
Page 1: Cybersecurity an Evolving Practice

Cybersecurity an Evolving Practice

Lyndsay Turley, Director Communications & PA for (ISC)² in EMEA

Milan, October 28 2016

Page 2

Professional Community

» 120,000 Certified Professionals
» Nonprofit leaders in education
» Accredited to ANSI/ISO/IEC Standard 17024
» CBK® continuously updated taxonomy of topics
» Job Task Analysis
» (ISC)² Global Workforce Study

www.isc2.org

Page 3

CEN ICT Skills Workshop: (ISC)² joined in 2012 to bring front-line experience in cybersecurity.

1. Review the European e-Competence Framework (eCF) against current expectations for cybersecurity
2. Develop a guide for interpreting the eCF from a security accountability perspective
3. Document functional interfaces and dependencies

Page 4

2006: What does this tell us?

» Primary concern (pie chart): IT 49.73%; Risk Management 50.27%

Page 5

Professional Activities (% of respondents; values read from the chart, columns in the chart's legend order)

Activity                          EMEA  France  Germany  UK
GRC                                 50      54       43  59
Security management                 50      49       58  52
Security operations                 38      29       34  39
Provide advice on security to…      43      44       50  50
Researching new technologies        29      21       29  31
Security leadership                 28      25       28  35
Vulnerability assessment and…       25      19       23  28
Incident response                   26      20       23  25
Security solutions/sales            16      13       17  14
Software development                 8       4        8   7
Sales consulting                     7       6        5   5

Page 6

Security Threat Techniques

Top 10 Security Threats (Very/Somewhat Common), % of respondents; values read from the chart, columns in the chart's legend order

Threat                              EMEA  France  Germany  UK
Phishing                              51      49       53  53
Scan network                          34      32       39  30
Web application attacks               36      41       47  31
Privilege abuse                       35      30       32  32
Denial of service and distributed     36      31       40  35
SQL injection                         30      32       44  23
Downloader                            27      20       32  25
Command and control                   26      29       29  22
Backdoor                              24      20       30  18
Brute force                           23      21       31  19

Page 7

A Maturing Practice After 28 years

Page 8

Have you heard the story about the Jeep (and Tesla!), the steel factory and the Coca-Cola delivery guy…

Page 9

Losing visibility & oversight

» Policy, Governance
» Architecture, Project management
» Operational security; access control
» Procurement, Services, Design & Development

Page 10

The pressure is on …

62% too few infosec people

57% can’t find the right people today

Breaches rising, struggling to trace origin, longer recovery periods

Page 11

Our key challenge today is the pace of change and…

Page 12

…the lack of understanding of how this is leaving us vulnerable

Page 13

Impact of GDPR (& NIS)

» Wholesale review of everything
  • Industries to be considered critical
  • Organisational processes & ecosystems
  • Employee habits
  • Understanding of data and its attributes
  • Etc.

Page 14

A Confusing Time

Page 15

Polarising Skill Requirements

Technical
  • architecture
  • software
  • forensics
  • vulnerability testing

Business Management
  • Risk management policy
  • Project and Programme Management
  • Security business consultancy
  • Security account management

Page 16

Diverse Reporting Structure – IT less than 30%

Reporting line (% of respondents; values read from the chart, columns in the chart's legend order)

Reports to                            EMEA  France  Germany  UK
IT department                           23      26       23  20
Executive management (C-level or…)      25      18       26  23
Security department (information…)      15      13       17  18
Operations or administration             5       7        3   5
Consulting                               7       9       12   8
Board of directors                       7       3        3   8
Risk management                          4       7        2   4
Governance or compliance                 3       4        4   4
Sales management                         3       5        5   3
Internal auditing                        2       2        1   2

Page 17

Evolving Job Titles (% of respondents; values read from the chart, columns in the chart's legend order)

Title                             Worldwide  EMEA  France  Germany  UK
Security analyst                         10     6       3        8   8
Security consultant (managem…)            9    13      11       10  18
CSO/CISO/CIAO                             6     8      13        9   5
Security auditor                          5     5       7        2   3
Information Assurance Manager             4     3       1        6   5
Security architect (consulting)           4     7       5        7   9
Security engineer (planning,…)            4     3       1        3   2
Security architect (products,…)           4     5      11        3   3
Security advisor                          4     6       7        9   6
Network administrator                     3     3       3        2   1

Page 18

New Recruits

[Bar chart: skills sought in new recruits. Categories: Communications; Analytical; Risk assessment/mgt; Specific platform/tech; IT&SecOps Mgt. Series: UK, EMEA, Global. Horizontal axis 75 to 100. Individual values not recoverable from the transcript.]

Page 19

Skills Frameworks & Roles

» Various disparate efforts: IISP, ESCO, IEEE/ACM, SOFIA, PViB, UNINFO, BCS, eCF, etc.
» Competence vs. process standards
» Different perspectives: ICT, info/cyber security, risk management
» Government driven or funded
» Big business informed

Page 20

Changing influences: skills, sector risk, backgrounds, regulations

Page 21

Whose job is it anyway?

Page 22

Top Security Concerns (Top/High Concern), % of respondents; values read from the chart, columns in the chart's legend order

Concern                                EMEA  France  Germany  UK
Application vulnerabilities              70      74       68  70
Malware                                  66      49       55  68
Configuration mistakes/oversights        63      48       58  67
Mobile devices                           60      56       57  58
Faulty network/system configuration      58      54       50  58
Hackers                                  56      49       53  51
Internal employees                       52      45       41  53
Cloud-based services                     46      47       42  48
Cyber terrorism                          42      35       41  46
Trusted third parties                    41      27       37  42
Corporate espionage                      43      42       47  37
Contractors                              40      43       34  38
State sponsored acts                     34      25       41  38
Hacktivists                              37      23       32  42
Organized crime                          42      34       45  45

Page 23

Recruiting Perspective

» Planning for the next generation workplace: experts, IT, business and employees
» Adding the strengths of the academic community to the process
» CEN workshop membership, including (ISC)²

Cyber experience · Universities, educators · Stakeholders: ICT, Business, Gov't

Page 24

UK Academic experience

Guidelines for: Curriculum, Apprenticeships, Occupational Standards

Work-based learning · Apprenticeships · Undergraduate University/Higher Learning Apprenticeships · Training · Cybersecurity principles and Learning Outcomes

BCS, IET, CompTIA, Tech Partnership, CPHC (40 universities); BIS, OCSIA (Cabinet Office); GCHQ; (ISC)²; IISP, ISACA

» 2014/15/16 Workshops: 66 universities, professional bodies, government
» Published June / referenced within BCS accreditation, June 2015
» Mapped to apprenticeships/occupational standards: consultation December 2015

Page 25

BCS – Where relevant

» Information and risk: models and concepts and the relationship between information and system risk
» Threats and attacks: threats, how they materialise, typical attacks and how those attacks exploit vulnerabilities
» Cybersecurity architecture and operations: physical and process controls to identify and mitigate vulnerability, and ensure organisational compliance
» Secure systems and products: the concepts of design, defensive programming and testing for resilient systems
» Cybersecurity management: the personal, organisational and legal/regulatory context in which information systems could be used

http://cert.isc2.org/isc2-cphc-whitepaper/

Page 26

References & Content - Principles

» Association for Computing Machinery (ACM)
» Detailed standards outlined within British Standard PAS 754 Software Trustworthiness
» (ISC)² International Academic Programme / bodies of current practice knowledge that underpin our CISSP and other professional certifications
» Framework for higher education qualifications in England, Wales and Northern Ireland
» Learning outcomes to satisfy Level 4 requirements; advanced concepts & learning outcomes to Level 5 and 6 requirements, with examples of application to subject areas including database systems, software engineering, operating systems, etc.

Page 27

Closing an Interpretation Gap

» Security is well referenced right across the eCF framework, alongside project management, service delivery etc.
» Overall the eCF is written for an audience with a good, established understanding of the concepts referenced... security does not fall into this category
» Basic terms are used, e.g. A1 Plan includes "ensures a secure environment" in its description and requires security knowledge in the knowledge area
» Portrays a generic security management function

Page 28

Through the eCF Lens – D1

Subject areas (http://cert.isc2.org/isc2-cphc-whitepaper/):
1. Information and risk
2. Threats and attacks
3. Cybersecurity architecture and operations
4. Secure systems and products
5. Cybersecurity management

Mapping to eCF competence areas:
» Plan: 1. Information & risk; 2. Threats & attacks; 3. Cybersecurity architecture & operations; 4. Secure systems & products
» Build: 3. Cybersecurity architecture & operations; 4. Secure systems & products
» Run: 2. Threats & attacks; 3. Cybersecurity architecture & operations
» Enable: 1. Information & risk; 4. Secure systems & products
» Manage: 1. Information & risk; 2. Threats & attacks; 5. Cybersecurity management

Page 29

Adding Granularity – D2&4

» A1 – security requirements analysis; alignment to risk appetite
» A5/A6 – understanding of threats & attacks
» A1-A4/A9 – understanding of information and risks
» A4 – knowledge of secure development lifecycle
» A3 – economics of security risk management
» B1-3 – functional security requirements, e.g. authentication, data encryption; manage secure software and systems development lifecycle
» B4/B6 – penetration testing/vulnerability scanning; vulnerability and misuse testing
» C1 – recognise/manage current security threats & attack vectors, e.g. phishing, malware
» C2 – knowledge of security architecture
» C2/C3 – understand and be able to apply principles of security controls
» D1 – security design: knowledge of security metrics, testing regimes; interpret security analytics
» D2/D4 – includes security benchmarks, process improvement
» D10/11 – security design/requirements; understanding of information and risk
» D12 – data collection restrictions
» E3 – fundamentals of security policy; economics of security risk management
» E5 – security analytics; testing for security failure
» E7 – trends: cloud, AI, IoT

Page 30

For example, D2&4:

» B1-3 – functional security requirements, e.g. authentication, data encryption; manage secure software and systems development lifecycle
» B4/B6 – penetration testing/vulnerability scanning; vulnerability and misuse testing

Build: 3. Cybersecurity architecture & operations; 4. Secure systems & products

Page 31

Finding the Fit

Mobile/remote · Communications · Innovation lifecycle · Identity & Access Mgt · Access Control · Incident Response & recovery · Forensics · Access Control systems · Data protection requirements

E8: disparate function, embedded across Run/Enable

Page 32

Embedding Security as Core

» Security architecture will be core to ICT architecture
» Secure software lifecycle will be core to the software development cycle
» Data and security management will be core to risk management
» Quality, testing… etc.

Page 33

Need to federate knowledge widely

» Move away from the idea of the generic security management
» Key concepts, terms, functions, features, behaviours that are relevant across functions
» Influence innovation and the development of new service models, e.g. applications to smart cities
» Provoke understanding of competences at a task level

Page 34

Debunking Myths » It’s a Technical discipline » It’s Security’s Job » It’s about the Defences

Page 35

Debunking Myths » It’s also a management discipline » It’s Everybody’s Job » It’s about the Opportunities

Page 36

Email: [email protected] www.isc2.org Twitter: @ISC2