cyber security professionals viewed via supply chain
Post on 14-Jan-2015
DESCRIPTION: This research examines the issue of supply and demand for cybersecurity professionals to determine how to optimize the output of cybersecurity professionals through a supply chain. It was found that progress is impeded by the lack of a clearly defined and standardized definition of a cybersecurity worker and their associated knowledge, skills, and abilities. There is a known shortage of cybersecurity professionals that is affecting the ability of the United States to fulfil the mandate of President Obama who declared that the protection of our digital infrastructure is a national security priority. The problem with this declaration is that a literature review confirms there is no standard definition of a cybersecurity worker, associated skills, or educational requirements. The cybersecurity workforce to which we speak in this report consists of those who self-identify as cyber or security specialists as well as those who build and maintain the nation’s critical infrastructure. Considering the criticality of the national infrastructure, it is time for the US to take immediate steps to coordinate the development of the cybersecurity field and its associated workforce supply chain.
1. THE BIGGEST THREAT TO THE U.S. DIGITAL INFRASTRUCTURE: THE CYBER SECURITY WORKFORCE SUPPLY CHAIN
   Aleta Wilson, Ph.D.; Amjad Ali, Ph.D.

2. Overview
   - Study examines supply and demand for cybersecurity professionals
   - Progress impeded by lack of career field for cybersecurity professionals
   - The Obama administration has declared that Protection of our digital infrastructure is a national security priority

3. Scope
   - This study explores activities required to employ cyber security workers for the federal government and its contractor community
   - These two sectors comprise an estimated 500,000 workers who must undergo a significant background check because positions are considered as "national security positions".

4. Scope and Methodology (cont)
   - Second focus of study is university level education and certifications
   Methodology
   - View the cyber workforce through the prism of a supply chain
   - In other words.... How to optimize the supply chain to increase production

5. Definition of a Cyber Security Professional

6. Definition of a Cyber Security Professional - DOL
   - DOL Occupational Outlook Handbook does not contain a definition for cybersecurity professionals
   - DOL categories acknowledge positions that involve people who plan, coordinate, and maintain an organization's information security
     - database administrators plan and coordinate security measures with network administrators
     - network engineers "may ... address information security issues"

7. Definition of a Cyber Security Professional - DHS
   - Department of Homeland Security Secretary Janet Napolitano defines Cybersecurity professionals as employees responsible for "... cyber risk and strategic analysis; cyber incident response; vulnerability detection and assessment; intelligence and investigation; and network and systems engineering"

8. Definition of a Cyber Security Professional - ISC2
   - Frost & Sullivan conducted a survey of 10,413 information security professionals which indirectly defined security professionals as those employed as Information Security professionals and those who had cyber security as their primary job function.

9. Definition of a Cyber Security Professional - DOD
   - DOD usually takes the lead in defining elements related to cyberspace and cybersecurity, but according to GAO "DOD has defined some key cyber-related terms but it has not yet fully identified the specific types of operations and program elements that are associated with full-spectrum cyberspace operations"

10. Definition of a Cyber Security Professional - Monster.com
    - What does the largest job site call them?
      - Network engineers
      - System Administrators
      - IT Security Engineers
      - IT Security Analysts
      - Network Administrators
      - etc.
    - But where are the web designers; policy folk; SW engineers; etc.?

11. Definition of a Cyber Security Professional for this study
    - Professionals who have information security as a major part of their job;
    - those who self-identify as cyber or security specialists; and,
    - those who build and maintain the national critical infrastructure of the computer systems on which the public and private sectors have come to rely.

12. Now that we've defined them. How do they get to the workplace.

13. Supply Chain Management (SCM)
    - Viewing the shortage of cybersecurity workers through SCM
    - SCM attacks problem of uncertainty head-on
    - SCM solves two core resource problems
      - Shortages and excesses
    - Identifies where the chain is broken

14. Supply Chain Management (SCM)
    [Diagram of the workforce supply chain; recoverable labels:]
    - K to 12: STEM (Science, Technology, Engineering, Math)
    - Higher Ed: Higher Education Centers of Excellence; Other Higher Ed Institutions
    - Non-Higher Education Certifiers: CISSP (ISC2); GSEC; CompTIA Security+; Vendor certifications
    - Other labels: Shortage; Dilution; Certifying; Need; Professional; Certification; Certifications

15. S.T.E.M. (K to 12)
    - Public private partnership will invest $260M between 2009 and 2019 (like race to space)
    - Growth in STEM jobs is 3X non-STEM jobs

16. University Level Education
    - NSA is Certifying Universities, Colleges, and now Community Colleges
    - 124 NCAs (as of 2010)
      - 14 are 2-year institutions
      - 2 are 4-year institutions
      - 51 are research institutions
      - Some fall into more than one category

17. Certifications
    - Certifications can come from
      - Universities: $$$$ / Value is unknown
      - Private sector: $$ / Highly prized
    - Highly recognized certificates

18. Certifications Highly Recognized
    ORGANIZATIONS AND THEIR CERTIFICATE OFFERINGS (certifying organization: certifications)
    - CERT: CSIH
    - CompTIA: Security+
    - Cisco Systems: CCNA Security; CCSP; CCIE Security
    - EC-Council: ENSA; CEH; CHFI; ECSA; LPT; CNDA; ECIH; ECSS; ECVP; EDRP; ECSP; ESCO
    - GIAC: GSIF; GSEC; GCFW; GCIA; GCIH; GCUX; GCWN; GCED; GPEN; GWAPT; GAWN; GISP; GLSC; GCPM; GLEG; G7799; GSSP-NET; GSSP-JAVA; GCFE; GCFA; GREM; GSE
    - ISACA: CISA; CISM; CGEIT; CRISC
    - (ISC)2: SSCP; CAP; CSSLP; CISSP; ISSAP; ISSEP; ISSMP
    - ISECOM: OPST; OPSA; OPSE; OWSE; CTA
    - Microsoft: MCSE, MCSA
    Indication individual is improving herself.

19. What's the Problem
    - STEM will not produce for 10 years and then those high schoolers have to go to college
    - University pipeline is waiting for STEM graduates to enter
    - Universities are not graduating enough cyber specialists
    - University certificates are new and general; too soon to determine value

20. So What
    - US has discovered it is behind the curve in the production of S.T.E.M graduates
    - S.T.E.M skills are needed for cybersecurity workforce
    - War has expanded beyond nation states to organizations like Wikileaks
    - Warfare is expanding into cyberspace and we do not have war fighters

21. So What (cont)
    - Focusing on S.T.E.M in K-12 is critical to US economy
    - The field of cybersecurity is being developed in pieces
    - NIST, Microsoft, Cisco, & NSA are each
      - Designing standards models, processes, certifications, and methodologies for the field
      - and many of them overlap

22. Conclusion
    - The US government must take immediate steps to coordinate the development of the cybersecurity field
    - The US should task the National Security Agency to take the lead
    - Once the field is defined
      - There will be sub-specialties
      - There will be a roadmap for obtaining proficiency (like doctors & lawyers)
      - There will be standardized tests
      - Estimates on workforce needs can more accurately be determined
      - Training and certifications can be organized and synchronized

23. Questions and Answers
    NSA designated National Center of Academic Excellence in Information Assurance Education