Merit Annual Meeting - PowerPoint PPT Presentation

About This Presentation
Title:

Merit Annual Meeting

Description:

Identity Theft = $1B a year in losses for banks. www.olympussecurity.com ... trading records will be scrambled, corporate networks molten...CEO's humiliated. ... – PowerPoint PPT presentation

Slides: 28
Provided by: BTow
Category:
Tags: annual | meeting | merit | molten

Transcript and Presenter's Notes

Title: Merit Annual Meeting


1
Merit Annual Meeting
  • Preparing the Security Workforce of the Future
  • Jeff Recor
  • President, Olympus Security Group
  • Email jrecor_at_olympussecurity.com
  • Office 248-608-6784

2
Current Events
  • Virus Du Jour
  • Stopping trains!
  • Widespread infection
  • Blackout
  • Identity Theft = $1B a year in losses for banks

3
Organizational Challenges
  • Same problems year after year
  • Companies still vulnerable to common viruses
  • Vendors not securing their products
  • Security Professionals not working from standard
    set of knowledge
  • Culture of the Hacker

4
Discussion Points
  • The Feds are coming!
  • 3 distinct views
  • Employers
  • Practitioners
  • Knowledge Development Centers

5
Personnel Challenges
  • "(One of the major barriers to improving cyber
    security is) an inability to find sufficient
    numbers of adequately trained and/or
    appropriately certified personnel to create and
    manage secure systems." The National Strategy to
    Secure Cyberspace - February 2003

6
The Feds are Coming!
  • Cybersecurity takes a backseat
  • FUD
  • 9/11 ... WMD
  • No standards, yet
  • Legislation pending

7
FUD
  • Zero-day Viruses and affinity worms will sunder
    business records ... brokerage house trading records
    will be scrambled, corporate networks
    molten ... CEOs humiliated.
  • Howard Schmidt, Vice Chairman, CIP Board

8
Accreditation Board
  • Movement afoot to formalize security profession
  • Board forming now
  • Body of practice needs to be defined
  • Licensing process designed
  • Standards, standards, standards

9
Employers
10
(No Transcript)
11
Hiring Trends
  • 47 report hiring increased in the past year
  • 29 reported staffing levels remained unchanged
  • 19 reported decreases in security staff levels

Global Security Survey, 2003 Deloitte
12
ITAA Employer Survey
  • 60 not satisfied they can hire right security
    talent
  • 40 said it was hard to quantify candidates
  • 36 interview process not well defined
  • 81 recognize security as a separate profession

13
ITAA Employer Survey
  • CISSP Most Important (57)
  • Security
  • Vendor Specific
  • CFE
  • SANS GIAC

ITAA Workforce Study, 2003
14
Employee
15
Acquiring Knowledge
  • How do I learn the fundamentals needed to secure
    my environment?
  • How do I acquire the skills to become a valuable
    employee in the security field?

16
Certifications
Industry
  • CISSP
  • CISA
  • CFE
  • SANS
  • Security
  • CIA
  • CBCP
Vendors
  • Cisco
  • CheckPoint
  • ISS
  • RSA
  • Microsoft
  • Verisign
  • Entrust

17
Audience Poll
Which item is the most important for showing
your security skills to a potential employer
during an interview?
  • a. Resume
  • b. Non-vendor security certifications
  • c. Formal education in security discipline
  • d. Vendor-specific product certifications
  • e. Presenting at security conferences / classes

18
KDC
19
Current State
  • Training Programs
  • Boot camps
  • Certification factories
  • Higher Education
  • Masters Degree Programs
  • Certificate Programs
  • Standards Movement

20
Higher Education
  • Security Programs
  • Masters Degree
  • Undergraduate Degree
  • Certificate Programs
  • K through 12 !!

21
Education Trends
  • Before - Mechanical - bits and bytes
  • Forensics programs
  • Intrusion-detection and prevention programs
  • Security technology standards development and
    other technical programs
  • After - Business value and critical thinking
  • ROI
  • Business Process Analysis
  • Value Add
  • Business value and critical thinking.
  • ENABLEMENT

22
Security Education
  • Fewer than 60 PhD candidates in INFOSEC / IA
  • 17 PhDs in IA granted so far (2003)
  • 50 NSA COEs mostly focus on CIS-style programs
  • Much more is needed

23
National Training Standards
  • Information Security Professionals NSTISSI No.
    4011
  • Information System Security Officers NSTISSI No.
    4014
  • Designated Approving Authority NSTISSI No. 4012
  • System Administrators NSTISSI No. 4013
  • System Certifiers NSTISSI No. 4015
  • Risk Analyst NSTISSI No. 40xx

24
Faculty Development Recruitment Issues
  • Lack of program development and credentialing
    opportunities
  • 1800 Universities and 15,000 Faculty will be
    Affected
  • Lack of real world Experience
  • Traditional development model for educators is
    inadequate
  • Tools and skills necessary

25
Local Excellence ?
  • Walsh College (NSA COE)
  • Eastern Michigan University
  • University of Detroit Mercy (COE)
  • Michigan State University
  • Washtenaw Community College
  • Independent Training

26
Closing
  • An information War is coming someday
  • Richard Clarke, President's Cyber Security Czar,
    June 5, 2002.

27
(No Transcript)