New Zealand Information Security Workforce Development Strategy
November 2012
A Comprehensive Strategy Addressing the Recruitment, Retention
and Professionalization Needs of the New Zealand Information
Security Industry
Prepared and presented by In2securITy Limited
New Zealand Information Security Workforce Development Strategy
November 2012 In2securITy Limited Page 1
Abstract
New Zealand has faced many challenges when protecting its valuable information. Time and again,
many private and public sector organisations have failed to approach these challenges with the
maturity, governance and technical excellence that modern systems require.
As the pace of technical innovation increases, the complexity and quantity of these challenges will
only increase. As a result, New Zealand needs to seize this opportunity to modernise its approach to
the recruitment, retention and professionalization of its information security industry – an industry
that will be tasked with protecting our systems and sensitive information for years to come.
This document outlines the issues faced by New Zealand organisations when addressing this
challenge as well as the threat posed by failing to act now.
In addition, this strategy contains an evaluation of a 12 month pilot scheme, in2securITy, launched in
2012 to address these issues. This scheme has proven without doubt that New Zealand has a large
appetite and need for this kind of development programme.
Finally, this strategy outlines a set of objectives and operating principles for the implementation of a
National Information Security Workforce Development Strategy, to consist of a set of proposed
initiatives – each designed to make New Zealand a global leader in the strategic development of
world class information security professionals.
Executive Summary
New Zealand has a problem with information security.
Popular opinion in the cyber age is that security issues stem from a lack of technology, the
application of which can solve all problems.
Technology however, is nothing without skilled systems architects, implementers and operations
staff. Without people, technology is not a solution; it is just one of many tools available to the
modern organisation.
While technological innovation is high within the New Zealand market, the national spend on
educating, training and developing skilled technical personnel is surprisingly low, creating an
imbalance and directly contributing to the fragility and vulnerability of our nation's IT systems.
An increasing number of high profile system breaches have reinforced that from initial systems
development and design, through to implementation and operational management, New Zealand
businesses and public sector organisations are struggling to cope with the demands of a “connected-
by-default” society.
This lack of skilled security professionals affects public, private and academic sectors, impacting on
small business systems and multi-million dollar cross-organisation projects alike. It is a national
problem and requires national attention.
New Zealand is embracing the internet and the business opportunities it brings. It will continue to
do so at an increasing pace as technology and connectivity becomes cheaper and more widely
available. The days of “learning by doing” and “she’ll be right” in systems security are over.
We have a responsibility to adapt to this challenge and build a new generation of skilled security
professionals to enable our country to operate in this new environment as safely as possible.
Meeting this obligation is key to survival in the global technology market.
The New Zealand Information Security Workforce Development Strategy provides an overview of the
information security industry in New Zealand and globally.
In addition, a high level analysis of the strengths and weaknesses of the New Zealand information
security industry is provided. This has identified great community enthusiasm and strength within
a number of active groups. It has also however revealed vulnerability introduced by a combination of
poor awareness, poor cross industry communication and low availability of objective information
with which to plan career development.
Looking forward, New Zealand has the chance to become a global leader in strategic development of
information security professionals. By capitalising on the agility and innovation innate within our
technical industries and presenting a quality, security focused global brand, New Zealand could
experience high volume growth in emerging markets such as highly distributed systems and remote
IT service provision.
This can only happen however if, as a nation we can address some of the upcoming threats to our
industry. These include rapid service growth from Asian, South American and Indian markets,
reputational damage from regular publicised systems compromises and increased emigration.
This strategy outlines a set of objectives, operating principles and initiatives aimed to address these
issues. Together, these items will allow New Zealand to define a lean programme that focuses on
education over bureaucracy in a transparent and accountable way. This programme aims to develop
New Zealand as a global leader in the field of information security workforce development.
In2securITy Limited launched a limited scope pilot to implement parts of this strategy in 2012. This
pilot achieved great success despite limited resources and reliance on unpaid volunteers. A detailed
evaluation of this pilot, its achievements and its limitations is included as part of this strategy.
This whitepaper proposes the following ten initiatives to extend the 2012 in2securITy pilot:
Dedicated Security Education and Project Spaces
National Security Apprenticeship Scheme
Security Training and Development Fund
National Schools Integration Programme
University Integration Programme
National Security Awareness Programme
Mentoring Programme Expansion
Improved Web Portal
New Zealand Computer Emergency Response Team (CERT)
Information Security Workforce Development Board
A comparison of these proposed initiatives has been included in this document. This measures each
initiative against the core objectives identified by in2securITy for the operation of a successful
Information Security Workforce Development project as well as geographic inclusion, cost and
overall estimated impact.
Finally, this strategy strongly recommends the introduction of a government funded Information
Security Workforce Development Scheme based on the objectives and operating principles outlined
herein. This scheme should expand upon the in2securITy pilot and consider a range of the proposed
initiatives.
Contents

Background 8
  Information Security in New Zealand 8
  Information Security in a Global Market 10
  Key Employment Demographics 12
    Dedicated Security Roles 12
    Integrated Security Roles 12
    Academic Security Roles 13
Analysis 15
  Strengths 15
  Weaknesses 16
  Opportunities 19
  Threats 19
Requirements 23
  The Five Core Objectives 23
  Operating Principles 24
  Dependencies and Key Relationships 25
  Funding Options 25
  Measuring Success 26
Current Initiatives 28
  Introduction to In2securITy 28
  Pilot Funding and Resources 28
  Pilot Initiatives 29
  Pilot Limitations 31
Proposed Initiatives 34
  Initiative Overview 34
    Comparison Metrics 34
    Comparison Matrix 35
  Initiative One: Dedicated Security Education and Project Spaces 36
  Initiative Two: National Security Apprenticeship Scheme 38
  Initiative Three: Security Training and Development Fund 40
  Initiative Four: National Schools Integration Programme 42
  Initiative Five: University Integration Programme 44
  Initiative Six: National Security Awareness Programme 46
  Initiative Seven: Mentoring Programme Expansion 48
  Initiative Eight: Improved Web Portal 50
  Initiative Nine: New Zealand Computer Emergency Response Team (CERT) 51
  Initiative Ten: Information Security Workforce Development Board 52
Conclusion 54
Recommendations 54
References 54
Background
In This Section:
Information Security in New Zealand
Information Security in a Global Market
Key Employment Demographics
Background
Information Security in New Zealand
Cultural Imperatives
New Zealand is known as a nation of people who are unafraid of a challenge or of taking risks.
From the much lauded “Number 8 wire” approach to fixing problems to the prevalence of “she’ll be
right”, we are a country of people who are ready to try out new things, get our hands dirty and
experiment.
Whilst these traits create a fertile development environment for new business and innovation, they
have also contributed to the nation’s immature approach to information security.
Furthermore, the fiercely proud “Made in New Zealand” ethos that permeates small business often
translates into a phenomenon in technical fields known as “Not Invented Here”.
“Not Invented Here” manifests in two ways.
In the first instance, individuals, groups and organisations will prioritise country of origin or
operation over security, innovation or quality. In this case, decision makers will intentionally choose
inferior or less secure products and services because they come from a particular location.
In the second and more dangerous case, individuals, groups and organisations will design their own
version of a product instead of utilising an existing mature product or system from elsewhere (in this
case overseas).
In the small business and innovation space, “Not Invented Here” has led to fundamental security
mistakes including self-built cryptographic solutions, immature trust models/ authentication systems
in software applications and use of niche/unsupported development tools and languages.
While promoting New Zealand businesses and solutions is a fantastic way to develop our nation as a
leading technical force and to foster further innovation, development and business growth, the naïve
assumption that geographic source alone creates a mature, secure IT product/system must stop.
Further work must be carried out to ensure that “Made in New Zealand” means a product/system
that was built locally, in a secure, robust and mature manner. Such products should be thoroughly tested, well
maintained and monitored and regularly updated to account for new security threats and changes to
the technological landscape. Until this is the case, “Not Invented Here” remains a danger to IT
projects nationwide.
Security in an Agile and Innovative Market
New Zealand organisations are increasingly adopting agile development and design principles. These
principles focus on rapid development, frequent integration and short delivery iterations. This
allows organisations of all sizes to bring new development ideas and products to market in a short
period of time and is helping the country gain traction as an innovative and fast paced market.
Agility, particularly in software and IT systems development can, however, come at a cost. Security
considerations and design patterns are perceived as complex and slow to implement, a direct
contrast to the fast paced and flexible approach associated with agility and innovation. It is
unsurprising therefore that these security requirements are left until very late in the project or
removed entirely.
In reality, security can be integrated into an agile lifecycle (1) with relative ease. By combining
security requirements with functional requirements on an iteration by iteration basis, security can
be built in from the first release. The adaptation of test driven design mechanisms to include security
testing in every iteration release provides a lightweight and constantly evolving sense of security
awareness across the entire project. This approach could allow New Zealand to continue to be
innovative and rapidly bring new products and services to market whilst building security in by
default.
High Pressure, High Consequence
The past 12 months have seen a dramatic increase in not only the size and frequency of
information security breaches within New Zealand, but also a change in the amount of media and
public interest in such events.
It is no longer the case that breaches (particularly those exposing private information) only receive
limited coverage in the technical column. Today, breaches are widely covered by print and online
media and result in high volumes of public debate.
Recent events have highlighted issues with many aspects of security within New Zealand
organisations (2):
Lack of systems monitoring and operational security to detect and prevent breaches.
Immature understanding of/ approach to the acceptance of risk.
Poor integration of security design and testing into the systems development and
maintenance lifecycles.
Insufficient incident response planning and integration of incident response procedures
across the entire organisation.
Poor level of awareness with regard to information security fundamentals across New Zealand
media.
The reputational damage from such compromises can have a lasting effect on an organisation and
any third parties it is associated with, a result that is compounded further by kneejerk, unplanned
public statements and incident response.
In terms of financial impact, the exact cost of such systems compromise is unclear. While the total
cost is rarely revealed and difficult to calculate accurately, associated costs include a wide range of
remediation activities aside from simple technical systems changes. From legal costs to marketing
activities and staff training, the cost and resource impact of a security breach far exceeds the
IT department's budget.
The most significant feature of these breaches has been the mismatch between the perceived
complexity of breaching a large system and the reality. The majority of public systems compromises,
data loss and breaches within New Zealand do not come from Advanced Persistent Threat (APT)
actors but from rudimentary failures in the design, implementation and monitoring of our systems:
issues for which tried and tested solutions have existed for many years. These compromises
have cost organisations thousands in remediation activities (3) and could have been avoided with
simple, cost effective and well known security design patterns and an increased focus on defensive
operational practices.
Small Island Syndrome
In geographic terms, New Zealand is a very remote location. Its relatively small size and low
population numbers, coupled with the cost of international travel can create a sense of isolation and
separation – even in the digital age.
While these features make New Zealand a beautiful and popular location to live and operate, they also
create a false sense of security. A land with no natural predators, with no history of large scale
invasion and with no direct political threats has a natural sense of ingrained security.
When large organisations overseas are compromised, the severity and relevance of these events can
be diluted by the distance and differences between the two countries. In fact, New Zealand
organisations rarely identify similarities and implied risk to their systems and business from foreign
systems breaches. In most cases, a New Zealand based incident is required to focus attention and
motivate organisational change.
Evidently, this behaviour is not unique to New Zealand; however, its impact on the agility and
awareness of the country in the face of information security vulnerability is high. By devaluing
lessons and case studies happening outside of New Zealand and focusing on local incidents, valuable
security lessons are ignored until they occur closer to home. This reduces the time available for
remediation efforts and increases the remediation cost.
Fixing an issue over 12 months after an incident in a similar European system is much cheaper and
less stressful than remediating an issue within 2 weeks as a result of a breach within a New
Zealand organisation.
Information Security in a Global Market
Connected By Default
Internet based and distributed systems are no longer the reserve of cutting edge innovators. With
the rise in portable computing devices and the reduction in cost of IT hardware and bandwidth, high
availability, interconnected systems are now expected of the modern organisation.
As demand for these systems has grown and fostered a “connected-by-default” mentality, the
demand for high calibre security professionals has in turn risen (4).
These professionals are expected to design, implement and manage sophisticated information
systems, often spanning massive geographic distances and combining modern and legacy
technologies.
These systems often cross international borders, time zones and legal jurisdictions. Downtime and
compromises in these kinds of systems are now measured in millions of dollars (5).
The End of the Silent Failure
Information systems breaches and data loss cases are big news. The internet, social networking and
the growth of subjective content production means that news of security incidents reaches an
international audience quickly and spreads fast. Within hours of a public breach disclosure, the
international online technical press will normally feature coverage.
In addition to the fast, uncontrolled nature of the coverage, most media outlets provide (and
encourage) interactive, international debate of their stories. This creates an evolving story, reaching
a wide target audience. Subjective commentators can write about, comment on and analyse these
incidents publicly and at length with no oversight or authority. The quality of their reporting is rarely
verified, and evidence to support their claims is rarely present.
In essence, once a story breaks there is no stopping it.
New Zealand, like all other nations can suffer reputational damage from this sort of publicity. In fact,
the only proven way to avoid the negative impact of an information security breach in the
international press is to minimise the likelihood of such a breach happening in the first place.
Crossing Linguistic, Social and Cultural Boundaries
Information Technology is a field that crosses linguistic, social and cultural boundaries. Whether an
organisation is based in Hamilton, Moscow or Delhi, the technologies and concepts in use remain
the same.
This has created an employment market like no other. Information security professionals are globally
mobile with skills that can apply to any country. As a result, when New Zealand requires talented
information security professionals, its employers are competing with similar positions globally, not
just within New Zealand.
This is particularly noticeable in New Zealand where an already high emigration rate is compounded
by the fact that information security roles pay less than those in neighbouring countries. A successful New
Zealand recruiter must offer a job package that can not only compete with similar national
organisations but also those in neighbouring countries.
Retaining a young IT professional requires more than just job security; they are looking for
career development challenges and a benefits package comparable to those offered abroad.
Key Employment Demographics
Dedicated Security Roles
Definition
In the context of the New Zealand employment market, dedicated security roles refer to those
people employed in a position whose sole function is the implementation, testing or management of
security for one or more organisations.
Dedicated security roles span both technical and non-technical specialists. Successful security
specialists often come from a more general technical background and may have been implementers
or developers in previous roles.
Dedicated security roles currently represent approximately 20% of the New Zealand Information
Security market and can be found in both public and private sector organisations.
Key Skills
Technical generalists (Technical Roles Only)
Highly adaptable, fast learners
Skilled communicators (both verbal and written)
Analytical and logical
Risk focused
Example Job Titles
Penetration Tester
Forensic Analyst
Security Consultant
Incident Responder
Security Architect
Integrated Security Roles
Definition
Integrated Security roles include those positions which require a working knowledge of security best
practice and methodologies in the context of a traditional technical, project or managerial role.
This category of roles is rapidly increasing and now includes most technical professionals as well as
those employed to design, support or manage technical systems.
Integrated security roles currently represent approximately 75% of the New Zealand Information
Security market and can be found in both public and private sector organisations.
Key Skills
Security knowledge supports core technical discipline (Technical roles only)
Innovative
Skilled integrators balancing business and security requirements
Skilled communicators
Example Job Titles
Software Developer
Infrastructure Engineer
Project Manager
Systems Architect
Support Engineer
Technology Manager
Academic Security Roles
Definition
Academic security professionals are charged with the task of furthering security technologies and
techniques. From teaching within formal learning environments such as universities and
polytechnics through to conducting cutting edge research, academic roles are a small, key group of
positions within New Zealand and can be some of the hardest to fill.
Academic security specialists may have migrated from commercial or government roles but have
often had a long standing academic relationship. Academic roles are fundamental to the growth of
New Zealand and our contribution to the security field. The academic community however is
fragmented and insular which can damage integration between researchers and business needs.
Academic roles currently represent approximately 5% of the New Zealand Information Security
market.
Key Skills
Deep knowledge in a small number of disciplines
May specialise in security or integrate security as a part of a more complex subject set
Skilled communicators
Highly educated (most roles require a PhD and proven published academic record)
Methodological, analytical thinkers
Example Job Titles
Lecturer
Researcher
Analysis
In This Section:
Strengths
Weaknesses
Opportunities
Threats
Analysis
Strengths
Well Established Community
The New Zealand information security community is well established and active. Despite geographic
disparity, several community groups have formed and meet on a regular basis. While a formalised
leadership and governance structure does not exist, each group has specialised to serve a specific
need or demographic.
When issues arise, communication between organisations and professionals is essential. In many
cases formal communication channels between competing businesses do not exist. These groups
have evolved to provide a safe mechanism for issue discussion and resolution.
Services provided by these groups include:
Knowledge sharing and talks
Conferences and community gatherings
Working groups and research
Networking
Example groups include:
New Zealand Information Security Forum (part of the New Zealand Security Association) (6)
New Zealand Information Security Interest Group (NZISIG) (7)
New Zealand Internet Task Force (NZITF) (8)
InternetNZ (9)
Kiwicon (New Zealand hacker conference) (10)
First Tuesday (Security Executive Networking Group) (11)
ISACA (part of the international ISACA organisation) (12)
ISC2 (part of the international ISC2 organisation) (13)
In2securITy (Information Security Development and Education Organisation) (14)
Internationally Recognised New Zealand Security Professionals
Despite its size, New Zealand has created a surprisingly high number of world class security
researchers and professionals. This legacy of talented and globally respected individuals has created
a strong set of role models to which many current New Zealand professionals aspire.
New Zealand achievements include:
Presentation at global information security conferences such as Black Hat (15) and Defcon (16)
Development of security tools in use by thousands of professionals worldwide
Identification of security flaws in widely used software products and the responsible
disclosure of said issues
Employment in senior security positions within global organisations such as Google and
Microsoft.
Acceptance and Prioritisation of Issue
The New Zealand information security community is made up of volunteer representatives from a
range of organisations and groups. This community has widely and openly acknowledged the issues
it faces in the areas of talent development and retention. This issue has been prioritised, and many
individuals have given time, resources and effort to participating in activities related to its resolution.
In addition, a need for more maturity and governance in information security projects and related
organisations remains a constant focus for this group.
By recognising and prioritising this issue, the New Zealand information security community has taken
the vital first step.
Unfortunately, the information security community does not officially represent the information
security industry. The wider information security industry must work together to officially own and
prioritise this issue.
Weaknesses
Ambiguity in Language (including Employment Titles/Roles)
The IT industry is renowned for its complex language and buzzwords. Information security is no
different, particularly when it comes to job titles. This ambiguity and complexity in job titles impacts
the industry in two ways.
From a job candidate’s perspective it can be difficult to tell what a job involves, likely responsibilities
and expected seniority. This impacts a candidate’s ability to judge their own suitability for a role.
From an employer’s perspective, previous job titles are one of the pieces of information with which
they will judge the suitability of job applicants. A CV or application littered with grand titles can seem
impressive at first glance but can often be a poor representation of the actual roles undertaken.
While an overhaul of the language used in job titles is out of scope for any initiative or programme,
provision of an objective information source that can decode this language would be a simple and
effective solution.
The Information Security Certification Industry
The information security certification industry is huge.
Many professional and commercial bodies have launched ranges of information security
certifications and qualifications aimed at promoting professionalization within the industry. (17)
Qualifications vary in price from several hundred dollars to several thousand. In addition to upfront
training and exam costs, many certifications expire after a period of 1-3 years. These certifications
require a retest or renewal fee to sustain and update.
At this time, no objective assessment of information security qualifications exists. Professionals will
choose their certifications based on job role requirements, word of mouth or marketing campaigns.
Many employers will require a range of named certifications and qualifications for a particular role.
These requirements are often based on perceived industry standards, subjective opinion or similar
existing positions.
While certifications remain a clear way to demonstrate technical ability or specialism, the breadth
and size of the certification market, combined with the lack of objective information about the
suitability of individual certifications, creates persistent uncertainty. This uncertainty makes choosing
qualifications/certifications difficult and expensive.
Current Reliance on Individuals
The majority of New Zealand information security initiatives are funded by donations and rely on the
time and enthusiasm of unpaid volunteers. Without such people and their efforts, most of the
existing groups and community would cease to exist.
While voluntary provision of these groups and services is both useful and noble, the reliance on such
individuals to continue in this way is naïve. People will move roles and locations, circumstances and
funding levels will change.
Support must be provided both financially and in terms of resources so that these initiatives and the
individuals and groups running them can continue. This support should come from a combination of
national government and private sector industry.
Communication across IT Communities
While dialogue and knowledge sharing within the information security community is well developed,
it operates largely in isolation from the rest of the IT world and the information security industry.
Integration with other IT communities is essential if awareness of information security is to
propagate.
All IT professionals of all specialisms have an obligation to be aware of information security and its
implications. As information security professionals, we have an obligation to help raise awareness of
information security and encourage the creation of systems that are “secure-by-design”.
Lack of Defined Career Development Streams
Information security is a new specialism. As such there is much confusion surrounding how best to
start out and develop a career within it.
Even once an individual gains an entry level security position, there is little guidance on the paths
available for career development from that point.
Compounding this issue further is the IT qualification and certification industry which provides a
range of competing options (as previously discussed). Very few of these certifications have been
independently verified for suitability, content or effectiveness.
Without clear guidance or objective information, professionals can face a confusing and sometimes
expensive career.
Poor Security Awareness
Information security is a complex field and when applied to the diversity of organisations in New
Zealand, this complexity is only amplified. Every organisation is different and has a different range of
(often conflicting) requirements.
It can be challenging for business leaders and technical implementers to identify which aspects of
information security are relevant to their projects and businesses and even once identified,
objective, trustworthy sources of advice and information are hard to find.
When the commercial information security industry and vendors are added to this mix, an already
confusing subject becomes intertwined with marketing materials and vendor specific terminology
and jargon.
The net result of this is a lack of security awareness. Without a solid security awareness foundation,
all attempts to introduce security initiatives and mitigations will invariably fail.
Educational, Business and Government Integration
With the exception of NetSafe (18) and its subsidiaries, all information security groups and initiatives
in New Zealand are independent and have no business, educational or government integration.
While this means they remain unbiased and objective it also means that their influence and reach is
limited.
Furthermore, there is little consistent integration between educational organisations, businesses
and government on the issues of information security. The result of this is a confused and
sometimes contradictory dialogue within New Zealand and a lack of efficiency and consistency in our
national approach to information security.
While the New Zealand Cyber Security Strategy (June 2011) (19) goes some way to address this
issue, many of the initiatives outlined in this document are categorised as “longer-term” and
requiring further investigation. This includes all initiatives for the provision of training and
development of cyber security professionals.
While the Cyber Security Strategy led to the creation of the New Zealand National Cyber Security
Centre (NCSC) (20) which was founded to centralise cyber security support for government and
critical national infrastructure, the vast majority of New Zealand organisations are not included in
this group.
The lack of a national Computer Emergency Response Team (CERT) (21) means that without
considered effort, this situation is unlikely to be resolved quickly. This will continue to have a serious
impact on the nation’s ability to produce secure systems and respond to information security
threats. Of the 34 OECD countries (22), New Zealand remains the only country without this capability
(23).
Opportunities
Massive New Zealand Online Expansion
New Zealand businesses and organisations are embracing online operation at a rapid rate. Even the
smallest businesses are experimenting with online retailing, expanding their reach and reducing
their operating costs.
Large organisations are looking to globally distributed technologies such as the cloud to facilitate
inter-organisation integration and increase efficiency.
Now more than ever, every IT professional within the country has a responsibility to be conscious of
security. Furthermore, the demand for skilled IT and information security professionals has never
been higher. Failure to respond to these demands could limit the success of this growth period and
damage New Zealand’s ability to compete.
Becoming a Global Leader in Information Security Education and Development
While the UK, USA and other OECD countries are facing the same challenges as New Zealand in
terms of developing and retaining information security professionals and increasing the security of IT
and information systems, there are few co-ordinated programmes to address this issue.
While high-publicity campaigns (24) such as those by the Government Communications Headquarters
(GCHQ) (25) have generated interest in the field, these have been marketing campaigns for one
employer. There remains no centralised or independent programme or effort to address this issue.
In the USA, several national events and initiatives exist, funded by a mix of government (defence and
intelligence) programmes and community groups. Events such as the National Collegiate Cyber
Defense Competition (CCDC) (26) (a large-scale network defence competition) and a range of
scholarships and competitions from large organisations and interest groups are increasing interest
and gaining international exposure.
By creating a national strategy and programme, New Zealand could become a global leader in the
development of information security talent.
By remaining independent from, but working closely with, government and national organisations, a
world class education and development programme could be created. This programme would be
unique in the Asia Pacific region and, if closely integrated with other westernised countries, could
provide New Zealand with a clear, marketable advantage in the international market place.
This could help attract talent and business to New Zealand as well as help retain existing home
grown organisations and individuals.
Threats
Increased Attack Surface and the Defender Deficit
Rapid expansion and increased ambition globally are creating a larger visible attack surface for New
Zealand. This attack surface includes web applications, distributed systems and shared data stores.
New Zealand organisations consistently struggle to find, attract and retain high quality IT and
information security professionals to design, maintain and protect such systems. As time passes,
this deficit of defenders will lead to increased vulnerability.
Increased vulnerability and a lack of defensive implementation practices will only increase the
number of information security and data breaches in New Zealand.
Reputational Damage
Security breaches are big news.
Breaches in New Zealand organisations now feature on the pages of international technical and
security publications. It is only a matter of time before they reach more mainstream audiences via
the proliferation of blogs and online news vendors.
The reputational damage from such breaches damages all New Zealand organisations, whether they
are government, small businesses or internationally trading.
An organisation can only tolerate a certain amount of reputational damage before it impacts
profitability or customer trust. Once this tolerance is exceeded, private sector organisations often
cease to trade and public sector organisations face widespread restructuring, increased auditing
and oversight.
It is in every New Zealand organisation’s interest to avoid further reputational damage.
Increased Emigration
Information security is not the only area of the New Zealand employment market affected by the
increased emigration of talent; however, it is one of the areas that cannot simply rely on the
immigration of new foreign talent to make up for the shortfall.
While a high number of talented immigrants are entering the country under the skilled migrant
category and accepting information security positions, there are a number of organisations and roles
that require New Zealand citizenship as a prerequisite. This includes government agencies and those
dealing with sensitive data. These positions are those most affected by increased migration and are
often those requiring high calibre information security talent the most.
Increased Global Competition
Information Technology is a truly global business. With the exception of the physical installation of
computer hardware, the majority of IT services (including security) can be provided remotely from
anywhere with sufficient connectivity.
As such, the competition to provide such services is high. Rapidly developing economies such as
India, China and Latin America are emerging as dominant global providers of high quality IT services
such as software development, security testing and systems hosting.
While some cultural and language issues have traditionally plagued such providers, these are
improving. When combined with strong exchange rates and lower costs, many businesses are
choosing to offshore their services in this way.
While public sector organisations will remain dependent on New Zealand service providers, those IT
service organisations servicing the private sector must now compete with an entire global
marketplace.
In order to compete successfully, New Zealand based IT service providers must ensure that not only
are they providing a high quality, cost effective solution but that they are delivering systems that are
secure. This will become an increasingly important factor in a service organisation’s ability to
compete (nationally and internationally).
As well as facing increased competition for New Zealand based contracts, New Zealand service
providers need to embrace the global market to expand.
The national IT market is relatively small. To reach their full potential, service providers must seek
international contracts and begin to service geographically distant clients, capitalising on our agility,
favourable exchange rates and innovation.
International markets, especially those in more developed nations, have high expectations of their
service providers and will expect a high level of competence in all aspects of service delivery. This
includes information security.
Requirements
In This Section:
The Five Core Objectives
Core Operating Principles
Dependencies and Key Relationships
Funding Options
Measuring Success
Requirements
The Five Core Objectives
In order to address the threats and weaknesses identified in this report and grow New Zealand as a
global leader in information security professional development, the following five core objectives
have been identified.
ONE: Awareness
Awareness of information security issues from the classroom through to the boardroom.
TWO: Career Development
Clear, defined, flexible career development and training plans for all those seeking a career in, or
currently employed within, the information security industry (including dedicated, integrated and
academic roles).
THREE: Centralisation and Governance
National posture of “Secure by Design” for all information security projects, led and incentivised by
the government. Strategic leadership rather than reactive.
FOUR: Advisory
Centralised source of advice, guidance and advisory and government liaison for all public and private
sector organisations and individuals.
FIVE: Training
High quality, cost effective security training nationally available (including flexible and on-demand
learning options).
Operating Principles
To maximise its impact and chance of success, the following operating principles should be adhered
to by those charged with the implementation of this strategy:
1. Education Before Administration
The provision of high quality educational opportunities should always be prioritised above
unnecessary administration, bureaucracy and red-tape.
2. Transparency And Accountability For All
The provision of educational initiatives carries a burden, particularly when it comes to
accountability. All initiatives should be able to account for their spending and activities and
identify the objectives they intend to meet.
3. Practice What We Preach
Information security is a complex, advice-filled field. All information, education and guidance
provided by this initiative should represent best practice. Those charged with providing this
information should be respected professionals with a track record of practising their own
recommendations.
4. No-Profit… No Negotiation
Profiting from the provision of any of the initiatives presented in this document or the
development of the New Zealand information security workforce would be inappropriate
and weaken the intention of such activity. While profit driven organisations may provide
services to support this strategy, its overall governance must remain free from financial or
commercial motivation.
5. Communication Technologies Before Travel
Travel and accommodation can be a huge financial drain on any organisation. Given the
availability of high quality internet communications mechanisms, the use of travel (both
international and national) should be limited to maximise the funds available for educational
work.
6. Lean Operation
Following on from principle 5, administration and operating costs should be minimised. This
should include at a minimum the use of shared administration/office services and minimal
use of printed materials.
7. Leverage Community And Industry Relationships
The existing information security community is a great source of industry knowledge and
contacts. They are the people most in touch with current industry conditions and will be a
vital source of performance metrics for any activities conducted.
8. Collaboration Not Competition
Where objectives are met by alternative groups or schemes within New Zealand, this
strategy recommends collaboration not competition. Competition is a waste of resources
and can lead to contradictions in the intended message.
Dependencies and Key Relationships
The success of this strategy will rely on close integration between public sector, private sector and
academic institutions. The following organisations and groups have been identified as particularly
critical to its success:
National Cyber Policy Office
Ministry of Foreign Affairs and Trade
Ministry of Social Development
Ministry of Education
GCSB/NCSC
Industry Leaders and Groups
Schools, Universities and Tertiary Education Providers
NZQA
Security Industry Professionals
Ministry of Justice
Equivalent International Organisations and Initiatives
Funding Options
Funding is a complex issue and can have a dramatic effect on the effectiveness of a strategy and its
message.
At its most basic, the following funding options should be considered:
Government Funding (Preferred)
Government funding is the preferred option for an initiative such as this. Government funding can
provide stability and objectivity in more than just financial terms. In addition to funds,
government funding and involvement can facilitate national adoption and provide crucial contacts
both nationally and internationally.
Government involvement does however come with some overhead. With a reputation for a
committee based, heavy-weight bureaucratic approach, the agility and innovation previously
employed in pilot activities can be compromised or lost altogether.
Industry Sponsorship
Industry sponsorship can raise vital funds and industry credibility without the overhead associated
with government organisations.
In order to maintain objectivity however, sponsorship must be found from a range of organisations
and funding agreements formulated in such a way that the educational message is not compromised
by the commercial interests of sponsors.
Industry association requires a fine balance of negotiation, relationship management and
commercial awareness.
Cost Recovery
The cost recovery model is the simplest funding method available but could also have a detrimental
effect on any initiative’s uptake and success. In a cost recovery model, small charges to cover the cost
of administration and logistics are charged to participants for events and activities. These charges
are limited to covering only the actual cost of providing the service.
Cost recovery must be very carefully managed and can compromise the overall message of the
initiative. Introducing participant cost will reduce uptake from those with limited budgets or those
unsure of their level of interest.
Hybrid Funding
A hybrid funding model could balance the above options and be used on an activity by activity basis.
Government funding for core initiative activities supplemented by industry sponsorship for larger
events is a popular model.
Measuring Success
Measuring the progress and effectiveness of a strategy is important. It allows initiatives to be
reviewed and adapted to maximise their effectiveness. It also supports accountability and can be
used to justify continued funding, support and operation.
As an educational strategy, success cannot be measured by traditional metrics such as profitability.
The following alternative methods are proposed for measuring the effectiveness of this strategy and
the proposed initiatives herein.
Creation and execution of industry surveys to measure the perceived state of the
information security workforce. Execution of such surveys at regular intervals will allow for
periodic assessment and identification of positive and negative trends.
Collaboration with industry and community organisations to measure increases/decreases in
participation.
Analysis of event participation and feedback
Indications of success could include the following:
Increased availability of skilled information security professionals (characterised by
reductions in the time taken to fill vacancies)
Increased uptake of information security training courses across tertiary and professional
education providers.
Increased attendance at information security events.
Increased attendee diversity at information security events and community groups (to
include increased representation of integrated information security roles).
Current Initiatives
In This Section:
Introduction to In2securITy
Pilot Funding and Resources
Pilot Initiatives
Pilot Limitations
Current Initiatives
Introduction to In2securITy
In2securITy (14) is a New Zealand based education initiative founded in November 2011 and publicly
launched in January 2012.
At Kiwicon 5, Brett Moore (27), a prominent member of the New Zealand information security
community, security researcher/tester and business owner, spoke at length about the history of the
national information security industry. This talk made two important points.
New Zealand has historically “punched above its weight” in the field of information security,
producing several world respected professionals who have gone on to hold high level
positions in world class organisations.
New Zealand can’t find enough talented new professionals to continue this tradition and
cope with the increase in demand.
In2securITy was formed by current New Zealand professionals and is based upon the principle that
by combining simple initiatives such as mentoring and work experience with an objective source of
regularly updated career development and training information, New Zealand could cultivate a new
generation of dedicated and integrated information security professionals.
In2securITy was formed as a New Zealand limited company with a strict non-profit operating
mandate. It is run by a team of 3 volunteers and supported by an ad-hoc contributing group of
speakers, mentors and writers from across the IT and information security community.
In2securITy operates with a simple mission statement:
To educate, encourage and inspire a new generation of information security
professionals for New Zealand
Pilot Funding and Resources
Funding for the initial 12 month pilot was sourced from donations and community sponsorship as
follows:
Organisation                               Sponsorship Value (NZD)
InternetNZ                                 $4000
Lateral Security (IT Services) Limited     $500
Insomnia Security Limited                  $500
Where’s My Server                          Web Hosting
Total Funding 2011-2012                    $5000
Funding for this initial pilot was used to provide all listed pilot initiatives plus formation of a New
Zealand limited company.
Pilot Initiatives
Community Web Portal and Online Media (www.in2security.org.nz)
The core of in2securITy activity is centred on the community web portal. This portal contains a series
of blogs and articles and is divided into 6 security specialisations.
These specialisms are:
Penetration Testing
Network Defence
Policy and Compliance
Secure Software Development
Forensics
Vulnerabilities Research
Educational articles are provided on an ad-hoc basis by an informal team of volunteer writers. All
writers are experienced professionals in a particular field and all content is vetted for suitability
before publishing. Only those articles that can clearly explain their chosen topic and are suitable to
an audience of mixed technical ability are accepted. External content such as online courses and
articles are vetted by the in2securITy team and only recommended to participants if they are found
to be of a high quality.
In addition to educational articles, the community web portal is the central point for the
organisation and promotion of in2securITy media and events.
Table 1 In2securITy Portal Statistics 2012
Rank  Country           Visits   Pages / Visit
1.    New Zealand       5,525
2.    United States     423
3.    Australia         266
4.    Taiwan            149
5.    United Kingdom    144
6.    India             128
7.    Estonia           73
8.    Canada            60
9.    Germany           59
10.   Brazil            43
Since its launch on 15th January 2012 this portal has been visited by 7544 unique visitors and has
served 22155 pages of content. Visitors to the site have come from 101 different countries; statistics
for the top ten countries are included above.
Information Security Awareness National Tour
The Information Security Awareness National Tour was not initially part of the in2securITy pilot plan.
However, upon receiving a grant from InternetNZ, a decision was made to attempt a large scale
awareness outreach programme.
This tour was originally planned for 5 locations (Auckland, Wellington, Hamilton, Dunedin and
Christchurch).
The North Island events were a great success, attracting 220 registrations across the 3 events.
Unfortunately, a lack of local support in Christchurch and spiralling organisation costs in Dunedin
forced the cancellation of both South Island events.
To compensate for the lack of geographic coverage, all talks from the 3 North Island events were
recorded and have been made available free of charge on the in2securITy YouTube Channel (28).
This channel now contains 15 videos varying between 25 minutes and an hour in length. These
videos have since attracted a global audience and positive comments from across New Zealand.
National Mentoring Scheme
The in2securITy National Mentoring Scheme brings together those with an interest in entering
IT/information security with those who have professional experience. Mentoring provides a way for
those starting out to make contacts, ask questions and receive informal, targeted development
advice from someone who has a large pool of experience on which to draw.
At launch, in2securITy aimed to form 6 mentoring pairs (12 people). As of 1st November 2012 the
actual number of active mentoring pairs in the scheme had reached 20 (40 people total).
Summer Project and Placement Programme
The In2securITy summer programme launches in December 2012 and runs for 3 months. During this
period a number of work experience placements and projects will be offered across a range of New
Zealand organisations.
A project is a distinct task or objective that can be completed by an in2securITy participant remotely
and delivered to an organisation. It includes research, tool development or remote testing under
the supervision of a mentor.
A placement is a period of unpaid work experience in which an in2securITy participant can work
within an organisation in a relevant and challenging position and gain valuable experience and
references. Placements last between 2 and 6 weeks.
In2securITy aims to provide 12 project/placement opportunities in 2012.
Integration with National Technical Groups
In2securITy is now represented in the following National Technical Groups:
InternetNZ
NZITF (New Zealand Internet Task Force) plus associated working groups
Awareness Talks
In2securITy has presented a range of awareness talks throughout 2012 including:
Cyber Security Awareness Week Launch @ Parliament
AUT University
InternetNZ – Bruce Schneier Introduction
NZISF – Breakfast Briefing
Networking Events
In2securITy has held informal networking events to co-ordinate with awareness talks, national tour
events and on a more casual basis. These have proven a popular way to discuss talks or lectures,
make new contacts and ask questions in a non-threatening group environment.
Pilot Limitations
The following limitations have been identified with the initial 12 month in2securITy pilot and its
associated initiatives:
Lack of South Island Coverage
Despite substantial effort, in2securITy’s coverage of the South Island was limited. Events such as the
“Information Security Awareness National Tour” were unable to include South Island venues due to
spiralling costs and a lack of local support.
Initial attempts at holding a full day in2securITy event at Dunedin University attracted only 10
registrations. Even after reducing the speaker line-up, the cost of domestic flights and
accommodation meant that the cost of holding this event exceeded $200 per participant (assuming
100% attendance). This event alone would have required almost 50% of the total annual operating
budget of the entire in2securITy scheme.
Inability to Attain Registered Charity Status
In2securITy promotes a profession and is therefore ineligible for charitable status. This impacts on
the tax status of the organisation and makes a donation funded model less efficient. Creation of an
Incorporated Society would alleviate some of these issues but was deemed to introduce additional
complexity and reduce the organisation’s ability to operate with agility in its first year.
Limited Budget
Five thousand New Zealand dollars is a very small amount of money in the world of national
initiatives. Despite this, in2securITy has achieved great things.
While this should be celebrated, the in2securITy team have acknowledged that this is not
sustainable. In2securITy can continue to achieve amazing things but it will require a source of
funding appropriate to the level of activity undertaken.
Lack of budget in 2012 has impacted the following activities:
Provision of printed and take home materials
Provision of South Island events
Representation at trade and conference events
Marketing
Limited Press Coverage and Marketing
While nationally significant, in2securITy is a niche initiative run without large business or
government backing. As such it has achieved little traction in traditional media or marketing
channels.
Lack of Job Board or Employment Pages
Initial plans for in2securITy did not include any job advertising functionality. Since launch however,
the in2securITy team have been contacted by several organisations wishing to advertise posts
suitable for in2securITy participants. To this point, in2securITy have not advertised these positions
publicly but have acknowledged that this functionality would be valuable in future years.
Availability of Suitable Venues
A recurring challenge faced when organising educational events, particularly in Auckland, was a lack
of affordable, suitable venues. While many shared and rentable spaces are available, the price of
these venues has been prohibitively expensive. While some organisations such as Microsoft have
generously donated rooms for the National Awareness Tour, several smaller events were cancelled
as a result of a lack of suitable location.
Proposed Initiatives
In This Section:
Initiative Overview
Dedicated Security Education and Project Spaces
National Security Apprenticeship Scheme
Security Training and Development Fund
National Schools Integration Programme
University Integration Programme
National Security Awareness Programme
Mentoring Programme Expansion
Improved Web Portal
New Zealand Computer Emergency Response Team (CERT)
Information Security Workforce Development Board
Proposed Initiatives
This whitepaper proposes the following ten initiatives to extend the 2012 in2securITy pilot:
Dedicated Security Education and Project Spaces
National Security Apprenticeship Scheme
Security Training and Development Fund
National Schools Integration Programme
University Integration Programme
National Security Awareness Programme
Mentoring Programme Expansion
Improved Web Portal
New Zealand Computer Emergency Response Team (CERT)
Information Security Workforce Development Board
The following section details each of these proposed initiatives, their aims, objectives and
deliverables. In addition, each initiative is defined in terms of the benefits it aims to provide to the
New Zealand Information Security Industry.
Initiative Overview
Comparison Metrics
In order to compare the proposed initiatives and prioritise them, the following metrics are
suggested:
Cost
This metric represents a high level estimation of the cost of implementation, management and
maintenance of the proposed initiative. Further financial analysis would be required to determine an
accurate cost estimate for each initiative.
Impact
The impact of a proposed initiative takes into account the number of demographics served, the
number of objectives met and the extent to which the proposed initiative is unique within
the New Zealand market. For simplicity, the ten proposed initiatives have been ranked 1-10, where 1 has the
highest impact potential and 10 the lowest compared to the other initiatives.
Objectives Met
This metric assesses the number of the objectives outlined in this document met by the proposed
initiative. Efficiency dictates that the more objectives met, the more beneficial the initiative.
Geographic Inclusion
Given the geographic challenges faced across New Zealand, all initiatives will be judged by their
ability to include those based outside of the major cities. Rural participants may be served
electronically or remotely by suitable means.
Comparison Matrix

Objectives: 1 = Awareness, 2 = Career Development, 3 = Centralisation and Governance, 4 = Advisory, 5 = Training. Metrics: Cost ($ low to $$$ high), Geographical Inclusion (Y/N), Impact (rank 1-10, 1 = highest).

| Initiative | 1 | 2 | 3 | 4 | 5 | Cost | Geographical Inclusion | Impact |
|---|---|---|---|---|---|---|---|---|
| Dedicated Security Education and Project Spaces | x | x |   | x | x | $$ | Y | 5 |
| National Security Apprenticeship Scheme |   | x | x |   | x | $$$ | Y | 1 |
| Security Training and Development Fund |   | x |   |   | x | $$$ | Y | 2 |
| National Schools Integration Programme | x | x |   |   | x | $$ | Y | 8 |
| University Integration Programme | x | x | x |   | x | $$ | Y | 6 |
| National Security Awareness Programme | x |   | x | x |   | $$ | Y | 9 |
| Mentoring Programme Expansion | x | x |   | x | x | $ | Y | 7 |
| Improved Web Portal | x | x | x | x | x | $ | Y | 10 |
| New Zealand Computer Emergency Response Team (CERT) | x |   |   | x |   | $$$ | Y | 4 |
| Information Security Workforce Development Board | x |   | x |   |   | $ | N | 3 |
Initiative One: Dedicated Security Education and Project Spaces
Description
One of the recurring issues faced by the in2securITy pilot was the lack of suitable, cost effective venues for the provision of training classes and events. Not only were venues difficult to find, they were often expensive, only available in specific locations and outside of working hours.

Dedicated classroom and project spaces would provide central points for the provision of information security training and events. In addition to formal events, operating costs could be subsidised by a low cost membership option allowing individuals and groups to book the spaces for projects or private events. These spaces would provide the equipment necessary to teach in a geographically challenging country, as well as equipment and book loan options to support and subsidise the cost of training.

This model is in use globally as "hacker spaces". These spaces are often subsidised by membership schemes and provide dedicated, safe spaces for education and projects in cities where individuals are unlikely to have home project space in which to work. The use of shared space not only enables project completion but also makes collaboration and networking easier. These spaces become community hubs, not just classrooms.

With these spaces, event running costs would reduce and event frequency could increase. In addition, the lack of vendor reliance would allow security education to occur without sensitivity to commercial impact or reputation. Low cost, suitable office space is available in all New Zealand cities.
Target Demographic(s)
Everyone
Objectives Met
Objective 1: Awareness
Objective 2: Career Development
Objective 4: Advisory
Objective 5: Training
Resource Requirements
Open-plan office space
Central city locations close to public transport
Tables & Chairs
Projector
Insurance
Power and networking
Deliverables
Dedicated security education and project spaces in major cities
Ability to book these spaces for individual or group projects at minimal cost
Regular classes and project meets
Equipment, book and eBook library in each location
Educational licences for software in project spaces
Teleconferencing equipment in each location for shared classes (ability to remotely connect in for those in other locations)
Benefits
A central location and dedicated training space in major cities will provide participants with a safe place to learn and experiment with information security technologies
Venue costs can be high for events in working hours; dedicated spaces allow for a reduction in cost and greater availability
Specialist equipment can be provided to help with information security lessons
Allows for lessons, courses and events to be vendor agnostic
Initiative Two: National Security Apprenticeship Scheme
Description
In traditional trades such as building and plumbing, apprenticeships are considered fundamental to the acquisition of experience and skills during the early stages of a career. While there remains an element of compulsory theoretical and academic learning to become an information security professional, this must be supplemented by hands-on project experience.

A 4-5 year competitive apprenticeship scheme would allow talented future information security professionals to undertake a range of placements designed to deliver project based experience across a range of information security fields. Each placement would include work on real New Zealand security projects and be designed to challenge the participants.

On commencement, all participants would create a personal development plan outlining their ambitions. A series of 6-12 month placements would then be co-ordinated to fulfil this plan, allowing participants to experience both private and public sector organisations, complemented by a structured selection of certifications or external training as necessary. Personal development plans would be reviewed at 12 month intervals.

For businesses, this would provide the following benefits:
Enthusiastic talent
National publicity
A chance to build the next generation of architects and leaders
Subsidised labour costs

Entrance to the scheme would be competitive, require New Zealand permanent residency or citizenship and specifically develop potential and seek out new talent, not just academic qualifications. The scheme would pay a salary to its participants, funded by both government and the businesses involved. Pay would be on a structured scale over the course of the scheme, with performance based assessments and criteria to advance. This would mirror similar schemes in the accounting and legal fields.
Target Demographic(s)
Students
New IT Professionals
Existing Professionals Seeking A Career Change
Individuals Returning to Work
Objectives Met
Objective 2: Career Development
Objective 3: Centralisation and Governance
Objective 5: Training
Resource Requirements
Integration with NZQA for accreditation
Industry and Government Support (Provision of 6-12 month placements)
Funding for training to complement placements
Scheme Administrator
Marketing
Web Site
Deliverables
A national apprenticeship scheme for those wishing to pursue information security as a career
A network of industry and government organisations to provide 6-12 month placements across a range of information security specialisms
NZQA accreditation
A range of courses and development plans to complement the on-the-job placement aspects of the scheme
Benefits
Provides a clearly defined and flexible development scheme for those wishing to pursue a career in information security
Provides a range of placements set to challenge participants and let them gain a range of high quality experience at the start of their career.
Provides a source of high quality graduate apprentices to become the information security architects and leaders of the future
Provides apprentices with a range of contacts from which to build their professional networks.
Initiative Three: Security Training and Development Fund
Description
Information security training is very expensive. For the majority of courses, participants must be sent abroad (typically to the USA or Australia) for periods of 3-7 days. These courses can charge between AUD 2,000 and AUD 7,000 per seat, and the travel incurs further heavy cost for the sending organisation in flights, accommodation and subsistence.

When faced with this high cost of training, many organisations have to prioritise who to train or seriously limit the amount of training offered. Many organisations will choose to offer no classroom based training as a result.

By subsidising courses from international training organisations, New Zealand will be able to bring classroom based training to its cities rather than sending staff abroad. This will reduce the cost of training and also allow professionals in the same field to network while they learn. Training subsidisation has been run successfully on a limited scale by NZITF and showed high interest and enthusiasm from the community.
Target Demographic(s)
Students
New IT Professionals
Experienced IT Professionals
Management Level Professionals
Objectives Met
Objective 2: Career Development
Objective 5: Training
Resource Requirements
Fund administrator to negotiate with training providers
Web Site and Application System
Integration with MSD and student funding systems
Deliverables
Provision of world class information security training at a subsidy for eligible organisations and individuals
NZQA integration to allow for accreditation of high quality information security training and certifications
Benefits
Reduces the cost of high quality information security training to New Zealand businesses
Reduces the need for international travel when pursuing training and certifications
Allows for professional networking during courses
Initiative Four: National Schools Integration Programme
Description
There is a common misconception that school age children are not interested in scientific or technical subjects. This is not the case: school students are only bored by scientific or technical subjects when they are not taught in a relevant and engaging way.

By providing hands-on workshops on information security issues, this initiative aims to foster interest within the 14-18 age group. Provision of a range of teaching materials and activity ideas will make integrating these activities with the existing curriculum easy and allow for activity adaptation and reuse over time. In-school talks and visits, in conjunction with programmes such as the IITPO connect programme, can help inspire school students to explore this subject further as they progress through their education.
Target Demographic(s)
School Age Students
Teachers
Objectives Met
Objective 1: Awareness
Objective 2: Career Development
Objective 5: Training
Resource Requirements
Resource writers and developers
Web Site
Travel and Accommodation for School Visits
Schools Liaison
Deliverables
A range of engaging, hands on activities suitable for the 14-18 age range
Guest speakers
Reusable materials and activity packs
Benefits
Engaging with school students can be a great way of fostering early interest in technical subjects.
The provision of high quality reusable materials means that activities can be run with minimal effort and maximum impact
Initiative Five: University Integration Programme
Description
For the majority of new professionals, university was their first opportunity to explore complex technical or professional subjects. It introduced aspects of the IT world that remain largely abstract to those not employed in the field. University is also the last time that most professionals engage in an extended period of dedicated education.

It is globally recognised that security is crucial to modern IT systems; however, many New Zealand universities offer little or limited integration of security issues into their curricula. A university integration programme would give institutes of higher education a source of training and development for their lecturers so that they can better understand how to teach and integrate security into their classes. Furthermore, by providing world class open source materials, students will be able to gain high quality teaching regardless of their institution.

Guest speakers from industry would provide real life examples of information security as a profession and the challenges information security professionals face. They would also give authenticity and credibility to material taught in lectures, as well as giving students a chance to ask questions. Inter-university competitions and events could promote networking and generate further interest.
Target Demographic(s)
Students
Lecturers and Academics
Objectives Met
Objective 1: Awareness
Objective 2: Career Development
Objective 3: Centralisation and Governance
Objective 5: Training
Resource Requirements
Resource writers and developers
Web Site
Travel and Accommodation for University Visits
University Liaison
Deliverables
A library of world class, open source training materials suitable for university level students on a range of information security topics.
Teacher/Lecturer Seminars to help all lecturers to introduce security into their modules and courses
Guest Speakers available to visit Universities with real life examples and debate
National University Level competitions to increase participation in the field and introduce opportunities to explore information security in a fun, challenging and safe environment
Benefits
This initiative would allow universities across New Zealand to integrate information security into their syllabus regardless of the availability of dedicated information security lecturers
The creation of high quality shared materials would reinforce a consistent message across education establishments
Guest speakers from industry could provide engaging means of reinforcing and strengthening taught lessons
Teacher Seminars would allow lecturers to integrate security into their core subjects
Initiative Six: National Security Awareness Programme
Description
While NetSafe provides a coherent and consistent message on Internet security for the small business and home user market, no such organisation within New Zealand is targeting technical implementers and business leaders. A range of security groups and events exist within New Zealand that can provide elements of this awareness and knowledge sharing; however, these groups can appear closed or foreign to those new to information security or not directly involved in its implementation.

Rather than competing with individual information security interest groups, this awareness programme would provide coordination between them. A coherent dialogue linking each group with its intended audience would increase membership of, and interest in, groups such as OWASP and ISACA.

For business leaders and existing professionals, this initiative would be an introduction and gateway to the range of groups and events available. It would provide fundamental knowledge, introductions to suitable groups and networking opportunities between implementers and business leaders in the same position or facing the same challenges.
Target Demographic(s)
Technical Implementers
Business Leaders
Students
Objectives Met
Objective 1: Awareness
Objective 3: Centralisation and Governance
Objective 4: Advisory
Resource Requirements
Programme Administrator
Marketing
National and International Liaison
Web Site for Sharing Talks and Materials
Deliverables
Regular talks at industry events and professional groups
Online portal of shared talks and awareness material aimed at each demographic listed above.
Expansion of the NetSafe (Small Business and Home User) message to the corporate world
Positive, controlled message on the subject of information security in New Zealand and central source of media information.
Benefits
Close integration with national and international schemes will allow New Zealand to find efficiencies between schemes, share ideas and increase innovation within initiatives
Regular talks with different demographics will increase awareness and allow for the tailoring of messages to each group
Sharing talks and materials online will allow for knowledge sharing outside of events
Initiative Seven: Mentoring Programme Expansion
Description
The existing in2securITy mentoring programme has proven to be very successful. Continuation and expansion of this programme would provide a simple and cost effective asset to this strategy. The following mentoring programmes are proposed:

New To Security (the existing in2securITy scheme)
Helping those curious about or new to the profession to gain initial contacts and information through pairings with existing professionals with a minimum of 3 years' experience.

Career Development
Helping existing professionals to plan and pursue their career by matching professionals with 1-2 years' experience with those at more advanced stages of their career.

Security for Managers and Board Members
Helping those who manage security projects and professionals to understand the profession and its impact on their organisation. This scheme would pair existing information security professionals with appropriate experience, commercial knowledge and communication skills with managers and board members.
Target Demographic(s)
Students
New IT Professionals
Experienced IT Professionals
Management Level Professionals
Objectives Met
Objective 1: Awareness
Objective 2: Career Development
Objective 4: Advisory
Objective 5: Training
Resource Requirements
Mentor programme supervisor/advisors
Venues for training classes
Software licence for online streaming software
Deliverables
Introduction to Mentoring Training (in person and online)
Regular mentor scheme events including knowledge sharing and networking
Provision of experienced mentor advisors to support mentoring relationships
Mentoring resources such as worksheets and activity packs
Benefits
Supports career development at all stages of professional life
Improves community and generates cross field/organisation contacts
Informal and flexible
No geographical limitations
Initiative Eight: Improved Web Portal
Description
An online presence is central to the success of modern organisations. Done well, it provides a high quality, stable and intuitive gateway to all the products, services and information provided by an entity. The portal would be the focus of marketing efforts, provide a central repository of information and offer a safe place for participants to interact online. It would co-ordinate the other initiatives and support their communication and marketing.
Target Demographic(s)
Everyone
Objectives Met
Objective 1: Awareness
Objective 2: Career Development
Objective 3: Centralisation and Governance
Objective 4: Advisory
Objective 5: Training
Resource Requirements
Web Developer
Content Writers
Graphic Designer
Deliverables
Professional quality web portal
Central source of high quality information
Job board for relevant NZ job advertisements (agency free)
Events calendar and sign up system
Gateway to all other initiatives
Social Network Integration
Secure Members Area
Benefits
Provide a quality, stable interface to all initiatives
Co-ordinate branding and marketing efforts
Initiative Nine: New Zealand Computer Emergency Response Team (CERT)
Description
Centralised and co-ordinated communications can improve the relevance and consistency of information security advisories. They can also create a known point of authority for all New Zealand businesses, allowing any organisation to seek advice and guidance on information security issues without relying on personal contacts.

The preferred delivery method for this initiative would be the creation and operation of a New Zealand Computer Emergency Response Team (CERT). This would be consistent with other OECD countries and provide a public facing, central response to information security threats. This organisation would also be part of the wider CERT network and allow easier unclassified knowledge sharing with other national CERT groups worldwide.
Target Demographic(s)
Everyone
Objectives Met
Objective 1: Awareness
Objective 4: Advisory
Resource Requirements
Skilled information security professionals with excellent communication skills
Central contact mechanisms such as email, telephone and web presence
Industry and government recognition and information sharing arrangements
Marketing
Deliverables
New Zealand Computer Emergency Response Team (CERT).
Benefits
A centralised communications point would improve the consistency of information security news and advisories within New Zealand.
Reduced reliance on personal industry contacts
Provision of a consistent and accurate response to media and journalist enquiries
Expansion of central support from just government and critical national organisations to include the wider industry.
Initiative Ten: Information Security Workforce Development Board
Description
To maximise the relevance of this strategy to the needs of New Zealand government and industry, these stakeholders must be involved in its governance, development and promotion. The creation of an Information Security Workforce Development Board would provide this strategy with centralised governance that represents the needs of the wider IT and information security industry. This board would form a mature governing body to which any initiatives would be held accountable.

While boards such as this have previously proven to increase bureaucracy, the benefit of having both senior industry and government support could ensure that this strategy remains tightly adapted to the needs of these organisations and widely accepted. By ensuring that a wide range of organisations are represented, the likelihood of this strategy remaining objective and independent is increased.
Target Demographic(s)
Senior Industry and Government Leaders
Objectives Met
Objective 1: Awareness
Objective 3: Centralisation and Governance
Resource Requirements
Industry leaders and government representatives
An operating constitution
Suitable meeting space for board meetings
Deliverables
A mature body to help govern and drive forward this strategy
Benefits
Clear accountability to a group representing both the New Zealand government and the wider information security industry.
Increased relevance of initiatives
High level support driving acceptance of this strategy from the top of organisations down
Translation of this strategy and its benefits to senior leadership and the wider (non-technical) organisation.
Conclusion
In This Section:
Conclusion
Recommendations
References
Conclusion
New Zealand has faced many challenges when implementing information security systems and
regrettably not all of these challenges have been handled with the knowledge and technical
excellence they require.
The complexity and quantity of these challenges is only set to increase over the next 3-5 years. As a
result, New Zealand needs to seize the opportunity to modernise its approach to the recruitment,
retention and professionalization of its information security industry.
This document has outlined the issues faced by New Zealand organisations when addressing this
challenge, the threat these challenges pose and the opportunities available.
In addition, this strategy contains an evaluation of a 12 month pilot scheme, in2securITy, launched in
2012 to address these issues. This scheme has proven without doubt that New Zealand has a large
appetite and need for this kind of development programme.
Finally, this strategy outlines a set of objectives and operating principles for the implementation of a
National Information Security Workforce Development Strategy, to consist of a set of proposed
initiatives – each designed to make New Zealand a global leader in the strategic development of
world class information security professionals.
Recommendations
This strategy recommends the following actions:
Introduction of a government funded Information Security Workforce Development Scheme based on the objectives and operating principles outlined within this document and expanding from the in2securITy pilot.
Full analysis and prioritisation of the initiatives proposed within this strategy.
Implementation of a range of initiatives such as those suggested here to proactively improve the recruitment, retention and professionalization of the information security industry.
Reduction in the use of phrases such as "in the long term".
Adoption of a lean, agile and iterative approach to this strategy that will allow rapid delivery and measurable results.
Collaboration with existing community and industry groups, universities and public/private sector organisations to source funding, effort and ideas.
References
1. SANS Secure Software. [Online] http://software-security.sans.org/blog/2012/02/22/agile-development-teams-can-build-secure-software/.
2. MSD Deloitte Breach Report 2012. [Online] http://www.msd.govt.nz/documents/about-msd-and-our-work/newsroom/media-releases/2012/independent-review-deloitte.pdf.
3. Symantec Threat Report. [Online] http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_2011_21239364.en-us.pdf.
4. ISC2 Career Impact Survey. [Online] https://www.isc2.org/uploadedFiles/2012CareerImpactSurveyResults_FINAL_020112.pdf.
5. PWC Information Security Breach Survey 2012. [Online] http://www.pwc.co.uk/en_UK/uk/assets/pdf/olpapp/uk-information-security-breaches-survey-technical-report.pdf.
6. NZISF. [Online] http://www.security.org.nz/NZISF_NZISForumContent.php.
7. NZISIG. [Online] http://isig.org.nz/.
8. NZITF. [Online] http://www.nzitf.org.nz/.
9. InternetNZ. [Online] http://internetnz.net.nz/.
10. Kiwicon. [Online] https://kiwicon.org/.
11. 1st Tuesday. [Online] http://www.1sttuesday.co.nz/content/1st-tuesday-club.
12. ISACA. [Online] http://www.isaca-wellington.org/.
13. ISC2. [Online] https://www.isc2.org/.
14. In2securITy Limited. New Zealand Education Non-Profit Organisation. [Online] http://www.in2security.org.nz.
15. BlackHat. [Online] http://www.blackhat.com/.
16. Defcon. [Online] https://www.defcon.org/.
17. CSO Security Qualification Directory. [Online] http://www.csoonline.com/article/485071/the-security-certification-directory.
18. NetSafe. [Online] http://www.netsafe.org.nz/.
19. New Zealand Cyber Security Strategy. [Online] http://www.med.govt.nz/sectors-industries/technology-communication/pdf-docs-library/cyber-security-documents/nz-cyber-security-strategy-june-2011.pdf.
20. NCSC. [Online] http://www.ncsc.govt.nz/.
21. CERT Definition. [Online] http://en.wikipedia.org/wiki/Computer_emergency_response_team.
22. OECD. [Online] http://www.oecd.org/general/listofoecdmembercountries-ratificationoftheconventionontheoecd.htm.
23. AP CERT. [Online] http://www.apcert.org/about/structure/members.html.
24. Cyber Security Challenge. [Online] https://cybersecuritychallenge.org.uk/.
25. GCHQ. [Online] http://www.gchq.gov.uk/Pages/homepage.aspx.
26. National CCDC. [Online] http://nationalccdc.org/.
27. Insomnia Security. [Online] http://www.insomniasec.com/about-us.
28. In2securITy on YouTube. [Online] http://www.youtube.com/user/in2securITy.
In Association With:
For further information
In2securITy Limited
Email: [email protected]
Twitter: @in2securitynz