 
those people responsible for creating internal policies are often 
estranged from the workers who manage and maintain IT systems security.

The study also suggested that IT executives and business managers resent 
the amount of effort necessary to constantly monitor changes in policies 
and regulations and then redesign systems in order to address the policy 
adjustments.

On Dec. 13, Symantec, based in Cupertino, Calif., introduced a new set 
of security management and outsourcing services, listing companies' 
inability to find qualified talent as one of the primary drivers of new 
interest in such programs.

"Customers are looking to achieve high performance in best practices for 
security and compliance, they truly want to get better at it, but 
they're also finding that this work is complex and that the risks with 
managing core infrastructure are becoming harder to handle," said Jeff 
Russakow, vice president of product management for Symantec Global 
Services. "From a skills point of view, it's very hard to attract and 
retain the type of professionals needed to carry out and oversee this 
work."


This archive was generated by hypermail 2.1.3 : Thu Dec 14 2006 - 22:58:14 PST