Cyber Security Featured Article

(ISC)2 CEO David Shearer Discusses Cyber Security Trends and Need for Certified Professionals

March 16, 2016

In launching the Cyber Security Trend Community, I recently spoke with David Shearer, CEO of (ISC)²®, the community sponsor. The timing could not have been better for getting his expert perspectives on the incredible dynamism facing all of us regarding cyber security trends and challenges. 

Shearer has a unique vantage point regarding all things relating to cyber security as (ISC)², with over 110K members, is recognized as the global, not-for-profit leader in educating and certifying cyber, information, software and infrastructure security professionals throughout their careers.  In addition to the work (ISC)² does around the world in the commercial sphere, its Center for Cyber Safety and Education (formerly the (ISC)² Foundation) is involved in educating literally everyone, from the young to the elderly, on how to make the cyber world a safer place.  

David’s insights on such things as the momentum of the move to the cloud and its impacts on security, the growing shortage of skilled cyber security professionals in general and women specifically, and a variety of other high priority topics should resonate with readers.  This is true regardless of whether you are currently an IT security pro, are interested in becoming one, or are an employee (including a top executive) of an organization of any size or location.

TMCnet:  Let’s start with what you see as a big trend or trends people need to understand and pay close attention to regarding cyber security. This would include opportunities as well as challenges. What jumps out at you?

Shearer:  A number of things come to mind. I think a good place to start may be with the observation that for small to medium size companies there is a big surge in looking at outsourcing their security operations centers. Many organizations just don’t have the inside talent. They may have tools where they are actually aggregating massive amounts of logs, firewall logs, things from a SIM, and using other tools they have, but they don’t have the people and the time to parse through that to find out what kinds of events and anomalies may be happening that may give them a forewarning or a lagging indicator that there has been a compromise or a breach. 

TMCnet:  The move to the cloud and outsourcing security is thus not short term? 

Shearer:  It has been a trend for a number of years and is gathering momentum. The amount of information to capture and be evaluated is exploding. And, you can find companies to source that have people that can parse through and identify events and report back to you.

This highlights one of the problems you have in cyber security. The challenge is that you can buy all the tools you think you need and stream volumes of logs about what is happening from a governance risk and compliance aspect within the organization. However, if there is nobody there identifying those, and correlating an event and notifying people that something has occurred, then all you have is a nice set of tools and streaming voluminous big data logs that no one is acting on. That isn’t the end game we are looking for. 

TMCnet:  However, not everything will be outsourced or should be. Correct? 

Shearer:  There will continue to be a trend to look for the right balance of in-sourcing and outsourcing. But, it is important to note that the CIO or the CISO and the CEO are responsible ultimately. You can’t delegate that responsibility. The security of the organizations we are in charge of will remain the responsibility of the organization. This is why you must have some level of capability and understanding inside of your organization that has expert oversight of contracting outsourced engagements to ensure you are meeting your due diligence relative to cyber security.  The trend to outsourcing will continue but with precautions.

TMCnet:  Could you elaborate on what you just said?  It is interesting given all of the talk about technology that there is still a huge human element involved in cyber security. And, that means not just those on the front lines using tools to monitor, mitigate and hopefully proactively prevent risks, but also those establishing the terms and conditions of engaging with vendors, particularly outsourcers. After all, these are likely not to be the same people in terms of accountabilities and responsibilities.

Shearer:  Correct!  It is important to look at accountability and responsibility.

We may hold our cloud vendor accountable for notifying us about an event, but the corporation, the acquirer of those services, is still ultimately responsible for what happens relative to that engagement. 

We may say that you are accountable for notifying us, but the oversight of that cloud service provider still remains the responsibility of the company that is acquiring those services.  That is one of the things that led us to team with the Cloud Security Alliance (CSA) in creating a deeper dive credential that looks at service level agreements, the legal side, emerging privacy issues relative to safe harbor, and the evolution of where data is actually stored and viewed relative to privacy issues and international privacy laws.  I think we can hold people accountable for certain things that feed into our decision process, but we can’t divest ourselves of the ultimate responsibility of whether we have a meaningful, understandable contract in place with service providers and there are clear lines of understanding of what constitutes an event with a cloud provider that they need to notify us about. 

Those things need to be clearly spelled out in the contractual arrangement and looking at establishing a contract that works for both sides.  Nobody wins when it is a finger pointing situation so I think the formulation in the negotiation of these contracts is critical.  You want this to be a win-win situation. 

TMCnet:  This is obviously a subject of great importance. Anything else you are seeing driving the growing popularity of Security-as-a-Service (SaaS)? 

Shearer:  The price point we are seeing in these cloud solutions is undeniably going to continue to put pressure on making the move. The use cases are well-documented. Cloud service providers can reduce your operating costs and capital expenditures and enable a move to operating expenses that are much more predictable. It smooths out budgetary spikes involved with recapitalizing infrastructure all the time. 

We want to create a situation where people do it in a smart way, in a predictable way.  And ultimately if you could get people on both sides of the provider and the acquirer speaking the same language, having the same lexicon, understanding how we put these service level agreements in place you are going to have more success. 

Now we just have to overcome the security and privacy issues.  As noted previously, we need to make sure there are clear lines of understanding of what are the areas of responsibility between the person who acquires those services and the person who provides those services.

TMCnet:  So a priority needs to be getting the buyer/seller relationship right. This clearly includes sorting through the complex issues of who owns, controls and is responsible for what. Plus, who is liable if things go wrong. This is obviously an area where expertise is required.  Is this part of the certification programs you offer?

Shearer:  There is domain coverage within the CCSP certification we offer that provides guidance relative to SLAs. We do believe that in the contract, both sides need to understand what they need to bring to the table that will constitute success of this partnership. Such understanding always makes for better business relationships. It is something we believe is vitally important.

TMCnet:  So what you are saying is that knowledge is power, and having the right people with the best knowledge is that much more powerful.

Shearer:  Depending on the size of the company you may have a CISO with very extensive collateral duties.  For example, we have folks where we drop in a CISSP and the company thinks that is all they need.  These people fight an uphill battle because they are really an army of one. They may be looking to outsource because they are trying to keep pace with everything that is going on.  Optimally you would have a CISO with staff members that would look at things like cloud security, secure software, cyber forensics, and, if they are in healthcare, the whole array of privacy and healthcare compliance types of things.  But, unfortunately, that is not always the case. They are under-resourced. 

And, we know the availability of those additional resources to help them has a dearth of talent within the area we are trying to fill.

TMCnet:  What you just said points to the reality that when it comes to cyber security it is about the people and their skills.  

Shearer:  This isn’t a negative about our great friends at RSA or other security events.  I was in IT leadership roles for the majority of my career.  You go to conferences and see the latest and greatest tools, and then you realize you are barely keeping up with getting the other underlying tools.  It is easier to look at the next gee whiz tool that is out there, or software that is out there, but sometimes the reality is that you have other things you need to get cleaned up and resolved before you can even consider those other things.

TMCnet:  (ISC)² has done significant research that points out that we have a growing shortage of cyber security professionals that is projected to get worse over time if steps aren’t taken to solve the problem.  Can you talk about where we are and what we need to do to avoid a major problem? 

Shearer:  What’s the answer?  In solving problems you really have to get to the root cause of what is going on. 

When we look at our research we see there are such a small percentage of people under 30 coming into the profession.   We kind of tease around it as a Science, Technology Education and Math (STEM) issue.  However, there are debates about that. Even where we know where STEM is strong, in APAC and in other countries, we still don’t see the interest for people coming into the profession. We need a better campaign as to why cyber security related professions are an attractive career path for people. 

For many years through our foundation, we have reached out to children, parents and educators to help children be safe online.  But now, when we are teaching those kids to be safe online, we have an opportunity to show them that there is a whole career path here.  We are really excited that we have a partnership with Garfield the Cat; the animated cat is now our spokesperson… and we think that is going to resonate with young kids, almost as Garfield being the sheriff and deputizing kids around the world: you can help us be safer and more secure online. And, oh by the way, there is a career path here, so reaching the hearts and minds of the young is part of the solution. 

TMCnet:  And, as they get older? 

Shearer:  In addition, developing secondary school curriculum that can create a glide path for these kids is key. We need to get them excited about cyber security coming out of high school.  Then, working through our international academic program with colleges and universities throughout the world, we must make sure there are cyber-related education and career paths relative to curriculum and degrees that they are developing.  

Now is the time we start to feed the pipeline, and come up with a solution to fill the need for a next wave of people.  I am concerned.  When we look at the average age of 42 years within our survey—which at just under 15,000 respondents is a pretty good sample—42 isn’t old.  But we have an overworked workforce that is stressed. There will be burnout, and our number projections take nothing into consideration relative to retirement because people will retire at different ages...

We need to find ways to bring people into the profession.  And, we need to find ways for people to retool. We also need as part of that to look at existing IT career paths or engineering career paths that can be part of the solution.  Most importantly we should be looking at underrepresented minority groups…

We have spoken for many years that only 10 percent of the profession is women.  We need to draw on women and encourage them to come into the profession.  In addition, there are other underrepresented minorities that take on different ratios depending upon which region of the world you are in.  Thus, we have to look at the people dynamics and figure out what we have to do to solve it.

TMCnet:  How are we doing on this score?

Shearer:  I think we are getting better at coming up with the education both through formalized education and other programs.  However, there is always room for improvement and we need to message it better.

TMCnet:  Part of that messaging, I would think, is that this is a well-paying career that is obviously not a fad. In fact, one of the reasons it will be attractive financially over time is that the skills required to be a recognized expert are very valuable and you need multiple skills.

Shearer:  If I was doing my pitch, if you have a daughter or niece we need to be using the right words with them.  Women are fantastic in this profession. I have seen it first-hand.  We need to offer encouraging language to all of our young, and particularly as noted our women.  This is an exciting career path for women. From high school on at least making our young ladies be aware that there is stability in being a cyber security professional and the salaries do continue to grow. 

TMCnet:  Any other “hot spots” where having cyber security skills is vital? 

Shearer:  Yes.  Terms and conditions is one.  The reason is that as we continue to look at cyber security insurance, we are looking at creating bars of what constitutes due diligence for an organization for that underwriter to make good on an incident or underwrite an event. 

It is related to our previous discussion. I think the path is there will be a stronger convergence of looking at terms and conditions and contracts. An understanding of baselines of best practices will become absolutely critical to insuring organizations relative to cyber security. 

TMCnet:  What about the emerging area of Data Scientists?  They already are incredibly hard to find and the big companies have cornered the market. 

Shearer:  I worked my master’s through Syracuse University and information library science was a large part of that. We have gotten away from that, and as big data becomes more and more an issue, that poses a challenge. 

We have diminished the value of library science. Now we just throw up unstructured content all over the place. The art of finding things through understandable taxonomies is increasingly lost.  Data science is a similar situation.  We need people that understand data and then learn the actual data they are looking at. There is a whole science behind that.  I don’t know that people see this as sexy, but I agree with you that it is going to be absolutely critical as we go forward.  We need to message that. 

Organizations need to promote this.  I haven’t seen a whole lot of colleges and universities having specialized tracks.  The lines are blurring between computer science and cyber security and engineering.  I try to preach this.  We have a massive convergence of all engineering disciplines. 

Every engineering discipline goes into the products that are coming into residences and products for early responders, military, law enforcement.  They all have embedded systems, aka the Internet of Things (IoT).  Engineers design and develop those, but there isn’t just one engineering discipline. This is the next area we need to focus on as a society, i.e., that we have a higher confidence that the products that we release into the marketplace take cybersecurity into consideration at the design and engineering stage. 

We have been strong advocates on the software piece of this.  My point is data scientists are really data engineers.  There is a slew of engineering disciplines.  We need to have a better integrated conversation on how they work in a complementary way to ensure we are rolling out secure products and services.

TMCnet:  Like a Broadway show, what hit song(s) do you want readers to come out humming?

Shearer:  The first thing is that we at (ISC)2 have a strong message as an organization that when it comes to cyber security we need to look at the most vulnerable, children and seniors, to ensure their safety. 

Second, it is undeniable, regarding where our members are employed, that there is high pressure to move to cloud based solutions and services, and that pressure will remain because of price point.  What is most important here is that moving to cloud-based solutions is not something you want to learn from the school of hard knocks. You want to go into it in a predictable way with a full understanding of the roles of both acquirer and provider.

This means making sure privacy and security related issues are taken into consideration from the onset. How are you going to operate those solutions in a secure way? What information are you collecting that might constitute personal proprietary information?  What provisions do you as the contract holder, and then the provider, have relative to that complementary way that both parties need to ensure that security is built in?  How do you work in the event something goes wrong?  All those things need to be identified up front. And, when the ink dries on the contract, both sides know their roles and responsibilities. 

Third, this is achievable.  However, it is not going to happen organically. That is why we try to flesh out the areas we think are absolutely critical relative to doing this entire process well. 

As a result, we look at things like cloud data security, and cloud application security.  What are their operations?  Are they getting 16 types of audits, legal and compliance, architectural concepts and design requirements?  We need to understand at least what is in the cloud and how vendors are virtualizing so we can see if there are any holes relative to security posture. 

Finally, we are looking ahead at areas we need to be focusing on and certifying. The objective is providing hiring officials, boards and the C-suite an understanding and confidence that the people protecting them have recognized world-class qualifications relative to work they are doing and their area of responsibility.

David Shearer, CISSP, PMP, Chief Executive Officer  

Mr. Shearer, CEO of (ISC)², has more than 30 years of business experience, including serving as chief operating officer for (ISC)², associate chief information officer for International Technology Services at the U.S. Department of Agriculture, deputy chief information officer at the U.S. Department of the Interior, and the executive for architecture, engineering and technical services at the U.S. Patent and Trademark Office.  He is a U.S. federal executive presidential rank award recipient. As (ISC)² Chief Executive Officer, Mr. Shearer is responsible for the overall direction and management of the organization.

Edited by Peter Bernstein
