Tuesday 29 March 2016

Information Security - A Good Introduction

Are you interested in taking on a course in the next academic year but are not too sure what you should do? Do you work in IT and want to challenge yourself to learn something new?



I have had the very great pleasure this year of being an Associate Lecturer on the UK Open University’s postgraduate Information Security module (M811). So I’d like to do some shameless pimping of this course because I think it is a great introduction to the subject.

The course covers information security from a range of angles that I think are appropriate for both the security person and non-security person. The course is broken down into three blocks:
  • Block 1 – Introduction to Information Security. This gives a gentle introduction to the subject and covers information security imperatives and incentives and information asset identification (i.e. that all-important identification of the information ‘crown jewels’ in an organisation and why it is so important to protect them on a prioritised and proportionate basis).
  • Block 2 – Information Security Risk Assessment. This is where it really gets into the detail and covers risk assessment and threat & vulnerability impacts. It does all this while allowing you to focus both on your organisation and your home environment, so it is instantly relevant and provides immediate value.
  • Block 3 – Information Security Risk Management. This covers information security controls and compliance and explains how to establish an information security management system for an organisation.

What I really like about the way it is structured is that it splits each sub-module into four strands to help optimise your learning:
  • The Organisation Strand (where you learn about the relevant information security standard, ISO 27001, and how to ‘do’ risk assessment and risk management)
  • The Personal Strand (where you will learn to protect your home assets)
  • The Research Strand (where you cover existing academic knowledge in the area as a means of challenging assumptions)
  • The Practitioner Strand (to help you track developments and current issues in information security).

The course runs from November 2016 to April 2017. It has three assignments and an end-of-course assessment (i.e. no formal exam).

This module is one that can count towards a range of Open University qualifications or it can simply be taken on its own. So if you’re interested to understand what an information security function does all day or you just want to understand the subject a bit better, I’d highly recommend it.

If you want to find out more click here.

Thursday 17 March 2016

Skills Gap in the Cyber Security Industry

I read an FT article a few months ago (here – worth signing up for occasional articles – it’s free) about the skills in the cyber security sector or, should I say, the lack of available skills. This is something I revisited this week for various reasons. Some interesting points made there included:
  • 103,000 people hold a CISSP certification, including 68,000 in the US, but there are 50,000 extra job openings for CISSP-certified professionals at present.
  • It is not just about technical skills. You also need people who can “speak the language of the boardroom and translate tech-talk into understanding for the C suite” (Mark Brown – E&Y). This is certainly something I agree with and have seen first hand that few people can do well.
  • In the UK, salaries have increased 10 per cent year on year for security staff and 16 per cent for consultants.
  • Security professionals moved jobs twice as much as average workers in the year to April 2015.
These are very real issues in my experience and it is getting worse. I think it is somewhat compounded by the C suite thinking that all IT professionals fall into the same or similar categories and that there is nothing special in relation to recruitment of security staff. The realisation that this is incorrect will be a bitter pill to swallow when there are significant impacts which highlight the gaps. The Information Security Forum's (ISF) recent 2018 Threat Horizon report asserted that

    “Disruption to critical systems is magnified due to the shortage of specialized skills needed to maintain algorithms and codebase … To fully close the gap between the board’s expectations and the security function’s ability to deliver, skills and capabilities have to increase”

and

    “Inability to recruit, develop and retain the right skills, losing the war on talent and leaving a critical skills gap” will lead to more significant and long lasting security incidents for companies.


So both the research and the practical experience have demonstrated the validity of this problem but, as security managers, what can we do about it? I don’t have all the answers here but for me the solutions fall into several categories:
  1. Enticing new graduates to the Security industry. I think the role we in the industry can play here is, where possible, engage with the universities to fill student internships. I know in Ireland these exist even for the summer period (e.g. DCU Intra). This is a great introduction to the real world for these students.
  2. Enticing experienced IT professionals into security. Given I count myself in this group, I think this is something we should also encourage. Many people have associated skills (e.g. compliance, application development) which can, with additional training, be an asset to the security function in an organisation.
  3. Development of existing security professionals’ skills. I am a big fan of the Richard Branson phrase “Train people well enough so they can leave. Treat people well enough so they don’t want to”. Given the flux in the industry information security managers need to proactively drive their people to further training. I certainly believe it is significantly cheaper to regularly train a person to develop existing and new skills than to hire a new person (if you can find them) and have to pay them (and pay for training) while they get up to speed. Anything less demonstrates, in my view, a lack of management skills and foresight. So take time out to work on development plans for security professionals – see where they want to go and build solid plans with clear time-delineated outcomes and give them the freedom to achieve these goals. This will include finding the balance between formal training (including certifications) and training-on-the-job. The latter needs to include some level of mentoring to speed up development over time.
  4. Ensure people maintain understanding of the security environment. There are many ways to do this including online webinars (but you have to give them the time and freedom to attend and focus on these rather than do their email). However, it also means facilitating attendance at security conferences but also encouraging security people to speak at these conferences to share best practice. This builds other skills and increases confidence.
  5. Identify those with potential and encourage them to engage with the C-suite personnel. As the ISF alluded to, we need to develop the ability in technical people to engage with senior management in their language. As managers, we need to push people and trust in their ability to do this.

Information security is an immature profession. It occurs to me that as its current custodians we have a responsibility to ourselves, our colleagues and the next generation to proactively develop that maturity.