(ISC)2—the International Information Systems Security Certification Consortium—has grown into the premier authority for articulating and certifying the critical skills of the world’s information security professionals. The organization’s leadership, interviewed during their annual Security Congress held in Manila for the Asia-Pacific region last July, explained how concern over the growing shortfall in information security professionals caused by an expanding threat landscape is compelling the organization to push a recruitment and public information agenda.
Interviewed were David Shearer, the new CEO of (ISC)2, and Clayton Jones, their Asia-Pacific Managing Director. Shearer had been the organization’s COO for two years before his appointment as CEO, succeeding W. Hord Tipton at the start of 2015. Tipton, whom we had also interviewed in 2013, had served as CEO for six years.
Shearer points out that the information security workforce is growing, though not fast enough. In the 10th year of the regional congress, which started in 2006, the organization also attained a historic global milestone: the number of practitioners having earned their Certified Information Systems Security Professional (CISSP) credential reached the 100,000 mark.
In contrast, Shearer observes that in 2015 over 40,000 information security positions remain unfilled. Moreover, the 2015 (ISC)2 Global Information Security Workforce Study extrapolates from the prevailing conditions that led to this shortfall, while factoring in emerging trends that’ll make information technology usage grow exponentially, and projects that those 40,000 unfilled positions will grow to 1.5 million in five years. That’s 1.5 million info-security positions that’ll be unfilled by the end of this decade.
Driving this large wedge between supply and demand numbers is the mainstreaming of new systems that make information technology ubiquitous and pervasive. The threat landscape isn’t merely changing; it’s spreading out and digging in deep, rooting into everyday, every man’s use. The tech has been embedded in ownerless objects; the Internet of Things is already manifest in products ranging from personal devices—smartphones, smartwatches, health monitors, and the like—to vehicles and entire infrastructure systems, so the threat may exist anywhere, anytime, and for anyone. Verizon predicts that there will be 5 billion such devices by the end of this decade.
Interview recordings
Part 1: On application security and how critical concerns in this area have been escalated by the Internet of Things (IoT), with discussion of the Fiat-Chrysler recall of 1.4 million vehicles after a Jeep Cherokee was hacked by security researchers. – 8:07 length
Part 2: On raising public awareness and creating alliances with key organizations, with discussion of how communication has become the most important skill for cyber security professionals, on equal footing with their industry knowledge. – 11:52 length
Part 3: Responding to the question of whether a majority of cyber-attacks originate from the Asia-Pacific region, Shearer emphasizes that attacks employ misdirection as a matter of course and their origins cannot be reliably localized to any single region. This triggers a discussion on the universal prevalence of motives and opportunities–particularly for attacking governments’ records of individual healthcare and tax histories–which then leads to further discussion of cyber security legislation, cross-border enforcement, and of a notion to come up with ratings on the security practices of companies and the security features of their products. – 10:55 length
Part 4: On the responsibility of big business to set an example, and how open source software’s popularity among small businesses could be exploited to pivot attacks onto larger organizations. Also discussed was the scenario of “air-gapping” people despite BYOD expectations, particularly in a region where people expect full and unassailable privileges to have their smartphones always on their person. – 7:05 length
Part 5: On cloud services and how these create common service facilities for the enforcement of cyber-security best practices, while offering the flexibility of leased capacities instead of acquired assets. Also discussed was how cloud services may affect the outlook for cyber-security capacity building, and how this may trim down the number of posts expected to go unfilled by certified professionals, although the shortfall could become a lot bigger with the emergence of IoT. And finally, a conclusion with Shearer getting back on message about how (ISC)2 remains optimistic, and about how they focus on education and communication because, ironically, the alternative of not being smart, cool and collected about cyber-security could have disastrous results. – 10:44 length