Industry experts at a Cisco discussion panel held in Sydney today have painted a bleak picture of the future information security workforce, stating that university graduates are ill-prepared and lack basic, necessary skills.
Telstra chief information officer Glenn Chisholm said that one of the greatest problems facing the information security industry is arrogance of ignorance.
"The number of people that believe they understand security, but don't, far exceeds the number of people that do," he said. "The ability to access well-trained personnel at that tertiary level is almost non-existent."
Cisco vice president and chief security officer John Stewart agreed.
"The generation of people that we're hiring out of college don't even understand the OSI layer," he said, adding that structured tertiary education has, in a way, robbed students of the lessons they could have naturally learned.
"The concept of buffer overflow is just not even in their mindset, because they've been learning in an environment where that wasn't even possible.
"The nature of that education is removing some of the very elements of what this industry needs for the experience that you have to have on the job."
Head of Edith Cowan University's School of Computer and Security Science professor Craig Valli said that the university has recognised these pitfalls, and is going back to basics in terms of training students.
"Students are learning assembly again. It had been taken out. They're going to have a C programming unit, they're having a scripting unit, all of these basics in computer science that they're going to need when they get out there," he said, adding that he is also pushing for students to be educated in current concepts like IPv6 in addition to IPv4.
However, Valli revealed that only one fifth of students studying cybersecurity actually grasp these basics.
"We've got the biggest program in Australia, but I would say that out of the 500-odd bodies we have doing cybersecurity units, about 20 per cent 'get it'."
Chisholm did admit that students have a much tougher learning curve than those who enter the industry earlier and learn along the way.
"The legislative frameworks and the concepts that exist now didn't exist then. You've had 15 years to learn what we're asking someone to learn in one. That's not a reasonable proposition. In effect, that's what a tertiary education is designed to do."
He said that it is still possible for organisations to be prepared if they play their recruiting cards right.
"It's not that there are no staff; it's that the pool of staff is not sufficient. There are organisations in Australia that have excellent information and cybersecurity capability, but those are not the norm."
Yet Stewart warned that time is running out, and that the situation is only going to get worse if nothing is done.
"We're getting to the point where there's a certain generation that's going to retire out. When we take the institutional experience and transfer it to the next group of people, we're going to frankly face significantly bigger problems. Demand is exceeding supply, and then transference into the training of that supply isn't going quickly enough."
Updated at 9:37, 9 November 2011: clarified that Chisholm had said arrogance of ignorance as opposed to arrogance and ignorance.