Human Resources Development in the Field of Cyber Security October 2014 Masayuki KOIKE Director, Local Informatization and Human Resource Development Office, Information Service Industry Division, Commerce and Information Policy Bureau, Ministry of Economy, Trade and Industry (METI)
The Challenge in Cyber Security Human resources (1): for Practical Business Players as Enterprises Many information systems in Japan are closely connected with practical business in enterprises and organizations. It is often the case that construction and operation of these information systems, including security measures, are entrusted to specialists (IT vendors). In principle, engagement of personnel of enterprises- IT users with thorough knowledge on the details of their practical business is indispensable on occasion of the construction and operation of its information system with reflection on the details of practical businesses. According to an estimation by the Information-technology Promotion Agency (IPA), there are around 265 thousand people working in the information security field in Japan and only 105 thousand people among them has necessary skills. Hence, it is necessary to organize certain education programs and trainings for the other 160 thousand people. Besides, there are around 80 thousand human resources in potential shortage. It is an urgent challenge in light of information security policy of Japan to take necessary measures toward solution of this problem. Source: New Information Security Human Resource Development Program (the decision of Information Security Policy Meeting on May 19, 2014) 1
Basic knowledge requested to every business person who utilizes IT IT Passport Advanced Knowledge/ Skill IT Strategist Systems Architect Project manager Network Specialist Database Specialist Specialist Information Security Specialist IT Service Manager Systems Auditor On Information Technology Engineers in Japan Reflecting on the lack of Information Technology Engineers and the demand for establishment of Programmer certifying examination, the Information Technology Engineers (ITEE) started in 1969. Now around 500 thousand examinees participate every year and it is utilized by a number of enterprises and educational institutes. 17.53 million people applied and 2.17 million participants passed in the period of 45 years by the end of 2013 FY. The ITEE plays an important role in IT human resources development in Japan. For all the business people For IT Engineers (Vender side/ User side) (IP) Applied knowledge/s kill Fundamental knowledge/s kill (ST) (SA) (PM) (NW) (DB) (ES) (SC) (SM) (AU) Applied Information Technology Engineer (AP) Fundamental Information Technology Engineer (FE) Embedded Systems available all year round applicable both in spring and in autumn available in spring available in autumn 2
Basic knowledge IT Passport Advanced (reference) the overview of the Information Security Specialist (SC) The Targeted People The Information Security Specialist is Increase in the targeted cyber attack New type of unauthorized access appearance of new type viruses The threat of theft of secrets and stop of devices (The Threat of increase in loss of enterprises) THREAT Where located in the whole map of Information technology Engineers Appropriate Security Management by Specialists is Necessary Evaluation through national examination National to evaluate Security Specialists For All the Business people For IT Engineer (Vender Side / User side) Those who has established specialties as advanced IT engineer, supports realization of security functions in plannig, requirementsdefining, developing, operating and maintaining information system in accordance with information security policy, or equip information system basis, and supports information security management as a specialist of information security technology. the statistical data of the Information Security Specialist (for the last 3 years) 2013 FY 2012 FY 2011 FY No. of applicants 56,452 57,944 57,243 No. of participants 36,905 39,092 37,198 No. of the successful 5,147 5,407 5,110 (% of the no. of SC applicants to all) (12.0%) (11.9%) (9.9%) % of pass 13.9% 13.8% 13.7% Applied Funda mental S T S A P M N W D B AP FE E S S C S M A U The scope of questions Planning, requirements-defining, development, operation and maintenance of information security system (such as secureprogramming) Operation of information security (such as countermeasures against unauthorized access) Information security technology (countermeasures against viruses) Management of development(such as Information security management of development environment) Information security-related legal requirements (such as Copyright Act, Personal Information Protection Act) 3
Reference: The overview of IT Passport (IP) For IT Passport adopted the Computer-Based Test (CBT) for the first time as a national examination in Japan. is available at any time, anywhere, any times you want. You can choose the data/time of test in accordance with your schedule!! At any time all year round! ( Exam schedule differs according to the test center) Approximately 120 test centers all over Japan The score divided by sphere Available wherever you want! available(strategy, management, You can check not only the result but also the score! technology). Useful for (Able to check out the score after the exam at once. ability measurement. Able to check the score divided by sphere. Always new technologies are reflected. You can try any times you want to make sure your level-up! How to Apply How to Apply through internet (at the official website) the Fee 5,100 JP Yen (tax included) Test Schedule Application and Exmination available all year round Boucher Ticket system for group application available! For more details on the Web site Official Website (in Japanese) (https://www3.jitec.ipa.go.jp/jitescbt/) iパス Official Character of IT Pass Exam. SEARCH 4
METI Activity No.1: Strengthening the frequency of Information Security-related questions in Information Technology Engineers >Background> Sharp Increase in Importance of Information Security The shortage of Information Security Human Resources both in quantity and quality Necessary to improve IT literacy among the whole nationals including knowledge of Information Security. Necessary to excavate, foster and make use of Information Security Human Resources. Increased the frequency of Information Security- related questions in all of the types of Information Technology Engineers Exams, including IT Passport Exam. IT Passport Exam. Sharp Increase in the Percentage of Information Security related Questions (by twice) Fundamental IT Engineer (FE) Applied IT Engineer Exam.(AP) Advanced Exam. Source: IPA Press Release http://www.ipa.go.jp/about/press/20131029.html In the morning exam increased the percentage of Security related questions In the afternoon exam the status of Information Security sphere has been changed from selective to obligatory. In the morning exam.Ⅰand Ⅱ increased the percentage of Security related questions In IT Strategist Exam.(ST) and Project Manager Exam. (PM) added Security-related questions to the scope of morning exam.Ⅱ. (Security questions appear in all the category of advanced exam) (Note) IT Pass exam changed from May 7 th 2014. The rest of exams changed from the spring exam in 2014. 5
Information Technology Engineers in Asia The globalization of software technology and market has led to the increase in necessity of securing trans-border highquality IT human resources and enhancing their liquidity. Therefore, METI is arranging coordination with the related institutions towards mutual recognition of IT Engineers and enlargement of similar examination to ITEE. To enlarge these arrangements in Asian region etc. for the sake of securing advanced human resources oversees and enhancing their liquidity. The results achieved: Mutual Recognition with 12 Asian countries/regions (Bangladesh, China, India, Korea, Malaysia, Mongolia, Myanmar, Philippine,Singapore, Thailand. Taiwan, Vietnam) Arrangement of Common through assistance in Asia: 7 countries (Bangladesh, Malaysia, Mongolia, Myanmar, Philippine, Thailand, Vietnam) Special Measuresfor Immigration Control on the base of Mutual Recognition To the passers and holders of the examination and the qualifications listed in Public Notice of the Ministry of Justice, a preferential immigration treatment is applied. It is about the criteria pertaining to the status of residence, which is required to work in Japan as Engineer or for Designated Activities. Every examination and qualification listed in the Public Notice of the Ministry of Justice can be counted as the points in Points-based preferential immigration treatment for highly skilled foreign professionals system. 6
METI Actibity No.2: To consider the creation of a new examination towards solution of Shortage of Human Rsources Issues To create a new category Information Security Management with scope of necessary knowledge for operation of security policy of organization, in order to solve the problem of shortage of information security human resources in companies- IT users. (Aiming at its start from 2016 FY.) <Background> The rapid spread of portable devices such as smart-phones and use of cloud services has lead to mutual connection of systems and devices inside and outside enterprises. The period of Internet of Things is coming up. Taking into account the complicatedness and development in cyber attack techniques, it is necessary for all the enterprises, including manufacturing industry and critical infrastructure industry, to design items/service and business plan with care for external threats. <The shortage of information security human resources > In Japan there is shortage of around 80 thousand information security human resources. Among 260 thousand engineers involved in information security measures 160 thousand perople have limited capability (Estimation by IPA) <Challenge> Proactive measures should be taken not only by IT vendors but also IT users. In light of spread of mobile devices, it is urgent task especially for companies- IT users to develop human resources who are capable of educating general users inside the company and taking security measures in cooperation with IT engineers. <Countermeasures forward> To create information security management examination category which will evaluate the necessary knowledge and capability of human resources in charge of security in enterprises, within the framework of Informaton technology Engineers as a national examination i7
The Challenge for security Human Resources No.2 Need for the human resources with advanced specialty and cutting-edge ability Information security sphere keeps changing rapidly. To handle the everydayoccuring new incidents and advaced incidents, it is not enough only to improve the quality of the general ability of personnel in charge of information security and solve the HR shortage. It is necessary to secure the cutting-edge human resources with advanced speciality who are capable of creating new solutions in accordance with environment change. The human resources with advanced specialty can lead the engineers in charge of telecommunication sector. They can also contribute to improvement of ability of next generation of Information security human resources, and to protection from global attacks and to creation of new industry. [Source: New Information Security Human Resource Development Program (the decision of Information Security Policy Meeting on May 19, 2014)] 8
METI activity No.3 : Overview of Security Camp To expand the range of young security human resources scouting and to create global top-level resources are necessary to appropriately deal with cyber attacks with high complexity. To hold training camp for youth (under 22 years old) by private companies and IPA and to transfer security technology, including the ethical aspect, and leading-edge know-how by front-line engineers. So far 480 students participated (in 2004FY- 2014FY). To arrange security camps in regional areas and to expand the skirt of security human resources through exchange programs. Lecturers Top-level engineers To promote scouting and fostering young security human resources through Public- Private Partnership Security Camp National Contest (training camp-style lecture) Total participants: 438 students (in 2004-2013 FY) Security Camp Organization Conference Exchange with companisconference members The selected cutting-edge human resources participate in security camp (general meeting) Security Camp Organization Conference Established to organize spread and enlarge Security- Camp with distinguished lecturers in Business and Education sectors to scout and foster young security human resources. The conference consists of 30 members-companies- organizations(as of Feb. 2014). 2014 Security Camp : Main Results <National Contest> Period: August 12-16 place:pref. Chiba Participants:42 <Regional Contest> Period: May 31st - June 1 st. Place: pref. Aichi Participants:101(the first day), 19(the second day) Regional Contests Local Lectures exchanges caravans Period :August 29-31 Place: pref. Fukuoka Participants:106(the first day), 19 (the second day) Enlarge skirt and circle of young cutting-edge human resources hunting Period :September 13-14 Place:pref. Fukushima Participants :20 To be organized in Hokkaido, Okinawa 9
METI Activity No.4 :CTF(Capture the Flag) Contest through Private- Public Partnership In 2012 FY the first contest was organized as METI s commissioned project to research feasibility and effectiveness of the CTF contest as a platform for practical training. From 2013 FY through Private- public Partnership. In 2013 FY more than 1300 people participated CTF(Capture The Flag) is a contest in which participants struggle to get the flag- information stored in the system. It is practical training with assumption of occurrence of information security attack. 2012 FY (research) 2013 FY~ (Private- Public Partnership) CTF Contest Organizer Gov. bodies/organizations Information Security Policy meeting entrust Private Sponsor support Japan Network security Association (NPO)Implementation Committee support Operated by NRI Secure Technologies and so on Targeted Patticipants Business person no younger than 23 Other CTF Contest for students were also organzed To organize Regional Contest from August. In March 2014 National Contest in Tokyo. Regardless of position, age and nationality National Contest Regional Regional Regional Regional Private Company, organization Targeted Participants Gov organization Students 10