Building the Security Workforce of Tomorrow

1
Building the Security Workforce of Tomorrow

• Allan Berg
• University of Dallas
• Graduate School of Management

2
Information Assurance and Infrastructure
Protection

• is a national priority as well as a complex
  and critical challenge. One that requires a true
  partnership between all stakeholders, government,
  public, private, and academe.

3
Certification, Education, and Training in
Information Assurance

• People involved in IA must be able to
  understand and systematically employ and manage
  IA concepts, principles, methods, techniques,
  practices and procedures drawn from U.S.
  statutes, current or pending. IA experts also
  must understand procedures mandated by the
  Department of Defense, federal, state and local
  governments, businesses, and industries.

4
Questions

• What is the supply core of IA workers
• What education and training does the IA worker
  need
• How will this education and training be imparted
• Who will certify this education and training

5
The IA Workforce Challenge

• Continuing sustained rapid growth and
  accelerating
• Intense demand for unique combinations IT, IA
  skills, experience, and industry knowledge

6
Assessing Educational and Training Needs

• What occupations comprise the core IA work force
• Standardized definition of the standards that
  define the information security worker agreeable
  to government, industry and academe.
• Enforcing security processes on a document
  oriented information system may be very different
  from a communications network system.
• Often overlooked physical, personnel, standards
  and policy, and administrative security expertise
  is also a necessity in todays information
  security workforce environment.

7
Information Assurance

• Encompasses the scientific, technical, and
  management disciplines required to ensure
  computer and network security including the
  following functions
• System/network administration and operations
• Systems security engineering
• Information assurance systems and product
  acquisition
• Cryptography
• Threat and vulnerability assessment, to include
  risk management
• Web security
• The operations of computer emergency response
  team
• Information assurance training, education and
  management
• Computer forensics
• Defensive information operations

8
Academic Degree vs. Industry Certification

• Are academe and industry competing for the same
  market?
• Absolutely NOT!!
• Are academe and industry complimentary?
• Absolutely YES!!
• Many people have some level of experience, but
  little time to devote to semester-long courses.
• Many people have no experience, and might not
  benefit from Wham! Bam! 5-day training courses.
• But have time to attend semester-long courses.

9
Information Security What

• Network and network infrastructure security
• Physical, personnel and administrative security
• Cryptography and Public-Key Infrastructure
• Testing and verification methodologies
• Intrusion Detection
• Vulnerabilities analysis and Risk Management
• Policy and auditing technologies
• Host security
• Ethics and legal issues
• Authentication technologies
• E-commerce and Public Policy

10
The Niche IA Labor Markets

• Mix of knowledge and skills required can vary
• Certain technical skills may be in high demand
• IT is changing rapidly

11
Incentives for IA Certification and Education

• Establishes a professional identity and upholds
  the quality of the profession.
• Establishes a minimum level of knowledge with
  regard to the practice of the profession, and
  through continuous learning, upgrading of
  knowledge base and skills.
• Promulgates a code of ethical practice.
• Provides a review process and participation in
  published standards of practice.
• Promotes ongoing role and function studies for
  practitioners to validate their practice.
• Promotes ongoing role and function studies for
  practitioners to validate their practice.

12
Incentives for IA Certification and Education
(Cont.)

• Demonstrates that certified individuals meet
  acceptable uniform national standards.
• Establishes a standard level of competency for
  employee hiring and evaluation.
• Promotes consumer protection.
• JOB ADVANCEMENT certification gives you a
  competitive edge for promotion and hiring.
• SALARY Profile studies shows that certification
  holders earn more per year than those who do not
  have certification.
• ESTEEM Attaining certification demonstrates to
  your employer, your colleagues, and yourself that
  you are committed as a professional.

13
Disadvantages of Certification

• Multiple choice tests are unable to test problem
  solving and analytic skills.  They reward
  students who can memorize and replay a set of
  facts with ease. Furthermore, these tests have
  become integrated into vendor marketing
  strategies.

14
Disadvantages of Certification (Cont.)

• Emphasize facts important to a particular product
  line and frequently do not assess globally
  important knowledge. Hence, the industry has
  coined the terms paper-_ _ _ _ to describe
  someone who only knows enough to pass the tests,
  but not enough to function effectively on the
  job. Since many of the short-term training
  programs teach only the answers to the tests, the
  problem is only getting worse.

15
The Fix

• Developing curriculum that includes not only the
  test information, but also additional materials
  designed to give the student real insight and
  hands-on experience with the software and
  hardware used in the industry. While our student
  do pass the tests and become certified, they
  fully understand that it is knowledge beyond the
  tests that makes them valuable. Such knowledge
  will last a lifetime, since it will not become
  obsolete with the next software upgrade.

16
Initiatives and Opportunities

• Assessing educational and training needs
• State initiatives for IA education
• Benefits of certification and continuing
  education
• Internet-enabled education and training
• International security education and collaboration

17
Initiatives for IA Education

• Departments of Information Technology
• Academic initiatives
• Internships
• Federal initiatives
• CAE/ISE
• DoD IASP
• NSF Scholarship Program

18
Benefits of Certification and Continuing Education

• Benefits of Certification
• Demonstrates a level of expertise/competency
• Recognition by government, industry
• Periodic recertification?????
• Benefits of Continuing Education
• Life-long
• Through community colleges and universities
• Demonstrates a level of expertise/competency
• Recognition by industry, government, academia
• Corporate Universities
• Focuses on immediate and near future needs
• In-house and/or mini-courses by local purveyors
• Recognition by industry, government

19
Internet-enabled and In-class Certification,
Education, and Training

• Assessing the quality
• Can the students reliably and efficiently access
  all the curriculum materials so that they can
  complete the course requirements in the specified
  time period?
• Does the technology allow the students to become
  reasonably engaged with the material?
• Are there special difficulties associated with
  the administration of the program and exams?
• Is the time investment on the part of the faculty
  instructor and students manageable or prohibitive?

20
Internet-enabled and In-class Certification,
Education, and Training

• Does effective learning occur when using the
  Internet as the primary means of delivering the
  course curriculum?
• How far should distance education really go in
  being a substitute for the classroom experience?
• What is the nature of the market for distance
  education for the IA professional?
• What is the potential for learning with distance
  education for the IA professional?

21
Its A Jungle Out There

• Microsoft Certified Systems Engineer (MCSE)
• Cisco Certified Network Associate (CCNA)
• Cisco Certified Network Professional (CCNP)
• Cisco Certified Security Professional (CCSP)
• Certified Internet Webmaster (CIW)
• Certified Wireless Network Administrator (CWNA)
• Certified Information System Security Specialist
  (CISSP)
• CISSP Concentrations ISSAP, ISSMP, ISSEP
• Certified Information System Auditor (CISA)
• Certified Information Security Manager (CISM)
• SANS (GIAC)
• And the list goes on, and on, and on, and on, and
  on, and on, and on, and on, and on, and on, and
  on, and on ..

22
Looking to the Future

• To move forward, to stay successful,
  information assurance professionals in an
  organization, and its leaders, must have vision.
  Standing still isnt an option!

23

• Building the Security
• Workforce of Tomorrow
• Allan Berg
• University of Dallas
• Graduate School of Management
• aberg_at_gsm.udallas.edu
• 1.703.788.6801