For better info security, certify the workforce


Marc Noble, (ISC)2's director of government affairs, talks about the need for certified information security professionals and three emerging areas that need attention: software security, cloud computing and risk management.

The shortage of certified information security professionals is becoming a critical issue for federal agencies, and Marc Noble is trying to help close that gap. A former chief information security officer and deputy chief information officer at the Federal Communications Commission, Noble spent 30 years overseeing government information systems before moving to Mitre Corp. as an information assurance engineer. Noble was recently tapped to take the helm as director of government affairs for the International Information Systems Security Certification Consortium, a world leader in certifying information security professionals.

Noble spoke with GCN Editor-in-Chief Wyatt Kash about improving the state of information assurance.

GCN: After working for federal agencies and moving to study government security solutions at Mitre — a federally funded research development center, or FFRDC — what struck you most about the state of information assurance and security in government?

Noble: Working in the government, I quickly understood that upgrading my knowledge of security standards, skills, best practices, education and retooling my knowledge base were my responsibility, and I encouraged others to do the same.

In contrast, in a federally funded research development center, there is an ongoing culture of education and renewal of one’s resources, which is really the key to overall effectiveness of an organization’s security program.

Also in contrast to a government agency, an FFRDC has access to research and development funds to help in developing the most effective solutions. Creating a culture that supports innovation and rewards professional growth will be critical to improving the government state of security.

Take, for instance, the State Department. For any employee who attains its Certified Information System Security Professional or other certification, they are rewarded with a bonus. This is just one step toward changing an agency’s culture for the better and subsequently improving its state of security.

Many believe the technical skills gap in government is wider than appreciated. What’s your take?

I believe that information security is a multifaceted job that requires multiple skill sets. One size does not fit all. People with technical skills are certainly critical to fulfilling the government’s security goals, but equally important are those with strong managerial skills, communications skills, skilled instructors, etc., especially given the current proportion of contractor personnel assigned to technical positions within government. Agencies need skilled management groups in order to manage these contractors effectively.

Can you point to how the government is making progress?

I look at it from this angle: Certifications are a lot more prevalent today than they were even 10 years ago. I believe that is a real game changer. The real issue is that certified people can speak to each other in a clear language where those who haven’t gone through the rigorous training involved find it more difficult to communicate with other security professionals.

What are the top three technical areas in which you see an increased need for training and certification in government?

First, I see the need for training and certification in the area of software security. Because I spent so many years in software development, I understand the process from the inside out. In a world where 80 percent of all breaches are application-related, we need educated professionals and a reformed culture that views software security as second nature. In my opinion, security testing specifically will be a critical area for training and certification in the future.

Next, I see a real need for information security personnel to get, shall we say, cozy with the cloud. Cloud computing and Web 2.0 are being recognized as game changers, and their evolution will be interesting to watch. With the IT and business worlds focusing on the potential of cloud computing, we need to be preparing those who will be responsible for securing it.

Finally, there is no doubt that adopting a risk management perspective on managing security will be required of all government personnel involved in information security programs — not only from a best-practices perspective but from a compliance perspective. [The National Institute of Standards and Technology] and other standards organizations have made that shift in building standards based on a risk management approach. It is only a matter of time before an agency’s performance is judged on its ability to effectively manage risk.

In these three areas that are emerging, I am aware of only one with a certification program actually in place, and that is the Certified Secure Software Lifecycle Professional (CSSLP).

How do you see the role of information security professionals evolving relative to agency CIOs and senior executives?

With security now a business enabler for government, I see the information security professional as a significant partner in the business of government. The information security professional’s perspective is now critical to both the strategy and fulfillment of an agency’s mission. A 2009 survey of federal CISOs found that CISOs are becoming more empowered in their jobs. Eighty percent of them believe they have significant influence or some influence on the security posture of their agency.

The bottom line is that they feel they have a voice. I believe that soon we will see the role of information security professionals become recognized as a separate and distinct career field within government.

How is the shift toward mobile networking changing the priorities for information security specialists?

It’s not that different. It’s really about expanding the territory that the information security specialist is responsible for. The tools are already there. We just have to apply them more widely.

Take, for example, the [Veterans Affairs Department] data breach several years back. We had products to encrypt information on laptops back then, but we had not applied the technology, or we didn’t have policies in place for applying that technology. In this instance, government did not prioritize the investment and took a risk. It then made national news and became a priority.

Are the systems evolving around BlackBerry, Android, Microsoft and other mobile platforms adding new complexities to risk management for security specialists?

Absolutely. I’d have to completely agree. As a former CISO, I would have to say I would not allow my government employees to use their Androids and other new devices [for government work]. I would only let them put government information on government devices.

Congress has been working on several bills expected to impact how agencies deal with cybersecurity. What should the information technology community be watching for?

The IT community should expect or be aware of the following:

  • An evolution in the way that agencies report the progress of, and effectively manage, their security programs.
  • The possible adoption of a governmentwide certification requirement for information security professionals.
  • And finally, increased support for education programs.

I believe that we will see increased funding for programs already in place and new funds set aside for new programs that focus on educating, developing and mentoring those interested in the information security field.

What are your top priorities as you take the helm at (ISC)2?

I believe that the information security profession is reaching a critical point in its evolution, and I want to play a lead role in serving, on behalf of (ISC)2, as an advocate for the profession, particularly those employed at all levels of the public sector. My priorities will be:

  • The development of partnerships between government and the private sector. This mirrors the direction that our president and National Cyber Coordinator Howard Schmidt have mapped for government. So, as director of government affairs, I will put a lot of muscle into coordination, cooperation and communication among government, certification bodies, universities and the private sector to encourage the development of a professional workforce.
  • Next, I plan to monitor the cyber legislation environment on the Hill and help (ISC)2 plan for the changes to come and support the federal information security workforce in its implementation of those changes.
  • Finally, in growing programs such as our Veterans Initiative that educates and mentors soldiers returning from war and in need of a new career, I plan to help the government fill its shortage of qualified and skilled information security professionals.

What about the need for real-time system monitoring?

I believe a lot of people are still going to need to be educated on what they need to do and how it needs to be measured. The second part is risk management. It’s been around for a while. But I think the era of the risk executive will soon be upon us, and that will be an area in which a lot of security professionals will fit nicely.
