Historically, Information security has been an afterthought for many organisations. For many large entities, their main business is generally mainstream information technology services, with the security business being a minor service line. Even larger multinational firms that do business in South Africa face the same challenges when attempting to resource specific customer engagement due to the paucity of local skills.
The security field is a difficult discipline to master. Many information technology professionals concentrate more on specialising on one single discipline, such as becoming a developer, or a systems engineer as opposed to developing broad skill-set that allow for understanding of the entire threat matrix that corporate information systems are exposed to.
To maintain skills, one needs to have a passion for the discipline. With threats and vulnerabilities evolving so rapidly, information security professionals must ensure that they keep on top of the various subject matters that make up information systems, from networks and client/server architectures, to applications and databases, as an example.
In South Africa, there are pockets of excellence across all sectors of the economy, however on the whole the industry itself is not well represented. The issue is not unique to South Africa, in that it does adversely impact other economies. For example, the recent statistic that referred to the requirement from the US government for over 100,000 security engineers. The shortage of skills is a global problem, however in South Africa it is most keenly felt, from both an engineer perspective as well as at the executive level.
The adoption of stricter compliance requirements and the opening up of our market to international organisations and the requirement for the adoption of security standards will be the major driver for the skills to become even more urgent. If corporations in South Africa want to be more competitive and attract foreign investment, and business, then they will have to take the lack of skills in information security more seriously. Another driver will be the expectation from citizens and government that businesses take data protection seriously and commit to ensuring that they manage individuals and business information more securely.
It is the Information industry, as well as the government’s responsibility that they highlight the need for these skills. The government needs to ensure that there is a concerted effort by education and training organisations to communicate the need for such skills. It is also up to the industry to ensure that professionals who follow what is a challenging and ever evolving career path are compensated accordingly. A highly trained and skilled information security professional in such high demand these days can often be tempted by more lucrative opportunities abroad.
Good governance is not possible without sound information security, and once our economy keeps growing, and we get ever more involved in dealing with international business, then there will be a catalyst for change. Importantly, retaining these skills in South Africa is just as important, so incentives need to be there to make sure that the pockets of excellence grow and that information security professionals are identified nurtured and rewarded accordingly.