Cybersecurity an Evolving Practice
Lyndsay Turley Director Communications & PA
for (ISC)² in EMEA
Milan, October 28 2016
Professional Community
» 120,000 Certified Professionals
» Nonprofit leaders in education
» Accredited to ANSI/ISO/IEC Standard 17024
» CBK® continuously updated taxonomy of topics
» Job Task Analysis
» (ISC)2 Global Workforce Study
www.isc2.org
CEN ICT Skills Workshop: (ISC)2 joined in 2012 to bring front-line experience in cybersecurity
1. Review the European eCompetence Framework (eCF) against current expectations for cybersecurity
2. Develop a guide for interpreting the eCF from a security accountability perspective
3. Document functional interfaces and dependencies
2006: What does this tell us?
» Primary concern: IT 49.73%, Risk Management 50.27% (roughly 50/50)
Professional Activities
[Chart: share of respondents per activity, series EMEA, France, Germany, United Kingdom; activities: GRC, Security management, Security operations, Provide advice on security to…, Researching new technologies, Security leadership, Vulnerability assessment and…, Incident response, Security solutions/sales, Software development, Sales consulting]
Security Threat Techniques
[Chart: Top 10 Security Threats (Very/Somewhat Common), series EMEA, France, Germany, United Kingdom; threats: Phishing, Scan network, Web application attacks, Privilege abuse, Denial of service and distributed…, SQL Injection, Downloader, Command and control, Backdoor, Brute force]
A Maturing Practice After 28 years
Have you heard the story about the Jeep (and Tesla!), the steel factory and the Coca-Cola delivery guy…
Losing visibility & oversight
» Policy, Governance
» Architecture, Project management
» Operational security; access control
» Procurement, Services, Design & Development
The pressure is on …
» 62% too few infosec people
» 57% can’t find the right people today
» Breaches rising, struggling to trace origin, longer recovery periods
Our key challenge today is the pace of change and… the lack of understanding of how this is leaving us vulnerable.
Impact of GDPR (& NIS)
» Wholesale review of everything
• Industries to be considered critical
• Organisational processes & ecosystems
• Employee habits
• Understanding of data and its attributes
• Etc.
A Confusing Time
Polarising Skill Requirements
» Technical: architecture, software, forensics, vulnerability testing
» Risk management policy; project and programme management
» Business Management: security business consultancy, security account management
Diverse Reporting Structure – IT less than 30%
[Chart: reporting line of the security function, series EMEA, France, Germany, United Kingdom; reporting lines: IT department, Executive management (C-level or…), Security department (information…), Operations or administration, Consulting, Board of directors, Risk management, Governance or compliance, Sales management, Internal auditing]
Evolving Job Titles
[Chart: share of respondents per job title, series Worldwide, EMEA, France, Germany, United Kingdom; titles: Security analyst, Security consultant (managem…), CSO/CISO/CIAO, Security auditor, Information Assurance Manager, Security architect (consulting), Security engineer (planning,…), Security architect (products,…), Security advisor, Network administrator]
New Recruits
[Chart: skills sought in new recruits, axis 75 to 100, series UK, EMEA, Global; skills: Communications, Analytical, Risk assessment/mgt, Specific platform/tech, IT&SecOps Mgt]
Skills Frameworks & Roles
» Various disparate efforts: IISP, ESCO, IEEE/ACM, SOFIA, PViB, UNINFO, BCS, eCF, etc.
» Competence vs. process standards
» Different perspectives: ICT, info/cyber security, risk management
» Government driven or funded
» Big business informed
Changing influences: skills, sector risk, backgrounds, regulations
Whose job is it anyway?
Top Security Concerns (Top/High Concern)
[Chart: share of respondents rating each concern top/high, series EMEA, France, Germany, United Kingdom; concerns: Application vulnerabilities, Malware, Configuration mistakes/oversights, Mobile devices, Faulty network/system configuration, Hackers, Internal employees, Cloud-based services, Cyber terrorism, Trusted third parties, Corporate espionage, Contractors, State sponsored acts, Hacktivists, Organized crime]
Recruiting Perspective
» Planning for the next generation workplace: experts, IT, business and employees
» Adding the strengths of the academic community to the process
» CEN workshop membership, including (ISC)2
» Cyber experience; universities, educators; stakeholders: ICT, business, gov’t; UK academic experience
» Guidelines for: curriculum, apprenticeships, occupational standards
» Work-based learning, apprenticeships, undergraduate university/higher learning apprenticeships, training
» Cybersecurity principles and learning outcomes
» BCS, IET, CompTIA, Tech Partnership, CPHC (40 universities)
» BIS, OCSIA (Cabinet Office); GCHQ; (ISC)2; IISP, ISACA
» 2014/15/16 Workshops - 66 universities, professional bodies, government
» Published June / referenced within BCS accreditation – June 2015
» Mapped to Apprenticeships/occupational standards – Consultation December 2015
BCS – Where relevant
» Information and risk: models and concepts and the relationship between information and system risk
» Threats and attacks: threats, how they materialise, typical attacks and how those attacks exploit vulnerabilities
» Cybersecurity architecture and operations: physical and process controls to identify and mitigate vulnerability, and ensure organisational compliance
» Secure systems and products: the concepts of design, defensive programming and testing for resilient systems
» Cybersecurity management: the personal, organisational and legal/regulatory context in which information systems could be used
http://cert.isc2.org/isc2-cphc-whitepaper/
References & Content - Principles
» Association for Computing Machinery (ACM)
» Detailed standards outlined within British Standard PAS 754 Software Trustworthiness
» (ISC)2 International Academic Programme / bodies of current practice knowledge that underpin our CISSP and other professional certifications
» Framework for higher education qualifications in England, Wales and Northern Ireland
» Learning outcomes to satisfy Level 4 requirements; advanced concepts & learning outcomes to Level 5 and 6 requirements, with examples of application to subject areas including database systems, software engineering, operating systems, etc.
Closing an Interpretation Gap
» Security is well referenced right across the eCF framework, alongside project management, service delivery etc.
» Overall the eCF is written for an audience with a good, established understanding of the concepts referenced... security does not fall into this category
» Basic terms are used, e.g. A1 Plan includes “ensures a secure environment” in its description and requires security knowledge in the knowledge area
» Portrays a generic security management function
Through the eCF Lens – D1
CPHC principles: 1. Information and risk; 2. Threats and attacks; 3. Cybersecurity architecture and operations; 4. Secure systems and products; 5. Cybersecurity management
http://cert.isc2.org/isc2-cphc-whitepaper/
» Plan: 1. Information & risk; 2. Threats & attacks; 3. Cybersecurity architecture & operations; 4. Secure systems & products
» Build: 3. Cybersecurity architecture & operations; 4. Secure systems & products
» Run: 2. Threats & attacks; 3. Cybersecurity architecture & operations
» Enable: 1. Information & risk; 4. Secure systems & products
» Manage: 1. Information & risk; 2. Threats & attacks; 5. Cybersecurity management
Adding Granularity – D2&4
» A1 – security requirements analysis; alignment to risk appetite
» A1-A4/A9 – understanding of information and risks
» A3 – economics of security risk management
» A4 – knowledge of secure development lifecycle
» A5/A6 – understanding of threats & attacks
» B1-3 – functional security requirements, e.g. authentication, data encryption; manage secure software and systems development lifecycle
» B4/B6 – penetration testing/vulnerability scanning; vulnerability and misuse testing
» C1 – recognise/manage current security threats & attack vectors, e.g. phishing, malware
» C2 – knowledge of security architecture
» C2/C3 – understand and be able to apply principles of security controls
» D1 – security design: knowledge of security metrics, testing regimes; interpret security analytics
» D2/D4 – includes security benchmarks, process improvement
» D10/11 – security design/requirements, understanding of information and risk
» D12 – data collection restrictions
» E3 – fundamentals of security policy; economics of security risk management
» E5 – security analytics; testing for security failure
» E7 – trends: cloud, AI, IoT
For example, D2&4:
» B1-3 – functional security requirements, e.g. authentication, data encryption; manage secure software and systems development lifecycle
» B4/B6 – penetration testing/vulnerability scanning; vulnerability and misuse testing
» Build: 3. Cybersecurity architecture & operations; 4. Secure systems and products
Finding the Fit
» Mobile/remote communications; innovation lifecycle
» Identity & access management; access control; incident response & recovery; forensics
» Access control systems; data protection requirements
» E8: disparate function, embedded across Run/Enable
Embedding Security as Core
» Security architecture will be core to ICT architecture
» Secure software lifecycle will be core to the software development cycle
» Data and security management will be core to risk management
» Quality, testing… etc.
Need to Federate Knowledge
» Federate knowledge widely
» Move away from the idea of generic security management
» Key concepts, terms, functions, features, behaviours that are relevant across functions
» Influence innovation and the development of new service models – applications to smart cities
» Provoke understanding of competences at a task level
Debunking Myths
» It’s a technical discipline
» It’s Security’s job
» It’s about the defences
Debunking Myths
» It’s also a management discipline
» It’s everybody’s job
» It’s about the opportunities