This is the fourth article in a four-part series this month celebrating National Cybersecurity Awareness Month. Click here for last week's article, "You Are What the Search Engine Finds!: Tips to Ensure Online Privacy."

A recent study conducted by the Center for Cyber Safety and Education states that by 2022 there will be a shortage of 1.8 million information security workers.

But, you ask, where is the connection to internal audit? The IIA's Richard Chambers recently outlined four areas where internal audit needs to focus attention when it comes to cybersecurity:

    1. Provide assurance over readiness and response

    2. Communicate to board and executive management the level of risk to the organization and efforts to address such risks

    3. Work collectively with IT and other parties to build effective defenses and responses

    4. Ensure communication and coordination about cyber risk across the organization.

For those looking for a new career in IT auditing, most of the positions you see on job sites like Monster or Dice are seeking candidates who hold certificates such as CISA, CISM, CRISC, or CISSP.

The question becomes, how do we, as an assurance community, prepare tomorrow’s security-savvy workforce?  

The reality is, education surrounding information security need to be introduced at the middle and high school levels. Additionally, it's critical to build more adult education programs to recruit those with an analytical aptitude. This will allow us to form a workforce capable of assessing the effectiveness of controls that help protect our clients’ data and information assets from a host of threat actors.

So, if we know there is a shortage, why aren’t there more programs offered in our schools and universities? The U.S. Department of Labor has a limited number of Standard Occupational Classifications (SOCs) and these codes are directly connected to the determination of what types of programs are offered and funded by our school systems. Today, information security is a part of SOC 15,0000 Computer and Mathematical Occupations and it is defined as the planning, implementation, upgrading, or monitoring of "security measures for the protection of computer networks and information. May ensure appropriate security controls are in place that will safeguard digital files and vital electronic infrastructure. May respond to computer security breaches and viruses.” This means the classroom offerings are designed to achieve the above-stated learning objectives, which is a far cry from the full skillset companies are looking for today.

Secondly, information security isn’t top-of-mind for many educators and parents, as this field is newer, doesn’t have the visibility when compared to traditional careers, and does not have a distinct educational path spelled out. Organizations that are seeking IT auditors with stronger information security skills are rarely invited to high school career day events.

The reality is, though, that we have little time to course correct. What do we do?

  1. Educate society on information security, specifically cybersecurity and data privacy concerns through media and mentorship between industry and education. Organizations including ISACA, ISSA, and IIA all offer discounted student memberships and encourage the formation of student memberships at local college campuses.

  2. Teach parents about cybersecurity so they can, in turn, teach their kids too.

  3. Further, educate teachers and guidance counselors on IT audit and information security careers including the “characteristics” that make a good candidate.

  4. Start “information security” clubs in middle school and high school. Make it fun! Many school districts have technology boards that are a partnership between local business leaders and the schools that serve as volunteers for these types of activities.

  5. Educate career counselors and parents about IT audit and information security careers and education options.

  6. If you're an IT auditor, volunteer to be a guest lecturer or speak at a career day.

  7. Work with colleges and high schools in your areas and bring in an intern or two to give them exposure to the IT audit field.

  8. Develop a cross-training partnership between IT and audit and rotate resources between job functions.

  9. Continuous education… do not forget about your current staff… the threat landscape changes within the blink of an eye; make sure your IT auditors are armed with the latest knowledge. We cannot be an effective third line of defense if we do not understand the adversary, their tactics, and the controls to defend against them.

Overcoming the skillset shortage is going to take a partnership between industry, education, and society. At the end of the day, cyber threats are not going to go away anytime soon, so the best defense is a solid offense.