(c) 2004 Allan Berg
Building the Security Workforce of Tomorrow
Allan Berg
University of Dallas
Graduate School of Management
Information Assurance and Infrastructure Protection
… is a national priority as well as a complex and critical challenge. One that requires a true partnership between all stakeholders, government, public, private, and academe.
Certification, Education, and Training in Information Assurance
People involved in IA must be able to understand and systematically employ and manage IA concepts, principles, methods, techniques, practices and procedures drawn from U.S. statutes, current or pending. IA experts also must understand procedures mandated by the Department of Defense, federal, state and local governments, businesses, and industries.
Questions
What is the supply core of IA workers?
What education and training does the IA worker need?
How will this education and training be imparted?
Who will certify this education and training?
The IA Workforce Challenge
Continuing sustained rapid growth and accelerating
Intense demand for unique combinations of IT, IA skills, experience, and industry knowledge
Assessing Educational and Training Needs
What occupations comprise the core IA work force?
Standardized definition of the standards that define the information security worker agreeable to government, industry and academe.
Enforcing security processes on a document-oriented information system may be very different from a communications network system.
Often overlooked: physical, personnel, standards and policy, and administrative security expertise is also a necessity in today’s information security workforce environment.
Information Assurance
Encompasses the scientific, technical, and management disciplines required to ensure computer and network security including the following functions:
– System/network administration and operations
– Systems security engineering
– Information assurance systems and product acquisition
– Cryptography
– Threat and vulnerability assessment, to include risk management
– Web security
– The operations of computer emergency response team
– Information assurance training, education and management
– Computer forensics
– Defensive information operations
Academic Degree vs. Industry Certification
Are academe and industry competing for the same market?
– Absolutely NOT!!
Are academe and industry complementary?
– Absolutely YES!!
Many people have some level of experience, but little time to devote to semester-long courses.
Many people have no experience, and might not benefit from Wham! Bam! 5-day training courses.
– But have time to attend semester-long courses.
Information Security + What
Network and network infrastructure security
Physical, personnel and administrative security
Cryptography and Public-Key Infrastructure
Testing and verification methodologies
Intrusion Detection
Vulnerabilities analysis and Risk Management
Policy and auditing technologies
Host security
Ethics and legal issues
Authentication technologies
E-commerce and Public Policy
The Niche IA Labor Markets
Mix of knowledge and skills required can vary
Certain technical skills may be in high demand
IT is changing rapidly
Incentives for IA Certification and Education
Establishes a professional identity and upholds the quality of the profession.
Establishes a minimum level of knowledge with regard to the practice of the profession, and through continuous learning, upgrading of knowledge base and skills.
Promulgates a code of ethical practice.
Provides a review process and participation in published standards of practice.
Promotes ongoing role and function studies for practitioners to validate their practice.
Incentives for IA Certification and Education (Cont’d.)
Demonstrates that certified individuals meet acceptable uniform national standards.
Establishes a standard level of competency for employee hiring and evaluation.
Promotes consumer protection.
JOB ADVANCEMENT – certification gives you a competitive edge for promotion and hiring.
SALARY – Profile studies show that certification holders earn more per year than those who do not have certification.
ESTEEM – Attaining certification demonstrates to your employer, your colleagues, and yourself that you are committed as a professional.
Disadvantages of Certification
Multiple choice tests are unable to test problem solving and analytic skills. They reward students who can memorize and replay a set of facts with ease. Furthermore, these tests have become integrated into vendor marketing strategies.
Disadvantages of Certification (Cont’d.)
Emphasize facts important to a particular product line and frequently do not assess globally important knowledge. Hence, the industry has coined the terms “paper-_ _ _ _” to describe someone who only knows enough to pass the tests, but not enough to function effectively on the job. Since many of the short-term training programs teach only the answers to the tests, the problem is only getting worse.
The Fix
Developing curriculum that includes not only the test information, but also additional materials designed to give the student real insight and hands-on experience with the software and hardware used in the industry. While our students do pass the tests and become certified, they fully understand that it is knowledge beyond the tests that makes them valuable. Such knowledge will last a lifetime, since it will not become obsolete with the next software upgrade.
Initiatives and Opportunities
Assessing educational and training needs
State initiatives for IA education
Benefits of certification and continuing education
Internet-enabled education and training
International security education and collaboration
Initiatives for IA Education
Departments of Information Technology
Academic initiatives
Internships
Federal initiatives
CAE/ISE
DoD IASP
NSF Scholarship Program
Benefits of Certification and Continuing Education
Benefits of Certification
– Demonstrates a level of expertise/competency
– Recognition by government, industry
– Periodic recertification?????
Benefits of Continuing Education
– Life-long
– Through community colleges and universities
– Demonstrates a level of expertise/competency
– Recognition by industry, government, academia
Corporate “Universities”
– Focuses on immediate and near future needs
– In-house and/or mini-courses by local purveyors
– Recognition by industry, government
Internet-enabled and In-class Certification, Education, and Training
Assessing the quality:
– Can the students reliably and efficiently access all the curriculum materials so that they can complete the course requirements in the specified time period?
– Does the technology allow the students to become reasonably engaged with the material?
– Are there special difficulties associated with the administration of the program and exams?
– Is the time investment on the part of the faculty instructor and students manageable or prohibitive?
Internet-enabled and In-class Certification, Education, and Training
– Does effective learning occur when using the Internet as the primary means of delivering the course curriculum?
– How far should distance education really go in being a substitute for the classroom experience?
– What is the nature of the market for distance education for the IA professional?
– What is the potential for learning with distance education for the IA professional?
“It’s A Jungle Out There”
Microsoft Certified Systems Engineer (MCSE)
Cisco Certified Network Associate (CCNA)
Cisco Certified Network Professional (CCNP)
Cisco Certified Security Professional (CCSP)
Certified Internet Webmaster (CIW)
Certified Wireless Network Administrator (CWNA)
Certified Information System Security Specialist (CISSP)
CISSP Concentrations: ISSAP, ISSMP, ISSEP
Certified Information System Auditor (CISA)
Certified Information Security Manager (CISM)
SANS (GIAC) …
And the list goes on, and on, and on, and on, and on, and on, and on, and on, and on, and on, and on, and on …
Looking to the Future
To move forward, to stay successful, information assurance professionals in an organization, and its leaders, must have vision. Standing still isn’t an option!
Building the Security Workforce of Tomorrow
Allan Berg
University of Dallas
Graduate School of Management
[email protected]
1.703.788.6801