
Evolution of IT Security Profession

This article discusses the evolution of the IT security profession, the importance of IT security, IT security governance, workforce development, and the role of professional certifications. It also explores the incentives for the IT workforce in the State's incentive program.


Presentation Transcript


  1. IT SECURITY WORKFORCE DEVELOPMENT and THE ROLE OF PROFESSIONAL CERTIFICATION
  Jane Scott Norris, MS CISSP CISM
  Chief Information Security Officer, U.S. Department of State
  FEDERAL INFORMATION SYSTEMS SECURITY EDUCATORS ASSOCIATION, March 2004

  2. Learning Cycle: Learning, Awareness, Confidence, Success, Achievement, Sharing

  3. Today’s Topics
  • Evolution of the IT security profession
  • IT Security Governance
  • IT security workforce development
  • The role of certifications, their benefits and limitations
  • State’s incentive program for the IT workforce

  4. Evolution of IT Security Profession

  5. Importance of IT Security
  • Increasing dependence on IT
  • Increasingly interconnected world
  • Irrelevance of geographic borders
  • Software rushed to market
  • Easily accessible, malicious tools
  “The sophistication of the attack is growing, but the sophistication of the attacker is not.” (Dr Ron Ross, NIST)

  6. Evolution of the IT Security Profession
  Significant change over the past decade:
  • Number of people dedicated to information security has grown from hundreds to thousands
  • Information security used to be a collateral duty
  • Office of Personnel Management has created a separate IT job series, of which information security is an identified sub-series
  • Senior level positions have been created in Information Security
    • CISO
    • Direct report to CIO or other senior management official
  • Professional certifications have proliferated

  7. IT Security Governance

  8. Emergence of IT Security Governance
  Repeated Calls for Action
  • ISO 17799
  • Audit Community
  • Business Software Alliance Framework
  • National Cyber Security Summit
  Spotlight on IT Security
  • Political Interest
  • Laws, Regulations and Guidance
  • Managerial Focus

  9. Political Interest
  Privacy and Information Security
  • Crypto Wars of the 90s
  • Legislation
    • GISRA and FISMA
    • Sector Specific Legislation
  Oversight
  • Congressional Grades
  • Oversight Hearings
  • GAO Reviews, e.g. 1997 Report
  • OMB Report Cards
  • President’s Management Agenda
    • Cabinet agency scorecards
    • E-gov includes security

  10. Laws and Regulations
  Government
  • 1997: PDD 63 – Critical Infrastructure Protection
  • 2000: GISRA
  • 2002: FISMA
  • 2003: HSPD 7
  Sector Specific
  • 1996: HIPAA
    • Privacy and confidentiality in healthcare
  • 1999: GLBA
    • Protection of integrity and confidentiality of consumer financial records
  • 2002: Sarbanes-Oxley Act
    • Security of accounting information systems

  11. National Guidance
  • NIST guidelines
    • Security plans
    • Risk Management
    • Certification and Accreditation
    • Awareness, Training and Education
  • National Strategy to Secure Cyber Space
    • Public Private Partnership

  12. Managerial Focus
  Modern business model:
  • IT is no longer a support service
  • IT is integral to the business
  IT security is a management issue:
  • Risk Management
  • Incident Management
  • Business Continuity

  13. IT Security Workforce Development

  14. IT Security Governance and the IT Security Workforce
  • 1997: GAO Report
  • 1998: NIST SP 800-16
  • 2002: FISMA
  • 2003: National Strategy to Secure Cyber Space

  15. 1997 GAO Report
  • In 1997 the General Accounting Office (GAO) identified information technology (IT) security as “a new high-risk area that touches virtually every major aspect of government operations” (report # GAO/HR-97-30)
  • Identified underlying people factors, not technological factors, e.g.:
    • “insufficient awareness and understanding of information security risks among senior agency officials,”
    • “poorly designed and implemented security programs,”
    • “a shortage of personnel with the technical expertise needed to manage controls,” and
    • “limited oversight of agency practices.”

  16. NIST Training Continuum
  • Awareness: to focus attention on security
  • Training: to produce relevant and needed security skills and competency
  • Education: to integrate all (security skills and competencies) into a common body of knowledge, adding a multidisciplinary study of concepts, issues, and principles
  • Professional Development (Organizations and Certifications): imply a guarantee as meeting a standard by applying evaluation or measurement criteria

  17. Awareness, Training & Education
  “The Human Factor in Training Strategies” by Dorothea de Zafra, Nov. 1991, as quoted in NIST SP 800-16

  18. FISMA and IT Security Training
  • Senior Agency Official (CISO) shall possess professional qualifications, including training and experience
  • CIO/CISO shall train and oversee personnel with significant responsibilities for information security

  19. National Strategy to Secure Cyberspace
  • February 2003
  • Priority III: A National Cyberspace Security Awareness and Training Program
    • Awareness, Training and Certification
  • “A lack of trained personnel and the absence of widely accepted, multi-level certification programs for cyber security professionals complicate the task of addressing cyber vulnerabilities”

  20. National Certification Program
  Hun Kim
  • “DHS will encourage efforts that are needed to build foundations for the development of security certification programs that will be broadly accepted by the public and private sectors”
  • National IT security professional certification suite (vendor neutral)
  • Accrediting body

  21. Federal Agency Initiatives
  • DoD encouraging IT security workforce credentials
  • NSA
    • Identifying academic centers of excellence
    • Special government extension to CISSP: ISSEP
  • Veterans Affairs using certification to professionalize its security workforce
  • Cyber Corps (civilian and defense versions) is also an important source of new additions to the workforce
  • State Department using skills incentive pay

  22. Academic Initiatives
  • IRM College at NDU
    • Information Operations
    • Information Assurance
    • Designated Approving Authority
  • Academic centers of excellence program has made impressive strides over the past few years
  • Community colleges helping prepare people to enter the IT security workforce

  23. Industry Initiatives
  • Professional Groups
    • ISACA
    • ISSA
    • (ISC)2
  • Professional Literature
    • SC Magazine
    • Information Security Magazine
    • CSO Magazine
  • Certifications
    • Broad based to specific technology

  24. Security Certifications
  (Chart placing certifications on two axes: Vendor Neutral vs Vendor Specific, Technical vs Managerial)
  • Checkpoint F/W
  • CISCO
  • Symantec
  • GIAC (forensics, f/ws, incident handling)
  • SSCP
  • CompTIA’s Security+
  • CISSP
  • CISM
  • CISA

  25. Role of Certification

  26. Certifications and the IT security workforce
  • Factors influencing the IT security “challenge”
    • Rapid increase in demand for qualified personnel
    • Complexity of the problem
  • Trend has been to hire skilled workers (particularly contractors) rather than train the existing workforce
  • Employers see certifications as a prima facie metric of competence and ability in a complex world
  • Certification validates a specific set of educational and experiential qualifications
  • Indicative of personal initiative and commitment

  27. Certification vs Education
  • Is certification becoming a substitute for professional education?
  • IT security is an ever-changing discipline, therefore we need a career-long learning strategy
  • Education
    • More general
    • Learn to think
  • Certification
    • Training
    • More specialized
    • Learn to do
  • Continuing education requirements of (ISC)2, ISACA and others

  28. Benefit of Certification

  29. Costs of Certification
  • EFFORT!!
  • Time
  • Money
    • Average cost for class/books/test: $2750

  30. Benefits
  Credentials that require experience and continuing education
  • Benefit to the Profession
  • Organizational Gain
  • Personal Gain

  31. Organizational Gain
  • Improves IT security workforce
  • Identifies initiative
  • Provides known skill sets and common lexicon
  • Helps as a Filter or Differentiator
  • 82% stay with organization*
  * www.CertMag.com Salary Survey, Dec 2003
  Source: “The Human Factor in Training Strategies,” a presentation to the Federal Computer Security Program Managers’ Forum, by Dorothea de Zafra, November 1991.

  32. Personal Gain
  • Skills
  • Knowledge
  • Confidence
  • Respect
  • Advancement potential
  • Job Security

  33. Personal Financial Gain
  Premium Bonus Pay* for security certifications:
  • Has grown 16% over past 2 years
    • Compared to a drop of 6% in value for overall IT certifications
  • Over the past year
    • 25% increase for holders of CISA
    • 22% increase for CISSP holders
    • 13% increase for holders of GIAC Certified Windows Security Administrator
  In DC, on average, CISSP holders make $20K p.a. more than MCSE**
  * Foote Partners Survey quoted in SC Magazine, November 2003
  ** CertMag.com

  34. Beyond Certification

  35. Beyond Certification
  • What’s your goal?
  • Are more certifications better?
  • Are certifications enough?
    • Need experience
    • Continuous learning
  For management positions, need to complement security certifications with:
  • Management training
    • Project Management
    • MBA
    • Master’s-level business or IRM courses
  • CSO Study: 66% of security executives have academic degrees
  • Customer Service

  36. CSO Survey
  408 respondents from across government and industry
  • 79% security executives
  • 20% held CISSP
  • 7% held CISA or CCP
  • 66% held academic degrees
  • 14% held MBA
  • Only 18% “…agreed that managers in their company understand their roles and responsibilities in regards to security,” and one-third said security considerations are a routine part of the company’s business processes
  CSO Online, June 2003

  37. Department of State’s Skills Incentive Program

  38. History of SIP
  • Devised in 1997 – 1998
    • High vacancy rate in IT skill codes
    • High percentage of people eligible to retire
    • Deploying modern technology
  • Cross-bureau working group
    • IT, HR, Finance, Unions
  • Implemented in FY 1999
    • New hire bonuses and retention incentives

  39. Skills Incentive Pay
  • Bonuses for IT and IRM credentials
  • Security credentials added in 2000
  • Changed this fiscal year
    • Continuing education requirement
    • Pilot Program – one year at a time

  40. SIP Program details
  • Levels: 5%, 10%, 15%
  • Qualifying Credentials and examples:
    • Degrees: Bachelors, Masters in IT or IRM
    • Graduate level programs: NDU CIO certificate / NDU IA certificate
    • Vendor neutral certifications: A+, CISSP, GIAC
    • Vendor specific certifications: MCSE, CCNP

  41. Outcome of State’s SIP Program
  • 62% of IT workforce qualify
  • $5.5m paid since inception
  • Level of expertise has increased
  • Vacancy level is very low or zero
  • Training float created
  • Recognized as a government best practice

  42. Summary

  43. Summary
  • Spotlight is on IT security
  • Need to professionalize the IT security workforce
  • Certification is a good indicator of knowledge and skills
  • Certification benefits the organization and the individual
  • Certification alone will not ensure organizational or individual success
