Australian Security Magazine, Feb/Mar 2016


Cyber Security Skills Development

The every-day life of Australian information security practitioners: Who are they?

By Dr Jodie Siganto, AISA Policy Committee


What do information security practitioners do every day? Who do they communicate with? How do they define information security? What are their major challenges and concerns? What are their most important relationships? While a lot of research has focused on the operation of technical controls and information security management approaches, little consideration has been given to the every-day life of information security practitioners.

Recently the Australian Information Security Association (AISA) co-funded an Australian pilot study as part of the EU-funded Cyber Securities Cartography project [1], which examines the complex world of the information security practitioner. A focus on the social and human aspects of information security, particularly as they relate to information security practitioners, may help identify the additional skills required by practitioners to address the current cyber security skills shortage, and also highlight areas where current practice may need to be re-examined.

As part of the study, researchers interviewed nine Australian information security practitioners working in three different cities and holding a range of different titles. The analysis of the transcripts from those interviews produced some interesting results. Broadly, two general themes emerged: first, that the every-day life of information security practitioners is diverse, complicated and contested; and second, that the information security community is one in flux.

The idea that information security is a contested space is not entirely consistent with traditional security management approaches, which are based on the premise that the ‘right’ level of information security can be achieved through a rationalisation process built on risk assessments. At the same time, concerns about the changing world and doubts about the continued applicability of core tenets such as the definition of “information security” suggest that a new approach to information security might be required.
A diverse, complicated and contested life

The interviewees included a PCI DSS expert, an IT security manager in a health service provider, a risk manager from a local government authority and a security team lead from a large financial institution. All described very different ‘every-day’ roles. There was great diversity in responsibilities and tasks, even for those participants with similar titles. However, all (except one) identified themselves as information security practitioners. All of the participants had started off in IT, although there was no uniform career path to becoming an information security practitioner. Only one of the participants, who had pursued an advanced qualification in cryptography, had wanted to be an information security practitioner at an early stage in his career.

The fact that the information security practitioner group is so broad raises questions as to whether information security practitioners should be treated as a single group or profession. For example, do references to the ‘cyber security skills shortage’ overly simplify the differing roles of information security practitioners, obscuring the differences between them and making it difficult to identify the skills required for each of the different areas of competency?

Despite the differences, there were some commonalities between the participants. Very generally, the main activities of the group interviewed included attending meetings, reviewing documents, prioritising activities, influencing decisions and writing reports. There were few references to technology-related tasks or activities that required detailed technical knowledge. The primary relationships referred to by most of the participants as part of their every-day work were those developed with their own teams. Interactions with other parts of the business were aimed at raising awareness of the security function, overcoming the perception of information security as a road block, and re-positioning the information security team as helpful enablers.

In most cases the relationship between the information security function and other parts of the business seemed to be based on ‘selling’ security to the business. For some participants, the main difficulty in selling security is making it real or tangible to the business. One of the ways to make security ‘real’ to the business is to use risk, and to have conversations with the business about the security controls needed to address those risks. Although almost all of the participants referred to risk, and the use of risk in their different roles, reliance on risk to ‘sell’ security seemed to be

[1] Cyber Security Cartographies is a project run by the Research Institute in Science of Cyber Security (RISC). RISC is one of three Research Institutes formed as part of the UK National Cyber Security Strategy. <http://cyseca.isg.rhul.ac.uk/; http://www.riscs.org.uk/?page_id=21>.