It’s hard to deny the shortage of professionals trained in information security when CIOs and IT managers call asking if I know anyone with an information security background who is looking to change jobs. That’s right, change jobs. Seldom do I hear them say “looking for a job.”

During a local symposium on the Internet of Things (IoT), one speaker touched on this very subject. What concerned her was how the proliferation of IoT devices was going to exacerbate the problem of not enough skilled security professionals. Up until then, I gave little thought to the connection or what it implies. This article is an attempt to change that, and pass along what I learned.

Define the Internet of Things

When writing about the IoT, it is important to agree upon a definition for the Internet of Things. At least make an attempt, as definitions abound. The book Future Internet – FIS 2008: First Future Internet Symposium is interesting in that it mentions security when it defines IoT, and defines it as, “A world where physical objects are seamlessly integrated into the information network, and where the physical objects can become active participants in business processes. Services are available to interact with these ‘smart objects’ over the Internet, query their state and any information associated with them, taking into account security and privacy issues.”

The benefit of this definition is that it regards the IoT as a two-way interchange needing to be secured, not just IoT devices phoning home.

Why the IoT adds to the shortage of security pros

In Cisco’s 2014 Annual Security Report there is insight as to why the IoT will further increase the gap between the demand for information security professionals and their availability. The report concludes the IoT will increase the complexity of the entire internet, thus making it more challenging to defend. In particular:

  • Increased complexity of information infrastructure
  • Lack of visibility into cloud services
  • Rapidly increasing number of IoT devices connected to the internet

Sujata Ramamoorthy, director for global information security for Cisco’s Threat Response, Intelligence, and Development (TRIAD) group, talked to eWEEK about the report. Ramamoorthy said in the article, “These trends are fueling the need for additional security skills in the industry, and because the networks themselves are getting more complex, the applications communicating over them are getting more complex.”

The SANS Institute was already expressing concern about the IoT increasing infrastructure complexity during its Securing the Internet of Things summit last October. In the report, SANS first divided the IoT into two categories:

  • Critical Infrastructure: Power production/generation/distribution, manufacturing, transportation, etc.
  • Personal Infrastructure: Personal medical devices, automobiles, home entertainment, device control, and retail

The SANS report explained how critical infrastructure has been, and will continue to be, a high-priority target for nation-state and industrial espionage, denial-of-service attacks, and the currently popular APT or ATA threats. Reading between the lines, this means that the bad guys are winning this battle, and part of the reason is a lack of qualified defenders. Also adding to the burden will be the encroachment of IoT devices into personal networks. Attackers will have more opportunities to access home networks and the personal information stored on them.

After some study, I came to the conclusion that there are a few more issues that will influence the personnel shortage. Most IoT devices use firmware that is closer to Programmable-Logic Controller software than computer operating systems. How IoT-device firmware will be updated and vulnerabilities fixed is a big unknown, and will require security personnel with specialized skills.

Most security experts realize the bad guys are fast becoming big data experts. With the IoT capturing new types of data, bad guys can add what looks like disparate data to their databases, and can use analytics to come up with new ways to victimize people. Because this is a big data issue, it will require professionals experienced in database analytics plus security.

How many information security professionals are needed?

Cisco’s 2014 Security Report estimates that 1 million security professionals are needed to meet today’s demand. The eWEEK post said, “James Gosler, a cybersecurity specialist who worked at the Central Intelligence Agency, has argued that the United States needs some 30,000 technical cybersecurity workers, essentially hackers.” That gaping difference was a bit surprising. Upon further searching, other reports showed that an average of approximately 300,000 cybersecurity professionals are needed to meet current demands.

To that end, one company is starting to do something about the shortage. Symantec announced a new program called the Symantec Cyber Career Connection. The program is designed to increase the number of qualified cybersecurity professionals by:

  • Raising awareness and recruiting underserved populations into long-term cybersecurity careers.
  • Offering an industry-recognized training program–implemented through a network of partners–that prepares underserved populations for in-demand certifications.
  • Following the training, partners will place students in cybersecurity internships to teach and develop needed on-the-job skills.
  • Training partners will connect program graduates to cybersecurity positions through Symantec’s network of customers and partners.

Symantec’s program follows a pattern similar to one I wrote about, Genesys Works, that is also geared to create interest in IT professions by connecting IT managers and IT professionals with students through an internship program.