Cyber Security Advanced Education: Preparing the Emerging Workforce

Similar documents
Building new cybersecurity pipelines. NICE Conference 2017 November 8, Strengthening Cyber Workforce Development sans.

Career Paths In Cybersecurity

Strengthening Capacity in Cyber Talent sans.org/cybertalent

ITU CBS. Digital Security Capacity Building: Role of the University GLOBAL ICT CAPACITY BUILDING SYMPOSIUM SANTO DOMINGO 2018

Keeping Your SOCs Full. May 26, Strengthening Capacity in Cyber Talent sans.org/cybertalent

Building the Cybersecurity Workforce. November 2017

CyberSecurity Training and Capacity Building: A Starting Point for Collaboration and Partnerships. from the most trusted name in information security

STUDENT LEARNING OUTCOMES Beacom College of Computer and Cyber Sciences

Which Side Are You On?

Les joies et les peines de la transformation numérique

UPDATED: 10/17/16. Senior Level. Senior Specialty Threat, Consultant, Engineer, Manager. Mid Level Analyst

Mohammad Shahadat Hossain

CYBER SECURITY TRAINING

NISTCSF.COM. NIST Cybersecurity Framework (NCSF) Workforce Development Solutions

Developing Career-Relevant Academic Programs

SECURITY+ COMPETITIVE ANALYSIS 1. GIAC GSEC 2. (ISC)2 SSCP 3. EC-COUNCIL CEH

itsm003 v.3.0 DxCERTS IT & NIST Cybersecurity Digital Transformation (Dx) Enterprise Training Curriculum

itsm003 v.3.0 NISTCSF.COM NICE Training Curriculum & Workforce Planning Program

The fast track to top skills and top jobs in cyber. Guaranteed. FREE TO TRANSITIONING VETERANS

Operationalizing Cybersecurity in Healthcare IT Security & Risk Management Study Quantitative and Qualitative Research Program Results

A New Cyber Defense Management Regulation. Ophir Zilbiger, CRISC, CISSP SECOZ CEO

THE POWER OF TECH-SAVVY BOARDS:

WINNING THE WAR FOR CYBER TALENT

UK Permanent Salary Index November 2013 Based on registered vacancies and actual placements

Security. Protect your business from security threats with Pearl Technology. The Connection That Matters Most

Why the Security Workforce Needs More Women and Men

The fast track to top skills and top jobs in cyber. Guaranteed. FREE TO TRANSITIONING VETERANS

itsm003 v.3.0 DxCERTS IT & NIST Cybersecurity Workforce Development Training Curriculum & Management Program

The fast track to top skills and top jobs in cyber. FREE TO TRANSITIONING VETERANS

Cyber Risks in the Boardroom Conference

CYBER APPRENTICESHIP. Dr. Leigh Armistead, President

CERTIFICATION TRAINING - ISC2

CYBERSECURITY HOW IT IS TRANSFORMING THE IT ASSURANCE FIELD

Hearing Voices: The Cybersecurity Pro s View of the Profession

The fast track to top skills and top jobs in cyber. Guaranteed. FREE TO TRANSITIONING VETERANS

ISACA MOSCOW CHAPTER Chapter meeting 22 September 2016

National Initiative for Cyber Education (NICE) and the Cybersecurity Workforce Framework: Attract and Retain the Best in InfoSec.

School of Engineering & Built Environment

The National Initiative for Cybersecurity Education (NICE) The NICE Workforce Framework, NIST SP , Overview October 4, 2017

PECB UNIVERSITY PECB UNIVERSITY

NISTCSF.COM. NIST Cybersecurity Framework (NCSF) Workforce Development Solutions

The fast track to top skills and top jobs in cyber. Guaranteed.

Hidden Figures: Women in Cybersecurity

SOC Summit June 6, Strengthening Capacity in Cyber Talent sans.org/cybertalent

Introducing Maryville University s CYBER SECURITY ONLINE PROGRAMS. Bachelor of Science in Cyber Security & Master of Science in Cyber Security

Immersion Academy Annual Report 2018

Manufacturing Cybersecurity Cooperative Overview

A United States Cyber Academy Program

Developing the Next Generation Cyber Army VINCENT NESTLER, PH. D., CALIFORNIA STATE UNIVERSITY, SAN BERNARDINO

Cyber Security Incident Response Fighting Fire with Fire

BECOME TOMORROW S LEADER, TODAY. SEE WHAT S NEXT, NOW

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

CYBER SECURITY TALENT SHORTAGE & INDUSTRY DYNAMICS

Account Executive / Account Manager

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

INTELLIGENCE DRIVEN GRC FOR SECURITY

locuz.com SOC Services

The fast track to top skills and top jobs in cyber. Guaranteed. FREE TO TRANSITIONING VETERANS

HCISPP HealthCare Information Security and Privacy Practitioner

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

BRING EXPERT TRAINING TO YOUR WORKPLACE.

What It Takes to be a CISO in 2017

Wolfpack Cyber Academy Training Catalogue

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Security and Privacy Governance Program Guidelines

A Controls Factory Approach To Building a Cyber Security Program Based on the NIST Cybersecurity Framework (NCSF)

Healthcare Security Success Story

A Global Look at IT Audit Best Practices

BHConsulting. Your trusted cybersecurity partner

BACHELOR OF SCIENCE IN INFORMATION TECHNOLOGY

ISACA Enterprise. Solutions and Resources

Val-EdTM. Valiant Technologies Education & Training Services. Workshop for CISM aspirants. All Trademarks and Copyrights recognized.

State Governments at Risk: State CIOs and Cybersecurity. CSG Cybersecurity and Privacy Policy Academy November 2, 2017

Rethinking Information Security Risk Management CRM002

STUDENT AND ACADEMIC SERVICES

School of Engineering & Built Environment

Ingram Micro Cyber Security Portfolio

State of the Cyber Training Market January 2018

Global Security Consulting Services, compliancy and risk asessment services

แนวทางการพ ฒนา Information Security Professional ในประเทศไทย

CyberVista Certify cybervista.net

Collaboration on Cybersecurity program between California University and Shippensburg University

C T I A CERTIFIED THREAT INTELLIGENCE ANALYST. EC-Council PROGRAM BROCHURE. Certified Threat Intelligence Analyst 1. Certified

BHConsulting. Your trusted cybersecurity partner

Driving Global Resilience

Job Specification & Recruiting Profile of Vacancy

Major Program Selection Information. Information Systems An enriching path of study and career

What Does the Future Look Like for Business Continuity Professionals?

Staffing Services UnderDefense your source of experienced professionals to solve security staffing challenges today

Exam4Tests. Latest exam questions & answers help you to pass IT exam test easily

Cybersecurity Employment SecureNinja

Cyber Security School

Reasons to Become CISSP Certified. Keith A. Watson, CISSP CERIAS

BACHELOR OF SCIENCE IN INFORMATION TECHNOLOGY

CYBER APPRENTICESHIP. Dr Leigh Armistead, President

Secure Systems Administration and Engineering

School of Engineering and Computational Sciences

NEW JERSEY INSTITUTE OF TECHNOLOGY. Initiation of Cyber Defense Option. for the Master of Science in

Computers Are Your Future Prentice-Hall, Inc.

THE LIFE AND TIMES OF CYBERSECURITY PROFESSIONALS

Transcription:

Cyber Security Advanced Education: Preparing the Emerging Workforce Scott vonfischer, CISO We are all apprentices in a craft where no one ever becomes a master. Ernest Hemingway

A Unique Perspective on Talent Development Who Am I? Education AS Culinary Arts: Age 21 small gap BS Computer Science: Age 51 MS Cybersecurity Operations Coming soon! Talent Development Experience 25+ IT Experience 15+ IT Security Specific 12+ IT Leadership: CIO, CISO, CTO Risk management team building approach Designed and sponsor IT mentorship programs Sponsor IT Intern program Certification Novel CNE Red Hat Linux Administrator Microsoft MCSE CISSP CIPP/IT ISO Auditor McDLT Experience Yes, I made this up 2

The Talent Gap is Different than the Skills Gap As alarming as the gap in the number of security professionals, is the gap in the basic skills needed Cybersecurity is not part of most CS programs or other university departments core curricula Sophistication of technology and methods used have outpaced the abilities of security professionals Broad Understanding Communication Technical Knowledge Regulatory Knowledge Policy Leadership Certifications Project Mgmt Business Mgmt Legal Security Degree Source: Forrester, 2015 Skills for Success 40% 35% 53% 63% 59% 71% 70% 69% 90% 90% 87% <25% 25-50% 50-75% 75-100% % Candidates Qualified for Recruited Position 4.00% 11.78% 31.78% 52.44% Most hiring managers surveyed, reported that less than a quarter of applicants have the skills for the position they seek 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Source: ISOCA, 2015 Workforce is highly specialized, but suffers from underinvested educational pipelines and disjointed development programs The Internet of Things has created a greater attack surface; more things are connecting to the Internet than people 3

Technical Mastery Four Quadrants of Security Skills Academic Security Researchers Governance, Risk and Compliance (GRC) Hunters and application and network penetration testers Security operators, firewall and systems administrators, forensic analysts = Greater Demand <- Theory - Execution -> Highest demand and growth in the right-most quadrants Shift Right The rigor/discipline of control-based GRC and data science applied to the execution of cyber security Skills Gap crosses all quadrants Based on SANS Four Quadrants of Security Skills 4

Key Trends in Cybersecurity Demand Fastest-Growing Skills in Cybersecurity Job Postings Five-Year Growth Python 309% HIPAA 248% Risk Management 209% Internal Auditing 200% Audit Planning 170% Risk Assessment 169% ITIL 153% Management IS 132% Accounting 121% Configuration Management 106% Source: Burning Glass, 2015 Cybersecurity jobs are in demand and growing across the economy Professional Services, Finance, Manufacturing, & Defense have highest demand Fastest increases in demand are in industries with increasing volumes of consumer data Finance (+137%), Health Care (+121%), and Retail Trade (+89%) Cybersecurity positions are more likely to require certifications (>35%) than other IT jobs (23%) 5

Key Trends in Cybersecurity Demand Positions calling for financial skills or a security clearance are even harder to fill than other cybersecurity jobs Hardest-to-fill cybersecurity jobs call for financial skills, knowledge of regulations like SOx AND traditional IT security skills. More than 10% of cybersecurity have a security clearance requirement. Because finance and IT skills are rarely trained for together, there is a skills gap for workers who meet the requirements of these hybrid jobs. Employers demand a highly educated and highly experienced cybersecurity workforce 84% of jobs specify at least a bachelor s degree, and 83% require at least three years of experience. More than 10% of jobs have a security clearance requirement and take on average 10% longer to fill than jobs without a security clearance. Because of the high education and experience requirements, skill gaps cannot easily be resolved though short-term solutions. Colleges, employers and training providers must work together to cultivate a talent pipeline for these critical roles 6

Execution Skills in Demand Broad Understanding A broad understanding comes from experience, apprenticeship, and a passion for the field Using acknowledged processes, best practice, and professionalism, ensure that workers are competent, prepared and capable of making correct decisions Technical Knowledge Industry-led certifications provide benchmark for skills delivered through training and accreditation Nationally establish certification and licensing requirements Technical Knowledge Broad Understanding Security Professional Plus Analytical Capabilities Analytic Professional, scientific approach as well as analytic and cognitive thinking with structured and disciplined education 7

The Information Security Professional Craft Profession The field is compared to 19th century medicine, rife with self-taught practioners in need of standards in education, certification, and accreditation Information Protection is a profession that requires technical proficiency, but as important is experience, creativity, and passion for learning security Craft The threat landscape changes radically every year; diversity is a force multiplier for the necessary creativity and problem solving skills A smart team of people with different backgrounds, unified in their passion for the craft, make the best incident responders, penetration testers, and security analysts Both! certification and accreditation are important, but wasted without practical experience and genuine passion. CISO s, certification boards and educators need to work together to establish curriculum and tiered standards and criteria for the Information Security professional 8

Technical Knowledge Technical Mastery Broad and deep technical expertise Establish and maintain required levels of training and education Tools into processes; practical experience Credentials Vendor Specific Tools SIEM / Analytics / Forensics Intrusion monitoring Penetration testing (business logic) Firewalls and networking Operating Systems Applications w/ sensitive data (ERP, etc.) Industry Recognized Certifications Broad Knowledge: CISSP (ISC) 2 Privacy: CIPP - IAPP IT Audit: CISA ISACA Pen Testing: CEH EC Certification Postings (1,000) CISSP 102 CISM 85 CEH 10 Security+ 8 GSEC 5 Source: SearchSecurity Survey, 2016 The next national security crisis may not be a terrorist attack on commerce, utilities or shutting down critical infrastructure. The next national security crisis, instead, may be a lack of ability to mitigate or respond to such an attack because there s no one available to mitigate the attack or respond to it. 9

Analytical Capabilities "If our premium universities don t learn from experience, what can we expect from other, less-learned organizations? -- Igor Baikalov; Securonix chief scientist in response to UCLA s second major data breach Benefits Professional, scientific approach Structured, disciplined education Develop and maintain a professional Common Body of Knowledge (CBK) Analytic /Cognitive Thinking The field was born by self-taught hackers; university cybersecurity education must Emulate and nurture that spirit Hone those specific skills Interactive real-world scenario labs and challenges Gamification Abstract thinking, logic puzzling We will never get to the workforce needed until we have the majority of schools and universities teaching the basic skill sets required in the field and this becomes part of a standardized core curriculum, just like basic history, math, and other basic courses. Cybersecurity, after all, is part of everyday life -- Melissa Hathaway 10

An Impractical Approach While some argue for a national clearinghouse association for certifications, there is greater benefit to a decentralized system with centralized oversight and accreditation (like college regional accreditation) Vendors will always know their systems best and the various organizations add greater contributions than just certification 11

A Practical Staff Development Approach Level Example Education Certification Experience Entry Junior SECOPS, IT auditors BS Ethics, Security Awareness SME Engineers, lead auditors BS CISSP or CISA Tool Specific Guru Authors, Security architects, Industry experts Masters Multiple certifications Senior level staff qualifies junior levels as part of the mentoring program Framework integrating common best practices, core curriculum tenets, and minimum standard requirements 1-3 years 3-9 years 9+ years External skills assessments like what is offered by SANS Cyber Talent augments the assessment with actionable statistics Work with higher education to include experience in the curriculum to meet the minimum requirements; Universities should require a minimum number of practical application hours for graduation 12

Additional Resources National Institute of Cybersecurity Education (NICE) o o o Common Framework Organization Planning Tools Training and Assessment Tools http://csrc.nist.gov/nice/ National Institute of Standards and Technology o Cybersecurity Framework o Consistent with ISO27000, COBIT 5, NIST SP800-53, and ISA62443 (ISA99) http://www.nist.gov/cyberframework/ SANS Institute Master s Program o Combination of theory, practical, and leadership disciplines o broad, technical, and analytic -> practical application, certifications, and academic focus http://www.sans.edu/academics/mast ers-programs/msism Cybersecurity Credentials Collaborative o Craft-based advocacy of credentials o Vendor-neutral http://www.cybersecuritycc.org/ (ISC)2 Global Academic Program o University Partnership o Industry-Academic cooperation https://www.isc2.org/ Others o SANS Cybertalent Assessment https://www.sans.org/cybertalent/ o Hack This! https://www.hackthis.co.uk/ o Cyber Siege http://cisr.nps.edu/cyberciege/ o Certification Guide https://www.concisecourses.com/training/#cybersecurityspeciality-courses 13

Questions? Passive Requirements Proactive Leadership Do you require a college degree? 2 year? 4 year? Masters? Do you require certifications? Which ones? Do you advise interns source schools on curriculum? Do you participate in the certification bodies agenda? How much experience? At different levels? Do you have a formalized mentoring program? 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback