(c) 2004 Allan Berg Building the Security Workforce of Tomorrow Allan Berg University of Dallas Graduate School of Management

Information Assurance and Infrastructure Protection

… is a national priority as well as a complex and critical challenge. One that requires a true partnership between all stakeholders, government, public, private, and academe.

Certification, Education, and Training in Information Assurance

People involved in IA must be able to understand and systematically employ and manage IA concepts, principles, methods, techniques, practices and procedures drawn from U.S. statutes, current or pending. IA experts also must understand procedures mandated by the Department of Defense, federal, state and local governments, businesses, and industries.

Questions

What is the supply core of IA workers?
What education and training does the IA worker need?
How will this education and training be imparted?
Who will certify this education and training?

The IA Workforce Challenge

Continuing sustained rapid growth and accelerating
Intense demand for unique combinations of IT, IA skills, experience, and industry knowledge

Assessing Educational and Training Needs

What occupations comprise the core IA work force?
Standardized definition of the standards that define the information security worker agreeable to government, industry and academe.
Enforcing security processes on a document oriented information system may be very different from a communications network system.
Often overlooked: physical, personnel, standards and policy, and administrative security expertise is also a necessity in today’s information security workforce environment.

Information Assurance

Encompasses the scientific, technical, and management disciplines required to ensure computer and network security including the following functions:

– System/network administration and operations
– Systems security engineering
– Information assurance systems and product acquisition
– Cryptography
– Threat and vulnerability assessment, to include risk management
– Web security
– The operations of computer emergency response team
– Information assurance training, education and management
– Computer forensics
– Defensive information operations

Academic Degree vs. Industry Certification

Are academe and industry competing for the same market?
– Absolutely NOT!!
Are academe and industry complementary?
– Absolutely YES!!
Many people have some level of experience, but little time to devote to semester-long courses.
Many people have no experience, and might not benefit from Wham! Bam! 5-day training courses.
– But have time to attend semester-long courses.

Information Security + What

Network and network infrastructure security
Physical, personnel and administrative security
Cryptography and Public-Key Infrastructure
Testing and verification methodologies
Intrusion Detection
Vulnerabilities analysis and Risk Management
Policy and auditing technologies
Host security
Ethics and legal issues
Authentication technologies
E-commerce and Public Policy

The Niche IA Labor Markets

Mix of knowledge and skills required can vary
Certain technical skills may be in high demand
IT is changing rapidly

Incentives for IA Certification and Education

Establishes a professional identity and upholds the quality of the profession.
Establishes a minimum level of knowledge with regard to the practice of the profession, and through continuous learning, upgrading of knowledge base and skills.
Promulgates a code of ethical practice.
Provides a review process and participation in published standards of practice.
Promotes ongoing role and function studies for practitioners to validate their practice.

Incentives for IA Certification and Education (Cont’d.)

Demonstrates that certified individuals meet acceptable uniform national standards.
Establishes a standard level of competency for employee hiring and evaluation.
Promotes consumer protection.

JOB ADVANCEMENT – certification gives you a competitive edge for promotion and hiring.
SALARY – Profile studies show that certification holders earn more per year than those who do not have certification.
ESTEEM – Attaining certification demonstrates to your employer, your colleagues, and yourself that you are committed as a professional.

Disadvantages of Certification

Multiple choice tests are unable to test problem solving and analytic skills. They reward students who can memorize and replay a set of facts with ease. Furthermore, these tests have become integrated into vendor marketing strategies.

Disadvantages of Certification (Cont’d.)

Emphasize facts important to a particular product line and frequently do not assess globally important knowledge. Hence, the industry has coined the terms “paper-_ _ _ _” to describe someone who only knows enough to pass the tests, but not enough to function effectively on the job. Since many of the short-term training programs teach only the answers to the tests, the problem is only getting worse.

The Fix

Developing curriculum that includes not only the test information, but also additional materials designed to give the student real insight and hands-on experience with the software and hardware used in the industry. While our students do pass the tests and become certified, they fully understand that it is knowledge beyond the tests that makes them valuable. Such knowledge will last a lifetime, since it will not become obsolete with the next software upgrade.

Initiatives and Opportunities

Assessing educational and training needs
State initiatives for IA education
Benefits of certification and continuing education
Internet-enabled education and training
International security education and collaboration

Initiatives for IA Education

Departments of Information Technology
Academic initiatives
Internships
Federal initiatives
CAE/ISE
DoD IASP
NSF Scholarship Program

Benefits of Certification and Continuing Education

Benefits of Certification
– Demonstrates a level of expertise/competency
– Recognition by government, industry
– Periodic recertification?????

Benefits of Continuing Education
– Life-long
– Through community colleges and universities
– Demonstrates a level of expertise/competency
– Recognition by industry, government, academia

Corporate “Universities”
– Focuses on immediate and near future needs
– In-house and/or mini-courses by local purveyors
– Recognition by industry, government

Internet-enabled and In-class Certification, Education, and Training

Assessing the quality:
– Can the students reliably and efficiently access all the curriculum materials so that they can complete the course requirements in the specified time period?
– Does the technology allow the students to become reasonably engaged with the material?
– Are there special difficulties associated with the administration of the program and exams?
– Is the time investment on the part of the faculty instructor and students manageable or prohibitive?

Internet-enabled and In-class Certification, Education, and Training

– Does effective learning occur when using the Internet as the primary means of delivering the course curriculum?
– How far should distance education really go in being a substitute for the classroom experience?
– What is the nature of the market for distance education for the IA professional?
– What is the potential for learning with distance education for the IA professional?

“It’s A Jungle Out There”

Microsoft Certified Systems Engineer (MCSE)
Cisco Certified Network Associate (CCNA)
Cisco Certified Network Professional (CCNP)
Cisco Certified Security Professional (CCSP)
Certified Internet Webmaster (CIW)
Certified Wireless Network Administrator (CWNA)
Certified Information System Security Specialist (CISSP)
CISSP Concentrations: ISSAP, ISSMP, ISSEP
Certified Information System Auditor (CISA)
Certified Information Security Manager (CISM)
SANS (GIAC) …
And the list goes on, and on, and on, and on, and on, and on, and on, and on, and on, and on, and on …

Looking to the Future

To move forward, to stay successful, information assurance professionals in an organization, and its leaders, must have vision. Standing still isn’t an option!

Building the Security Workforce of Tomorrow

Allan Berg
University of Dallas
Graduate School of Management
[email protected] (@gsm.udallas.edu)
1.703.788.6801