INTERNATIONAL INFORMATION SYSTEMS SECURITY CERTIFICATION CONSORTIUM, INC.
Career Enhancement and Support Strategies for Information Security Professionals
Paul Wang, MSc, CISA, CISSP, Paul.Wang@ch.pwc.com
Exam Supervisor / Instructor, (ISC)² Institute
SMAU Milano, 6th, 2003
Copyright 2003 (ISC)², Inc. All Rights Reserved.
Two Part Agenda
1. As the World of the Information Security Professional Evolves
2. (ISC)² is also Evolving to Anticipate and Support: the Individual Careers of Trust Professionals, the Strategic and Tactical Needs of their Employers, the Changing Nature of our Profession, and the Information Community, with an Enhanced Menu of Training, Publications, Services and Credentials.
Part One: As the World of the Information Security Professional Evolves...
Security Evolving to Trust
Trust - we chose the term carefully because it is the real essence of relationships in the networked world.
Security is primarily defensive and inward looking; control is a process to achieve it. But Trust is an ongoing and outgoing interaction that establishes and maintains mutual confidence among several or many entities. It is crucial to the 21st century world.
The Basis of Trust
The development of mutual Trust is based on each player's willingness and ability to continuously demonstrate, to all the other players' satisfaction, that the game is honest, open, following the rules and properly controlled.
This has some profound implications for security and control technologies, processes, relationships, policies, standards, organizations and professionals.
21st Century Trust Characteristics
Reciprocity - the willingness of all the players to extend protection not only to all the other players but also to the network-based environment itself - the common cause. This does not mean equal protection for all; it means appropriate protection for all.
Clarity of Responsibility and Liability
Standardization of Processes, Interfaces and Technologies
External Demonstrability
Trust
Trust requires security and control, but it goes beyond them. It depends on technology and protective mechanisms, but it also involves professionalism, reputation, contracts, law, openness, familiarity, fair business practices and ethics, quality, timeliness and a host of other relationship characteristics.
21st Century Trust Components
The Familiar: Accountability, Authentication, Path Integrity, Authorization, Non-repudiation, Availability, Auditability, Confidentiality, Process Integrity, Privacy, Data Integrity
But in Far Riskier, More Complex, Higher Stakes, Higher Speed, Rapidly Evolving, Larger, Widely Variable, and Interdependent Environments
Trust Guidance and Documentation
Organization Policies (multi-level)
Strategies
Architectures
Procedures
Standards
Designs and Specifications
Awareness and Training Documents
Public Statements and Releases
Trust Technologies
Digital Certificates
PKI structure
Certificate and Registration Authorities
Integrated Authorization
Digital Notaries & Time Stamping
Directory Services
Single Sign-on
File Encryption
Message Encryption
Path Encryption (VPNs)
Network Security (Firewalls, etc.)
Two/Three Factor Authentication
Biometrics
Smart Cards
Platform Security
Anti-Virus Protection
Disaster Recovery
High Availability
Monitoring
Enterprise Application Security
Database Security
Access Control Facilities
Intrusion Detection and Response
And More
Implications for (ISC)²
Our Offerings of Credentials, Training, Publications and Services MUST Anticipate and Support the Needs of a Widening Range of Individual Professionals, their Employers, the Profession Itself and the Larger Information Community.
IT Security Growth Creates IT Security Jobs
28% growth from 2000 to 2001: $4.7B to $6B revenue
116% growth from 2001 to 2005 ($13B)
Job growth: 75,000 unfilled US jobs
Source: The Economist, 2003
IT Security: Fulfilling the Need for Security Jobs
What Is Needed?
IT Security Professionals who Understand Vulnerabilities and Weaknesses
IT Security Policy Makers Who Can Develop Strategies to Mitigate Risk
Improved Security of IT Infrastructures through policies, standards, guidelines, and procedures
IT Security Certification Options (Vendor Neutral Certifications)
(ISC)² - CISSP and SSCP Certification Credential, Concentrations (ISSEP, ISSAP, ISSMP)
SANS - Global Information Assurance Certification (GIAC)
American Society for Industrial Security (ASIS) - CPP
CIW - CIW Professional Certification
CompTIA - Security+ Certification Credential
Institute of Internal Auditors - CIA, Certified Internal Auditor
ISACA - Certified Information Systems Auditor (CISA), Certified Information Systems Manager (CISM)
Disaster Recovery Institute - Certified Business Continuity Planner (CBCP)
[Chart: IT Security - Growth in CISSPs Worldwide, by year: 1997: 700; 1998: 1,100; 1999: 1,836; 2000: 3,370; 2001: 6,907; 2002: 15,368; July 2003: 18,764]
[Chart: IT Security - CISSP Growth Internationally, by region (Canada, Europe, Asia, Other) at Dec 31 2000, Dec 31 2001, Dec 31 2002 and July 31 2003; individual bar values not recoverable from the extracted text]
Part Two: How (ISC)² is Evolving to Anticipate and Support: the Individual Career Needs and Aspirations of Trust Professionals, the Strategic and Tactical Needs of their Employers, the Changing Nature of our Profession, and the Information Community
Trust Roles and Organizations
CISO/CSO, including policy
Business Security Strategy and Architecture
Technical Security Strategy and Architecture
Application / User Security DDDM*
Infrastructure Security DDDM
Network and Directory Services Management
Monitoring, Control, Reporting and Audit
Intrusion Detection, Attack & Penetration, Incident Response
Access, Authorization and Accountability Management
Classification and Data Management
Regulatory and Dictates Compliance
Education and Awareness
Employee, Partner, Stakeholder, Government and Public Relations
*Design, Development, Deployment, Maintenance
May or May Not Include Business Continuity, Privacy, Physical Security
Professional Offerings: Credentials
CISSP - Certified Information Systems Security Professional
SSCP - System Security Certified Practitioner
Specialized - e.g. ISSEP and others to come
Concentrations - in-depth specialized credential enhancements
(ISC)² Associate - early entry to the family
Professional Offerings: Training
Pre-exam or stand-alone
CISSP - current and enhanced
SSCP - new offerings
Concentrations - Advanced Architecture, Advanced Management, Others to come
How to Prepare for Certification
Training:
Instructor Led - Knowledge Transfer, Peer Networking
Computer Based Training - Flexible to adapt to the student's schedule and work requirements
Self Taught - Books, websites
Certification
Examination
Code of Ethics Adherence
Continuing Professional Education Credits / Re-certification
(ISC)² Career Path
Chief Information Security Officer
Chief Privacy or Security Officer
Senior Security Engineer
Senior Network Security Engineer
Senior Security Systems Analyst
Senior Security Administrator
Credentials - The Gold Standards: Certified Information Systems Security Professional (CISSP), System Security Certified Practitioner (SSCP)
Management, Implementation
(ISC)² Career Path: New Focus Areas
CISSP Concentrations:
ISSAP - Information Systems Security Architecture Professional
ISSEP - Information Systems Security Engineering Professional
ISSMP - Information Systems Security Management Professional
Management, Implementation
(ISC)² Certified Information Systems Security Professional
Tailored for experienced information security professionals
Minimum four years cumulative experience in CBK domains
Undergraduate degree required for one year experience abatement
Subscribe to (ISC)² Code of Ethics
Endorsed by another CISSP or senior management
Certification maintained through continuing education
CISSP CBK Domains
Security Management Practices
Law, Investigation & Ethics
Physical Security
Operations Security
Business Continuity & Disaster Recovery Planning
Computer, System & Security Architecture
Access Control Systems & Methodology
Cryptography
Telecommunications & Network Security
Application Program Security
(ISC)² Systems Security Certified Practitioner
Tailored for systems and network security administration professionals
Minimum one year cumulative experience in CBK domains
Subscribe to (ISC)² Code of Ethics
Certification maintained through continuing education
SSCP CBK Domains
Access Control
Administration
Audit and Monitoring
Risk, Response and Recovery
Cryptography
Data Communications
Malicious Code/Malware
Professional Offerings: Industry Support
Industry Advisory Groups - Government Advisory Board for Cyber Security (GABCS), the (ISC)² Government Advisory Board for Cyber Security
Planning Support for Employers and Groups
Special Packaging of Training and Credentials
Special Credentials and Exams - CISSP ISSEP Concentration (developed in conjunction with the U.S. National Security Agency); Others (TBD)
Tailored Training
Professional Offerings: The Profession, Academia and our Constituents
Publications, Forums and Communications
Contributions to the Profession and Professional Affiliations (including other Certifications)
Academic Affiliations
Constituent Services
Constituent Advancement and Support
Sorting It Out: Roles, Credentials, Training
The diagram that follows maps what we believe are the most appropriate, but by no means the only, (ISC)² offerings for some of the roles outlined earlier. These are intended as guides, not mandates.
Development of specially designed credential/training programs for specific industries, enterprises, agencies, institutions and geo-political entities is a major strategic priority for (ISC)².
Our strategy is to carefully monitor marketplace and professional demands and to modify and enhance our offerings as appropriate in response to them.
Whether you're a CISO or just starting your Information Security career, there's an (ISC)² career path for you.
(ISC)² - Trust is the Ultimate Firewall