Merit Annual Meeting

Preparing the Security Workforce of the Future

Jeff Recor
President, Olympus Security Group
Email: [email protected]
Office – 248-608-6784
www.olympussecurity.com


Current Events

• Virus Du Jour:
  – Stopping trains!
  – Widespread infection
• Blackout
• Identity Theft = $1B a year in losses for banks

Organizational Challenges

• Same problems year after year:
  – Companies still vulnerable to “common” viruses
  – Vendors not securing their products
  – Security Professionals not working from standard set of knowledge
• Culture of the Hacker

Discussion Points

• The Feds are coming!
• 3 distinct views:
  – Employers
  – Practitioners
  – Knowledge Development Centers

Personnel Challenges

"(One of the major barriers to improving cyber security is…) an inability to find sufficient numbers of adequately trained and/or appropriately certified personnel to create and manage secure systems."

– The National Strategy to Secure Cyberspace, February 2003

The Feds are Coming!

• Cybersecurity takes a backseat:
  – FUD
  – 9/11…..WMD
• No standards, yet…
• Legislation pending

FUD

• Zero-day Viruses and affinity worms will sunder business records….brokerage house trading records will be scrambled, corporate networks molten…CEOs humiliated.

– Howard Schmidt, Vice Chairman, CIP Board

Accreditation Board

• Movement afoot to formalize security profession:
  – Board forming now
  – Body of practice needs to be defined
  – Licensing process designed
  – Standards, standards, standards

Employers

Hiring Trends…

• 47% report hiring increased in the past year
• 29% reported staffing levels remained unchanged
• 19% reported decreases in security staff levels

Global Security Survey, 2003: Deloitte

ITAA Employer Survey

• 60% not satisfied they can hire “right” security talent:
  – 40% said it was hard to quantify candidates
  – 36% interview process not well defined
• 81% recognize security as a “separate” profession

ITAA Employer Survey

• CISSP = Most Important (57%)
• Security+
• Vendor Specific
• CFE
• SANS GIAC

ITAA Workforce Study, 2003

Employee

Acquiring Knowledge

• How do I learn the fundamentals needed to secure my environment?
• How do I acquire the skills to become a valuable employee in the security field?

Certifications

Industry
• CISSP
• CISA
• CFE
• SANS
• Security+
• CIA
• CBCP

Vendors
• Cisco
• CheckPoint
• ISS
• RSA
• Microsoft
• Verisign
• Entrust

Audience Poll

Which item is the most important for showing your security skills to a potential employer during an interview?

a. Resume
b. Non-vendor security certifications
c. Formal education in security discipline
d. Vendor-specific product certifications
e. Presenting at security conferences / classes

KDC

Current State

• Training Programs
  – Boot camps
  – Certification factories
• Higher Education
  – Master’s Degree Programs
  – Certificate Programs
• Standards Movement

Higher Education

• Security Programs
  – Master’s Degree
  – Undergraduate Degree
  – Certificate Programs
  – K through 12 !!

Education Trends

• Before - Mechanical - bits and bytes
  – Forensics programs
  – Intrusion-detection and prevention programs
  – Security technology standards development and other technical programs
• After - Business value and critical thinking
  – ROI
  – Business Process Analysis
  – Value Add
  – Business value and critical thinking
  – ENABLEMENT

Security Education

• Less than 60 PhD candidates in INFOSEC / IA
• 17 PhDs in IA granted so far (2003)
• 50 NSA COEs mostly focus on CIS-style programs
• Much more is needed…

National Training Standards

• Information Security Professionals – NSTISSI No. 4011
• Information System Security Officers – NSTISSI No. 4014
• Designated Approving Authority – NSTISSI No. 4012
• System Administrators – NSTISSI No. 4013
• System Certifiers – NSTISSI No. 4015
• Risk Analyst – NSTISSI No. 40xx

Being Updated

Under vote

Most Recent

Under vote

Faculty Development & Recruitment Issues

• Lack of program development and credentialing opportunities
• 1800+ Universities and 15,000+ Faculty will be Affected
• Lack of “real world” Experience
• Traditional development model for educators is inadequate
• Tools and skills necessary

Local Excellence ?

• Walsh College (NSA COE)
• Eastern Michigan University
• University of Detroit Mercy (COE)
• Michigan State University
• Washtenaw Community College
• Independent Training

Closing…

• “An information War is coming someday…”

– Richard Clarke, President’s Cyber security Czar, June 5, 2002.