Sunday, March 02, 2008

Security Skills Lacking

Apparently Security skills of the IT work force lacks generally. This is not surprising as for the most part many organisations where I work there is a lack of understanding of IT security. The government departments are very aware, generally have good policy and practise in place but I have seen many stupid breaches of good practise due to poor policy and procedures. This is where the problems often lie and its not the practitioners, who are struggling to do there job but the management who fails to understand many of the ramifications as they do not well understand the problems they are being faced with at the coal face.

This is a common problem that many parts of IT face. Management ever come up to you and say "can you sort this out for me it shouldn't take more than a few hours." Well this lack of understanding of IT from our managers is what is leaving the organisations exposed to breaches.

Clearly many managers do not understand IT law, I find this a terrible oversight that leaves many companies exposed to poor outcomes when there is a failing of there IT policy and procedures.
Recently I was doing some work on a clients site and they had me sign a piece of paper for internet access about acceptable use. It would now be considered that for that organisations they will be covered against a misdemeanour. My legal studies would lead me to the conclusion that they are likely on shaky ground, for a few reasons they have not clearly identified what are a couple of items open for interpretation. what is offensive and what is acceptable use. Now maybe another time they might just put me on a induction course that will clearly outline these, however until that is clearly stated then what may be considered offensive by the organisation may not be yours or mine interpretation.

It is these problems that management have about IT and security that are leaving the IT practitioners hanging out as without this being understood how do they understand the firefights the practitioners are wrangling inside and outside the organisations. If they can't understand this how do they get to a place where they have sufficient skills. Offering training will be good, but how does it benefit people. Does a new Checkpoint course really help solve the problem or should we look deeper at other types of training to take people out side the box to solve the problems. I certainly think a lot of management needs to go there.

See ya round

Peter

Security skills of IT workforce lacking, survey finds - Network World

No comments: