Title: IT SECURITY WORKFORCE DEVELOPMENT and THE ROLE OF PROFESSIONAL CERTIFICATION
- Jane Scott Norris, MS CISSP CISM
- Chief Information Security Officer
- U. S. Department of State
- FEDERAL INFORMATION SYSTEMS SECURITY EDUCATORS ASSOCIATION - March 2004
Learning Cycle
Learning
Awareness
Confidence
Success
Achievement
Sharing
Today's Topics
- Evolution of the IT security profession
- IT Security Governance
- IT security workforce development
- The role of certifications, their benefits and limitations
- State's incentive program for the IT workforce
Evolution of IT Security Profession
Importance of IT Security
- Increasing dependence on IT
- Increasingly interconnected world
- Irrelevance of geographic borders
- Software rushed to market
- Easily accessible, malicious tools
- "The sophistication of the attack is growing, but the sophistication of the attacker is not." Dr. Ron Ross, NIST
Evolution of the IT Security Profession
- Significant change over the past decade
- Number of people dedicated to information security has grown from hundreds to thousands
- Information security used to be a collateral duty
- Office of Personnel Management has created a separate IT job series, of which information security is an identified sub-series
- Senior level positions have been created in Information Security - CISO
- Direct report to CIO or other senior management official
- Professional certifications have proliferated
IT Security Governance
Emergence of IT Security Governance
- Repeated Calls for Action
- ISO 17799
- Audit Community
- Business Software Alliance Framework
- National Cyber Security Summit
- Spotlight on IT Security
- Political Interest
- Laws, Regulations and Guidance
- Managerial Focus
Political Interest
- Privacy and Information Security
- Crypto Wars of the 90s
- Legislation
- GISRA and FISMA
- Sector Specific Legislation
- Oversight
- Congressional Grades
- Oversight Hearings
- GAO Reviews, e.g. 1997 Report
- OMB Report Cards
- President's Management Agenda
- Cabinet agency scorecards
- E-gov includes security
Laws and Regulations
- Government
- 1998 PDD 63 Critical Infrastructure Protection
- 2000 GISRA
- 2002 FISMA
- 2003 HSPD 7
- Sector Specific
- 1996 HIPAA
- Privacy and confidentiality in healthcare
- 1999 GLBA
- Protection of integrity and confidentiality of consumer financial records
- 2002 Sarbanes-Oxley Act
- Security of accounting information systems
National Guidance
- NIST guidelines
- Security plans
- Risk Management
- Certification and Accreditation
- Awareness, Training and Education
- National Strategy to Secure Cyber Space
- Public Private Partnership
Managerial Focus
- Modern business model
- IT is no longer a support service
- IT is integral to the business
- IT security is a management issue
- Risk Management
- Incident Management
- Business Continuity
IT Security Workforce Development
IT Security Governance And The IT Security Workforce
- 1997 GAO Report
- 1998 NIST SP 800-16
- 2002 FISMA
- 2003 National Strategy to Secure Cyber Space
1997 GAO Report
- In 1997 the General Accounting Office (GAO) identified information technology (IT) security as a new high-risk area that touches virtually every major aspect of government operations (report GAO/HR-97-30)
- Identified underlying people factors, not technological factors, e.g.,
- insufficient awareness and understanding of information security risks among senior agency officials,
- poorly designed and implemented security programs,
- a shortage of personnel with the technical expertise needed to manage controls, and
- limited oversight of agency practices.
NIST Training Continuum
- Awareness
- ...to focus attention on security
- Training
- ...to produce relevant and needed security skills and competency
- Education
- ...to integrate all (security skills and competencies) into a common body of knowledge, adding a multidisciplinary study of concepts, issues, and principles
- Professional Development (Organizations and Certifications)
- ...imply a guarantee as meeting a standard by applying evaluation or measurement criteria
Awareness, Training, Education: Comparative Framework

| | Awareness | Training | Education |
|---|---|---|---|
| Attribute | What | How | Why |
| Level | Information | Knowledge | Insight |
| Learning Objective | Recognition, Retention | Skill | Understanding |
| Example Teaching Method | Media: videos, newsletters, posters | Practical instruction: lecture and/or demo, case study, hands-on practice | Theoretical instruction: seminar and discussion, reading and study, research |
| Test Measure | True/False, Multiple Choice (identify learning) | Problem Solving: Recognition, Resolution (apply learning) | Essay (interpret learning) |
| Impact Timeframe | Short-Term | Intermediate | Long-Term |

The Human Factor in Training Strategies by Dorothea de Zafra, Nov. 1991, as quoted in NIST SP 800-16
FISMA and IT Security Training
- Senior Agency Official (CISO) shall possess professional qualifications, including training and experience
- CIO/CISO shall train and oversee personnel with significant responsibilities for information security
National Strategy to Secure Cyberspace
- February 2003
- Priority III: A National Cyberspace Security Awareness and Training Program
- Awareness, Training and Certification
- "A lack of trained personnel and the absence of widely accepted, multi-level certification programs for cyber security professionals complicate the task of addressing cyber vulnerabilities"
National Certification Program
- Hun Kim
- DHS will encourage efforts that are needed to build foundations for the development of security certification programs that will be broadly accepted by the public and private sectors
- National IT security professional certification suite (vendor neutral)
- Accrediting body
Federal Agency Initiatives
- DoD encouraging IT security workforce credentials
- NSA
- Identifying academic centers of excellence
- Special government extension to CISSP: ISSEP
- Veterans Affairs using certification to professionalize its security workforce
- Cyber Corps (civilian and defense versions) is also an important source of new additions to the workforce
- State Department using skills incentive pay
Academic Initiatives
- IRM College at NDU
- Information Operations
- Information Assurance
- Designated Approving Authority
- Academic centers of excellence program has made impressive strides over the past few years
- Community colleges helping prepare people to enter the IT security workforce
Industry Initiatives
- Professional Groups
- ISACA
- ISSA
- (ISC)2
- Professional Literature
- SC Magazine
- Information Security Magazine
- CSO Magazine
- Certifications
- Broad based to specific technology
Security Certifications
- Vendor Neutral vs. Vendor Specific
- Technical vs. Managerial
Role of Certification
Certifications and the IT security workforce
- Factors influencing the IT security challenge: rapid increase in demand for qualified personnel; complexity of the problem
- Trend has been to hire skilled workers (particularly contractors) rather than train the existing workforce
- Employers see certifications as a prima facie metric of competence and ability in a complex world
- Certification validates a specific set of educational and experiential qualifications
- Indicative of personal initiative and commitment
Certification vs. Education
- Is certification becoming a substitute for professional education?
- IT security is an ever changing discipline, therefore we need a career long learning strategy
- Education
- More general
- Learn to think
- Certification
- Training
- More specialized
- Learn to do
- Continuing education requirements of (ISC)2, ISACA and others
Benefit of Certification
Costs of Certification
- EFFORT!!
- Time
- Money
- Average cost for class/books/test: $2,750
Benefits
- Credentials that require experience and continuing education
- Benefit to the Profession
- Organizational Gain
- Personal Gain
Organizational Gain
- Improves IT security workforce
- Identifies initiative
- Provides known skill sets and common lexicon
- Helps as a Filter or Differentiator
- 82% stay with organization
www.CertMag.com Salary Survey, Dec 2003
The Human Factor in Training Strategies, a presentation to the Federal Computer Security Program Managers Forum, by Dorothea de Zafra, November 1991.
Personal Gain
- Skills
- Knowledge
- Confidence
- Respect
- Advancement potential
- Job Security
Personal Financial Gain
- Premium Bonus Pay for security certifications
- Has grown 16% over the past 2 years
- Compared to a drop of 6% in value for overall IT certifications
- Over the past year
- 25% increase for holders of CISA
- 22% increase for CISSP holders
- 13% increase for holders of GIAC Certified Windows Security Administrator
- In DC, on average, CISSP holders make $20K p.a. more than MCSE
- Foote Partners Survey quoted in SC Magazine, November 2003
- CertMag.com
Beyond Certification
Beyond Certification
- What's your goal?
- Are more certifications better?
- Are certifications enough?
- Need experience
- Continuous learning
- For management positions, need to complement security certifications with
- Management training
- Project Management
- MBA
- Masters-level business or IRM courses
- CSO Study: 66% of security executives have academic degrees
- Customer Service
CSO Survey
- 408 respondents from across government and industry
- 79% security executives
- 20% held CISSP
- 7% held CISA or CCP
- 66% held academic degrees
- 14% held MBA
- Only 18% agreed that managers in their company understand their roles and responsibilities in regards to security, and one-third said security considerations are a routine part of the company's business processes
CSO Online, June 2003
Department of State's Skills Incentive Program
History of SIP
- Devised in 1997-1998
- High vacancy rate in IT skill codes
- High percentage of people eligible to retire
- Deploying modern technology
- Cross-bureau working group
- IT, HR, Finance, Unions
- Implemented in FY 1999
- New hire bonuses and retention incentives
Skills Incentive Pay
- Bonuses for IT and IRM credentials
- Security credentials added in 2000
- Changed this fiscal year
- Continuing education requirement
- Pilot Program one year at a time
SIP Program details
- Levels: 5%, 10%, 15%
- Qualifying Credentials and examples
- Degrees
- Bachelors, Masters in IT or IRM
- Graduate level programs
- NDU CIO certificate/NDU IA certificate
- Vendor neutral certifications
- A+, CISSP, GIAC
- Vendor specific certifications
- MCSE, CCNP
Outcome of State's SIP Program
- 62% of IT workforce qualify
- $5.5M paid since inception
- Level of expertise has increased
- Vacancy level is very low or zero
- Training float created
- Recognized as a government best practice
Summary
Summary
- Spotlight is on IT security
- Need to professionalize the IT security workforce
- Certification is a good indicator of knowledge and skills
- Certification benefits the organization and the individual
- Certification alone will not ensure organizational or individual success