Defining Cybersecurity Expertise
While a proposed U.S. Senate bill that would require boards to disclose their cybersecurity expertise has plenty of flaws, the proposal sends a clear message that government leaders are concerned about how public companies protect their data. A recent Wall Street Journal article suggested that though the bill is unlikely to pass, it raises some important questions about the level of cybersecurity expertise companies need to have at their disposal.
What qualifies someone as a “cybersecurity expert” anyway? Will industry security certifications matter? Will they be measured against those that are DoDD 8570 compliant, or will cybersecurity certifications from organizations like CompTIA, IACRB and ISACA still hold weight? There’s already a shortage of qualified security pros. Cybersecurity jobs grew three times faster than other IT jobs between 2010 and 2014, but 84% of organizations believe that fewer than half the applicants for open security jobs are qualified.
With a shortage of experienced information security pros available, would this sort of legislation encourage some companies to enter ethically questionable territory, such as hiring convicted hackers in order to ensure they have the requisite skills on staff? Would past affiliations influence hiring decisions—support for Anonymous, for example, or membership in a hacking collective under investigation—or would most companies prefer a “don’t ask, don’t tell” approach?
The penalties for failure to comply with any new law could certainly influence those decisions, as well as the amount of time organizations would have to source and secure the right talent. At this point, there are still many details to be ironed out before cybersecurity can be legally mandated for public companies. That being said, the wise ones will begin to consider some of these points and answer these questions on their own.
How do you think organizations can better address the cybersecurity skills gap? Let us know in the comments.