Volume 13 Issue 10
Improving Cybersecurity Workforce Capacity and Capability: Addressing the Education-to-Workforce Disparity
Those of you reading this at the ISSA International Conference in Chicago, welcome! For those who are reading this elsewhere, I hope you will be able to join us at future conferences.

ISSA is unique in its ability to bring information security professionals together at all levels of their careers. When I first started going to chapter meetings, I really wasn't sure what to expect nor how ISSA would change my life. The people I met became my pseudo mentors, one being Hal Tipton, whom many refer to as the George Washington of information security. My manager at Rockwell got me involved with ISSA, and the relationships I have established have saved me countless hours when met with limited resources. The value of knowing someone to reach out to in challenging times: priceless. There are so many opportunities to help and be helped. We make career decisions based on the information we have and learn from the past decisions we have made. Seasoned members, we often discover it is only when we look back that we see what we thought was a wrong turn or a bad experience turned out to be for the best. Are there younger members who might benefit from your expertise and career lessons learned?

Our industry is currently suffering a shortage of skilled and qualified practitioners. In a recent CSO magazine, the demand for our workforce is expected to rise to six million globally by 2019, with a projected shortfall of 1.5 million, while data breaches from threats and vulnerabilities are rising. Unless our association, our industry, and our governments work together to encourage and equip the next generation of cybersecurity professionals, the need will be even greater in the future. A number of authors in this issue address that shortage and how we as individuals as well as an industry can address it. There will be many to come alongside, to guide and mentor, and to help them succeed in their careers.

My hope for you here at the conference, and especially for those of you new to ISSA, is that you make relationships that count, both personally and professionally, for your self-growth; that you share your knowledge, skills, and aptitudes to help grow our association and industry; and that you consider where you fit in the Cyber Security Career Lifecycle. We have information security plans for our businesses; an information security career plan for yourself is just as important, no matter what stage of your career you are in.

For those of you who are considering your second life or perhaps embarking into the retirement portion of your career life cycle, but still want to stay active in the information security community: in the next few months, we plan on introducing an Emeritus membership status. This will allow those with years of experience as information security professionals to stay engaged with their friends and other professionals and still be active participants in symposiums and international conferences like ours. Our hope is that this allows for more mentor/protégé opportunities, furthering the life cycle.

And lastly, for those of you here at the conference, take back what you learn and share with others from the sessions you attend. Make sure your sharing extends beyond your infosec team, reaching out to the C-level, other departments, local law enforcement, vendors, partners, and don't forget your community.

See you soon in Chicago.

Windy City here we come!

Andrea C. Hoy, CISM, CISSP, MBA, Distinguished Fellow
Vice President: Justin White
Secretary/Director of Operations: Anne M. Rogers, CISSP, Fellow
Treasurer/Chief Financial Officer: Pamela Fusco, Distinguished Fellow

Board of Directors
Frances "Candy" Alexander, CISSP, CISM, Distinguished Fellow
Debbie Christofferson, CISM, CISSP, CIPP/IT, Distinguished Fellow
Mary Ann Davidson, Distinguished Fellow
Rhonda Farrell, Fellow
Geoff Harris, CISSP, ITPC, BSc, DipEE, CEng, CLAS, Fellow
Tim Holman, Fellow
Alex Wood, Senior Member
Keyaan Williams
Stefano Zanero, PhD, Fellow

The Information Systems Security Association, Inc. (ISSA) is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members. With active participation from individuals and chapters all over the world, the ISSA is the largest international, not-for-profit association specifically for security professionals. Members include practitioners at all levels of the security field in a broad range of industries, such as communications, education, healthcare, manufacturing, financial, and government.

The ISSA international board consists of some of the most influential people in the security industry. With an international communications network developed throughout the industry, the ISSA is focused on maintaining its position as the preeminent trusted global information security community.

The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved.
Let me say, the response to this topic was overwhelming, but we can only include so many. Everywhere you turn there are statistics warning of the current and future workforce shortage. How do we get more qualified folks into the industry and keep them there?

Marie A. Wright examines US federal initiatives that seek to strengthen and grow the national cybersecurity workforce, civil and federal, and offers suggestions to enhance the partnerships between academia, industry, and professional associations. John Gray delves into the specifics of Department of Defense requirements, painting an engaging picture of the expectations and challenges of that agency's workforce. And Yuri Diogenes discusses how to examine your career, improve your skills and abilities, and successfully pursue your future: "As anything you do in life, progressing in this field becomes easier if you are passionate, self-driven, and have the discipline to pursue the vision of what you want for your career."

Finally, we offer a number of infosec career stories: how folks got where they are, what helped, what hindered, how they are moving on. You might see yourself in these stories, or you might even discover some inspiration to change your own story. Infosec career paths are as varied as the individuals making up the industry.

You'll notice we are adding the Cyber Security Career Lifecycle levels to the articles. The levels are fairly self-evident (you can get a full description of the levels in the included International Conference Guide or on the ISSA website) and the board has assigned appropriate levels to the articles. While the icons are suggestions, you need not pass over those you feel do not apply to your career level; you may discover something that'll help you in your journey or that you may pass on to another.

Hope to see you in Chicago,
Thom

Editorial Advisory Board
Phillip Griffin, Fellow
Michael Grimaila, Fellow
John Jordan, Senior Member
Mollie Krehnke, Fellow
Joe Malec, Fellow
Donn Parker, Distinguished Fellow
Kris Tanaka
Joel Weise, Chairman, Distinguished Fellow
Branden Williams, Distinguished Fellow

Services Directory
Website: webmaster@issa.org, 866 349 5818, +1 206 388 4584
Chapter Relations: chapter@issa.org, 866 349 5818, +1 206 388 4584
Member Relations: member@issa.org, 866 349 5818, +1 206 388 4584
Executive Director: execdir@issa.org, 866 349 5818, +1 206 388 4584
Vendor Relations: vendor@issa.org, 866 349 5818, +1 206 388 4584

Information Systems Security Association
12100 Sunset Hills Road, Suite 130, Reston, Virginia 20190
703-234-4082 (direct), +1 866 349 5818 (USA toll-free), +1 206 388 4584 (International)
The information and articles in this magazine have not been subjected to any formal testing by Information Systems Security Association, Inc. The implementation, use and/or selection of software, hardware, or procedures presented within this publication and the results obtained from such selection or implementation, is the responsibility of the reader.

Articles and information will be presented as technically correct as possible, to the best knowledge of the author and editors. If the reader intends to make use of any of the information presented in this publication, please verify and test any and all procedures selected. Technical inaccuracies may arise from printing errors, new developments in the industry, and/or changes/enhancements to hardware or software components. The opinions expressed by the authors who contribute to the ISSA Journal are their own and do not necessarily reflect the official policy of ISSA. Articles may be submitted by members of ISSA. The articles should be within the scope of information systems security, and should be a subject of interest to the members and based on the author's experience. Please call or write for more information. Upon publication, all letters, stories, and articles become the property of ISSA and may be distributed to, and used by, all of its members.

ISSA is a not-for-profit, independent corporation and is not owned in whole or in part by any manufacturer of software or hardware. All corporate information security professionals are welcome to join ISSA. For information on joining ISSA and for membership rates, see www.issa.org.

All product names and visual representations published in this magazine are the trademarks/registered trademarks of their respective manufacturers.
Somewhere in that title a joke probably exists, but they don't pay me for my sense of humor, so I'll stay away from any punchlines. I could, however, turn it into a riddle by asking the question: How many people actually stepped over the threshold of the bar? That would then give a neat segue into a discussion of the variety of career paths that infosec provides, some of which could overlap. Take me for example: a crypto engineer who didn't think about law school until well into my professional life.

As some of you may have heard in my presentations at ISSA (and other) events over the years, I have been advocating that the legal profession needs more people who truly understand the intricacies and subtleties of cybersecurity. Tackling the complexities of the legal arena is difficult enough as it is. Interweave cybersecurity into a particular set of facts and you wind up with something that can be daunting for both the legal and technical team trying to handle it. A common line of mine at such events is "the legal community needs more people like you, the ones who truly understand infosec."

An even better example would be the White House cybersecurity policy person with whom I had lunch recently. This person is an attorney, but started with a technical background, has tackled many policy questions, and has even delved into commercial endeavors. That combination (along with being at the White House) has allowed this person to work on numerous complex and interesting matters.

The point of these examples is that cyber skills can be a terrific complement to a wide variety of career options. Clearly, staying on the technical side can be quite rewarding and moving laterally (in a good way) could allow you to experience a number of different aspects of the cyber profession. Furthermore, the predicted dearth of cyber workers has materialized. I have heard Steve Battista, president of ISSA Northern Virginia Chapter, cite a very telling statistic on several occasions: for every two cybersecurity jobs in the greater Washington, DC, metropolitan area (to include Baltimore and Northern Virginia), there is only one person qualified to fill them. I suspect that the statistic refers mainly to technical jobs, so if we layer in business, legal, policy, management, and related positions, just think of the opportunities!

I often describe infosec as a horizontal concept that cuts across any number of industry, government, academic, and business verticals. But I would assert that the same is true for infosec career areas. Cybersecurity is no longer relegated solely to the IT department or the CISO. Based on my experience, the C-suites and boards of organizations continue to get better at integrating infosec into their corporate mind-set. This necessarily means that many other areas within an organization need relevant infosec experience. The lesson to be learned: if you are looking to make a change, you don't necessarily need to be limited to things that are pure infosec. Many other job functions would benefit from (or perhaps even require) infosec skill.

One final thought: for those of you that have a well-established infosec career, recognize that many other people out there could benefit from your experience. Whether through nurturing via informal professional relationships or more formal mentoring relationships, please consider helping others in their infosec career quest. There are many programs out there that would allow you to get involved and dedicate as much time as you have available to help guide infosec students and young infosec professionals in the pursuit of their own careers. Such opportunities are readily available and can be incredibly rewarding. In my own experience, I know of at least four of my former students who have gone to law school and several other acquaintances who have considered it (and may actually have gone).

Ultimately, a career path in infosec can lead in many different directions. I would encourage anyone who has an interest in pursuing something slightly different to go for it. After all, you might be the next CISO, marketer, wonk, and lawyer to walk into that bar!

About the Author
Randy V. Sabett, J.D., CISSP, is Vice Chair of the Privacy & Data Protection practice group at Cooley LLP (www.cooley.com), and a member of the Boards of Directors of ISSA NOVA and the Georgetown Cybersecurity Law Institute. He was a member of the Commission on Cybersecurity for the 44th Presidency, was named the ISSA Professional of the Year for 2013, and can be reached at rsabett@cooley.com. The views expressed herein are those of the author and do not necessarily reflect the positions of any current or former clients of Cooley or Mr. Sabett.
When I started my career in information security, it was because I had to. I was responsible for a couple of IT shops. For the most part, I was the sole IT guy. Yes, there were others around me who were in the middle of it with me, but I was the one who got the call at 3:00 am when something blew up. As the story goes, in 1997 I became enamored with information security as an IT guy because I left a service running on a server that I should not have. This was before small IT shops had firewalls. I was late to the game on system hardening, probably because the first time I tried using a hardcore security hardening script the machine became unusable.

In a way, I have the University of Washington to thank, even though I had no formal affiliation with them. Their imap daemon had a vulnerability that allowed an attacker to root one of my servers. And thus, my career was born.

This isn't meant to be an autobiography, but many of the people I meet in our field have a similar story. Something piques their interest in seeing what technology can do, versus what it's designed to do. Perhaps it was a prank, falling victim to malware, or just curiosity that made them think. And at this point, we have one of two paths to choose. Both paths lead to late nights in front of a screen, but on opposite sides of the conflict. This conflict is ever present in every facet of human existence. Nation states launch cyber attacks at rivals just like corporations do. Activists take to the digital world to bring justice for causes they feel passionate about. Crime rings target individuals, and sometimes it happens a little bit too close to home.[1] It becomes clearer by the day that our ability to keep up is perhaps the largest race condition in the coming years. To the victor the spoils!

There are a few things I've learned that I would love to pass along to our next generation of information security professionals as they enter into the workforce and start to learn how to be digital soldiers in an ongoing conflict.

Learn to ask questions and test assumptions. As a developer, I assumed users would be honest and follow directions. I was foolish. Letters in a telephone number field? Why would anyone do that? What happens if someone does do that? Taken another way, why would we follow a particular behavior or procedure just because we've always done it that way? What happens if we don't? Engineers will tell you that using the question "Why?" three to five times will typically get you to the root of why something is the way it is. Question, learn, and understand. Be curious!

Learn the business. You cannot make the most effective decisions as an information security professional if you don't understand how your business works. Take the time to talk to various people around the company to learn how it makes money. Pay attention to what your executives say that holds strategic value for the firm. Be involved in things beyond information security. It will round you out and prepare you for leadership.

Learn business in general. Do you know how a profit and loss statement works? Do you know the laws related to employee rights? What are the best ways to prove a product concept? All of these things are important to give you perspective on your daily work. It also will further prepare you for leadership roles down the line.

Get educated. Information security professionals follow Bayes' Theorem even if they don't realize it. Otherwise, they are out of a job. Continuously learn what both the good guys and the bad guys are doing. Keep up on new technology, and do your best to stay on (if not ahead of) new technology adoption. Learn how people use technology in their daily lives, and think hard about how it can be used against them.

Have fun. Yes, it's the generic advice from any motivational speaker (I am not one). If you have fun, you will keep doing all of the above. That will propel you into the next generation of information security leadership. You will have bad days; learn from them. Incorporate what you learn into your future behavior.

About the Author
Branden R. Williams, DBA, CISSP, CISM, is the CTO, Cyber Security Solutions at First Data, a seasoned security executive, ISSA Distinguished Fellow, and regularly assists top global firms with their information security and technology initiatives. Read his blog, buy his book, or reach him directly at http://www.brandenwilliams.com/.

[1] This will be a column for another month.
For those not familiar with the case, TJ Hooper was a landmark in tort law that established an important standard for negligence. The case was heard in 1932 to assign liability for a lost cargo. A tug towing the cargo on a barge had set to sea in good weather but later that night there was a storm and the barge sank. The owner of the cargo argued that if the tug had been equipped with a radio, the tug captain could have checked weather reports and taken the opportunity to seek shelter in a nearby breakwater before the storm hit. The owner of the tug disagreed and made a prevailing-practice defense. That is, that tugs at the time were not usually equipped with radios and this was considered normal practice in the industry.

In a landmark decision handed down by Judge Learned Hand, it was found that prevailing practice did not completely shield the tug owner against a claim of negligence. In one of the most beautiful legal phrases ever uttered, the rationale was summed up as: "There are precautions so imperative that even their universal disregard will not excuse their omission." Common prudence, therefore, was not always the same as reasonable prudence. In this case the value of the cargo, the likelihood of a storm, and the relatively low cost of a radio meant that it was negligent to go to sea without one.

Judge Learned Hand: "That everyone else does it badly is no excuse."

So what does this mean for information security awareness? It means that many organizations may be sitting on a liability time bomb. That is, in the event of a security incident, will their security awareness programs be considered adequate to shield them from third-party claims of negligence? There is a universal-practice argument to be made for mediocrity: most organizations barely go through the motions, with computer-based training and a few security slides as part of the induction process. Some organizations don't even have a security policy. Sooner or later this sad state of affairs will be put to the test.

If I had a contract with a third party that suffered a security breach related to human failings, I'd be asking if their security awareness program was adequate, given the risks. Not was it the industry minimum, but whether the effort the other party invested in security awareness was commensurate with the likelihood of a security incident, the value at risk, and the benefits of security awareness done properly.

Why hasn't the adequacy of security awareness programs been repeatedly challenged in court? Part of this is the unknown-unknown argument. For the TJ Hooper case, it was easy to see that damage had been done. The barge was below the water instead of on top of it. Even a PCI auditor could pick up on that one, if given half an hour and a detailed checklist. Failures in the information security field are different. Some organizations don't know they've had a breach. Or maybe they do know but don't want to make it public by engaging in litigation. There are two important aspects to this that are changing. Firstly, mandatory breach reporting requirements mean that the news of the breach is almost certain to be made public as organizations can't place any confidentiality restrictions on their notification process. Once the breach is public, there's no incentive to refrain from litigation.

Secondly, we've seen a rise in organization doxing, where leaks are intentionally made public. Think of Sony, Hacking Team, Manning, the diplomatic cables, and the list goes on.

It may well be that the next step change in professionalizing security awareness campaigns won't be new standards, certifications, or qualifications but the lawyers getting involved. Consider how your security awareness program would fare if put under the spotlight. If it's just a token gesture, going through the motions of the industry minimum, then you could be in trouble.

About the Author
Geordie Stewart, MSc, CISSP, is the Principal Security Consultant at Risk Intelligence and is a regular speaker and writer on the topic of security awareness. His blog is available at www.risk-intelligence.co.uk/blog, and he may be reached at geordie@risk-intelligence.co.uk.
In established fields, career progression is often thought of as a linear journey. Climbing the corporate ladder is a metaphor for career success that tells us that if we work hard, we will ascend, rung by rung, in a clearly upward path, knowing exactly how to reach that next level.

In today's world of exponential technology requiring explosive growth in the information security field, this clear corporate ladder is a foreign concept. However, the leaders who find their way to success without a map are often the most inspirational. With unprecedented access to information, global networks, and self-publishing platforms, it's no longer necessary to follow the herd.

Take Sali Osman, one of my favorite infosec thought leaders. Sali started her career in electronics engineering, and then moved into information security. Her most recent post was CISO at Time Customer Service Inc., the global organization that fulfills orders and shipping for Time magazine and its affiliates. Currently, she is the Security and Risk Management Advisor for Saudi Aramco and makes time to invest in the next generation of female and minority leaders through her work as the co-chair of the Mentor-Protégé Program at the International Consortium of Minority Cybersecurity Professionals (ICMCP).

As a young girl, growing up in the Middle East, Osman would tinker with circuit boards and take her toys and computers apart just to see how they worked. Her father told her that she could make it in any job she chose if she worked hard and stood up for herself.

Her family and friends called her crazy when she later joined the Abu Dhabi Police as a network and software engineer. She says they still think she's crazy today when, after a layoff at TCS, she turned down several high paying senior leadership job opportunities in order to take time to spend with family, focus on her mentoring within the international security community, and invest in her non-profit interests with the Nubian Village Cultural Heritage Center.

"If you're working hard, work happily and joyfully do what you love. Smiles come from your internal self. Be the person who creates circumstances rather than just going with the flow. Chart your own path." Sali Osman, CRISC, CISM, CISSP, Security and Risk Officer

Another example of a leading lady who blazes her own trail is Ashley Ferguson, Global Director, Governance, Risk, Compliance, Security Architecture and Design at Dell SecureWorks. She started her information security career in audit at a big-four consulting firm. She quickly found that her passions were in leadership and helping people. Whether it was helping clients understand her audit findings or helping a team member with career planning, Ashley quickly excelled and cleared her path to become the Manager of Risk and Compliance and Information Security Officer for Energen, a growing oil and gas firm. Her role at the CISO level, investment in building a strong network, and winning the People's Choice ISE Southeast award contributed to her visibility as a leader in the industry. Opportunities often came her way that most people would say she was crazy to turn down. But Ferguson knew she had to follow her intuition and choose the right next step in her career. She wanted to make an impact and help people, not just in one industry or at one company but on the overall industry, which is a big part of her new role at Dell SecureWorks.

"I felt deep down, when the right opportunity came, I would know," Ferguson says. "It would have to be the right reason to step away and have deeper meaning than just more money or better title."

As these stories illustrate, sometimes success means saying no to linear progression and conventional career paths. In information security you have the opportunity to work in any and every industry imaginable and take on any number of different roles, from penetration testing to communications and public relations, or even start your own business.

If at any point you run into a road block that may seem like a failure, think of it as a sign that you need to take a step back in order to move forward in the right direction. If you recognize that your path could look different than everyone else's, it can help you focus your energy on finding yourself and getting back on the right path.

The days of mandated corporate ladder climbing are behind us, so dare to be different and blaze your own trail to happiness in your career.

About the Author
Christa Pusateri is a trailblazer, problem solver, entrepreneur, student, coach, storyteller, teacher, adventurer, and above all else a devoted wife and mother. She currently serves as the vice president for the Tampa Bay Chapter, leads communications and public relations for Algenol (www.algenol.com), the leader in world changing biofuels, and teaches Entrepreneurship and Creativity at Florida Gulf Coast University. She blogs and may be reached at cmp@christapusateri.com.
FOR THOSE CONSIDERING TRAINING AND CERTIFICATIONS, of which there are many that apply in the information security space, here is one perspective on the Certified Information Systems Security Professional (CISSP). The CISSP has been around for a fairly long time, but the questions of its validity and currency come up at times. Both valid questions. Is the CISSP right for you? Possibly. Can it be improved? Certainly. Are there alternatives? Yes. Ed.

OK, so it's not really worthless. It can help you get a job or a contract, but in the scheme of today's infosec world? It's really broken, in my opinion. Let me break down my thought process, since I'm typically pretty upbeat about things.

Over the years, I have had more than a few laughs with both clients and SANS students about various aspects of the CISSP. Few seem to really take it seriously. That's a big indicator.

Second, there are far too many things in that cert/test that are completely and totally useless to 99% of us in infosec. As the information systems security professional, I do not need to know about fire extinguisher types, fence height, or lighting. Sure, it may be interesting knowledge, but not relevant to most people's infosec jobs, and thus extraneous in the cert.

Third, the CISSP demonstrates no hands-on skills. The test itself, completely insane in its wording and content in some cases, just makes you memorize a bunch of concepts. We don't need many, if any, theoreticians today. We need tangible, real skills that can be put to good use immediately. You may argue that theory and research and risk have a place. Sure. But I don't need that in a cert like this. I want someone who can walk in the door and DO things, not think about doing things. Or talk about doing things. Or answer obtuse questions about things without being able to perform hands-on tasks.

I've had some people tell me "I'm proud of my CISSP."

Really? Of what, exactly?
- Studying for a test?
- Taking and passing a long, obnoxious test?
- Doing WORK for three to four years? (wow, welcome to a CAREER)
- Having a college degree (in some cases)?
- Acquiring CPE credits for random things and events?
- Getting someone to attest that you are smart and/or awesome?

People, it's broken.

HR offices are essentially discriminating against people who don't have one, for really no good reason. This cert is ridiculous. If you have to get one for work, or compliance, or DOD 8570, or something, OK. But don't strut around and act as though this really means you have something unique or special: you don't. I know way too many CISSPs who can't dissect a packet, configure a firewall or IDS, write a script, perform a real in-depth risk analysis, and so on. That does NOT bode well for the future of information security. If you argue that it's meant to be a "broad, theory or breadth of knowledge cert," well, I argue we don't NEED those. We need more DO-ers.

So what do I propose?

I say scrap the whole thing. Start over. Build a cert and program that tests fundamental skills and means something to employers who really need things done. Offer existing cert holders one year and a free test to get the new one. Otherwise, they're out. We need to weed out the people skating their way through infosec on the back of a bunch of stupid CPEs. I'd love for the CISSP to mean something, and see the industry rally around it as a useful and legitimate indicator of knowledge and skill.

About the Author
Dave Shackleford is the owner and principal consultant of Voodoo Security and a SANS analyst, senior instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. He may be reached at dshackleford@voodoosec.com.

Annual Membership Meeting
The Annual Membership Meeting was held 12:00 pm EDT, September 10th. To access the recorded version, visit www.issa.org/?page=2015AnnualMeeting.
Dear ISSA Member,

For those outside the world of security, it is difficult, if not impossible, to comprehend the true scale of present and future security issues that are daily transforming the lives of people, businesses, society, and the world at large. Simultaneously, the promises of the ongoing technological revolution often tend to decry the recommendations of cybersecurity professionals; yet, we are charged with mitigating risk and safeguarding the world from those enormous security challenges.

Thus, our roles are also transforming. We must continue to grow our security expertise even as we advance our skills in effective communication and organizational leadership.

The ISSA International Conference offers unique guidance and resources that were carefully selected to help security professionals at all levels to achieve this strategic mix of knowledge, skills, and aptitudes. It also provides you with access to the strongest global network of experts across industries and skill sets. Join us to transform your career and your organizations.

ISSA

Register Now: www.issa.org/?issaconf_home
See Why You Should Attend! https://youtu.be/hGJ5U_woHPs
Groups of 10 or more save 20 percent on registration fees. For more information, email Leah Lewis: llewis@issa.org.

ISSA Foundation fund-raiser
...nual fund-raiser to be held in Chicago, Illinois, this year in conjunction with ISSA's annual conference. At our fund-raiser we'll be selling tickets to our drawing held on Tuesday after lunch. Winners need not be present to win! All winners will be notified at the conference to pick up their prizes at the Foundation booth before the conference ends. Stop by to learn about our scholarship programs and make a tax-deductible donation for a chance to win great prizes, including:

A SANS-donated course from their entire catalogue of online, in-person, or on-demand courses for 2016.
Great security books signed by the authors, such as:
Future Crimes by Marc Goodman
Data and Goliath by Bruce Schneier
Spam Nation by Brian Krebs
With Murder You Get Sushi, by Mary-Ann (Maddie) Davidson
A Kindle Fire HD6, gift cards, BOSE headphones, and much, much more!

(Photo: Marc Goodman)
PREVIEW

Preparing for the Big One
Track: Incident Response
David Phillips, Managing Director, Cybersecurity Consulting, Berkeley Research Group

"Data breaches are going to continue to happen to earnest companies. Many are simply not prepared for the situation, bumbling the press comments, trampling on evidence, and not recognizing the severity of the situation. All of this is increasing the Fear-Uncertainty-Doubt to the public," David explains. "The only way to be prepared is to treat security as other industries have treated high-risk environments. The board room cannot wait for the Big One. From the Securities and Exchange Commission to the American Bar Association to the White House, regulatory and oversight bodies are foreshadowing the liability event. CxOs, board members, shareholders, and insurance companies are going to feel the punch as negligence suits become the norm." This session will focus on a five-step process for developing an effective executive cybersecurity program that demonstrates due diligence.

"Preparing for a major privacy data breach requires a board-level approach to coordination across general counsel, CISO, finance, HR, IT operations, and partners. The IT security industry is focused on selling point solutions that address a very limited part of the overall security landscape," he adds. "A deeper focus on the holistic problem is required in order to be prepared to rapidly detect and respond to breaches."

Attendees will consider the broader sphere of the security environment that includes corporate politics, insurance mitigation, legal protections, security cultural assessments, and security operations. They will take away knowledge of the Layer 8 issues required to properly respond to the Big One, how to measure and adapt an infosec program on a new scale, and how to articulate security issues to key decision makers.

"Security is a people-centric issue; avoid relying on technology as the solution," he concludes. "Instead, focus on what it takes to build a high-reliability organization."

Diversified IT: Why the Security Workforce Needs Qualified Women...and Men
Track: Business Skills for the Information Security Professional
Tammy Moskites, CIO and CISO, Venafi

"There's long been a need for more diverse candidates in information technology, but lately the need is growing much stronger for simply finding qualified security professionals, men and women alike, to enter the cybersecurity workforce. The personnel and skills gap shortage is already starting to negatively impact the industry," Tammy explains. "Many CISOs I've met across the globe have mentioned to me that they are having a difficult time finding and hiring the right qualified people for the job. That's a major problem." A recent 2015 Frost & Sullivan report claims that the global workforce shortage of security professionals will reach 1.5 million within five years, and the need for a wider skill set and strong communications skills has never been greater.

So how do we build the next generation of cyber warriors and also ensure that more females get interested at an early age in joining the workforce? "While there are some great certification and training programs out there, we still need to find ways to encourage our kids and college-aged students to get interested in the field. That's a critical part of solving this problem," she emphasizes. "It's not just about finding more women to create a diverse workforce; we simply cannot find enough qualified professionals in general."

This presentation will discuss firsthand lessons learned over Tammy's 30-year career span in IT and security. She will discuss the challenges of entering the workforce as a woman and how she's built and grown her career. She'll also discuss how she's built and mentored great teams and where she sees the need for skills to evolve as the threatscape has changed. Attendees will take away best practices and key lessons learned from the personal challenges she has overcome over the years. "I'm extremely passionate about growing and mentoring great security teams," she exclaims. "I believe strongly that we have a major skills-gap and a hiring crisis that needs to be addressed, now."

Attendees will understand why a more diversified workforce is needed and how the gender gap can continue to dissolve with more STEM programs and computer security college curricula. As

See International Conference Guide Inserted
Improving Cybersecurity Workforce Capacity and Capability
Addressing the Education-to-Workforce Disparity

Abstract
Across public and private sectors, there is a growing demand for qualified cybersecurity professionals. Finding those individuals with the necessary knowledge, skills, and abilities (KSAs) to fill vacant positions has proven to be difficult. This article examines the chasm between demand and supply in the cybersecurity labor market. It looks at the professional competencies established by the federal government to help align industry cyber needs with education and training initiatives. It also offers suggestions to enhance the partnerships between academia, industry, and professional associations that will improve the KSAs of undergraduates who will soon enter the cybersecurity workforce.

Since 2007, the demand for cybersecurity professionals has risen dramatically. The cause is likely due to multiple factors (e.g., greater connectivity, more vulnerabilities, increased intruder awareness of the value of attacking networks, and heightened public awareness of successful attacks) [14]. According to Burning Glass Technologies, cybersecurity job postings grew 74 percent from 2007-2013, more than twice the rate of all other information technology (IT) jobs [3]. They also took 36 percent longer to fill than all job postings [3]. Last year, Cisco estimated an industry shortage of more than one million security professionals worldwide [4]. A recent Ponemon Institute survey of 504 human resources and IT security specialists in the United States found that the IT security function in most organizations was understaffed, with 70 percent of the respondents reporting that they had neither the depth nor breadth of qualified security professionals [21]. In January 2015, ISACA conducted a global survey of 3,439 business and IT professionals in 129 countries [12]. Ninety percent of the respondents said there was a national shortage of skilled cybersecurity professionals. Another survey conducted earlier this year [13] seemed to corroborate this. More than half of the 926 respondents reported that it took their organizations anywhere from three to six months to fill an open position, and that fewer than 25 percent of the applicants were qualified to fill the positions for which they applied.

The demand for cybersecurity professionals is projected to intensify over the next several years, largely due to the increasing sophistication and persistence of cyber threats, and the growing pervasiveness of mobile devices and cloud services in the business environment [9]. According to the most recent (ISC)2 Global Information Security Workforce Study [9], the estimated compound annual growth rate in global demand for security professionals from 2014-2019 is 10.8 percent, while the estimated compound annual growth rate in global supply during that same five year period is only 5.6 percent. The numbers suggest that by 2019, there will be a workforce shortage of more than 1.5 million cybersecurity professionals.

The Bureau of Labor Statistics projects a 37 percent growth in employment for Information Security Analysts through 2022, compared to an 11 percent average growth rate for all occupations [2]; however, the title of Information Security Analyst certainly does not describe all cybersecurity jobs. Perhaps a better sense of the demand for cybersecurity workers should be based on the number of organizations that ought to be undertaking some measures to protect their systems, networks, and data from unauthorized access, use, or harm [5]. In the United States there are approximately 456 agencies in the federal government [18], more than 90,000 state and local governments [26], almost 13,000 independent school districts [26], approximately 7,200 public and private colleges and universities [28], and more than six million firms [25]. All should have someone responsible for cybersecurity within their respective organizations.

While billions of dollars are being spent on new technologies to secure the US Government in cyberspace, it is the people with the right knowledge, skills, and abilities to implement those technologies who will determine success. However, there are not enough cybersecurity experts within the Federal Government or private sector to implement the CNCI, nor is there an adequately established Federal cybersecurity career field. Existing cybersecurity training and personnel development programs, while good, are limited in focus and lack unity of effort. In order to effectively ensure our continued technical advantage and future cybersecurity, we must develop a technologically-skilled and cyber-savvy workforce and an effective pipeline of future employees. It will take a national strategy, similar to the effort to upgrade science and mathematics education in the 1950s, to meet this challenge [6].

In 2010, in response to CNCI Initiative #8, the National Initiative for Cybersecurity Education (NICE) was established. Led by the National Institute of Standards and Technology (NIST), NICE consists of more than twenty federal departments and agencies. To achieve its mission of enhancing the overall cybersecurity posture of the United States, NICE has three goals: To increase national cybersecurity awareness, to expand the pool of individuals prepared to enter the cybersecurity workforce, and to develop a globally competitive cybersecurity workforce [17].
ing to school to pay for their educational expenses: 52 percent work part-time, and another 20 percent work full-time [27]. The bottom line is that their discretionary income is limited.

7. Academics should encourage students to pursue certification. There are hundreds of cybersecurity-related certifications, and navigating through the confusing array can be a daunting challenge. To make the process easier, the National Initiative for Cybersecurity Careers and Studies (NICCS) developed a list of organizations that provide the professional certifications needed for entry or promotion in the cybersecurity career field [22]. The list supports NICE's goal of facilitating the development of a globally competitive cybersecurity workforce. Certification standards can help academia to better align their cybersecurity curricula with current industry needs [24]; however, these standards have a training focus that should supplement, but not replace, education.

8. Academics should employ a multidisciplinary approach to cybersecurity education. Traditionally, security courses and programs have been housed in Computer Science or Engineering departments, which necessarily emphasize highly-specialized, technical knowledge; however, cybersecurity is more than just a technical discipline. It is a complex subject, whose understanding requires knowledge and expertise from multiple disciplines, including but not limited to computer science and information technology, psychology, economics, organizational behavior, political science, engineering, sociology, decision sciences, international relations, and law [15]. Although technical knowledge is important, recent studies [9][13] have suggested that other attributes, such as having a broad understanding of the security field, having strong communications skills, and being able to understand the business, may be more important for success as a cybersecurity professional.

9. Academics should incorporate realistic case studies and practical simulations into the cybersecurity curriculum. Classroom theory and hands-on practice have a reciprocal relationship, where one informs and reinforces the other. The case method, originally championed by the Harvard Business School, uses case studies to emulate realistic business challenges. The information provided is typically complex and insufficiently detailed, so students are challenged while their judgment and leadership skills are strengthened. In the case of simulations, learning occurs through hands-on actions, and preferred outcomes tend to be based on experience. The simulation environment provides constant and immediate feedback, so students can adjust their actions based on the information they receive. Both case studies and simulations are operational scenarios in which specific skills are learned and performance is evaluated within a realistic context. Mistakes will be made, and they often provide the best learning experiences.

10. Industry professionals should work more closely with academia to sponsor mock cybersecurity competitions. Unlike large-scale competitions, such as the annual National Collegiate Cyber Defense Competition sponsored by the Department of Homeland Security Science and Technology Directorate's Cyber Security Division, these mock competitions should be much smaller and should occur more frequently (e.g., monthly). They should have a practical, hands-on focus, but they should not require the high level of technical proficiency demanded by national cyber competitions in order to encourage as much student participation as possible, including those who are not majoring in Computer Science or IT. After all, students majoring in non-technical disciplines may have the right set of skills to become cybersecurity professionals [14].

Conclusion
Since 2007, the sharp increase in demand for cybersecurity professionals has been met with a relatively small increase in the number of individuals qualified to fill those jobs. In spite of the federal government's initiatives to increase the supply of cybersecurity professionals, the labor market is tight and is projected to remain so for the next decade. It will take years to educate and train a sufficiently qualified workforce. In the meantime, there are actions that can be undertaken in partnership by industry, academia, and professional associations that can help to improve the capacity and capability of the cybersecurity workforce.

References
[1] Bertsche, Alyce Louise. "The DOL Competency Model Clearinghouse." Webinar presentation for the North East Regional Employment and Training Association, May 1, 2014. http://docslide.net/government-nonprofit/competency-model-clearinghouse.html.

UPCOMING: Don't Miss This Web Conference!
Big Data: Trust and Reputation, Privacy, Cyber Threat Intelligence
2-hour live event: 9:00 am PDT, 12:00 pm EDT, 5:00 pm London, Tuesday, October 27, 2015.
The Internet is forever. If something is posted on the net, there is no way to get it back, or even correct it. This webinar will talk about the potential uses of big data for good and for bad.
Moderator: Hari Pendyala, ISSA Fellow and member, Chennai, Asia Pacific Chapter.
For more information on our webinar schedule: www.issa.org/?page=WebConferences.
Improving Cybersecurity Workforce Capacity and Capability | Marie A. Wright
Advancing the Culture of Security
Keynote Speakers: Vinton G. Cerf & Dan Geer
Monday Night, October 12

Join us for solution-oriented, proactive, and innovative sessions focused on security as a vital part of business.
Diamond Sponsors

Special Events

Saturday, October 10 (Evening Dinner) & Sunday, October 11 (All-day workshops, 4th floor)
CISO Forum Opening Dinner: Saturday 5:00 pm - 8:30 pm
CISO Forum Program: Sunday 8:00 am - 5:00 pm
CISO Forum is open to members of the CISO Executive Program and qualified first-time guests.

Sunday, October 11:
ISSA Conference Cyber Networking Gala Reception, 5:00 pm - 7:30 pm
All attendees are welcome to join us in the Exhibit Hall at this informal networking reception in Salon 1 & 2.

Monday, October 12:
CISO Panel Luncheon, 12:00 pm - 1:30 pm, Salon 3
Seasoned CISOs and C-level security professionals share their thoughts and insights on how to advance the culture of security in your company from the corner office and beyond.

Cyber Defense Center
From 4:00 pm to 5:00 pm on Monday and Tuesday, attend special product demonstrations, receptions, prize drawings and more in the new ISSA Cyber Defense Center sponsored by Bomgar, Microsoft, Spikes, Symantec, and Venafi. Look for your special invitations in September, in your registration packet, and in the ISSA Conference Mobile App!
Be Sure to Visit All Our Solution Providers in the Exhibit Hall (Salon 1 & 2)
Sunday, October 11: 5:00 pm - 7:30 pm
Monday, Oct. 12: 9:45 am - 4:00 pm
Tuesday, Oct. 13: 10:00 am - 2:00 pm

Exhibitor: Booth #
Alert Logic: 304
Bay Dynamics: 119
Bit9, Inc.: 218
Bomgar: 207 & 209
Cimcor, Inc: 221
Clearswift: 306
Comodo: 300
Contact Singapore: 217
CyberArk: 305
Damballa: Corner A
DocAuthority: 101
Dtex Systems: 320
Esentire: 200
ESET: 123
Fortinet: 312 & 314
Forum Systems: 103
Great Bay Software: 114
InfoBlox: 110
Inspired eLearning: 203
Intelisecure: 115 & 117
ISSA Foundation: Corner D
Keeper Security: 307
MediaPro: 311 & 313
Microsoft: 214 & 216
MNJ Technologies: 106
Nexum Inc.: 317
ObservIt: 116
OpenDNS: 105 & 107
PhishLine: 204 & 206
PKWARE: 222
Pulse Secure: 205
Qualys: 223
SANS: Corner C
Secunia: 319
Sergeant Laboratories: 201
Skybox: 316
Spikes: 113 & 212
Sunera: 104
Symantec: 109 & 208
Tenable: 308
The Security Awareness Company: 122
ThreatTrack: 100
Venafi: 213 & 215
Veracode: 322
Partner Sponsor
www.ISSAEF.org

Incident Response
Business Skills for the Information Security Professional: Presenting the business case for Information Security, Career Paths for Information Security Professionals, Privacy
Securing the End User: Security Awareness Training, Social Media, Access Control

Monday, October 12
International Conference Registration Open: 7:00 am - 4:30 pm, 7th Floor Registration
Breakfast: 7:15 am - 8:15 am, Salon 3

Tuesday, October 13
International Conference Registration Open: 7:00 am - 12:00 pm, 7th Floor Registration
Women in Security Breakfast, Networking For Success: 7:30 - 8:30 am, Room Kane/McHenry
Join us for a WIS SIG breakfast filled with cybersecurity fun-facts, networking opportunities, and plenty of ways to earn some great SWAG. Interact with peers and women luminaries in the field who are working to bring information, opportunity, and success to each of you. Celebrate with and recognize those leaders who have made the past five years of WIS SIG possible.
Breakfast: 8:00 am - 9:00 am, Salon 3
Keynote Address, Dan Geer: 9:00 am - 10:00 am, Salon 3
Exhibit Hall Open: 10:00 am - 2:00 pm, Salon 1 & 2
Break in Exhibit Hall: 10:00 am - 10:15 am, Salon 1 & 2

ISSA Women in Security SIG Presentation: Looking to 2020, Are we too late? (O'Hare)

Tilt!
Party with the stars in the sky and the stars of cybersecurity in the 360 Chicago Observatory. Take advantage of ISSA's private use of 360 Chicago's 30-degree, all-glass, tilt-out stations for a new angle on Chicago and the Magnificent Mile! See page 4 of this guide for directions.

Tuesday, October 13
Sponsored Session
Securing our Future: Lessons From the Human Immune System
Jeff Hudson: CEO, Venafi
Michigan/Michigan State
ENTRY LEVEL: An individual who has yet to master general cybersecurity methodologies/principles. Individuals in this phase of the life cycle may have job titles such as associate cybersecurity analyst, associate network security analyst, or cybersecurity risk analyst, for example.

MID-CAREER: An individual who has mastered general security methodologies/principles and has determined an area of focus or specialty. Individuals in this phase of the life cycle may have job titles such as network security analyst, cybersecurity forensics analyst, application security engineer, and network security engineer. Individuals who are nearing the senior level may begin to hold job titles such as senior network security engineer or senior cybersecurity analyst, for example.

SENIOR LEVEL: An individual who has extensive experience in cybersecurity and has been in the profession for 10+ years. These individuals have job titles such as senior cybersecurity risk analyst, principal application security engineer, or director of cybersecurity, etc.

SECURITY LEADER: An individual who has extensive security experience and the ability to direct and integrate security into an organization. These individuals have job titles such as Chief Information Security Officer, Chief Cybersecurity Architect, etc. After extensive periods of leadership, some become recognized industry leaders.

Note: if the session fits multiple levels, the lower and higher levels will be displayed.
Breakout Sessions

Monday, October 12, 2015

Breakout Session One: 10:00 am - 10:45 am

Featured Speaker
Embracing and Securing the Internet of Things (IoT)
Demetrios Lazarikos: CISO, vArmour
Track: Infrastructure
10/12/2015, 10:00 am - 10:45 am
Salon 3
Smarter, connected products offer increasing amounts of opportunities and capabilities that span across multiple boundaries. The IoT space is the new norm. The use of these smarter, connected products will force businesses to raise a new set of strategic choices related to how information security is integrated into these complex IoT ecosystems. Veteran CISO Demetrios Lazarikos (Laz) will review how IoT has been adopted as the fastest disruptive technology in recent years, the information security considerations that come with it, and what can be expected for future integration.

The Value Proposition for Federated Digital Identity Services
Stu Vaeth: Senior Vice President, Business Development, SecureKey
Track: Mobile Security
10/12/2015, 10:00 am - 10:45 am
Kane/McHenry
Mobile devices are becoming the de facto method for marketing, retail, payments, and social activities. However, as consumers hop from channel to channel, keeping their personal information both accessible and secure is a huge challenge. In this session, SecureKey SVP of Business Development Stu Vaeth will showcase the government of Canada's award-winning implementation of a federated digital identity service and discuss how it is enabling Canadian consumers to simply and securely access government services with the credential of their choice.

Sponsored Session
Harnessing Innovation to Address Emerging Security Challenges
Moderator: Dr. Michael C. Redmond, PhD
Panelists: Gautam Aggarwal: Chief Marketing Officer, Bay Dynamics; Sean Blenkhorn: Senior Director of Solutions Engineering, eSentire, Inc.; Jack Daniel: Tenable Network Security, Inc.; Kevin Sapp: Vice President, Strategy,
Track: Incident Response
10/12/2015, 10:00 am - 10:45 am
Indiana/Iowa
2015 is a year in cybersecurity like we have never seen before. The year is not even completed and we have seen numerous cyber attacks showing themselves in the form of breaches, denial of service, ransomware, and many more. These are just a few of the threats that keep many CISOs up at night. They say two types of companies exist in the United States: those that have been hacked and those who don't know they have been hacked. You know the risks; now find out the solutions in this invigorating session made up of a panel of experts.

SELinux Integrity Instrumentation (SII)
Dr. Mike Libassi: Adjunct Professor and Sr. Performance Engineer, Colorado Technical University
Track: Infrastructure
10/12/2015, 10:00 am - 10:45 am
Lincolnshire 1&2
As a security reference monitor, SELinux configuration integrity is critical. SELinux users battle the complexity of the configuration and have few methods to verify its setup. There is a lack of methods to ensure SELinux configuration compliance. This doctorate dissertation research created a set of algorithms to monitor the configuration of SELinux and alert to changes. SII also offers the ability to see relationships between service and SELinux policies based on type/domain. The panel will cover the research and offer a live demo of the framework used during research.

Sponsored Session
Malvertising, Drive-by Downloads, and Web Exploits: Stop Them All with Browser Isolation
Ben Strother: Director of Business Development, Spikes Security
Track: Infrastructure
10/12/2015, 10:00 am - 10:45 am
Michigan/Michigan State
All businesses rely on web applications, but connecting to the Internet introduces the risk of running untrustworthy code from servers outside your organization's control. Effectively defending against web malware threats requires isolating web content in disposable virtual machines run on hardened appliances in your organization's demilitarized zone. Isolation effectively shields your endpoints from web-based malware while allowing them to browse the web safely and protects your network.

Pathways to Empowered Security Leadership
Moderator: Marci McCarthy: President & CEO, T.E.N.
Panelists: Todd Fitzgerald, Global Director Information Security, Grant Thornton International, Ltd.; Larry Lidz, CISO, CNA Insurance; Jeff Reich, CSO, Barricade; Richard Rushing, CISO, Motorola
Track: Business Skills for the Information Security Professional
10/12/2015, 10:00 am - 10:45 am
Northwestern/Ohio State
The evolving security leader can seamlessly blend technical knowledge with business acumen to serve as a trusted partner to the board and the business, but no one starts at the top. During this invaluable panel discussion, top CISOs and information security leaders will share personal stories about when and where their careers began, what pivotal events launched them into leadership, and what has empowered them to grow stronger in the field. Security professionals at any level of experience will benefit from hearing the advice, knowledge, and personal challenges these leaders have faced on their pathways to empowered leadership.

Silver Bullet for Identifying Hacking and Information Theft in ERP Systems
Moshe Panzer: CEO, Xpandion
Track: Business Skills for the Information Security Professional
10/12/2015, 10:00 am - 10:45 am
Purdue/Wisconsin
The modern hacker to ERP systems knows the current technologies and is well prepared for them. The only unbreakable method for identifying hacking attempts and information theft is monitoring
Monday, October 12 Session Four and Cyber Defence Center Tuesday, October 13 Session Five
The Future of Mobile App Security
Vincent Sritapan: Program Manager for Mobile Security R&D, Department of Homeland Security, S&T - Cyber Security Division
Track: Mobile Security
10/13/2015, 10:15 am - 11:00 am
Kane/McHenry
Do you know what your mobile app is doing? Are you relying on app markets to protect you? Today's mobile apps are riddled with defects that hackers can exploit. Vincent Sritapan, a Cyber Security Division program manager at the Department of Homeland Security S&T, will discuss ongoing research for securing mobile technology. He will present a current project in mobile app archiving that can continuously inventory apps from mobile app markets like iTunes, Google Play, Windows Phone Store, and includes over 83 global app marketplaces. He will discuss the future of mobile app security and where R&D is taking us.

Practical Application Security for the Real World
Andrew Leeth: Product Security Engineer, Salesforce
Track: Application Security
10/13/2015, 10:15 am - 11:00 am
Indiana/Iowa
Web applications are undoubtedly our future for interacting with businesses and data. Companies trust their data and reputations with applications, which most times provide Internet-accessible avenues inside the firewall. This presentation will demonstrate web-based attacks through live demos and touch upon mitigation strategies. Tools for application testing will be discussed and tested against our vulnerable applications. Further, we will discuss the effort needed to fix these vulnerabilities. As a security professional, you will be able to give the proper fixes and understand the level of effort needed by developers.

Embedded Like a Tick - Cyber Intelligence
Jeff Bardin: Chief Intel Officer, Treadstone 71
Track: Laws and Regulations
10/13/2015, 10:15 am - 11:00 am
Northwestern/Ohio State
Most intelligence collection in IT shops is driven exclusively by technology and technical information. This provides only a fraction of the necessary data, information, and potential actionable intelligence needed. Creating online personas helps round out the collection efforts and serves to establish a beach head in target communities of interest. Know your adversaries as they know you, gathering information about their intent before execution of that intent.

N-Gram Analysis in Suspect Author Identification of Anonymous Email
Paul Herrmann, CISSP, EnCE, CISA, CPP: President, eVestigations Inc.
Track: Incident Response
10/13/2015, 10:15 am - 11:00 am
Lincolnshire 1&2
In late 2010, a Fortune 100 company's executives were being threatened via anonymous email. Multiple anonymous remailers prevented standard IP-tracing techniques. eVestigations Inc. developed a system and protocol utilizing current linguistic techniques to successfully identify the perpetrator. Empirical authorship analysis has a long history, primarily as it relates to literary works of unknown or disputed authors. One such technique known
Tuesday, October 13 Session Seven, CSCL Program Sessions, Cyber Defense Center
phishing messages and 11 percent clicked on attachments. Nine patterns still cover the vast majority of incidents (96 percent) of the breaches in this year's dataset. We found that company size has no effect on the cost of a breach.

Computer Security for SMB/Government
Marv Stein: Sr. Security Consultant, TDAmeritrade
Track: Securing the End Users
10/13/2015, 1:45 pm - 2:30 pm
Purdue/Wisconsin
What makes an effective information security program for a small organization? This educational presentation is intended to promote awareness of the importance of need for IT security, understanding of IT security vulnerabilities, and corrective measures.

CSCL Program Sessions: 3:00 pm - 3:45 pm

Sponsored Session
Securing Our Future: Lessons from the Human Immune System
Jeff Hudson: CEO, Venafi
Track: Threats and Responses
10/13/2015, 3:00 pm - 3:45 pm
Michigan/Michigan State
All signs point to a future world of more complex, harder-to-detect cyber threats. Our adversaries are exploiting what seems to be our strengths. Intel predicts the next big hacker marketplace to be in the sale of digital certificates, already selling for more than $1000 each on Russian marketplaces. Gartner expects 50% of network attacks to use encrypted SSL/TLS in less than two years. What's to do? The human immune system has evolved to defend and destroy complex and oftentimes overwhelming attacks. What can we learn from it? How can we create a future that's more resistant as we use more software, more clouds, more apps, and more connected devices.

Cyber Defense Center - Diamond Sponsors
October 13, 4:00 pm - 5:00 pm, 6th floor
Bomgar - Indiana/Iowa
Microsoft - Lincolnshire 1&2
Spikes Security - Northwestern/Ohio State
Symantec - Purdue/Wisconsin
Venafi - Michigan/Michigan State

Bomgar
Close the Door to Cyber Attacks with Secure Vendor Access. This session will feature:
LIVE! Cyber Attack & Defense. Watch a cyber-attack unfold live to show you how your vendors can unwittingly leave the door open to your network and understand how to prevent these by managing, controlling and auditing all vendor access
Best practice recommendations on how to secure vendor access to your organization. Hear top tips to protect your company and customer data, infrastructure and assets from cyber-attacks by securing vendor access while improving productivity.

Spikes Security
All businesses are now reliant on web applications. But how can you protect your organization from web malware when browsers are connected directly to the Internet and can run untrusted code
The author discusses how the Department of Defense cybersecurity workforce is organized, how to prepare for a cybersecurity position, and the appropriate combination of education, training, and experience in which to progress into advanced responsibilities.

According to the US Bureau of Labor Statistics,1 employment for information systems security specialists will grow by almost 40 percent by 2022, making it one of the nation's fastest growing careers. Numerous studies and reports find that there is a nationwide shortage of qualified information systems security professionals, and nowhere is this felt more than in the Department of Defense (DoD). According to a 2011 Government Accounting Office report, the number of full-time employees in the DOD with significant information system security responsibilities exceeds 87,000; while the Office of Personnel Management reports that the DoD cybersecurity workforce numbers 19,000 personnel.2 In addition to covering losses due to transfers, retirement, and terminations in this sizable workforce, the DoD is planning to hire 4,000 more people with cybersecurity skills over the next two years.3 To address the problem of retention, the DoD is endeavoring to make itself the em-

Government mandates drive the demand for security specialists, with the DoD 8570.01M Information Assurance Workforce Improvement Program5 manual requiring that DoD civil service employees, military personnel, and defense contractors with elevated privileges to government information systems be trained and certified in information security depending upon their role and level of access.6

Government information systems security specialist positions generally require a bachelor's degree in information security, computer information systems, network security, computer science, or a related field of study; however, because skilled security professionals are in demand, an associate degree or a combination of education, professional security certifications, and relevant experience will likely result in close consideration. An applicant's resume should detail any specialized experience that demonstrates his or her knowledge of security measures in protecting information, information systems, or networks from threats; skill in ensuring that an information system is compliant with applicable information assurance policies, procedures, and best practices; ability to provide guidance to personnel on how to secure a system; and knowledge and application of information assurance principles and test and assessment methods.

Many universities and community colleges have computer engineering, computer science, and information security programs. When considering an education geared towards cybersecurity, considering the academic institutions listed on the National Security Association's list of National Centers of Academic Excellence in Information Assurance (IA)/Cyber Defense (CD) will ensure that the curriculum has been vetted for strength in specific IA and CD focus areas.7 Computer security education programs should include courses in various operating systems administration, networking, network security, host-based security, intrusion detection, hardware and software configuration, and computer forensics. Security professionals should also develop their communication skills as they are typically responsible for educating and recommending solutions to technical and non-technical employees regarding information security issues.

Professional information technology (IT) and security certifications provide an employer with an indication of an individual's skill, knowledge, and aptitude and usually command increased earning power. They also serve to filter out unqualified personnel as most DoD cyber workforce positions specify a specific professional certification as a requirement. Candidates must either hold or obtain the particular certification within a certain period of time after being placed in the position. Vendor-neutral certifications provide employers with an indication of an individual's general IT and cyber skills, while specific operating system, network, or security certifications serve to establish more advanced or focused skills.

Individuals with prior military service and/or possessing a security clearance generally have a competitive advantage in the hiring process. Employers recognize that job candidates with prior military service typically have a reliable work ethic, good communication skills, are loyal to their employers, and overall are productive workers. While it does not guarantee being selected, veterans' preference laws give eligible veterans an advantage over many other applicants. A security clearance assures government employers that the applicant is familiar with safeguarding national security information and that they do not have a criminal background. Cyber positions requiring elevated privileges, including having the ability to modify security settings, typically must be filled by an individual having a security clearance; therefore the demand for IT professionals with a security clearance is high.8

The cybersecurity workforce management guidance, DoD Directive 8140.01,9 advocates that qualified government civilian and military personnel, augmented where appropriate by contracted services support, be employed as an integrated workforce in order to provide an agile, flexible response to constantly changing cybersecurity requirements. Policy requires IA practitioners and managers be trained and qualified to an approved baseline requirement, depending on the position they fill. The Information Assurance Workforce Im-

1 http://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm.
2 http://www.gao.gov/new.items/d128.pdf.
3 http://www.bloomberg.com/bw/articles/2014-04-15/uncle-sam-wants-cyber-warriors-but-can-he-compete.
4 http://dodcio.defense.gov/Portals/0/Documents/DOD Cyberspace Workforce Strategy_signed(final).pdf.
5 http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf.
6 http://www.itcareerfinder.com/it-careers/it-security-specialist.html.
7 https://www.nsa.gov/ia/academic_outreach/nat_cae/.
8 https://news.clearancejobs.com/2015/06/23/benefits-security-clearance/.
9 http://www.dtic.mil/whs/directives/corres/pdf/814001_2015_dodd.pdf.
ec policy interpretation and development. Other skills may include management and leadership; conflict, project, and financial management; quality and continuous improvement processes; and strategic planning.

All employees are encouraged to develop interpersonal skills in the areas of teamwork, ethics, writing, communication, and problem solving in order to become a more well-rounded employee.

Conclusion
Job security, excellent benefits, competitive pay including locality pay, vacation and sick leave, and a retirement system that is exceptional compared to much of the private sector are just a few of the reasons people seek federal employment. Some people consider government careers because of desirable travel opportunities, availability of training, and the ability to locate jobs nationwide or even overseas. Following the guidelines listed above to develop one's cybersecurity skill set establishes a solid foundation for career growth. Career opportunities in the DoD cybersecurity workforce are at an all-time high, and even if an individual's career spans only a few years, it can provide opportunities for gaining valuable training and experience and fulfill a desire for serving the public good. The experience gained can be a stepping stone to expanded opportunities and higher wages and compensation in the public sector.

And while the career progression detailed in this article is focused on service in the United States Department of Defense, the basic tenets are applicable to government service in other nations, and can also be a template for developing one's information security skills in general.

About the Author
John Gray, CISSP-ISSEP, PMP, is an information systems security analyst with over 15 years' experience in information security and IT. He is employed by the Department of Defense, focusing on certification and accreditation, cross-domain solutions, and information security management. John may be reached at jgraydiss@wavecale.com.
The author discusses key decision points regarding an information security career, the options available, and how to succeed in this field.

Abstract
Nowadays access to information is not a problem; everyone can find answers for a wide variety of topics and learn about them without many requirements. At the same pace the information lands in every device across the planet, the number of vulnerabilities discovered on a daily basis also grows, which is causing a higher demand for qualified security professionals across the industry. How these security professionals will learn and continuously develop themselves to handle this demand will vary. This article will go over key decision points regarding an information security career, the options available, and how to succeed in this field.

According to an analysis performed by Peninsula Press using numbers from the Bureau of Labor Statistics,1 the demand for information security professionals is expected to grow by 53 percent by 2018. While this might not look like a big number across three years, the real alarming number comes in the same analysis when they state: "it was found that 209,000 cybersecurity jobs in the US are unfilled." The struggle to fulfill these positions is a reality not only in the private sector but in government as well. The government is aware of this shortage, and in July 2014 the Homeland Security Cybersecurity Boots-on-the-Ground Act2 passed the House with the intent of helping the Department of Homeland Security (DHS) to recruit and retain cybersecurity professionals.

Recently the National Security Agency (NSA) started a program for middle and high school students, to teach them ethical hacking skills.3 This initiative is just another fact that shows the government recognizes the need to expand the skills of young students and ensure that they learn about information security. Adding information security-related disciplines into the core school curriculum can have a great benefit for the future generation that will grow way more aware of what needs to be done to stay secure. This goes beyond security awareness because it can also lead students to learn more about secure coding, which is the real root of the problem. But while this is not happening, what should be done for the current generation and how should you improve your skills?

What path should I take?
The information security career has many ramifications, from a very specialized Pentester to a more generalized Security Analyst who needs to know a variety of topics about security. This means that the first step you should take is to perform a self-assessment and decide where you want to go in your career, what you like to do, and how to advance in that particular field. This is an important point because many times people decide what they will do based solely on market demand. Blindly following this rationale can be dangerous because you might end up working in a field that you don't like and one which may have a negative impact on how you grow in your position. As a result you will not evolve and sooner or later will start looking for another job. Regardless of what pays more, you must be passionate about what you are going to embrace in your next career move. Some security professionals are already in this situation, having to work in a branch of this field where they don't feel passionate; the rationale is the same: find your next career move by doing this self-assessment and discovering what motivates you in this area. Nowadays everyone talks about hacking, ethical hacking, cybersecurity, and other terms. Don't let the buzz distract you; understand deeply what you want to do and pursue the right path to your next move.

Once you decide which path you will take, evaluate what you already have to offer. In general, there are three core components that you must assess regarding the field in which you are going to work:
- Experience: do you have the required experience in that field?
- Professional certification: do you have the professional certifications that are required for the job that you are looking for?
- Degree: do you have a degree that can be helpful in that field?

This self-assessment is very important as it allows you to understand your strengths and weaknesses. The goal is to ensure that once you detect your weakness, you start working on a plan to fill the gap. If the result of this self-assessment shows that you need a specific certification in order to be more competitive, then you already know what to do: study and obtain the certification.

A survey performed by SANS in 20144 shows that experience is a key factor for a better salary in the information security field. The same survey also reveals that certification is a critical component for career success in the information security arena. What should we conclude from this? Having both is the best scenario for a security professional. While experience is for the most part directly related to the jobs that you have had in the field, you can also obtain experience by attending trainings and conferences and helping your community. Initiatives like Security BSides5 are available in many locations in the world. You can propose a presentation or volunteer to work in their meetings. By engaging yourself in communities like this you will gain knowledge, and you will also expand your network.

Pursuing a Master's or PhD degree in information assurance, cybersecurity, or any other field related to information security is definitely a choice to consider. However, in this case you must analyze the return on investment and ask yourself: will it be worth it in the long term? The investment is not only financial; it is also the time that you put in to obtain these higher degrees. As part of your career plan in security you must establish your vision; as part of this vision, ask yourself: what do I want to achieve in this field? If you want to work in the academic field or research, pursuing a Master's or PhD should definitely be in your plans. The other scenario that can lead you to go after these degrees is job requirements; if you want to work for a specific company and you know that in order to fulfill that particular position you need a Master's in Cybersecurity, make it happen and go after it.

Specialist or generalist?
Ten years ago the demand to have very specialized professionals was greater than today. If you knew one specific feature within a product, you were of extreme value to the company. I remember when companies were hiring Exchange 5.5 professionals that were specialized in troubleshooting mail flow. Those professionals needed to know deeply how to debug the protocol and know deeply how to troubleshoot connectors between Exchange and Lotus Notes, among other specific features. They didn't need to know how to restore an Exchange database; they didn't even need to know how to create a user account; as long as they were level 400 in mail-flow troubleshooting, they had the job. Not anymore!

With cloud computing everything changed. Broad knowledge is now more important for all IT segments and especially for information security professionals. With cloud computing growing at such a fast pace, it becomes extremely important that security professionals are aware of the essential characteristics defined by NIST6 and how the threat landscape is going

1 Ariha Setalvad, "Demand to Fill Cybersecurity Jobs Booming," March 31, 2015 - http://peninsulapress.com/2015/03/31/cybersecurity-jobs-growth/.
2 Eric Chabrow, "Senate Passes Cybersecurity Skills Shortage Bill: Measure Aims to Boost IT Security Employment at DHS," September 20, 2014 - http://www.bankinfosecurity.com/senate-passes-cybersecurity-skills-shortage-bill-a-7340/op-1.
3 Hanna Sanchez, "National Security Agency Teaches Students Ethical Hacking, Cybersecurity," Jul 20, 2015 - http://www.ischoolguide.com/articles/18948/20150720/national-security-agency-students-ethical-hacking-cybersecurity.htm.
4 "Cybersecurity Professional Trends: A SANS Survey" - https://www.sans.org/reading-room/whitepapers/analyst/cybersecurity-professional-trends-survey-34615.
5 "Welcome to the Security BSides Community Wiki" - http://www.securitybsides.com/w/page/12194156/FrontPage.
6 "The NIST Definition of Cloud Computing" - http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf.
Another very common scenario is you are the generalist but you are also the specialist for one area. For example, you are a security professional working in the incident response field; you know your process and what needs to be done to investigate an incident. However, you are also the guy who knows more about computer forensics on your team. Figure 1 shows an example of how this usually looks and why it happens.

- Network Security
- Compliance and Operational Security
- Threats and Vulnerabilities
- Application, Data, and Host Security
- Access Control and Identity Management
- Cryptography

7 Certificate of Cloud Security Knowledge - https://cloudsecurityalliance.org/education/ccsk/.
8 See the entire exam objectives here - http://certification.comptia.org/docs/default-source/exam-objectives/comptia-security-sy0-401.pdf.
This is a very broad scope because it covers subjects like BYOD, SCADA, Incident Response, and other topics that are relevant for anyone who wants to either start working in security or boost his or her security career by obtaining a more general certification. One of the advantages of starting with a broad certification in the security field is that you can decide which area you want to focus on in case you want to specialize. For example, after obtaining this certification you might conclude that you want to invest more time and effort to become a Computer Forensics Analyst. If that's your choice, you can start with GIAC Certified Forensic Analyst (GCFA)9 or EC-Council C|HFI (Computer Hacking Forensics Investigator).10 The reasons that lead you to choose one certification over another can vary: job requirement, financial restrictions, etc. It is important to research and verify what certification will aggregate more value not only for your resume but also your own knowledge. What you are going to learn throughout the preparation phase is vital; if you are going to spend hours and hours studying for an exam, you better like the subject and be very passionate about what you are about to embrace.

Conclusion
If information technology is already a very dynamic field, information security is even more challenging because it changes on a daily basis, and one change can have collateral damage in different areas. Be aware that these challenges can be overwhelming, but they are also full of opportunities to highlight the quality of your work. As anything you do in life, progressing in this field becomes easier if you are passionate, self-driven, and have the discipline to pursue the vision of what you want for your career. Make sure to participate and network with other professionals, because this will help to identify areas that you can explore more, and it gives you real-world scenarios that you might not be exposed to if you are working on your own.

Last but not least, follow this simple advice and stay hungry for knowledge: "The more I learn, the more I realize how much I don't know." - Albert Einstein

About the Author
Yuri Diogenes, MS in Cybersecurity Intelligence & Forensics Investigation (UTICA College), CISSP, CASP, E|CEH, E|CSA, CompTIA Security+, CompTIA Cloud Essentials Certified, CompTIA Network+, CompTIA Cloud+, CompTIA Mobility+, MCSE, MCTS and MBA. Currently Yuri works for Microsoft as Senior Content Developer for the Enterprise Mobility Team and as Professor for the Master of Security Science course from EC-Council University. Yuri is co-author of Windows Server 2012 Security, Forefront TMG Administrator's Companion, and a Security+ book (in Portuguese). You can follow him on Twitter @yuridiogenes or reach him at yurid@microsoft.com.

9 GIAC Certified Forensic Analyst (GCFA) - http://www.giac.org/certification/certified-forensic-analyst-gcfa.
10 C|HFI Certification - http://www.eccouncil.org/certification/computer-hacking-forensics-investigator.
My Unexpected Infosec Career Path
By Ashley Schwartau – ISSA member, Middle Tennessee Chapter

There is not a specific career path that lands you in the infosec industry. Everyone has a different journey and must be open to the opportunities that present themselves, especially the unexpected ones!

I never expected to work in this industry. Yet here I am. A woman working in infosec.

I did not go to school for IT, and I had no interest in pursuing a security-related career. Yet, here I am.

Somehow, completely by accident, I have spent the last ten years of my life preaching infosec ideals and becoming an information security professional. How did this even happen? I blame it on my dad, really.

He has been in this industry and run his business out of the house for my entire life, so my childhood was full of security software, consulting calls with clients, and swag brought back from security conferences. I even learned the alphabet on a keyboard at 18-months old. He started taking me to DefCon when I was 16, and one of my chores in high school was compiling a list of security-relevant news to be used in a weekly newsletter sent out to clients. (I got paid and it sure beat scrubbing toilets like my friends were doing for spending money!) Concepts like social engineering, white hat hacking, Wi-Fi sniffing, and the importance of backup were commonplace for me, and it was not until high school that I realized maybe not everyone knew Kevin Mitnick's name or was as paranoid about downloading a virus on Napster as I was.

While my dad gave me odd jobs to do for the company here and there, and I learned from my mom as she did design work in CorelDraw, neither of them ever pushed me to join the family business. They urged me to pursue my dreams, which ranged from becoming the art director of an entertainment magazine in New York to editing movie trailers in Los Angeles.

I transferred colleges a few times, my major switching from multimedia (with a fine arts focus) to digital media (a combination of comp sci, web development, and graphic design). I interned at the college TV station and in my fifth (and final) year of school set out to create a documentary in order to teach myself how to edit video. What was the documentary about, you ask. Hackers. I filmed Hackers Are People Too at a few conferences and premiered it at DefCon 16 on 08/08/08. Even for a personal project, I could not get away from infosec. I may not have known it then, but making that movie only cemented my future in this industry.

After graduating college, I moved home to get my bearings and figure out where I was going. Would I really venture to the City of Angels to pursue film, or head into the Big Apple to join the failing publishing industry? After working a lame retail job, and not finding any other leads, I felt lost. But then my dad offered me something I had never seen as an option: join his company full time. They were ready to expand their services and jump into e-learning, and I knew enough about the subject matter to develop content and savvy enough with software to figure out how to do what he needed.

I took the job willingly but with every intention of finding something better down the line. Then our client base expanded. I started coming up with new ideas for teaching the same old security lessons, and I found myself in a full-time position in an industry I had spent most of my life trying to avoid. And I was actually having fun! Pretty soon we needed more help, and we hired my first assistant. Not long after that we needed to hire another team member and another and another and another. Here we are in 2015; the company with an entire production staff and me, fully invested in an industry I now have no intention of leaving.

As Creative Director of The Security Awareness Company, I work hands-on with all of our clients, building and launching information security awareness campaigns. I develop training materials to teach users how to protect company data and the importance of following security policy. I have seen security initiatives of all shapes and sizes both succeed and fail, and have learned what the security teams must do in order to get buy-in from users and C-levels.

On the surface, to many of my friends, my job may not seem like an obvious infosec career. I run the creative department, after all. But the work my team and I produce is entrenched in security, focused on re-imagining and teaching age-old problems such as passwords, compliance, data breaches, and phishing. It is impossible to work on awareness materials without becoming somewhat of a subject matter expert yourself. So while my skills might serve me in other industries – marketing, advertising, publishing – my knowledge base and experience with clients' awareness programs make me an infosec professional.

So what advice would I give to future infosec professionals?

Throw away preconceptions about what infosec is
The infosec industry calls on a wide variety of people with myriad skills, everything from sysadmins and pentesters to the people who design simulated phishing attacks. Look around the vendor floor of any conference and you will see the kind of variety I am talking about. Software developers, phishing companies, awareness training, cloud services, MDM, VPNs, hardware developers...and each of those companies has a need for programmers, designers, marketers, administrators...a range of people with a range of skills that are not all deeply technical. Infosec is not just a technical field, and you can thrive in this industry as long as you have a base understanding of the issues and passion for the subject matter.

Widen your focus
One of the mistakes I see students make in all industries is choosing a career path and never veering off road. Many of the people I went to school with wanted to be graphic designers, so they took graphic design classes and scoffed at those of us who ventured into other areas – computer networking, film editing, PHP, creative writing, theme park design, interactive performance. They saw no need for any skills that were not in the basic job description of a designer. But as someone who now leads a production department, having an understanding of all those other areas has only made me better at my job. And the same goes for any job in the infosec field. You should know more than just what your dream job expects of you. You should understand the roles of the people you work with and for. Learn everything you can about everything – networking, programming, designing, managing. Coding was never my forte, but I understand it enough to talk to our programmers and web development team with confidence and savvy. And while I am not a CISO myself, I understand the problems they face on a daily basis and constantly educate myself about new threats so that I can better serve the people I work for. You will be an asset to your team if you can expand your knowledge base beyond the limited scope of your specific job title.

Be open to opportunities
This relates to my point above. Let's say you are headed towards being a pentester, and the job market is kind of scarce in your city. But a position opens up for the help desk at a local healthcare company. Take it. Is it exactly what you want to do? Not at all. But being at the help desk puts you on the front lines of defense, receiving calls from users who don't know what to do or can't login to the company network. You will see many weaknesses that Future Pentester You will be able to exploit. Help Desk You can keep track of the most common mistakes made by users and help the security team build targeted awareness training. Look for learning opportunities in any job, and think about how it can help you reach your dream job. Remember, I wanted to be the art director of a major magazine, and now I oversee the production department of a company that creates videos, e-learning modules, and magazine-like newsletters, so in reality, I have my dream job. Or something better.

School is important but not the most important
It's been a long-held misconception that a college degree is necessary to be a successful member of a workforce. Attitudes toward this are changing, and I am of the firm belief that college is not for everyone nor does it mean you know everything about your field. Our company's first intern was a graphic design college graduate with a minor in comp sci and a 4.0 GPA. He interviewed really well, but when he came to work for us proved he knew zilch about anything we needed him to do. Now, when we hire people we do not even ask about college because a degree proves nothing. But work experience, and lots of it, does. Going out and taking the initiative to learn more, getting certified and working hard to perfect your craft – that proves more than sitting through four (or five!) years of college and coming out with a piece of paper. Frankly, I do not even know where my piece of paper is, nor do I care. My degree did not prepare me for this job or this industry. The things that truly prepared me were attending conferences, joining the ISSA, staying up to date on security news, talking to our clients, and putting in a lot of long hours working to get better. You can learn a lot in school, yes, but there are just so many things that can not be taught in a classroom and must be learned from real experience. In my opinion, the infosec field is a prime example of one in which a degree is not entirely necessary to becoming a well-educated, knowledgeable, and skilled professional.

Be willing to say "I don't know"
Technologies change so rapidly and new threats pop up so often, we all must be in constant learning mode. None of us can ever say, "Yup, I know everything about security!" While many of the issues and lessons have not changed over the last twenty years (passwords! breaches! malware! Oh my!) the technical specifics and speed at which bad things can happen are only ramping up. Our daily news feeds overflow with criminal hacks and APTs and data breaches galore, and as industry professionals we must all maintain a current knowledge of these issues and an understanding of new technologies. But there is a lot to keep up with. It can be overwhelming. So ask for help. Talk with your colleagues, join professional development groups, ask your company for additional training (even if it is not directly related to your role), subscribe to journals like this one, and attend conferences. Never stop learning. This is not an industry in which you can afford to stagnate, because if you do, you will be left behind.

One final piece of advice for the ladies
Have confidence in yourself and your abilities. Do not let a male-dominated industry intimidate you away from it. I wish that the stigmas surrounding STEM industries would just fade away because I think they scare off smart people who would have a lot to contribute. Like I said, infosec is not any one thing or meant only for one type of person. As a woman in this industry, which has been a boys' club for a long time, you will face adversity and discrimination and eye-rolling. You will be spoken down to and many will assume that you do not know what you are talking about. As a woman, it is even more important to know your subject matter and become knowledgeable about everything that touches your area of expertise. You must develop a thick skin and confidence to keep your head raised high. Keep learning, keep pushing, keep bettering yourself. The women I meet in this field impress me on many levels, with skill sets ranging from over-my-head technical expertise to master-level, geek-wrangling management skills. So, if you can hurdle the gender divide and the few detractors you will meet along the way, you will be rewarded with a fascinating

ISSA Store (advertisement): Easy and Convenient! We've stocked our shelves with ISSA merchandise featuring our logo. Visit our online store today – it's easy and convenient to securely place your order and receive great ISSA-branded items. Computer Bags, Short-Sleeve Shirt, Long-Sleeve Shirt, Padfolio, Travel Mug, Baseball Cap, Fleece Blanket, Proud Member Ribbon, Sticky Note Pads (12 pk.). Place Your Order Today: ISSA Store! www.issa.org/store
As an undergraduate I had aspirations of becoming a top-performance track and field athlete. The majority of my time was spent on the field priming for competition and breaking records, while my time off the field was spent changing my academic focus every semester: I traversed from English to Psychology, to Africana Studies, to Piano, to Photography, to Spanish, and finally to Marketing. By the end of 4.5 years, I managed to walk away with a degree in Business Administration: Entrepreneurship.

After graduation I spent a year living abroad before deciding to return to pursue my master's degree. I had just decided upon studying public administration when cybersecurity caught my attention during the new-student orientation. The thought of a cyber war between the black hats versus white hats was intriguing enough to pull my interest away from red tape and bureaucracy. After all, my recent retirement as a track and field sprinter had left my competitive spirit feeling a bit malnourished. What began as an interest quickly transformed into an appetite for more knowledge. Although I did

Attending the NSF Cyber Security Summit dramatically changed my mind-set by allowing me to interact with leaders in information security. When they inquired about my personal career goals, I realized the error of my ways: I admitted to them that I had limited technical skills, and as a result I would better serve management or policy. In the back of my mind, however, I was looking to get my hands a little more dirty; the challenge of learning something new and exploring technology was what had attracted me to the field, but yet, I was referring to my management background out of fear of looking incompetent. Fortunately, the speakers I met offered me guidance that helped to broaden my perspective. Susan Ramsey, from the University Corporation for Atmospheric Research, assured me that there was still time for me to explore new interests. She encouraged me to stay focused and whatever I aspired to do would become a reality with determination and time. This brief exchange of dialogue was critical in helping me realize that industry leaders did not succumb to limiting beliefs; perhaps they had already gotten over them or they never had them to begin with – either way, I understood that if I wanted to grow, I would have to reprogram my way of thinking.

As a student, I offer a perspective of someone who has merely begun studying information security. I find it important to divulge my experiences thus far to inspire those who are interested in transitioning from a non-tech to tech background. I cannot promise it will be an easy transition, but I believe it will be rewarding for those who commit to it. When facing any lingering doubts, my remedy has been to return to a child-like state where curiosity is foremost and possibilities are unlimited. I advise all new techies to explore whatever topics interest them. It is important that the questions you ask are not geared towards seeking validation or permission to pursue ("Should I?" "Can I?" "Do you think I?"). Instead, questions should be indicative of a mind already made up with a simple inquiry of "Where do I get started?"

About the Author
Dora Baldwin is a graduate student of California State University, San Bernardino, where she is pursuing her Master's of Public Administration with an emphasis in cybersecurity. She is a recipient of the CyberCorps: Scholarship for Service, which is an academic program funded by the National Science Foundation and co-sponsored by the Department of Homeland Security. After graduation, she aspires to work in the public sector and specialize in network and computer systems security. She may be reached at baldwindora@gmail.com.

1 https://www.sfs.opm.gov.
2 Center for Trustworthy Scientific Cyberinfrastructure http://trustedci.org.

Outside Looking In
By Roza Winston – ISSA member, Central Ohio Chapter

This is an article detailing the journey of a willing but inexperienced and unskilled worker attempting to break into the infosec field.

"The road of life twists and turns and no two directions are ever the same. Yet, our lessons come from the journey, not the destination." – Don Williams, Jr.

Career paths are but journeys, mostly direct ones (i.e., with the exception of information security, which heretofore was not a linear path, but one of winding and unfolding byways). Ask any chief information security officer or any over-worked infosec practitioner and you will find this to be true – most arrived in this profession via allied or indirect channels. Some were industrial engineers or communications specialists, others occupied various technology slots, and most learned on the job.

That, however, is no longer the case. As the field of information security matured, and regulations and standards evolved, formal curricula sprang up to train the masses of aspiring cyber warriors, as they have been dubbed by higher ed. Where once those interested in pursuing this field only found computer science programs, now interested parties can find specialized degrees in cybersecurity/information security/cyber defense in a number of universities. Here in Ohio alone there are a number of accredited four-year universities offering bachelor's and master's degrees in information security: Franklin University in Columbus, Ohio; Wright State in Dayton; and Tiffin University in Tiffin, Ohio, no less! Some may argue the merit of such programs, for they liken the curricula to be more akin to trade school fare; yet, such grumblings do not account for the non-traditional student who might be changing careers, or the accredited liberal arts program incorporating the traditional core of requirements: humanities, physical and social sciences, composition, and the like. Gratefully these programs proliferate, and logically so, if the gap between supply and demand is to be remedied.

Short of formal education, someone interested in information security, but either unable or uninterested in pursuing higher education, can still amass quite a bit of knowledge, if not experience, from an abundance of alternative sources: professional associations, MOOCS, podcasts, vendors' webcasts, industry journals, white papers, government and consumer websites, think tanks such as the Brookings Institute [3] and Pew Research, [4] YouTube channels, blogs, and the websites of educational organizations and institutions.

My own introduction to this field and subsequent quest for knowledge began one day while listening to an NPR show broadcasting daily out of the American University called the Kojo Nnamdi Show, [5] which is a two-hour magazine show featuring news, politics, and social issues. Yet, it was his lively Tech Tuesday program, which he hosts on the first Tuesday of the month, that grabbed my attention. Like many workers in sedentary occupations looking for an opportunity to break up the monotony, I happened upon this show quite unexpectedly and found it not only informative, but entertaining as well. With his regular panel of guests from the surrounding area – Chief Futurist Allison Druin from the University of Maryland; hardware and software consultant Bill Harlow from Mid Atlantic Consulting; and John Gilroy, Director of Marketing and Business Development at BLT Global Ventures – exploring the myriad ways that technology touches every aspect of lives, they take what can be a dull topic and often turn it into shtick, making for a truly engaging show. This show whetted my appetite for information on this fascinating field of information security and acted as the launching pad for further exploration.

Once sparked, my curiosity led me on a unique journey where I would pick up, sort out, and assemble bits and often bytes (had to include that pun) of information from varied sources: at the SANS Institute's website [6] I learned of the 20 Critical Security Controls and worked to memorize as many as I could. I downloaded security policies and procedures as a blueprint for any that I might find myself drafting, combing through their white papers and vendor webcasts. I culled information about intrusion detection systems such as Snort and discovered how SIEMs are designed to work. At the US-CERT website, [7] I read security bulletins and signed up for alerts, and at a related government website, OnGuard Online, [8] I learned the definition of malware, how to secure my computer, and other cyber safety tips together with the importance of doing so. The National Institute of Standards and Technology [9] site offered best practices and information relating to efforts to improve critical infrastructure. The Brookings Institute [10] offered up panel discussions on information security. Open Web Application Security Project [11] (OWASP), Build Security In, [12] and the Software Engineering Institute at Carnegie Mellon University [13] all provided training and information on secure programming and software assurance. DefCon placed videos of their conference on YouTube for viewers to learn about forensic detection strategies such as RAM analysis, and I learned of something called RAM Scraping. Eli the Computer Guy [14] and Professor Messer's [15] YouTube channels expanded my knowledge on application ports and protocols and exfiltration techniques like keylogging. Bloggers and journalists at Dark Reading [16] discussed the latest threats and merits of various breach remedies. A number of states placed their training videos online, most notably those geared toward Attorney Generals. MOOCS, such as those at Coursera, [17] offered free online learning in disciplines such as risk management, information security, programming, cryptography, etc. Finally, ISSA Central Ohio Chapter, [18] in its offering of certification classes, provided detailed learning on each of the ten domains of information security, combined with monthly meetings and an annual summit that treats each topic in depth. Representatives from each modality train, teach, and speak at these events and freely post information at their social media sites as well.

I could elaborate more about the enormous amount of free training and education online, in certification books and classes, and at seminars and workshops, but I have already provided enough of a cross sampling for you to get the picture. At each venue, I learned of shady characters (threat actors) looking to exploit vulnerabilities in networks and systems (threat landscape) and the varied means by which they do so (threat vectors), but of greater importance I learned the precautions that I could take, and teach others in my circle to take, to prevent, or at least lessen the chance of, a breach to my personal network and of the enterprise system where I work.

Formal training, though decidedly important to human resource departments at major corporations and perhaps a necessity for a comprehensive understanding of the field, need not be the only avenue toward gaining entry into this field. As has been demonstrated here, there are untold channels from which to gain training. With a bit of ingenuity and fortitude individuals desiring to do so can build a considerable body of knowledge in the field, which they can then use to gain a foothold in the door; perhaps not at large established corporations, but given the severe shortage of skilled workers and the projection of an ever-widening gap in talent – as set forth in the 2015 (ISC)2 Global Information Security Workforce Study released by Frost & Sullivan, stating that globally it is expected that the information security workforce shortage will reach 1.5 million in five years [19] – surely such an individual can either find or create an opportunity for oneself as a consultant, a contractor to very small businesses, a security software salesperson, or by partnering with a start-up, or interning with a managed services company, and/or, alas, volunteering with a non-profit or social service agency to gain experience. These opportunities abound. My own such experience to date has been limited to participation in a few programming projects geared toward children in middle school, which is an annual event organized by one of the professional associations to which I belong; the other two instances have been with a small podiatry office that needed everything from written policies to a vulnerability assessment and a small communications/tech company.

My paralegal background, combined with the former experience of working under directors in the heavily-regulated medical industry, served me well in these circumstances and underscores the idea that by bringing together past work experience, particularly if that experience has been in an allied profession, with newfound knowledge, the aspiring infosec practitioner can launch a career in cybersecurity, keeping in mind that technology is no panacea, that information security is holistic in nature and requires a myriad of approaches as well as ongoing training.

Chiefly what I have learned is that the more I learn, the more there is to know and there are new discoveries and adventures around the corner.

About the Author
A former paralegal and administrative assistant (an end user personified), Rosa Winston is an aspiring infosec practitioner. She may be reached at rzw122@gmail.com.

3 www.Brookings.edu.
4 www.pewresearch.org.
5 https://thekojonnamdishow.org.
6 https://www.sans.org/.
7 https://www.us-cert.gov/.
8 https://www.onguardonline.gov/.
9 http://www.nist.gov/.
10 http://www.brookings.edu/.
11 https://www.owasp.org.
12 https://buildsecurityin.us-cert.gov/.
13 http://www.sei.cmu.edu/.
14 https://www.youtube.com/user/elithecomputerguy.
15 https://www.youtube.com/user/professormesser.
16 http://www.darkreading.com/.
17 https://www.coursera.org/.
18 http://www.centralohioissa.org/.
19 Frost and Sullivan, The 2015 (ISC)2 Global Information Security Workforce Study. Mountain View, CA: Booz Allen Hamilton, 2015 https://www.isc2cares.org/uploadedFiles/wwwisc2caresorg/Content/GISWS/FrostSullivan-(ISC)-Global-Information-Security-Workforce-Study-2015.pdf.
In order to obtain personal information and account access over the phone, ISSA Member services will ask your provided security question.
* Security Question:_____________________________________________ * Security Answer: ________________________________
* Only Online Journal: n Yes n No Annual general membership dues of $95 per year include $28 for a one-year subscription to the ISSA Journal.
ISSA Privacy Statement: The ISSA privacy statement is included in the Organization Manual, and is provided for your review at www.issa.org/?PrivacyNotice.
Your Primary Job Title (Select only ONE number from below and enter here) _________________________ *Membership Category _______________________________
1. Corporate Manager/CIO/CSO/CISO 9. Operations Manager 17. Engineer (See above)
2. IS Manager/Director 10. Operations Specialist 18. Auditor
*Chapter(s) _______________________________________
3. Database Manager, DBA 11. LAN/Network Manager 19. President/Owner/Partner
(Required within 50 miles of local chapter - list on reverse)
4. Database Specialist, Data Administrator 12. LAN/Network Specialist 21. Financial Manager
5. Application Manager 13. Security Specialist 22. Administrator Referring Member & Chapter __________________________
6. Applications Specialist 14. Contingency Planner 23. Educator
ISSA Member Dues (on reverse) $ _______________
7. Systems/Tech Support Manager 15. Sales/Marketing Specialist
24. Other________________
8. Systems Programmer/Tech Support 16. Independent Consultant
Chapter Dues x Years of Membership $ _______________
Your Areas of Expertise (List all that apply) ______________________________________ (on reverse)
A. Security Mgmt Practices E. Security Architecture I. Operations Security Additional Chapter Dues $ _______________
B. Business Continuity/Disaster Recovery F. Applications/Systems Development J. Physical Security (if joining multiple chapters - optional)
C Network Security G. Law/Investigations/Ethics K. Telecommunications Security
D. Access Control Systems/Methods H. Encryption L. Computer Forensics Total Membership Dues $ _______________
ISSA Foundation Donation $ _______________
ISSA Code of Ethics A tax-deductible contribution, as allowed by US tax code, can be
The primary goal of the Information Systems Security Association, Inc. (ISSA) is to promote practices that made in addition to your ISSA Membership Payment. For more infor-
mation on the foundation and its programs, visit www.issaef.org.
will ensure the confidentiality, integrity, and availability of organizational information resources. To achieve
www.ISSAEF.org
this goal, members of the Association must reflect the highest standards of ethical conduct. Therefore, ISSA
Total (dues + ISSA Foundation) $ _______________
has established the following Code of Ethics and requires its observance as a prerequisite for continued
membership and affiliation with the Association. As an applicant for membership and as a member of ISSA, I
have in the past and will in the future: Print out and mail or fax form to:
Perform all professional activities and duties in accordance with all applicable laws and the highest ISSA Headquarters
ethical principles; 12100 Sunset Hills Road, Suite 130, Reston, VA 20190
Promote generally accepted information security current best practices and standards; Fax +1 (703) 435-4390
Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the
Phone +1 (866) 349-5818 www.issa.org
course of professional activities;
Discharge professional responsibilities with diligence and honesty;
Refrain from any activities which might constitute a conflict of interest or otherwise damage the
reputation of employers, the information security profession, or the Association; and You may fill out the form and submit it electronically as an email
Not intentionally injure or impugn the professional reputation of practice of colleagues, clients, or attachment. You will need an email account to send it.
employers.
Submit by EMAIL to: member@issa.org
Signature __________________________________________ Date ______________
ISSA Member Application 01/15
Risk Radar: Real-World Rogue AV | Ken Dunham
Membership Categories and Annual Dues

General Membership: $95 (USD) plus chapter dues
Professionals who have as their primary responsibility information systems security in the private or public sector, or professionals who supply information systems security consulting services to the private or public sector; or IS Auditors, or IS professionals who have as one of their primary responsibilities information systems security in the private or public sector; Educators, attorneys and law enforcement officers having a vested interest in information security; or Professionals with primary responsibility for marketing or supplying security equipment or products. Multi-year memberships for General Members are as follows (plus chapter dues each year): 2-Year: $185; 3-Year: $275; 5-Year: $440.

Government Organizational: $90 (USD) plus chapter dues
This membership offers government agencies the opportunity to purchase membership for an employee. This membership category belongs to the employer and can be transferred as reassignments occur. When an employee is assigned to this membership, he or she has all of the rights and privileges of a General Member.

Student Membership: $30 (USD) plus chapter dues
Student members are full-time students in an accredited institution of higher learning. This membership class carries the same privileges as that of a General Member except that Student Members may not vote on Association matters or hold an office on the ISSA International Board. There is no restriction against students forming a student chapter.

CISO Executive Membership: $995 (USD) plus chapter dues
The role of information security executives continues to be defined and redefined as the integration of business and technology evolves. While these new positions gain more authority and responsibility, peers must form a collaborative environment to foster knowledge and influence that will help shape the profession. ISSA recognizes this need and has created the exclusive CISO Executive Membership program to give executives an environment to achieve mutual success. For more information about CISO Executive Membership and required membership criteria, please visit the CISO website http://ciso.issa.org.

Credit Card Information
Choose one: [ ] Visa [ ] MasterCard [ ] American Express
Card # ___________________________________ Exp. Date ____________
Signature ________________________________ CVV code _____________

Please check the following:

Where would you place yourself in your career lifecycle?
[ ] Executive: CISO, senior scientist, principal or highest level in respective field
[ ] Senior: department manager or 7+ years in respective field
[ ] Mid-Career: 5-7 years with an identified field of security specialty
[ ] Entry Level: 1-5 years, generalist
[ ] Pre-Professional: Student or newcomer exploring the field

The most important aspects of my membership for the current membership term are:
[ ] Build or maintain professional relationships with peers
[ ] Keep up on developments and solutions in cybersecurity, risk or privacy
[ ] Establish a professional development strategy to achieve my individual career goals
[ ] Increase my personal visibility and stature within the profession
[ ] Share my knowledge and expertise to advance the field
[ ] Develop the next generation of cybersecurity professionals
[ ] Earn CPEs/CPUs to maintain certifications or credentials
[ ] Access to products, resources and learning opportunities to enhance job performance
[ ] Problem solving or unbiased recommendations for products and services from peers
[ ] Gain leadership experience
[ ] All [ ] None

Most challenging information security issue?
[ ] Governance, risk and compliance
[ ] Securing the mobile workforce and addressing consumerization
[ ] Data protection
[ ] Application security
[ ] Security and third party vendors
[ ] Security awareness
[ ] Threat updates
[ ] Legal and regulatory trends
[ ] Endpoint security
[ ] Incident response
[ ] Strategy and architecture
[ ] All [ ] None

Which business skills would be most valuable for your professional growth?
[ ] Presenting the business case for information security
[ ] Psychology behind effective security awareness training
[ ] Budgeting and financial management
[ ] Business forecasting and planning
[ ] Management and supervisory skills
[ ] Legal knowledge
[ ] Presentation skills
[ ] Negotiation skills
[ ] Written and verbal communications
[ ] All [ ] None
ISSA Chapters & Annual Dues (for changes/additions visit our website www.issa.org)

At-Large 25

Asia Pacific
Chennai 0; Hong Kong 0; Philippines 20; Singapore 10; Sri Lanka 10; Sydney 0; Tokyo 30; Victorian 0

Europe, Middle East & Africa
Brussels European 40; Egypt 0; France 00; Irish 155; Israel 0; Italy 65; Netherlands 30; Nordic 0; Poland 0; Romania 0; Saudi Arabia 0; Germany 30; Spain 60; Switzerland 80; Turkey 30; UK 0

Latin America
Argentina 0; Barbados 25; Brasil 5; Chile 30; Colombia 5; Ecuador 0; Lima, Perú 5; Puerto Rico 35; Uruguay 0

North America
Alamo 20; Alberta 25; Amarillo 25; ArkLaTex 0; Baltimore 20; Baton Rouge 25; Blue Ridge 25; Boise 25; Buffalo Niagara 25; Capitol Of Texas 35; Central Alabama 0;
Central Florida 25; Central Indiana 25; Central New York 0; Central Ohio 20; Central Pennsylvania 20; Central Plains 30; Central Virginia 25; Charleston 25; Charlotte Metro 30; Chicago 30; Colorado Springs 25; Connecticut 20; Dayton 25; Delaware Valley 20; Denver 25; Des Moines 30; East Tennessee 15; Eastern Idaho 0; Eastern Iowa 0; Fort Worth 20; Grand Rapids 0; Greater Augusta 25; Greater Cincinnati 10; Greater Spokane 20; Hampton Roads 30; Hawaii 20;
Inland Empire 20; Kansas City 20; Kentuckiana 35; Kern County 25; Lansing 20; Las Vegas 30; Los Angeles 20; Madison 15; Mankato 20; Melbourne, FL 25; Memphis 30; Metro Atlanta 30; Middle Tennessee 35; Milwaukee 30; Minnesota 20; Montana 25; Montreal 0; Motor City 25; Mountaineer 25; National Capital 25; New England 20; New Hampshire 20; New Jersey 20; New York Metro 55; North Alabama 15; North Dakota 25;
North Oakland 25; North Texas 20; Northeast Florida 30; Northeast Indiana 10; Northeast Ohio 20; Northern New Mexico 20; Northern Virginia 25; Northwest Arkansas 15; Oklahoma 30; Oklahoma City 25; Omaha 0; Orange County 20; Ottawa 10; Palouse Area 30; Phoenix 30; Pittsburgh 30; Portland 30; Puget Sound 20; Quebec City 0; Rainier 20; Raleigh 25; Rochester 15; Sacramento Valley 20; San Diego 30; San Francisco 20; SC Midlands 25;
Silicon Valley 30; South Bend, IN (Michiana) 25; South Florida 20; South Texas 30; Southeast Arizona 20; Southern Indiana 20; Southern Maine 20; Southern Tier of NY 0; St. Louis 20; Tampa Bay 20; Tech Valley Of New York 35; Texas Gulf Coast 30; Toronto 20; Tri-Cities 20; Triad of NC 25; Tucson, AZ 10; Upstate SC 0; Utah 15; Vancouver 20; Ventura, CA 30; West Texas 30; Yorktown 30