HOW TO ADDRESS THE CURRENT IT SECURITY SKILLS SHORTAGE




HOW TO ADDRESS THE CURRENT IT SECURITY SKILLS SHORTAGE: ISACA'S CYBER SECURITY NEXUS
Ivan Sanchez-Lopez, Senior Manager Information Security, IT Risk & Continuity, DHL Global Forwarding
ISACA Luxembourg AGM, 29.04.2015

SESSION OVERVIEW:
1. ABOUT ISACA
2. STATUS OF THE IT SECURITY INDUSTRY
3. THE IT SECURITY SKILLS SHORTAGE
4. ISACA CYBER SECURITY NEXUS (CSX)
5. ISACA YOUNG PROFESSIONALS

ABOUT ISACA
For more than 40 years, ISACA has been a leading global organization setting standards for information governance, security and audit practice. It is a non-profit, global member association of:
- IT Audit and Assurance professionals
- IT Security professionals
- Risk & Compliance professionals
- Governance professionals and more!
Nearly all industry categories are represented: financial, public accounting, government/public sector, technology, healthcare, utilities and manufacturing.

ABOUT ISACA: A TRULY GLOBAL ORGANIZATION
One International Headquarters Office. 204 Chapters in 86 Countries:
- 84 in North America
- 44 in Europe
- 34 in Asia/Middle East
- 21 in Latin America
- 12 in Africa
- 9 in Oceania
(Source: ISACA International data as of April 2014)

ABOUT ISACA: ISACA'S MEMBERS, GLOBAL REACH
More than 110,000 members in over 180 countries (including at-large members where no chapters exist):
- Region 1: 26,766
- Region 2: 5,536
- Region 3: 32,342
- Region 4: 54,994
- Region 5: 3,932
Source: ISACA International map data as of April 2014. NOTE: Europe and Africa are one region.

ABOUT ISACA: WORLDWIDE CONFERENCES, EDUCATIONAL SEMINARS & CERTIFICATIONS

ABOUT ISACA: GLOBALLY RECOGNIZED CERTIFICATION PROGRAMS (counts as of June 2014)
- 111,083 CISAs certified since inception in 1978
- 25,399 CISMs certified since inception in 2003
- 6,099 CGEITs certified since inception in 2007
- 17,729 CRISCs certified since inception in 2010

2. STATUS OF THE IT SECURITY INDUSTRY

STATUS OF THE IT SECURITY INDUSTRY: WHERE WE ARE NOW
- According to the 2015 Verizon Data Breach Investigations Report, there were 79,790 security incidents and 2,122 confirmed data breaches during 2014.
- The number of security vulnerabilities increased 55% over a five-year trend, according to Secunia's Vulnerability Review 2015.
- PwC reported in its Global State of Information Security Survey 2015 that the number of detected information security incidents has risen 66% year over year since 2009.
- Zero-day vulnerabilities rose by almost 100% (from 14 in 2013 to 25 last year), with vulnerabilities like Heartbleed, POODLE or Shellshock disclosed.

STATUS OF THE IT SECURITY INDUSTRY: THE THREAT FOR OUR SOCIETY IS REAL

STATUS OF THE IT SECURITY INDUSTRY: THE THREAT FOR OUR COMPANIES IS REAL
Information security, IT security and cybersecurity are no longer an IT-only subject: it is about protecting the company and protecting the brand. 2014 will probably be remembered as the first year in which security breaches captured the attention of the media, with companies like Sony Entertainment, Target or Home Depot hacked and required to pay hundreds of millions of US dollars to cover the costs of the attacks. Trust takes years to build, but just seconds to destroy.

STATUS OF THE IT SECURITY INDUSTRY: WHERE ARE WE GOING TO?
- ISACA's Advanced Persistent Threat Awareness Study results show that 92% of respondents feel APTs are a serious threat, and 66% think it is only a matter of time.
- In the State of Cybersecurity: Implications for 2015 survey conducted by ISACA and RSA, 77% of respondents reported an increase in attacks in 2014 over 2013. Even more, 82 percent predicted that it is likely or very likely they will be victimized in 2015.
- According to Verisign's Q4 2014 DDoS Trends report, the average DDoS attack size saw a 14% increase over Q3 2014 and a 245% increase year over year.
- Cyberattacks emerge as a top technological risk in the World Economic Forum's Global Risks 2015 report: interstate conflict is no longer physical but uses economic means and cyber warfare to attack people's privacy as well as intangible assets.

STATUS OF THE IT SECURITY INDUSTRY: MORE SKILLED PLAYERS AND NEW BUSINESS MODELS
As we are becoming the first always-connected generation, the traditional threat agents are moving in that direction, too. Cyber terrorists, hackers and governmental agencies are:
- More skilled, more professional
- Better funded
- More proactive
- More ubiquitous
New technologies like IoT, wearables, Big Data, M2M/V2V and eHealth create completely new (and bigger) concerns for IT security and privacy. New business models rely on technologies that were designed with a completely different security approach in mind.

STATUS OF THE IT SECURITY INDUSTRY: THE SECURITY ICEBERG
And this is just what we see... because we all know there is much more down there.

STATUS OF THE IT SECURITY INDUSTRY: ARE WE READY TO EMBRACE THIS?
So the question is: are we prepared for this? As an organization, how can ISACA contribute?

3. THE IT SECURITY SKILLS SHORTAGE

THE IT SECURITY SKILLS SHORTAGE: DO WE REALLY HAVE AN IT SECURITY SKILLS SHORTAGE?
- According to the Cisco 2014 Annual Security Report, "The security talent shortage makes this problem worse [...] It's estimated that by 2014, the industry will still be short more than a million security professionals across the globe."
- (ISC)² concludes in its Global Information Security Workforce Study that there is a dangerous shortage of skilled professionals in the cybersecurity profession, and that this shortage is negatively impacting organizations and their customers, leading to more frequent and costly data breaches.
- The UK cyber security strategy, launched in 2011, identifies six key challenges in implementing the cybersecurity strategy; one of those is addressing the UK's current and future ICT and cyber security skills gap.

THE IT SECURITY SKILLS SHORTAGE: THE CHALLENGE OF HIRING SECURITY PROFESSIONALS
The State of Cybersecurity: Implications for 2015 survey conducted by ISACA and RSA indicates that cybersecurity is faced with a skills shortage. ISACA: "Increased attention to cybersecurity by governments and enterprises, as well as an evolving threat landscape, are combining to create an expected exponential increase in cybersecurity jobs that will require skilled professionals." The survey data in this ISACA/RSA Conference study seem to confirm that enterprises are having a difficult time hiring skilled people: it takes 53% of organizations between 3 and 6 months to fill a position, and 10% cannot fill them at all.

THE IT SECURITY SKILLS SHORTAGE: FINDING THE RIGHT CANDIDATE WITH THE RIGHT SKILLS
According to the study, even if companies are eventually able to hire professionals, most applicants submitting resumes do not have adequate skills to meet the needs of the business. In fact, more than 50% of the survey respondents reported that less than one-quarter of applicants are truly qualified for the open positions. Among hired individuals, security professionals continue to see a skills gap. The largest gap exists in the ability to understand the business, followed by technical skills and communication.

THE IT SECURITY SKILLS SHORTAGE: INCREASING PRESSURE ON SALARIES
The (ISC)² 2015 Global Information Security Workforce Study, conducted in cooperation with Frost & Sullivan and recently presented at the RSA Conference 2015, is another good reference for understanding the current IT security skills shortage. Completed by 13,930 respondents, it indicates that security concerns continue to escalate while the workforce shortage is even worse than we think. As there is a growing demand for cybersecurity professionals that the current supply cannot meet, the pressure on price (salaries) keeps increasing for individuals with certified security skills.

THE IT SECURITY SKILLS SHORTAGE: SECURITY PROFESSIONALS, A PRECIOUS ASSET
The good thing is: salaries for qualified security professionals seem to be increasing, as they are becoming a precious asset. The bad thing is: is this sustainable?
Your security professional: my precious asset.

4. ISACA CYBER SECURITY NEXUS (CSX)

ISACA CYBER SECURITY NEXUS (CSX): CURRENT CERTIFICATION PROGRAMS
Traditional certification programs have high entry requirements for people with limited or no experience in a security-related function. Besides passing the exam, obtaining the certification requires practical experience in several IT security domains. The approach is rather managerial: even people with hands-on security experience might not be familiar with a number of topics covered in the exams.

ISACA CYBER SECURITY NEXUS (CSX): WHAT IS CSX ABOUT?
The Cybersecurity Nexus (CSX) is a complete program designed to provide cybersecurity resources for professionals at every level of their careers. Cybersecurity Nexus represents the one central place where professionals can find the information they need related to cybersecurity training, certification, guidance, career development and community. The new Cybersecurity Nexus certification model includes skills-based training and performance-based certifications, specifically created for professionals who want to enter the IT security area and/or specialize in any of the five NIST cybersecurity domains (Identify, Detect, Protect, Respond and Recover). www.isaca.org/cyber

CSX FUNDAMENTALS CERTIFICATE
A recent survey of ISACA's student members shows the majority (88%) plan to work in a field requiring cybersecurity knowledge.

CSX FUNDAMENTALS CERTIFICATE
But fewer than half say they will have adequate skills for the job.

ISACA CYBER SECURITY NEXUS (CSX): CSX CERTIFICATION PATH

CSX CERTIFICATIONS: TARGET AUDIENCE AND CORE DOMAINS
The CSX Fundamentals certificate is already available and is targeted towards those preparing for a career or new to the field, or as a cybersecurity refresher course. The foundational level covers five domains:
1) Cybersecurity concepts
2) Cybersecurity architecture principles
3) Security of networks, systems, applications and data
4) Incident response
5) Security of evolving technology
CSX Practitioner training will be available in June 2015, with the exam available in July 2015. The CSX Specialist series and CSX Expert training and exams will be available during the second half of 2015.

CSX CERTIFICATIONS: TRAINING AND EXAMINATION METHODOLOGY
The CSX training and skills verification is an adaptive, performance-based cyber lab environment that measures professionals' ability to perform cybersecurity tasks based on their problem-solving approach in real time. The online exam is remotely proctored. Results are shared immediately, and those who pass receive a certificate. Continuing professional education (CPE) will require certification holders to annually demonstrate skills in a lab or other skills-based environment, in addition to participating in knowledge-based learning. Certification holders are required to re-test every three years at the highest level they have achieved.

CSX FUNDAMENTALS CERTIFICATE: EDUCATION, SEMINARS AND CONFERENCES
ISACA offers a series of free cybersecurity webinars through the CSX program. In addition, a number of events and conferences have been scheduled during 2015 in order to boost the implementation of the program. ISACA will also host the inaugural CSX 2015 conference in Washington DC, from 19-21 October 2015. North America is just the first step; worldwide events will follow in 2016 and 2017. https://www.isaca.org/cyber-conference/index.html

CSX FUNDAMENTALS CERTIFICATE: RESEARCH AND GUIDANCE
Through CSX, ISACA has issued practical guidance for implementing the US Cybersecurity Framework (developed by NIST, which includes ISACA's COBIT 5 as an informative reference). CSX also offers guidance for implementing the European Union cybersecurity strategy. ISACA has already published several original cybersecurity resources, including COBIT 5 for Information Security, Transforming Cybersecurity Using COBIT 5, Responding to Targeted Cyberattacks, and Advanced Persistent Threats: How to Manage the Risk to Your Business. More publications are in progress. ISACA also offers a Cybersecurity community in the Knowledge Center, which includes a discussion forum and links to resources.

CYBERSECURITY NEXUS PROGRAM: ELEMENTS OF CSX
AVAILABLE NOW
- Cybersecurity Fundamentals Certificate and study guide
- Cybersecurity webinars and conference tracks (six-part webinar series)
- Implementing the NIST Cybersecurity Framework Using COBIT 5
- European Cybersecurity Implementation Series
- Transforming Cybersecurity Using COBIT 5
- Responding to Targeted Cyberattacks
- Advanced Persistent Threats: Managing the Risks to Your Business
- Cybersecurity Knowledge Center community
- Cybersecurity training courses
COMING SOON
- Cybersecurity practitioner-level certification (first exam: 2015)
- SCADA guidance
- Digital forensics guidance
- 2014 APT Awareness Study

5. ISACA YOUNG PROFESSIONALS

ISACA YOUNG PROFESSIONALS SUBCOMMITTEE: SUPPORTING OUR YOUNGER MEMBERS
ISACA's Young Professionals Subcommittee (YPS) was created in order to facilitate the development of a community that meets the needs of young professionals (members under the age of 35). The YPS maintains its own area within ISACA's Knowledge Centre, currently with more than 2000 members (the 3rd largest ISACA online community). In order to support young members, the group is hosting a series of webinars, mentoring programs and networking events.

ISACA YOUNG PROFESSIONALS SUBCOMMITTEE: YOUNG PROFESSIONAL AMBASSADORS
The Young Professional Ambassador is a nominated chapter member that:
- Supports the YP community within the local chapter
- Creates networking opportunities with senior professionals
- Gives input to the local Chapter Board on YP members' needs
http://www.isaca.org/groups/professional-english/young-professionals

REFERENCES
1. 2015 Data Breach Investigations Report (DBIR): www.verizonenterprise.com/dbir/2015
2. Secunia Vulnerability Review 2015: http://secunia.com/?action=fetch&filename=secunia_vulnerability_review_2015_pdf.pdf
3. PwC Global State of Information Security Survey 2015: www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml#
4. ISACA's 2014 Advanced Persistent Threat Awareness Study (registration required): http://www.isaca.org/knowledge-center/research/documents/apt-survey-report-2014_whp_eng_0614.pdf
5. State of Cybersecurity: Implications for 2015: http://www.isaca.org/cyber/documents/state-of-cybersecurity_res_eng_0415.pdf
6. Verisign's Q4 2014 DDoS Trends: http://www.verisigninc.com/en_us/website-availability/ddos-protection/ddos-report/index.xhtml?loc=en_us&dmn=ddostrendsinfographic?cmp=so-DDOS-ABLOG
7. World Economic Forum's Global Risks 2015 report: www.weforum.org/reports/global-risks-report-2015
8. Cisco 2014 Annual Security Report: www.cisco.com/web/offer/gist_ty2_asset/cisco_2014_asr.pdf
9. (ISC)² Global Information Security Workforce Study: https://www.isc2cares.org/industryresearch/gisws
10. The UK cyber security strategy: http://www.nao.org.uk/wp-content/uploads/2013/03/cyber-security-full-report.pdf

THANK YOU
Ivan Sanchez-Lopez, Senior Manager Information Security, IT Risk & Continuity, DHL Global Forwarding
ISACA Luxembourg AGM, 29.04.2015