IT SECURITY WORKFORCE DEVELOPMENT and THE ROLE OF PROFESSIONAL CERTIFICATION - PowerPoint PPT Presentation

1 / 43

About This Presentation

Title:

IT SECURITY WORKFORCE DEVELOPMENT and THE ROLE OF PROFESSIONAL CERTIFICATION

Description:

Click to edit Master title style. Click to edit Master text ... ISSA (ISC)2. Professional Literature. SC Magazine. Information Security Magazine. CSO Magazine ... – PowerPoint PPT presentation

Number of Views:126

Avg rating:3.0/5.0

Slides: 44

Provided by: janescot

Category:

more less

Transcript and Presenter's Notes

Title: IT SECURITY WORKFORCE DEVELOPMENT and THE ROLE OF PROFESSIONAL CERTIFICATION

1
IT SECURITY WORKFORCE DEVELOPMENT and THE ROLE
OF PROFESSIONAL CERTIFICATION

Jane Scott Norris, MS CISSP CISM
Chief Information Security Officer
U. S. Department of State
FEDERAL INFORMATION SYSTEMS SECURITY EDUCATORS
ASSOCIATION
March 2004

2
Learning Cycle
Learning
Awareness
Confidence
Success
Achievement
Sharing
3
Todays Topics

Evolution of the IT security profession
IT Security Governance
IT security workforce development
The role of certifications, their benefits and
limitations
States incentive program for the IT workforce

4
Evolution of IT Security Profession
5
Importance of IT Security

Increasing dependence on IT
Increasingly interconnected world
Irrelevance of geographic borders
Software rushed to market
Easily accessible, malicious tools
The sophistication of the attack is growing, but
the sophistication of the attacker is not. Dr
Ron Ross, NIST

6
Evolution of the IT Security Profession

Significant change over the past decade
Number of people dedicated to information
security has grown from hundreds to thousands
Information security used to be a collateral duty
Office of Personnel Management has created a
separate IT job series, of which information
security is an identified sub-series
Senior level positions have been created in
Information Security
CISO
Direct report to CIO or other senior management
official
Professional certifications have proliferated

7
IT Security Governance
8
Emergence of IT Security Governance

Repeated Calls for Action
ISO 17799
Audit Community
Business Software Alliance Framework
National Cyber Security Summit
Spotlight on IT Security
Political Interest
Laws, Regulations and Guidance
Managerial Focus

9
Political Interest

Privacy and Information Security
Crypto Wars Of The 90s
Legislation
GISRA and FISMA
Sector Specific Legislation
Oversight
Congressional Grades
Oversight Hearings
GAO Reviews e.g.1997 Report
OMB Report Cards
Presidents Management Agenda
Cabinet agency scorecards
E-gov includes security

10
Laws and Regulations

Government
1997 PDD 63 Critical Infrastructure Protection
2000 GISRA
2002 FISMA
2003 HSPD 7
Sector Specific
1996 HIPPA
Privacy and confidentiality in healthcare,
1999 GLBA
Protection of integrity and confidentiality of
consumer financial records
2002 Sarbanes-Oxley Act
Security of accounting information systems

11
National Guidance

NIST guidelines
Security plans
Risk Management
Certification and Accreditation
Awareness,Training and Education
National Strategy to Secure Cyber Space
Public Private Partnership

12
Managerial Focus

Modern business model
IT is no longer a support service
IT is integral to the business
IT security is a management issue
Risk Management
Incident Management
Business Continuity

13
IT Security Workforce Development
14
IT Security Governance And The IT Security
Workforce

1997 GAO Report
1998 NIST SP 800-16
2002 FISMA
2003 National Strategy to Secure Cyber
Space

15
1997 GAO Report

In 1997 the General Accounting Office (GAO)
identified information technology (IT) security
as a new high-risk area that touches virtually
every major aspect of government operations
(report GAO/HR-97-30
Identified underlying people factors, not
technological factors, e.g.,
insufficient awareness and understanding of
information security risks among senior agency
officials,
poorly designed and implemented security
programs,
a shortage of personnel with the technical
expertise needed to manage controls, and
limited oversight of agency practices.

16
NIST Training Continuum

Awareness
...to focus attention on security
Training
...to produce relevant and needed security
skills and competency
Education
...to integrate all (security skills and
competencies) into a common body of knowledge,
adding a multidisciplinary study of concepts,
issues, and principles
Professional Development (Organizations and
Certifications)
...imply a guarantee as meeting a standard by
applying evaluation or measurement criteria

17
Awareness, Training Education
Comparative Framework Comparative Framework Comparative Framework Comparative Framework
Awareness Training Education
Attribute What How Why
Level Information Knowledge Insight
Learning Objective Recognition Retention Skill Understanding
Example Teaching Method Media -Videos -Newsletters -Posters Practical Instruction -Lecture and/or demo -Case study -Hands-on practice Theoretical Instruction -Seminar and discussion -Reading and study -Research
Test Measure True/False Multiple Choice (identify learning) Problem Solving Recognition Resolution (apply learning) Essay (interpret learning)
Impact Timeframe Short-Term Intermediate Long-Term
The Human Factor in Training Strategies by
Dorothea de Zafra, Nov. 1991 as quoted in NIST SP
800-16
18
FISMA and IT Security Training

Senior Agency Official (CISO) shall posses
professional qualifications, including training
and experience
CIO/CISO shall train and oversee personnel with
significant responsibilities for information
security

19
National Strategy to Secure Cyberspace

February 2003
Priority III A National Cyberspace Security
Awareness and Training Program
Awareness, Training and Certification
A lack of trained personnel and the absence of
widely accepted, multi-level certification
programs for cyber security professionals
complicate the task of addressing cyber
vulnerabilities

20
National Certification Program

Hun Kim
DHS will encourage efforts that are needed to
build foundations for the development of security
certification programs that will be broadly
accepted by the public and private sectors
National IT security professional certification
suite (vendor neutral)
Accrediting body

21
Federal Agency Initiatives

DoD encouraging IT security workforce credentials
NSA
Identifying academic centers of excellence
Special government extension to CISSP ISSEP
Veterans Affairs using certification to
professionalize its security workforce
Cyber corps (civilian and defense versions) is
also an important source of new additions to
workforce
State Department using skills incentive pay

22
Academic Initiatives

IRM College at NDU
Information Operations
Information Assurance
Designated Approving Authority
Academic centers of excellence program has made
impressive strides over past few years
Community colleges helping preparepeople to
enter the IT security workforce

23
Industry Initiatives

Professional Groups
ISACA
ISSA
(ISC)2
Professional Literature
SC Magazine
Information Security Magazine
CSO Magazine
Certifications
Broad based to specific technology

24
Security Certifications

Vendor Neutral
Vendor Specific
Technical
Managerial
25
Role of Certification
26
Certifications and the IT security workforce

Factors influencing the IT security
challenge --rapid increase in demand for
qualified personnel --complexity of the
problem
Trend has been to hire skilled workers
(particularly contractors) rather than train
existing workforce
Employers see certifications as a prima facie
metric of competence and ability in a complex
world
Certification validates a specific set of
educational and experiential qualifications
Indicative of personal initiative and
commitment

27
Certification Vs Education

Is certification becoming a substitute for
professional education?
IT security is an ever changing discipline
therefore we need a career long learning
strategy
Education
More general
Learn to think
Certification
Training
More specialized
Learn to do
Continuing education requirements of (ISC)2,
ISACA and others

28
Benefit of Certification
29
Costs of Certification

EFFORT!!
Time
Money
Average cost for class/books/test 2750

30
Benefits

Credentials that require experience and
continuing education
Benefit to the Profession
Organizational Gain
Personal Gain

31
Organizational Gain

Improves IT security workforce
Identifies initiative
Provides known skill sets and common lexicon
Helps as a Filter or Differentiator
82 stay with organization

www.CertMag.com Salary Survey Dec 2003
The Human Factor in Training Strategies, a
presentation to the Federal Computer Security
Program 2 Managers Forum, by Dorothea de Zafra,
November, 1991.
32
Personal Gain

Skills
Knowledge
Confidence
Respect
Advancement potential
Job Security

33
Personal Financial Gain

Premium Bonus Pay for security certifications
Has grown 16 over past 2 years
Compared to a drop of 6 in value for overall IT
certifications.
Over the past year
25 increase for holders of CISA
22 increase for CISSP holders.
13 increase for holders of GIAC - Certified
Windows Security Administrator
In DC, on average
CISSP holders make 20K p.a. more than MCSE
Foote Partners Survey quoted in SC Magazine
November 2003
CertMag.com

34
Beyond Certification
35
Beyond Certification

Whats your goal?
Are more certifications better?
Are certifications enough?
Need experience
Continuous learning
For management positions, need to complement
security certifications with
Management training
Project Management
MBA
Masters-level business or IRM courses
CSO Study 66 security executives have academic
degrees
Customer Service

36
CSO Survey

408 respondents from across government
and industry
79 security executives
20 held CISSP
7 held CISA or CCP
66 held academic degrees
14 held MBA
Only 18agreed that managers in their company
understand their roles and responsibilities in
regards to security and one-third said security
considerations are a routine part of the
companys business processes