The Key to Developing Security Engineers to Address a Shortage of Security Personnel

Fujitsu Internal Use Case Study

While cyberattacks take place one after another, the shortage of security engineers who can deal with these attacks is a common problem in many parts of the private and public sectors. However, just complaining about this problem will not solve it. How can we build a positive growth cycle for developing human resources? Fujitsu below introduces the key to developing security engineers in-house.

A Worsening Shortage of 22,000 Security Engineers

In recent times, ransomware has surfaced as a threat, with attackers holding your data for ransom by encrypting it or locking your computer. No organization can afford to waste time when it comes to enhancing its security measures. We need to protect ourselves. While more and more companies are forming Computer Security Incident Response Teams (CSIRTs), many find it difficult to find proficient security personnel to handle the relevant duties. Thus, currently, few CSIRTs function efficiently.

This shortage of security personnel is a serious problem. According to the "Basic Study on IT/Security Human Resource Development" (2014) by the Information-technology Promotion Agency (IPA), there is a shortage of 22,000 security engineers. If we include those security engineers with insufficient skills, this increases the figure to 140,000 persons. Many companies complain that it is difficult to find anyone in-house suitable for IT security work.

The First Step to Developing Is to Visualize Security Personnel

In January 2014, Fujitsu began its FUJITSU Security Initiative, an original system for certifying cybersecurity engineers. The purpose of this system is to uncover engineers with a skillset in security, analyze the skill levels of security personnel in different departments, and systematically develop these human resources. The ideal for security personnel is defined according to American NICE Cybersecurity Workforce Framework and other sources.

Personnel with knowledge and interest in security are not only to be found in the ICT department. It is important to look for candidates in each operating department within the company using the skillset definition and certification system. Having personnel scattered across every operational department only serves to strengthen the company's security.

Fujitsu has three defined categories for cyber security personnel. The first is the Field Specialist - a general system engineer (SE) familiar with security. The second is the Expert Specialist with advanced security capabilities. The third is the High Master Specialist. These are security specialists with extremely advanced capabilities. Fujitsu specialists are allowed to get involved in separate jobs. High Master Specialists speak at seminars away from the department and conduct highly specialized research, a job completely different from that of Experts.

When we first looked for security personnel within the company, we were surprised to find many more people than we expected. We certified twice our goal for Field Specialists at 1,300, exceeded the goal for Expert Specialists at 140, and uncovered seven High Master Specialists. By creating a certification system and visualizing capable talent scattered within the company, we were able to recognize as a company once more the importance of security and the value of our personnel.

As an initiative for finding employees with an interest in security, Fujitsu periodically holds internal contests in a system called the "Cyber Range."

Cyber Range - A virtual environment emulating the internal system

Developing Security Human Resource Can Be an Opportunity to Improve Corporate Risk Readi-ness

While this process of uncovering, visualizing, and training employees may present quite the challenge for companies short on security personnel, it can also be an opportunity to improve corporate risk readiness. This is where Fujitsu comes in. We look to provide user companies ongoing support in maintaining stabilized security personnel by utilizing tools such as the FUJITSU Security Initiative and Cyber Range, which are based on our years of experience uncovering and training security personnel.