THE CYBERSECURITY SKILL GAP: WHAT EMPLOYERS WANT YOU TO KNOW
Robert E Stroud, CGEIT, CRISC
International President, ISACA & VP Strategy & Innovation, CA Technologies
February 2015
www.isaca.org/cyber

ISACA: Trust in, and value from, information systems
Global association serving 125,000 IT security, assurance, governance and risk professionals
Established in 1969
Members in 180 countries
200+ chapters
The Internet has reached a scale no business, industry or government can ignore
Source: Boston Consulting Group, The Internet Economy in the G20, March 2012

The world becomes increasingly more interconnected

Developing markets are going straight to social quickly as they come online
Source: Boston Consulting Group, The Internet Economy in the G20, March 2012
Source: ISACA.ORG
Top 10 Data Breaches Of 2014: Which Companies Had The Most Records Hacked?

#1 Ebay (May)
Ebay saw its database of email addresses and encrypted passwords for all 145 million Ebay users compromised. This was the largest number of records breached in an online attack in 2014.
Worst Data Hacks 2014: #1 Ebay (Image: Reuters)
Source: http://www.idigitaltimes.com/10-largest-data-breaches-2014-sony-hack-not-one-them-403219

#2 J.P. Morgan Chase (August)
The second largest breach of 2014, with 76 million personal customers' records compromised along with the records of 7 million small businesses. The J.P. Morgan hack was more concerning because it is a financial institution: the financial information in its computer systems goes beyond customers' credit card details, revealing more potentially sensitive data.
Worst Data Hacks 2014: #2 J.P. Morgan Chase (Image: Reuters)
Source: http://www.idigitaltimes.com/10-largest-data-breaches-2014-sony-hack-not-one-them-403219

Records breached, by company:
1. Ebay - 145 million
2. J.P. Morgan Chase - 76 million
3. Home Depot - 56 million
4. Community Health Systems - 4.5 million
5. Michaels - 2.6 million
6. Texas Health And Human Services - 2 million
7. Neiman Marcus - 1.1 million
8. Goodwill Industries - 868,000
9. Oregon Employment Department - 850,000
10. US Postal Service - 800,000
SONY ranked 33 on the list with 47,000 total records breached.
Source: http://www.idigitaltimes.com/10-largest-data-breaches-2014-sony-hack-not-one-them-403219
Source: http://cdn.bgr.com/2014/04/kasperksy-map-3.gif?w=624
2015 Global Cybersecurity Status Report
Companies and government organizations worldwide are focusing on cybersecurity as a critical priority in 2015. ISACA conducted a global survey of 3,439 business and IT professionals in 129 countries to capture their insights on cybersecurity attacks, skills shortages and proposals from US President Barack Obama, who addressed cybersecurity issues such as data breach notification laws this week. The survey was conducted online from 13-15 January 2015. At a 95 percent confidence level, the margin of error is +/- 1.7 percent.
CYBERSECURITY SKILLS SHORTAGE
86% believe there is a shortage of skilled cybersecurity professionals
Does your organization plan to hire more cybersecurity professionals in 2015?
- Yes: 37%
- No: 32%
- Unsure: 30%
92% of those hiring expect it will be difficult to find a skilled candidate

CYBERATTACKS
Do you think cyberattacks are among the three biggest threats facing organizations today?
- Yes: 83%
- No: 5%
- Unsure: 11%
46% expect their organization to face a cyberattack in 2015
Only 38% of all respondents feel prepared to fend off a sophisticated attack

CYBERSECURITY AWARENESS
Does your organization plan to increase cybersecurity awareness training for staff this year in light of recent breaches?
- Yes: 53%
- No, but we should: 26%
- No, we do enough security awareness training: 9%
- Unsure: 12%
54% of respondents agree it is difficult to identify who has an adequate level of skills and knowledge when hiring new graduates for entry-level cybersecurity positions

DATA BREACH NOTIFICATION SUPPORT
76% agree or strongly agree with United States President Obama's proposal to require companies to notify consumers of a data breach within 30 days
Of the following, what do you think is the greatest challenge companies would face if they needed to notify consumers of a data breach within 30 days of its discovery?
- Concern over corporate reputation: 55%
- Systems not designed for this: 15%
- Increased cost: 13%
- Not enough human resources: 10%
- Other: 8%
EVOLUTION OF ATTACKS
LIFECYCLE
CYBERCRIME
Source: http://www.bangkokpost.com/print/389343/
International Telecommunications Union, the United Nations specialized agency for information and communications technology

US MILLENNIALS ARE INTERESTED IN CYBERSECURITY PROFESSIONS. WE NEED TO CLOSE THE CYBER GAP
1. Certified in Risk and Information Systems Control (CRISC)
Premium pay for this ISACA certification has risen 9.1 percent in the last three- and six-month periods. In general, IT certifications from ISACA center on IT governance. Originally offered in 2010, this certification focuses specifically on risk management. "The CRISC is awarded to those experienced in business and technology risk management, and the design, implementation, monitoring and maintenance of IS control," according to CRISC.

2. CWNP Certified Wireless Security Professional
Wireless security is hot, according to Foote, who goes on to say, "CWNP is a really small company and for them to be on this list is a headline." This wireless security certification has been riding high. Premium pay is up 35 percent over the last 12 months, 28 percent in the last six months and 20 percent in the last three months, making it a marketable bullet point on your resume. This advanced certification teaches individuals how to securely set up and run an enterprise wireless LAN.

3. CWNP Certified Wireless Network Expert
Here is another CWNP certification that is seeing a huge spike in premium pay. Value/demand for this role is up 42 percent in the last 12 months, 37.3 percent in the last six months and 30 percent in the last three months. This is the highest level of certification offered by CWNP. Recipients should have a mastery of skills relating to the installation, configuration and troubleshooting of enterprise Wi-Fi networks.

4. GIAC Certified Forensics Analyst (GCFA)
This intermediate forensics certification is targeting individuals in the information security, incident response and computer forensics field who focus on only Windows and Linux operating systems. Value/demand for this role has climbed an impressive 16.7 percent in the last 12 months.

Sources:
http://www.computerworld.com/article/2473341/it-careers/130807-18-hot-it-certifications-for-2014.html
http://www.footepartners.com/
CAREER PATH
0 to 3 years: Cybersecurity Fundamentals Certificate (no experience required; must pass knowledge-based exam)
3 to 5 years: Cybersecurity practitioner-level certification (coming in mid-2015)
5+ years: Certified Information Security Manager (CISM) certification (25,000+ professionals certified since inception)

BOARD AND SENIOR MANAGEMENT GUIDANCE
CSX ACCELERATION
European Cybersecurity Implementation Series:
- European Cybersecurity Implementation: Overview
- European Cybersecurity Implementation: Assurance
- European Cybersecurity Implementation: Resilience
- European Cybersecurity Implementation: Risk Guidance
www.isaca.org/eu-cyber-implementation
COBIT 5 AT THE CORE OF THE US NIST CYBERSECURITY FRAMEWORK
CSX ELEMENTS
AVAILABLE NOW
- Cybersecurity Fundamentals Certificate (workshops and exams taking place in Q3; first workshop sold out)
- Transforming Cybersecurity Using COBIT 5
- Responding to Targeted Cyberattacks
- Advanced Persistent Threats: Managing the Risks to Your Business
- 2014 APT Awareness Study
- Cybersecurity webinars and conference tracks (six-part webinar series)
COMING SOON
- Mentoring Program
- Cybersecurity practitioner-level certification (first exam: 2015)
- Cybersecurity training courses
- SCADA guidance
- Digital forensics guidance
- Cybersecurity Knowledge Center community
- Implementation guidance for NIST's US Cybersecurity Framework (which incorporates COBIT 5)
- EU Cybersecurity Strategy

CYBERSECURITY FUNDAMENTALS KNOWLEDGE CERTIFICATE
Knowledge-based exam for those with 0 to 3 years of experience
Foundational level covers four domains:
1) Cybersecurity architecture principles
2) Security of networks, systems, applications and data
3) Incident response
4) Security implications related to adoption of emerging technologies
The content aligns with the US NICE framework and was developed by a team of about 20 cybersecurity professionals from around the world. The team is involved in all areas of development through content contribution and subject matter expert reviews.

CONCLUSIONS
- The situation is only going to get more complex
- If you have IP, it's not a question of if, but when
- HUGE industry skills shortage
- This is not yesterday's security
- Have a plan and perfect it with experience over time
- ISACA: effective controls and assurance are critical in this Digital Age!
www.isaca.org/cyber