When a small or medium-sized business realizes it has a strong need to improve IT security, a natural response is to begin looking for someone to hire, someone with a recognized qualification in the field. According to the Center for Internet Security, however, even individuals with a master's degree in IT security from a prestigious American university may not be able to do the job needed. William Pelgrin, who serves as the chief executive officer for CIS, a not-for-profit organization dedicated to trend analysis and information sharing, recently expressed concerns that such individuals may have reams of textbook-based learning but insufficient levels of actual work experience.
As a result, they are less likely to be effective from their first day at a new company, and the time they must spend learning systems hands-on has to be considered a cost of employment. In some cases, this may add to the cost of providing in-house IT support to such an extent that a different structure altogether could be preferable. "People are coming out of the academic institutions really well educated," acknowledged Pelgrin, who clarified his remarks by adding: "What we want is not only well-educated graduates, but those who also can walk into a position and actually start a case immediately and understand how to do that case, what to look for, how to analyze it, how to do the forensics that make a difference in the ultimate goal of the security of that company."
To address this situation, Pelgrin recommends that IT security specialists go through something like the residency that medical professionals undergo. This residency would put them in the field in a way that provides mentoring and support as they get their feet wet, thereby helping them to learn the ropes in an actual business setting before they attempt to become solo practitioners.
Few small and medium-sized businesses would be partners in such a process, but they should still keep in mind the need for their own IT security provisions to rely only on specialists who are well positioned to access help and resources as needed. One way to do this is to give serious consideration to the model commonly referred to as ‘managed security’. In a managed security approach, small and medium-sized businesses work with an entire IT company rather than a single individual. Any employees assisting them therefore have access to a great depth of experience as well as resources. A managed security approach is also advantageous because it uses automation and remote monitoring to streamline security protections, making them highly cost-effective.