New Zealand Information Security Workforce Development Strategy

New Zealand Information Security Workforce Development Strategy
November 2012 A Comprehensive Strategy Addressing the Recruitment, Retention and Professionalization Needs of the New Zealand Information Security Industry
Prepared and presented by In2securITy Limited
November 2012
In2securITy Limited
Page 1
Abstract
New Zealand has faced many challenges when protecting its valuable information. Time and again, many private and public sector organisations have failed to approach these challenges with the maturity, governance and technical excellence that modern systems require. As the pace of technical innovation increases, the complexity and quantity of these challenges will only increase. As a result, New Zealand needs to seize this opportunity to modernise its approach to the recruitment, retention and professionalization of its information security industry an industry that will be tasked with protecting our systems and sensitive information for years to come. This document outlines the issues faced by New Zealand organisations when addressing this challenge as well as the threat posed by failing to act now. In addition, this strategy contains an evaluation of a 12 month pilot scheme, in2securITy, launched in 2012 to address these issues. This scheme has proven without doubt that New Zealand has a large appetite and need for this kind of development programme. Finally, this strategy outlines a set of objectives and operating principles for the implementation of a National Information Security Workforce Development Strategy, to consist of a set of proposed initiatives each designed to make New Zealand a global leader in the strategic development of world class information security professionals.
November 2012
In2securITy Limited
Page 2
Executive Summary
New Zealand has a problem with information security. Popular opinion in the cyber age is that security issues stem from a lack of technology, the application of which can solve all problems. Technology however, is nothing without skilled systems architects, implementers and operations staff. Without people, technology is not a solution; it is just one of many tools available to the modern organisation. While technological innovation is high within the New Zealand market, the national spend on educating, training and developing skilled technical personnel is surprisingly low, creating an inbalance and directly contributing to the fragility and vulnerability of our nations IT systems. An increasing number of high profile system breaches have reinforced that from initial systems development and design, through to implementation and operational management, New Zealand businesses and public sector organisations are struggling to cope with the demands of a connectedby-default society. This lack of skilled security professionals affects public, private and academic sectors, impacting on small business systems and multi-million dollar cross-organisation projects alike. It is a national problem and requires national attention. New Zealand is embracing the internet and the business opportunities it brings. It will continue to do so at an increasing pace as technology and connectivity becomes cheaper and more widely available. The days of learning by doing and shell be right in systems security are over. We have a responsibility to adapt to this challenge and build a new generation of skilled security professionals to enable our country to operate in this new environment as safely as possible. Meeting this obligation is key to survival in the global technology market. The New Zealand Information Security Workforce Development Strategy provides an overview of the information security industry in New Zealand and globally. In addition, a high level analysis of the strengths and weaknesses of the New Zealand information security industry are provided. This has identified great community enthusiasm and strength within a number of active groups. It has also however revealed vulnerability introduced by a combination of poor awareness, poor cross industry communication and low availability of objective information with which to plan career development. Looking forward, New Zealand has the chance to become a global leader in strategic development of information security professionals. By capitalising on the agility and innovation innate within our technical industries and presenting a quality, security focused global brand, New Zealand could experience high volume growth in emerging markets such as highly distributed systems and remote IT service provision.
November 2012
In2securITy Limited
Page 3
This can only happen however if, as a nation we can address some of the upcoming threats to our industry. These include rapid service growth from Asian, South American and Indian markets, reputational damage from regular publicised systems compromises and increased emigration. This strategy outlines a set of objectives, operating principles and initiatives aimed to address these issues. Together, these items will allow New Zealand to define a lean programme that focuses on education over bureaucracy in a transparent and accountable way. This programme aims to develop New Zealand as a global leader in the field of information security workforce development. In2securITy Limited launched a limited scope pilot to implement parts of this strategy in 2012. This pilot achieved great success despite limited resources and reliance on unpaid volunteers. A detailed evaluation of this pilot, its achievements and limitations are included as part of this strategy. This whitepaper proposes the following ten initiatives to extend the 2012 in2securITy pilot: Dedicated Security Education and Project Spaces National Security Apprenticeship Scheme Security Training and Development Fund National Schools Integration Programme University Integration Programme National Security Awareness Programme Mentoring Programme Expansion Improved Web Portal New Zealand Computer Emergency Response Team (CERT) Information Security Workforce Development Board
A comparison of these proposed initiatives has been included in this document. This measures each initiative against the core objectives identified by in2securITy for the operation of a successful Information Security Workforce Development project as well as geographic inclusion, cost and overall estimated impact. Finally, this strategy strongly recommends the introduction of a government funded Information Security Workforce Development Scheme based on the objectives and operating principles outlined herein. This scheme should expand upon the in2securITy pilot and consider a range of the proposed initiatives.
November 2012
In2securITy Limited
Page 4
Contents
Background ............................................................................................................................................. 8 Information Security in New Zealand ................................................................................................. 8 Information Security in a Global Market .......................................................................................... 10 Key Employment Demographics ....................................................................................................... 12 Dedicated Security Roles .............................................................................................................. 12 Integrated Security Roles .............................................................................................................. 12 Academic Security Roles ............................................................................................................... 13 Analysis ................................................................................................................................................. 15 Strengths ........................................................................................................................................... 15 Weaknesses ...................................................................................................................................... 16 Opportunities .................................................................................................................................... 19 Threats .............................................................................................................................................. 19 Requirements........................................................................................................................................ 23 The Five Core Objectives................................................................................................................... 23 Operating Principles .......................................................................................................................... 24 Dependencies and Key Relationships ............................................................................................... 25 Funding Options ................................................................................................................................ 25 Measuring Success ............................................................................................................................ 26 Current Initiatives ................................................................................................................................. 28 Introduction to In2securITy .............................................................................................................. 28 Pilot Funding and Resources ............................................................................................................. 28 Pilot Initiatives .................................................................................................................................. 29 Pilot Limitations ................................................................................................................................ 31 Proposed Initiatives .............................................................................................................................. 34 Initiative Overview ............................................................................................................................ 34 Comparison Metrics ...................................................................................................................... 34 Comparison Matrix ....................................................................................................................... 35 Initiative One: Dedicated Security Education and Project Spaces .................................................... 36 Initiative Two: National Security Apprenticeship Scheme ................................................................ 38 Initiative Three: Security Training and Development Fund .............................................................. 40 Initiative Four: National Schools Integration Programme ................................................................ 42 Initiative Five: University Integration Programme............................................................................ 44 Initiative Six: National Security Awareness Programme ................................................................... 46 November 2012 In2securITy Limited Page 5
Initiative Seven: Mentoring Programme Expansion ......................................................................... 48 Initiative Eight: Improved Web Portal .............................................................................................. 50 Initiative Nine: New Zealand Computer Emergency Response Team (CERT) ................................... 51 Initiative Ten: Information Security Workforce Development Board.............................................. 52 Conclusion ............................................................................................................................................. 54 Recommendations ................................................................................................................................ 54 References ............................................................................................................................................ 54
November 2012
In2securITy Limited
Page 6
Background
In This Section: Information Security in New Zealand Information Security in a Global Market Key Employment Demographics
November 2012 In2securITy Limited Page 7
Background
Information Security in New Zealand
Cultural Imperatives New Zealand is known as a nation of people that are unafraid of a challenge or taking risks. From the much lauded Number 8 wire approach to fixing problems to the prevalence of shell be right, we are a country of people who are ready to try out new things, get our hands dirty and experiment. Whilst these traits create a fertile development environment for new business and innovation, they have also contributed to the nations immature approach to information security. Furthermore, the fiercely proud Made in New Zealand ethos that permeates small business often translates into a phenomenon in technical fields known as Not Invented Here. Not Invented Here manifests in two ways. In the first instance, individuals, groups and organisations will prioritise country of origin or operation over security, innovation or quality. In this case, decision makers will intentionally choose inferior or less secure products and services because they come from a particular location. In the second and more dangerous case, individuals, groups and organisations will design their own version of a product instead of utilising an existing mature product or system from elsewhere (in this case overseas). In the small business and innovation space, Not Invented Here has led to fundamental security mistakes including self-built cryptographic solutions, immature trust models/ authentication systems in software applications and use of niche/unsupported development tools and languages. While promoting New Zealand businesses and solutions is a fantastic way to develop our nation as a leading technical force and foster further innovation, development and business growth. The nave assumption that geographic source alone creates a mature, secure IT product/system must stop. Further work must be carried out to ensure that Made in New Zealand means a product/system that was built locally, in a secure, robust and mature manner. They should be thoroughly tested, well maintained and monitored and regularly updated to account for new security threats and changes to the technological landscape. Until this is the case, Not Invented Here remains a danger to IT projects nationwide. Security in an Agile and Innovative Market New Zealand organisations are increasingly adopting agile development and design principles. These principles focus on rapid development, frequent integration and short delivery iterations. This allows organisations of all sizes to bring new development ideas and products to market in a short period of time and is helping the country gain traction as an innovative and fast paced market.
November 2012
In2securITy Limited
Page 8
Agility, particularly in software and IT systems development can, however, come at a cost. Security considerations and design patterns are perceived as complex and slow to implement, a direct contrast to the fast paced and flexible approach associated with agility and innovation. It is unsurprising therefore that these security requirements are left until very late in the project or removed entirely. In reality, security can be integrated into an agile lifecycle (1) with relative ease. By combining security requirements with functional requirements on an iteration by iteration basis, security can be built in from first release. The adaption of test driven design mechanisms to include security testing in every iteration release provides a light weight and constantly evolving sense of security awareness across the entire project. This approach could allow New Zealand to continue to be innovative and rapidly bring new products and services to market whilst building security in by default. High Pressure, High Consequence The past 12 months have represented a dramatic increase in not only the size and frequency of information security breaches within New Zealand, but also a change in the amount of media and public interest in such events. It is no longer the case that breaches (particularly those exposing private information) only receive limited coverage in the technical column. Today, breaches are widely covered by print and online media and result in high volumes of public debate. Recent events have highlighted issues with many aspects of security within New Zealand organisations (2): Lack of systems monitoring and operational security to detect and prevent breaches. Immature understanding of/ approach to the acceptance of risk. Poor integration of security design and testing into the systems development and maintenance lifecycles. Insufficient incident response planning and integration of incident response procedures across the entire organisation. Poor level of awareness with regards information security fundamentals across New Zealand media.
The reputational damage from such compromises can have a lasting effect on an organisation and any third parties it is associated with, a result that is compounded further by kneejerk, unplanned public statements and incident response. In terms of financial impact, the exact cost of such systems compromise is unclear. While the total cost is rarely revealed and difficult to calculate accurately, associated costs include a wide range of remediation activities aside from simple technical systems changes. From legal costs to marketing activities and staff training, the cost and resource impact of a security breach far exceeds realms of the IT department budget. The most significant feature of these breaches has been the mismatch between the perceived complexity of breaching a large system and the reality. The majority of public systems compromises, November 2012 In2securITy Limited Page 9
data loss and breaches within New Zealand do not come from Advance Persistent Threat (APT) actors but from rudimentary failures in the design, implementation and monitoring of our systems. Issues, for which, there have been tried and tested solutions for many years. These compromises have cost organisations thousands in remediation activities (3) and could have been avoided with simple, cost effective and well known security design patterns and an increased focus on defensive operational practices. Small Island Syndrome In geographic terms, New Zealand is a very remote location. Its relatively small size and low population numbers, coupled with the cost of international travel can create a sense of isolation and separation even in the digital age. While these features make New Zealand a beautiful and popular location to live and operate, it also creates a false sense of security. A land with no natural predators, with no history of large scale invasion and with no direct political threats has a natural sense of ingrained security. When large organisations overseas are compromised, the severity and relevance of these events can be diluted by the distance and differences between the two countries. In fact, New Zealand organisations rarely identify similarities and implied risk to their systems and business from foreign systems breaches. In most cases, a New Zealand based incident is required to focus attention and motivate organisational change. Evidently, this behaviour is not unique to New Zealand; however its impact on the agility and awareness of the country in the face of information security vulnerability is high. By devaluing lessons and case studies happening outside of New Zealand and focusing on local incidents, valuable security lessons are ignored until they occur closer to home. This reduces the time available for remediation efforts and increases the remediation cost. Fixing an issue over 12 months after an incident in a similar European system is much cheaper and less stressful that remediation of an issue within 2 weeks as a result of a breach within a New Zealand organisation.
Information Security in a Global Market

Connected By Default Internet based and distributed systems are no longer the reserve of cutting edge innovators. With the rise in portable computing devices and the reduction in cost of IT hardware and bandwidth, high availability, interconnected systems are now expected of the modern organisation. As demand for these systems has grown and organised a connected-by-default mentality, the demand for high calibre security professionals has in turn risen (4). These professionals are expected to design, implement and manage sophisticated information systems, often spanning massive geographic distances and combining modern and legacy technologies. These systems often cross international borders, time zones and legal jurisdictions. Downtime and compromises in these kinds of systems is now measured in millions of dollars. (5) November 2012 In2securITy Limited Page 10
The End of the Silent Failure Information systems breaches and data loss cases are big news. The internet, social networking and the growth of subjective content production means that news of security incidents reaches an international audience quickly and spreads fast. Within hours of a public breach disclosure, the international online technical press will normally feature coverage. In addition to the fast, uncontrolled nature of the coverage, most media outlets provide (and encourage) interactive, international debate of their stories. This creates an evolving story, reaching a wide target audience. Subjective commentators can write about, comment on and analyse these incidents publicly and at length with no oversight or authority. The quality of their reporting and evidence to support claims are rarely present or verified. Once a story breaks in essence, there is no stopping it. New Zealand, like all other nations can suffer reputational damage from this sort of publicity. In fact, the only proven way to avoid the negative impact of an information security breach in the international press is to minimise the likelihood of such a breach happening in the first place. Crossing Linguistic, Social and Cultural Boundaries Information Technology is a field that crosses linguistic, social and cultural boundaries. Whether an organisation is based in Hamilton, Moscow or Delhi, the technologies and concepts in use remain the same. This has created an employment market like no other. Information security professionals are globally mobile with skills that can apply to any country. As a result, when New Zealand requires talented information security professionals, its employers are competing with similar positions globally, not just within New Zealand. This is particularly noticeable in New Zealand where an already high emigration rate is compounded by the fact that information security roles pay less than neighbouring countries. A successful New Zealand recruiter must offer a job package that can not only compete with similar national organisations but also those in neighbouring countries. A young IT professional will require more than just job security to retain them; they are looking for career development challenges and a benefits package comparable to those offered abroad.
November 2012
In2securITy Limited
Page 11
Key Employment Demographics

Dedicated Security Roles
Definition In the context of the New Zealand employment market, dedicated security roles refer to those people employed in a position whose sole function is the implementation, testing or management of security for one or more organisations. Dedicated security roles span both technical and non-technical specialists. Successful security specialists often come from a more general technical background and may have been implementers or developers in previous roles. Dedicated Security roles currently represent approximately 20% of the New Zealand Information Security market and can be found in both public and private sector organisations. Key Skills
Technical generalists (Technical Roles Only) Highly adaptable, fast learners Skilled communicators (both verbally and written) Analytical and logical Risk focused
Example Job Titles Penetration Tester Forensic Analyst Security Consultant Incident Responder Security Architect
Integrated Security Roles

Definition Integrated Security roles include those positions which require a working knowledge of security best practice and methodologies in the context of a traditional technical, project or managerial role. This category of roles is rapidly increasing and now includes most technical professionals as well as those employed to design, support or manage technical systems. Integrated Security roles currently represent approximately 75% of the New Zealand Information Security market and can be found in both public and private sector organisations. Key Skills
Security knowledge supports core technical discipline (Technical roles only) Innovative Skilled integrators balancing business and security requirements Skilled communicators In2securITy Limited Page 12
November 2012
Example Job Titles Software Developer Infrastructure Engineer Project Manager Systems Architect Support Engineer Technology Manager
Academic Security Roles

Definition Academic security professionals are charged with the task of furthering security technologies and techniques. From teaching within formal learning environments such as universities and polytechnics through to conducting cutting edge research, academic roles are a small, key group of positions within New Zealand and can be some of the hardest to fill. Academic security specialists may have migrated from commercial or government roles but have often had a long standing academic relationship. Academic roles are fundamental to the growth of New Zealand and our contribution to the security field. The academic community however is fragmented and insular which can damage integration between researchers and business needs. Academic roles currently represent approximately 5% of the New Zealand Information Security market. Key Skills
Deep knowledge in a small number of disciplines May specialise in security or integrate security as a part of a more complex subject set Skilled communicators Highly educated (most roles require a PhD and proven published academic record) Methodological, analytical thinkers
Example Job Titles Lecturer Researcher
November 2012
In2securITy Limited
Page 13
Analysis
In This Section: Strengths Weaknesses Opportunities Threats

Analysis
Strengths
Well Established Community The New Zealand information security community is well established and active. Despite geographic disparity, several community groups have formed and meet on a regular basis. While a formalised leadership and governance structure does not exist, each group has specialised to serve a specific need or demographic. When issues arise, communication between organisations and professionals is essential. In many cases formal communication channels between competing businesses do not exist. These groups have evolved to provide a safe mechanism for issue discussion and resolution. Services provided by these groups include: Knowledge sharing and talks Conferences and community gatherings Working groups and research Networking
Example groups include: New Zealand Information Security Forum (part of the New Zealand Security Association) (6) New Zealand Information Security Interest Group (NZISIG) (7) New Zealand Internet Task Force (NZITF) (8) InternetNZ (9) Kiwicon (New Zealand hacker conference) (10) First Tuesday (Security Executive Networking Group) (11) ISACA (part of the international ISACA organisation) (12) ISC2 (part of the international ISC2 organisation) (13) In2securITy (Information Security Development and Education Organisation) (14)
Internationally Recognised New Zealand Security Professionals Despite its size, New Zealand has created a surprisingly high number of world class security researchers and professionals. This legacy of talented and globally respected individuals has created a strong set of role models to which many current New Zealand professionals aspire. New Zealand achievements include: Presentation at global information security conferences such as Black Hat (15) and Defcon (16) Development of security tools in use by thousands of professionals worldwide Identification of security flaws in widely used software products and the responsible disclosure of said issues Employment in senior security positions within global organisations such as Google and Microsoft. In2securITy Limited Page 15
November 2012
Acceptance and Prioritisation of Issue The New Zealand information security community is made up of volunteer representatives from a range of organisations and groups. This community has widely and openly acknowledged the issues they face in the areas of talent development and retention. This issue has prioritised and many individuals have given time, resources and effort to participating in activities related to its resolution. In addition, a need for more maturity and governance in information security projects and related organisations remains a constant focus for this group. By recognising and prioritising this issue, the New Zealand information security community has taken the vital first step. Unfortunately, the information security community does not officially represent the information security industry. The wider information security industry must work together to official own and prioritise this issue.
Weaknesses
Ambiguity in Language (including Employment Titles/Roles) The IT industry is renowned for its complex language and buzzwords. Information security is no different, particularly when it comes to job titles. This ambiguity and complexity in job titles impacts the industry in two ways. From a job candidates perspective it can be difficult to tell what a job involves, likely responsibilities and expected seniority. This impacts a candidates ability to judge their own suitability for a role. From an employers perspective, previous job titles are one of the pieces of information with which they will judge the suitability of job applicants. A CV or application littered with grand titles can seem impressive at first glance but can often be a poor representation of the actual roles undertaken. While an overhaul of the language used in job titles is out of scope for any initiative or programme, provision of an objective information source that can decode this language would be a simple and effective solution. The Information Security Certification Industry The information security certification industry is huge. Many professional and commercial bodies have launched ranges of information security certifications and qualifications aimed to promote professionalization within the industry. (17) Qualifications vary in price from several hundred dollars to several thousand. In addition to upfront training and exam costs, many certifications expire after a period of 1-3 years. These certifications require a retest or renewal fee to sustain and update. At this time, no objective assessment of information security qualifications exists. Professionals will choose their certifications based on job role requirements, word of mouth or marketing campaigns.
November 2012
In2securITy Limited
Page 16
Many employers will require a range of named certifications and qualifications for a particular role. These requirements are often based on perceived industry standards, subjective opinion or similar existing positions. While certifications remain a clear way to demonstrate technical ability or specialism, the breadth and size of the certification market combined with the lack of objective information surrounding the suitability of certifications persists. This uncertainty makes choosing qualifications/certifications difficult and expensive. Current Reliance on Individuals The majority of New Zealand information security initiatives are funded by donations and rely on the time and enthusiasm of unpaid volunteers. Without such people and their efforts, most of the existing groups and community would cease to exist. While voluntary provision of these groups and services is both useful and noble, the reliance on such individuals to continue in this way is nave. People will move roles and locations, circumstances and funding levels will change. Support must be provided both financially and in terms of resources so that these initiatives and the individuals and groups running them can continue. This support should come from a combination of national government and private sector industry. Communication across IT Communities While dialogue and knowledge sharing within the information security community is well developed, it operates largely in isolation from the rest of the IT world and the information security industry. Integration with other IT communities is essential is awareness of information security is to propagate. All IT professionals of all specialisms have an obligation to be aware of information security and its implications. As information security professionals, we have an obligation to help raise awareness of information security and encourage the creation of systems that are secure-by-design. Lack of Defined Career Development Streams Information security is a new specialism. As such there is much confusion surrounding how best to start out and develop a career within it. Even once an individual gains an entry level security position, there is little guidance on the paths available for career development from that point. Compounding this issue further is the IT qualification and certification industry which provides a range of competing options (as previously discussed). Very few of these certifications have been independently verified for suitability, content or effectiveness. Without clear guidance or objective information, professionals can face a confusing and sometimes expensive career.
November 2012
In2securITy Limited
Page 17
Poor Security Awareness Information security is a complex field and when applied to the diversity of organisations in New Zealand, this complexity is only amplified. Every organisation is different and has a different range of (often conflicting) requirements. It can be challenging for business leaders and technical implementers to identify which aspects of information security are relevant to their projects and businesses and even once identified, objective, trustworthy sources of advice and information are hard to find. When the commercial information security industry and vendors are added to this mix, an already confusing subject becomes intertwined with marketing materials and vendor specific terminology and jargon. The net result of this is a lack of security awareness. Without a solid security awareness foundation, all attempts to introduce security initiatives and mitigations will invariably fail. Educational, Business and Government Integration With the exception of NetSafe (18) and its subsidiaries, all information security groups and initiatives in New Zealand are independent and have no business, educational or government integration. While this means they remain unbiased and objective it also means that their influence and reach is limited. Furthermore, there is little consistent integration between educational organisations, businesses and government on the issues of information security. The result of this is a confused and sometimes contradictory dialogue within New Zealand and a lack of efficiency and consistency in our national approach to information security. While the New Zealand Cyber Security Strategy (June 2011) (19) goes some way to address this issue, many of the initiatives outlined in this document are categorised as longer-term and requiring further investigation. This includes all initiatives for the provision of training and development of cyber security professionals. While the Cyber Security Strategy led to the creation of the New Zealand National Cyber Security Centre (NCSC) (20) which was founded to centralise cyber security support for government and critical national infrastructure, the vast majority of New Zealand organisations are not included in this group. The lack of a national Computer Emergency Response Team (CERT) (21)means that without considered effort, this situation is unlikely to be resolved quickly. This will continue to have a serious impact on the nations ability to produce secure systems and response to information security threats. Of the 34 OECD countries (22), New Zealand remains the only country without this capability (23).
November 2012
In2securITy Limited
Page 18
Opportunities
Massive New Zealand Online Expansion New Zealand businesses and organisations are embracing online operation at a rapid rate. Even the smallest businesses are experimenting with online retailing, expanding their reach and reducing their operating costs. Large organisations are looking to globally distributed technologies such as the cloud to facilitate inter-organisation integration and increase efficiency. Now more than ever, every IT professional within the country has a responsibility to be conscious of security. Furthermore, the demand for skilled IT and information security professionals has never been higher. Failure to respond to these demands could limit the success of this growth period and damage New Zealands ability to compete. Becoming a Global Leader in Information Security Education and Development While the UK, USA and other OECD countries are facing the same challenges as New Zealand in terms of developing and retaining information security professionals and increasing the security of IT and information systems, there are few co-ordinated programmes to address this issue. While high publicity campaigns (24) such as those by Government Communication Head Quarters (GCHQ) (25) have generated interest in the field, these have been a marketing campaign for one employer. There remains no centralised or independent programme or effort to address this issue. In the USA, several national events and initiatives exist funded by a mix of government (defence and intelligence) programmes and community groups. Events such as the National Collegiate Cyber Defence Competition (CCDC) (26)(a large scale network defence competition) and range of scholarships and competitions from large organisations and interest groups are increasing interest and gaining international exposure. By creating a national strategy and programme, New Zealand could become a global leader in the development of information security talent. By remaining independent from but working closely with government and national organisations, a world class education and development programme could be created. This programme would be unique in the Asia Pacific region and if closely integrated with other westernised countries, could provide New Zealand with a clear, marketable advantage in the international market place. This could help attract talent and business to New Zealand as well as help retain existing home grown organisations and individuals.
Threats
Increased Attack Surface and the Defender Deficit Rapid expansion and increased ambition globally are creating a larger visible attack surface for New Zealand. This attack surface includes web applications, distributed systems and shared data stores.
November 2012
In2securITy Limited
Page 19
New Zealand organisations consistently struggle to find, attract and retain high quality IT and information security professionals to design, maintain and protect such systems. As time passes, this deficit of defenders will lead to increased vulnerability. Increased vulnerability and a lack of defensive implementation practices will only increase the number of information security and data breaches in New Zealand. Reputational Damage Security breaches are big news. Breaches in New Zealand organisations now feature on the pages of international technical and security publications. It is only a matter of time before they reach more mainstream audiences via the proliferation of blogs and online news vendors. The reputational damage from such breaches damages all New Zealand organisations, whether they are government, small businesses or internationally trading. An organisation can only tolerate a certain amount of reputational damage before it impacts profitability or customer trust. Once this tolerance is exceeded private sector organisations often cease to trade and private sector organisations face widespread restructuring, increased auditing and oversight. It is in every New Zealand organisations interest to avoid further reputational damage. Increased Emigration information security is not the only area of the New Zealand employment market affected by the increased emigration of talent, however it is one of the areas that cannot simply rely on the immigration of new foreign talent to make up for the shortfall. While a high number of talented immigrants are entering the country under the skilled migrant category and accepting information security positions, there are a number of organisations and roles that require New Zealand citizenship as a prerequisite. This includes government agencies and those dealing with sensitive data. These positions are those most affected by increased migration and are often those requiring high calibre information security talent the most. Increased Global Competition Information Technology is a truly global business. With the exception of the physical installation of computer hardware, the majority of IT services (including security) can be provided remotely from anywhere with sufficient connectivity. As such, the competition to provide such services is high. Rapidly developing economies such as India, China and Latin America are emerging as dominant global providers of high quality IT services such as software development, security testing and systems hosting. While some cultural and language issues have traditionally plagued such providers, these are improving. When combined with strong exchange rates and lower costs, many businesses are choosing to offshore their services in this way.
November 2012
In2securITy Limited
Page 20
While public sector organisations will remain dependant on New Zealand service providers, those IT service organisations servicing the private sector must now compete with an entire global marketplace. In order to successfully compete, New Zealand based IT service providers must ensure that not only are they providing a high quality, cost effective solution but that they are delivering systems that are secure. This will become an increasingly important factor in a service organisations ability to compete (nationally and internationally). As well as facing increased competition for New Zealand based contracts, New Zealand service providers need to embrace the global market to expand. The national IT market is relatively small. To reach their full potential, service providers must seek international contracts and begin to service geographically distant clients, capitalising on our agility, favourable exchange rates and innovation. International markets, especially those in more developed nations have high expectations from their service providers and will expect a high level of competence in all aspects of service delivery. This includes information security.
November 2012
In2securITy Limited
Page 21
Requirements
In This Section: The Five Core Objectives Core Operating Principles Dependencies and Key Relationships Funding Options Measuring Success
Requirements
The Five Core Objectives
In order to address the threats and weaknesses identified in this report and grow New Zealand as a global leader in information security professional development, the following five core objectives have been identified.
ONE
Awareness
Awareness of information security issues from the classroom through to the boardroom
Career Development TWO

Clear, defined, flexible career development and training plans for all those seeking a career in, or currently employed within the information security industry (including dedicated, integrated and academic roles)
THREE
Centralisation and Governance

National Posture of Secure by Design for all information security projects led and incentivised by the government. Strategic leadership rather than reactive.
FOUR
Advisory
Centralised source of advice, guidance and advisory and government liaison for all public and private sector organisations and individuals.
FIVE
Training
High quality, cost effective security training nationally available (including flexible and ondemand learning options)
November 2012
In2securITy Limited
Page 23
Operating Principles
To maximise its impact and chance of success, the following operating principles should be adhered to by those charged with the implementation of this strategy: 1. Education Before Administration The provision of high quality educational opportunities should always be prioritised above unnecessary administration, bureaucracy and red-tape. 2. Transparency And Accountability For All The provision of educational initiatives has a burden, particularly when it comes to accountability. All initiatives should be able to account for their spending and activities and identify the objectives they intend to meet. 3. Practice What We Preach Information security is a complex, advice filled field. All information, education and guidance provided by this initiative should represent best practices. Those charged with providing this information should be respected professionals with a track record of practicing their own recommendations. 4. No-Profit No Negotiation Profiting from the provision of any of the initiatives presented in this document or the development of the New Zealand information security workforce would be inappropriate and weaken the intention of such activity. While profit driven organisations may provide services to support this strategy, its overall governance must remain free from financial or commercial motivation. 5. Communication Technologies Before Travel Travel and accommodation can be a huge financial drain on any organisation. Given the availability of high quality internet communications mechanisms, the use of travel (both international and national) should be limited to maximise the funds available for educational work. 6. Lean Operation Following on from principle 5, administration and operating costs should be minimised. This should include at a minimum the use of shared administration/office services and minimal use of printed materials. 7. Leverage Community And Industry Relationships The existing information security community is a great source of industry knowledge and contacts. They are the people most in touch with current industry conditions and will be a vital source of performance metrics for any activities conducted. 8. Collaboration Not Competition
November 2012
In2securITy Limited
Page 24
Where objectives are met by alternative groups or schemes within New Zealand, this strategy recommends collaboration not competition. Competition is a waste of resources and can lead to contradictions in the intended message.
Dependencies and Key Relationships

The success of this strategy will rely on close integration between public sector, private sector and academic institutions. The following organisations and groups have been identified as particularly critical to its success: National Cyber Policy Office Ministry of Foreign Affairs and Trade Ministry of Social Development Ministry of Education GCSB/NCSC Industry Leaders and Groups Schools, Universities and Tertiary Education Providers NZQA Security Industry Professionals Ministry of Justice Equivalent International Organisations and Initiatives
Funding Options
Funding is a complex issue and can have a dramatic effect on the effectiveness of a strategy and its message. At its most basic, the following funding options should be considered: Government Funding (Preferred) Government funding is the preferred option for an initiative such as this. Government funding can provide the stability and objectivity in more than just financial terms. In addition to funds, government funding and involvement can facilitate national adoption and provide crucial contacts both nationally and internationally. Government involvement does however come with some overhead. With a reputation for a committee based, heavy-weight bureaucratic approach, the agility and innovation previously employed in pilot activities can be compromised or lost altogether. Industry Sponsorship Industry sponsorship can raise vital funds and industry credibility without the overhead associated with government organisations. In order to maintain objectivity however, sponsorship must be found from a range of organisations and funding agreements formulated in such a way that the educational message is not compromised by the commercial interests of sponsors. Industry association requires a fine balance of negotiation, relationship management and commercial awareness. November 2012 In2securITy Limited Page 25
Cost Recovery The cost recovery model is the simplest funding method available but could also have a detrimental effect on any initiatives uptake and success. In a cost recovery model, small charges to cover the cost of administration and logistics are charged to participants for events and activities. These charges are limited to only covering the actual cost of providing the service. Cost recovery must be very carefully managed and can compromise the overall message of the initiative. Introducing participant cost will reduce uptake from those with limited budgets or those unsure of their level of interest. Hybrid Funding A hybrid funding model could balance the above options and be used on an activity by activity basis. Government funding for core initiative activities supplemented by industry sponsorship for larger events is a popular model.
Measuring Success
Measuring the progress and effectiveness of a strategy is important. It allows initiatives to be reviewed and adapted to maximise their effectiveness. It also supports accountability and can be used to justify continued funding, support and operation. As an educational strategy, success cannot be measured by traditional metrics such as profitability. The following alternative methods are proposed for measuring the effectiveness of this strategy and the proposed initiatives herein. Creation and execution of industry surveys to measure the perceived state of the information security workforce. Execution of such surveys at regular intervals will allow for periodic assessment and identification of positive and negative trends. Collaboration with industry and community organisations to measure increases/decreases in participation. Analysis of event participation and feedback
Indications of success could include the following: Increased availability of skilled information security professionals (characterised by reductions in the time taken to fill vacant employment vacancies) Increased uptake of information security training courses across tertiary and professional education providers. Increased attendance at information security events. Increased attendee diversity at information security events and community groups (to include increased representation of integrated information security roles).
November 2012
In2securITy Limited
Page 26
Current Initiatives
In This Section: Introduction to In2securITy Pilot Funding and Resources Pilot Initiatives
November 2012 In2securITy Limited
Pilot Limitations
Page 27
Current Initiatives
Introduction to In2securITy
In2securITy (14) is a New Zealand based education initiative founded in November 2011 and publicly launched in January 2012. At Kiwicon 5, prominent member of the New Zealand information security community, security researcher/tester and business owner Brett Moore (27) spoke at length about the history of the national information security industry. This talk made two important points. New Zealand has historically punched above its weight in the field of information security, producing several world respected professionals who have gone on to hold high level positions in world class organisations. New Zealand cant find enough talented new professionals to continue this tradition and cope with the increase in demand.
In2securITy was formed by current New Zealand professionals and is based upon the principle that by combining simple initiatives such as mentoring and work experience with an objective source of regularly updated career development and training information, New Zealand could cultivate a new generation of dedicated and integrated information security professionals. In2securITy was formed as a New Zealand limited company with a strict non-profit operating mandate. It is run by a team of 3 volunteers and supported by an ad-hoc contributing group of speakers, mentors and writers from across the Information and information security community. In2securITy operates with a simple mission statement:
To educate, encourage and inspire a new generation of information security professionals for New Zealand Pilot Funding and Resources
Funding for the initial 12 month pilot was sourced from donations and community sponsorship as follows: Organisation Sponsorship Value (NZD) InternetNZ $4000 Lateral Security (IT Services) Limited $500 Insomnia Security Limited $500 Wheres My Server Web Hosting Total Funding 2011-2012 $5000
Funding for this initial pilot was used to provide all listed pilot initiatives plus formation of a New Zealand limited company. November 2012 In2securITy Limited Page 28
Pilot Initiatives
Community Web Portal and Online Media (www.in2security.org.nz) The core of in2securITy activity is centred on the community web portal. This portal contains a series of blogs and articles and is divided into 6 security specialisations. These specialisms are: Penetration Testing Network Defence Policy and Compliance Secure Software Development Forensics Vulnerabilities Research
Educational articles are provided on an ad-hoc basis by an informal team of volunteer writers. All writers are experienced professionals in a particular field and all content is vetted for suitability before publishing. Only those articles that can clearly explain their chosen topic and are suitable to an audience of mixed technical ability are accepted. External content such as online courses and articles are vetted by the in2securITy team and only recommended to participants if they are found to be of a high quality. In addition to educational articles, the community web portal is the central point for the organisation and promotion of in2securITy media and events.
Table 1 In2securITy Portal Statistics 2012
Country Visits Pages / Visit
1. 2. 3. 4. 5. 6. 7. 8. 9. 10.
New Zealand United States Australia Taiwan United Kingdom India Estonia Canada Germany Brazil
5,525 423 266 149 144 128 73 60 59 43
November 2012
In2securITy Limited
Page 29
New Zealand Information Security Workforce Development Strategy Since its launch on 15th January 2012 this portal has been visited by 7544 unique visitors and has served 22155 pages of content. Visitors to the site have come from 101 different countries; statistics for the top ten countries are included above. Information Security Awareness National Tour The Information Security Awareness National Tour was not initially part of the in2securITy pilot plan. However upon receiving a grant from InternetNZ, a decision was made to attempt a large scale awareness outreach programme. This tour was originally planned for 5 locations (Auckland, Wellington, Hamilton, Dunedin and Christchurch). The North Island events were a great success attracting 220 registrations across the 3 events. Unfortunately a lack of local support in Christchurch and spiralling organisation costs in Dunedin forced the cancelation of both South Island events. To compensate for the lack of geographic coverage, all talks from the 3 North Island events were recorded and have been made available free of charge on the in2securITy YouTube Channel (28). This channel now contains 15 videos varying between 25 minutes and an hour in length. These videos have since attracted a global audience and positive comments from across New Zealand. National Mentoring Scheme The in2securITy National Mentoring Scheme brings together those with an interest in entering IT/information security with those who have professional experience. Mentoring provides a way for those starting out to make contacts, ask questions and receive informal, targeted development advice from someone who has a large pool of experience on which to draw. At launch, in2securITy aimed to form 6 mentoring pairs (12 people). As of 1 st November 2012 the actual number of active mentoring pairs in the scheme had reached 20 (40 people total). Summer Project and Placement Programme In2securITy summer programme launches December 2012 and runs for 3 months. During this period a number of work experience placements and projects will be offered across a range of New Zealand organisations. A project is a distinct task or objective that can be completed by an in2securITy participant remotely and delivered to an organisation. It includes research, took development or remote testing under the supervision of a mentor. A placement is a period of unpaid work experience in which an in2securITy participant can work within an organisation in a relevant and challenging position and gain valuable experience and references. Placements last between 2 and 6 weeks. In2securITy aims to provide 12 project/placement opportunities in 2012. Integration with National Technical Groups In2securITy is now represented in the following National Technical Groups:
November 2012
In2securITy Limited
Page 30
InternetNZ NZITF (New Zealand Internet Task Force) plus associated working groups
Awareness Talks In2securITy has presented a range of awareness talks throughout 2012 including: Cyber Security Awareness Week Launch @ Parliament AUT University InternetNZ Bruce Schneier Introduction NZISF Breakfast Briefing
Networking Events In2securITy has held informal networking events to co-ordinate with awareness talks, national tour events and on a more casual basis. These have proven a popular way to discuss talks or lectures, make new contacts and ask questions in a non-threatening group environment.
Pilot Limitations
The following limitations have been identified with the initial 12 month in2securITy pilot and its associated initiatives: Lack of South Island Coverage Despite substantial effort, in2securITys coverage of South Island was limited. Events such as the Information Security Awareness National Tour were unable to include South Island venues due to spiralling costs and lack of local support. Initial attempts at holding a full day in2securITy event at Dunedin University attracted only 10 registrations. Even after reducing the speaker line-up, the cost of domestic flights and accommodation meant that the cost of holding this event exceeded $200 per participant (assuming 100% attendance). This event alone would have required almost 50% of the total annual operating budget of the entire in2securITy scheme. Inability to Attain Registered Charity Status In2securITy promotes a profession and is therefore ineligible for charitable status. This impacts on the tax status of the organisation and makes a donation funded model less efficient. Creation of an Incorporated Society would alleviate some of these issues but was deemed to introduce additional complexity and reduce the organisations ability to operate with agility in its first year. Limited Budget Five thousand New Zealand dollars is a very small amount of money in the world of national initiatives. Despite this, in2securITy has achieved great things. While this should be celebrated, the in2securITy team have acknowledged that this is not sustainable. In2securITy can continue to achieve amazing things but it will require a source of funding appropriate to the level of activity undertaken. Lack of budget in 2012 has impacted the following activities: Provision of printed and take home materials In2securITy Limited Page 31
November 2012
Provision of South Island events Representation at trade and conference events Marketing
Limited Press Coverage and Marketing While nationally significant, in2securITy is a niche initiative run without large business or government backing. As such it has achieved little traction in traditional media or marketing channels. Lack of Job Board or Employment Pages Initial plans for in2securITy did not include any job advertising functionality. Since launch however, the in2securITy team have been contacted by several organisations wishing to advertise posts suitable for in2securITy participants. To this point, in2securITy have not advertised these positions publicly but have acknowledged that this functionality would be valuable in future years. Availability of Suitable Venues A recurring challenge faced when organising educational events; particularly in Auckland was a lack of affordable, suitable venues. While many shared and rentable spaces are available, the price of these venues has been prohibitively expensive. While some organisations such as Microsoft have generously donated rooms for the National Awareness Tour several smaller events were cancelled as a result of lack of suitable location.
November 2012
In2securITy Limited
Page 32
Proposed Initiatives
In This Section: Initiative Overview Dedicated Security Education and Project Spaces National Security Apprenticeship Scheme Security Training and Development Fund National Schools Integration Programme University Integration Programme National Security Awareness Programme Mentoring Programme Expansion Improved Web Portal New Zealand Computer Emergency Response Team (CERT)
November 2012 In2securITy Limited Page 33 Information Security Workforce Development Board
Proposed Initiatives
This whitepaper proposes the following ten initiatives to extend the 2012 in2securITy pilot: Dedicated Security Education and Project Spaces National Security Apprenticeship Scheme Security Training and Development Fund National Schools Integration Programme University Integration Programme National Security Awareness Programme Mentoring Programme Expansion Improved Web Portal New Zealand Computer Emergency Response Team (CERT) Information Security Workforce Development Board
The following section details each of these proposed initiatives, their aims, objectives and deliverables. In addition, each initiative is defined in terms of the benefits it aims to provide to the New Zealand Information Security Industry.
Initiative Overview
Comparison Metrics
In order to compare the proposed initiatives and prioritise them, the following metrics are suggested: Cost This metric represents a high level estimation of the cost of implementation, management and maintenance of the proposed initiative. Further financial analysis would be required to determine an accurate cost estimate for each initiative. Impact The impact of a proposed initiative takes into account the number of demographics served, the proposed number of objectives met and the extent to which the proposed initiative is unique within the New Zealand market. For simplicity, proposed initiatives have been ordered 1-8 where 1 has the highest impact potential and 8 the lowest compared to the other initiatives. Objectives Met This metric assesses the number of the objectives outlined in this document met by the proposed initiative. Efficiency dictates that the more objectives met, the more beneficial the initiative. Geographic Inclusion Given the geographic challenges faced across New Zealand, all initiatives will be judged by their ability to include those based outside of the major cities. Rural participants may be served electronically or remotely by suitable means.
November 2012
In2securITy Limited
Page 34
Comparison Matrix
Objective
1 2 3 4 5
Metrics
Geographical Inclusion
Centralisation and Governance
Career Development
Awareness
Advisory
Training
Dedicated Security Education and Project Spaces National Security Apprenticeship Scheme Security Training and Development Fund National Schools Integration Programme University Integration Programme National Security Awareness Programme Mentoring Programme Expansion Improved Web Portal New Zealand Computer Emergency Response Team (CERT) Information Security Workforce Development Board
x x x x
x x x x x x x x x x x x x
$$ $$$ $$$ $$ $$ $$ $ $
Y Y Y Y Y Y Y Y
x x x x x
x x
x x
$$$
November 2012
In2securITy Limited
Page 35
Impact
Cost
5 1 2 8 6 9 7 10
Initiative One: Dedicated Security Education and Project Spaces

Description One of the recurring issues faced by the in2securITy pilot was the lack of suitable, cost effective venues for the provision of training classes and events. Not only were venues difficult to find, they were often expensive, only available in specific locations and outside of working hours. Dedicated classroom and project spaces would provide central points for the provision of information security training and events. In addition to formal events, operating costs could be subsidised by a low membership option allowing for individuals and groups to book the spaces for projects or private events. These spaces would provide the equipment necessary to teach in a geographically challenging country as well as a range of equipment and book loan options to support and subsidise the cost of training. This model is in use globally as hacker spaces. These spaces are often subsidised by membership schemes and provide dedicated safe spaces for education and projects in cities where individuals are unlikely to have home project space in which to work. The use of shared space not only enables project completion but also makes collaboration and networking easier. These spaces become community hubs not just classrooms. With these spaces, event running cost would reduce and event frequency could increase. In addition, the lack of vendor reliance would allow security education to occur without sensitivity to commercial impact or reputation. Low cost, suitable office space is available in all New Zealand cities. Target Demographic(s) Everyone
Objectives Met Objective 1: Awareness Objective 2: Career Development Objective 4: Advisory Objective 5: Training
Resource Requirements Open-plan office space Central city locations close to public transport Tables & Chairs Projector Insurance Power and networking
November 2012
In2securITy Limited
Page 36
Deliverables Dedicated security education and project spaces in major cities Ability to book these spaces for individual or group projects at minimal cost Regular classes and project meets Equipment, book and eBook library in each location Educational licences for software in project spaces Teleconferencing equipment in each location for shared classes (ability to remotely connect in for those in other locations)
Benefits A central location and dedicated training space in major cities will provide participants with a safe place to learn and experiment with information security technologies Venue costs can be high for events in working hours, dedicated spaces allow for a reduction in cost and greater availability. Specialist kit equipment can be provided to help with information security lessons Allows for lessons, courses and events to be vendor agnostic
November 2012
In2securITy Limited
Page 37
Initiative Two: National Security Apprenticeship Scheme

Description In traditional trades such as building and plumbing, apprenticeships are considered fundamental to the acquisition of experience and skills during the early stages of a career. While there remains an element of compulsory theoretical and academic learning to become an information security professional, this must be supplemented by hands on project experience. A 4-5 year competitive apprenticeship scheme would allow talented future information security professionals to undertake a range of placements designed to deliver project based experience of a range of information security fields. Each placement would include work on real New Zealand security projects and be designed to challenge the participants. On commencement, all participants will create a personal development plan outlining their ambitions. A series of placements would then be co-ordinated to fulfil this plan. This series of 6-12 month placements would allow participants to experience both private and public sector organisations and could be complemented by a structured selection of certifications or external training as necessary. Personal development plans would be reviewed at 12 month intervals. For businesses, this would provide the following benefits: Enthusiastic talent National publicity A chance to build the next generation of architects and leaders Subsidised labour costs Entrance to the scheme would be competitive, require New Zealand permanent residency or citizenship and specifically develop potential and seek out new talent not just academic qualifications. The scheme would pay a salary to its participants. It is envisioned that this would be funded by both government and the businesses involved. Pay would be on a structured scale over the course of the scheme and have performance based assessments and criteria to advance. This would mirror similar schemes in the Accounting and Legal fields. Target Demographic(s) Students New IT Professionals Existing Professionals Seeking A Career Change Individuals Returning to Work
Objectives Met Objective 2: Career Development In2securITy Limited Page 38
November 2012
Objective 3: Centralisation and Governance Objective 5: Training
Resource Requirements Integration with NZQA for accreditation Industry and Government Support (Provision of 6-12 month placements) Funding for training to compliment placements Scheme Administrator Marketing Web Site
Deliverables A national apprenticeship scheme for those wishing to pursue information security as a career A network of industry and government organisations to provide 6-12 month placements across a range of information security specialisms NZQA accreditation A range of courses and development plans to compliment the on-the-job placements aspects of the scheme
Benefits Provides a clear defined and flexible development scheme for those wishing to pursue a career in information security Provides a range of placements set to challenge participants and let them gain a range of high quality experience at the start of their career. Provides a source of high quality graduate apprentices to become the information security architects and leaders of the future Provides apprentices with a range of contacts from which to build their professional networks.
November 2012
In2securITy Limited
Page 39
Initiative Three: Security Training and Development Fund

Description Information security training is very expensive. For the majority of courses, participants must be sent abroad (typically the USA or Australia) for periods of 3-7 days. These courses can charge between $2000 AUD and $7000 AUD per seat. This additional travel incurs heavy financial cost for the sending organisation including travel, accommodation and subsistence. When faced with this high cost of training many organisations have to prioritise who to train or seriously limit the amount of training offered. Many organisations will choose to offer no classroom based training as a result. By subsidising training from international training organisations, New Zealand will be able to bring classroom based training to its cities rather than sending staff abroad. This will reduce the cost of training and also allow professionals in the same field to network with others in the same field while they learn. Successful training subsidisation has been run on a limited scale by NZITF and showed high interest and enthusiasm from the community. Target Demographic(s) Students New IT Professionals Experienced IT Professionals Management Level Professionals
Objectives Met Objective 2: Career Development Objective 5: Training
Resource Requirements Fund administrator to negotiate with training providers Web Site and Application System Integration with MSD and student funding systems
Deliverables Provision of world class information security training at a subsidy for eligible organisations and individuals NZQA integration to allow for accreditation of high quality information security training and In2securITy Limited Page 40
November 2012
certifications Benefits Reduces the cost of high quality information security training to New Zealand businesses Reduces the need for international travel when pursuing training and certifications Allows for professional networking during courses
November 2012
In2securITy Limited
Page 41
Initiative Four: National Schools Integration Programme

Description There is a common misconception that school age children are not interested in scientific or technical subjects. This is not the case. School students are only bored by scientific or technical subjects when they are not taught in a relevant and engaging way. By providing hands on workshops on information security issues, this initiative aims to foster interest within the 14-18 age groups. Provision of a range of teaching materials and activity ideas will make integrating these activities with the existing curriculum easy and allow for activity adaption and reuse over time. In school talks and visits in conjunction with programmes such as the IITPO connect programme can help inspire school students to explore this subject further as they progress through their education. Target Demographic(s) School Age Students Teachers
Objectives Met Objective 1: Awareness Objective 2: Career Development Objective 5: Training
Resource Requirements Resource writers and developers Web Site Travel and Accommodation for University Visits Schools Liaison
Deliverables A range of engaging, hands on activities suitable for the 14-18 age range Guest speakers Reusable materials and activity packs
Benefits
November 2012
In2securITy Limited
Page 42
Engaging with school students can be a great way of fostering early interest in technical subjects. The provision of high quality reusable materials means that activities can be run with minimal effort and maximum impact
November 2012
In2securITy Limited
Page 43
Initiative Five: University Integration Programme

Description For the majority of new professionals, university was their first opportunity to explore complex technical or professional subjects. It introduced aspects of the IT world that remain largely abstract to those not employed in the field. University is also the last time that most professionals engage in an extended period of dedicated education. It is globally recognised that security is crucial to modern IT systems, however many New Zealand universities offer little or limited integration of security issues into their curriculums. A university integration programme would give institutes of higher education a source of training and development for their lecturers so that they can better understand how to teach and integrate security into their classes. Furthermore by providing world class open source materials, students will be able to gain high quality teaching regardless of their institution. Guest speakers from industry would provide real life examples of information security as a profession and the challenges information security professionals face. They would also give authenticity and credibility to material taught in lectures as well as giving students a chance to ask questions. Inter-university competitions and events could promote networking and generate further interest. Target Demographic(s) Students Lecturers and Academics
Objectives Met Objective 1: Awareness Objective 2: Career Development Objective 3: Centralisation and Governance Objective 5: Training
Resource Requirements Resource writers and developers Web Site Travel and Accommodation for University Visits University Liaison
November 2012
In2securITy Limited
Page 44
Deliverables A library of world class, open source training materials suitable for university level students on a range of information security topics. Teacher/Lecturer Seminars to help all lecturers to introduce security into their modules and courses Guest Speakers available to visit Universities with real life examples and debate National University Level competitions to increase participation in the field and introduce opportunities to explore information security in a fun, challenging and safe environment
Benefits This initiative would allow universities across New Zealand to integrate information security into their syllabus regardless of the availability of dedicated information security lecturers The creation of high quality shared materials would reinforce a consistent message across education establishments Guest speakers from industry could provide engaging means of reinforcing and strengthening taught lessons Teacher Seminars would allow lecturers to integrate security into their core subjects
November 2012
In2securITy Limited
Page 45
Initiative Six: National Security Awareness Programme

Description While NetSafe provides a coherent and consistent message on Internet security for the small business and home user market, no such organisation within New Zealand is targeting technical implementers and business leaders. A range of security groups and events exist within New Zealand that can provide elements of this awareness and knowledge sharing, however these groups can appear closed or foreign to those new to information security or those not directly involved within its implementation. Rather than competing with individual information security interest groups, this awareness programme would provide coordination between them. Providing a coherent, linking dialog between each group and how their intended audience would increase the membership and interest in groups such as OWASP and ISACA. For business leaders and existing professionals, this initiative would be an introduction and gateway to the range of groups and events available. It would provide fundamental knowledge, introductions to suitable groups and networking opportunities between implementers and business leaders in the same position or facing the same challenges. Target Demographic(s) Technical Implementers Business Leaders Students
Objectives Met Objective 1: Awareness Objective 3: Centralisation and Governance Objective 4: Advisory
Resource Requirements Programme Administrator Marketing National and International Liaison Web Site for Sharing Talks and Materials
Deliverables Regular talks at industry events and professional groups Online portal of shared talks and awareness material aimed at each demographic listed above. In2securITy Limited Page 46
November 2012
Expansion of the NetSafe (Small Business and Home User) message to the corporate world Positive, controlled message on the subject of information security in New Zealand and central source of media information.
Benefits Close integration with national and international schemes will allow New Zealand to find efficiencies between schemes, share ideas and increase innovation within initiatives Regular talks with different demographics will increase awareness and allow for the tailoring of messages to each group Sharing talks and materials online will allow for knowledge sharing outside of events
November 2012
In2securITy Limited
Page 47
Initiative Seven: Mentoring Programme Expansion

Description The existing in2securITy mentoring programme has proven to be very successful. Continuation and expansion of this programme would provide a simple and cost effective asset to this strategy. The following mentoring programmes are proposed: New To Security (The existing in2securITy scheme) Helping those curious about or new to the profession to gain initial contacts and information through pairings with exiting professionals with a minimum of 3 years experience. Career Development Helping existing professionals to plan and pursue their career. Matching professionals with 1-2 years experience with those at more advanced stages of their career. Security for Managers and Board Members Helping those who manage security projects and professionals to understand the profession and its impact on their organisation. This scheme will pair existing information security professionals with appropriate experience, commercial knowledge and communication skills with managers and board members. Target Demographic(s) Students New IT Professionals Experienced IT Professionals Management Level Professionals
Objectives Met Objective 1: Awareness Objective 2: Career Development Objective 4: Advisory Objective 5: Training
Resource Requirements Mentor programme supervisor/advisors Venues for training classes Software licence for online streaming software
Deliverables Introduction to Mentoring Training (in person and online) In2securITy Limited Page 48
November 2012
Regular mentor scheme events including knowledge sharing and networking Provision of experienced mentor advisors to support mentoring relationships Mentoring resources such as worksheets and activity packs
Benefits Supports career development at all stages of professional life Improves community and generates cross field/organisation contacts Informal and flexible No geographical limitations
November 2012
In2securITy Limited
Page 49
Initiative Eight: Improved Web Portal

Description An online presence is central to the success of modern organisations. Done well, it provides a high quality, stable and intuitive gateway to all the products, services and information provided by an entity. Said online portal is the focus of marketing efforts, provides a central repository of information and a safe place for participants to interact online. It will co-ordinate, help communicate and market. Target Demographic(s) Everyone
Objectives Met Objective 1: Awareness Objective 2: Career Development Objective 3: Centralisation and Governance Objective 4: Advisory Objective 5: Training
Resource Requirements Web Developer Content Writers Graphic Designer
Deliverables Professional quality web portal Central source of high quality information Job board for relevant NZ job advertisements (agency free) Events calendar and sign up system Gateway to all other initiatives Social Network Integration Secure Members Area
Benefits Provide a quality, stable interface to all initiatives Co-ordinate branding and marking efforts
November 2012
In2securITy Limited
Page 50
Initiative Nine: New Zealand Computer Emergency Response Team (CERT)

Description Centralised and co-ordinated communications can improve the relevance and consistency of information security advisory. It can also create a known point of authority for all New Zealand businesses, allowing all organisations to seek advice and guidance on information security issues without relying on personal contacts. The preferred delivery method for this initiative would be the creation and operation of a New Zealand Computer Emergency Response Team (CERT). This would be consistent with all other OECD countries and provide a public facing, central response to information security threats. This organisation would also be part of the wider CERT network and allow easier unclassified knowledge sharing with other national CERT groups worldwide. Target Demographic(s) Everyone
Objectives Met Objective 1: Awareness Objective 4: Advisory
Resource Requirements Skilled information security professionals with excellent communication skills Central contact mechanisms such as email, telephone and web presence Industry and government recognition and information sharing arrangements Marketing
Deliverables New Zealand Computer Emergency Response Team (CERT).
Benefits A centralised communications point would improve the consistency of information security news and advisories within New Zealand. Reduced reliance on personal industry contacts Provision of a consistent and accurate response to media and journalist enquiries Expansion of central support from just government and critical national organisations to include the wider industry.
November 2012
In2securITy Limited
Page 51
Initiative Ten: Information Security Workforce Development Board

Description To maximise the relevance of this strategy to the needs of New Zealand government and industry, these stakeholders must be involved in its governance, development and promotion. The creation of an Information Security Workforce Development Board would provide this strategy with centralised governance that represents the needs of the wider IT and information security industry. This board would form a mature governing body for any initiatives to be held accountable to. While boards such as this have previously proven to increase bureaucracy, the benefit of having both senior industry and government support could ensure that this strategy remains tightly adapted to the needs of these organisations and widely accepted. By ensuring that a wide range of organisations are represented, the likelihood of this strategy remaining objective and independent is increased. Target Demographic(s) Senior Industry and Government Leaders
Objectives Met Objective 1: Awareness Objective 3: Centralisation and Governance
Resource Requirements Industry leaders and government representatives An operating constitution Suitable meeting space for board meetings
Deliverables A mature body to help govern and drive forward this strategy
Benefits Clear accountability to a group representing both the New Zealand government and the wider information security industry. Increased relevance of initiatives High level support driving acceptance of this strategy from the top of organisations down Translation of this strategy and its benefits to senior leadership and the wider (nontechnical) organisation. In2securITy Limited Page 52
November 2012
Conclusion
In This Section: Conclusion Recommendations References

Conclusion
New Zealand has faced many challenges when implementing information security systems and regrettably not all of these challenges have been handled with the knowledge and technical excellence they require. The complexity and quantity of these challenges is only set to increase over the next 3-5 years. As a result, New Zealand needs to seize the opportunity to modernise its approach to the recruitment, retention and professionalization of its information security industry. This document has outlined the issues faced by New Zealand organisations when addressing this challenge, the threat these challenges pose and the opportunities available. In addition, this strategy contains an evaluation of a 12 month pilot scheme, in2securITy, launched in 2012 to address these issues. This scheme has proven without doubt that New Zealand has a large appetite and need for this kind of development programme. Finally, this strategy outlines a set of objectives and operating principles for the implementation of a National Information Security Workforce Development Strategy, to consist of a set of proposed initiatives each designed to make New Zealand a global leader in the strategic development of world class information security professionals.
Recommendations
This strategy recommends the following actions: Introduction of a government funded Information Security Workforce Development Scheme based on the objectives and operating principles outlined within this document and expanding from the in2securITy pilot. Full analysis and prioritisation of the initiatives proposed within this strategy Implementation of a range of initiatives such as those suggested here to proactively improve the recruitment, retention and professionalization of the information security industry Reduction in the use of phrases such as in the long term Adoption of a lean, agile and iterative approach to this strategy that will allow rapid delivery and measurable results Collaboration with existing community and industry groups, universities and public/private sector organisations to source funding, effort and ideas.
References
1. SANS Secure Software. [Online] http://software-security.sans.org/blog/2012/02/22/agiledevelopment-teams-can-build-secure-software/. 2. MSD Deloitte Breach Report 2012. [Online] http://www.msd.govt.nz/documents/about-msd-andour-work/newsroom/media-releases/2012/independent-review-deloitte.pdf.
November 2012
In2securITy Limited
Page 54
3. Symantec Threat Report. [Online] http://www.symantec.com/content/en/us/enterprise/other_resources/bistr_main_report_2011_21239364.en-us.pdf. 4. ISC2 Career Impact Survey. [Online] https://www.isc2.org/uploadedFiles/2012CareerImpactSurveyResults_FINAL_020112.pdf. 5. PWC Information Security Breach Survey 2012. [Online] http://www.pwc.co.uk/en_UK/uk/assets/pdf/olpapp/uk-information-security-breaches-surveytechnical-report.pdf. 6. NZISF. [Online] http://www.security.org.nz/NZISF_NZISForumContent.php. 7. NZISIG. [Online] http://isig.org.nz/. 8. NZITF. [Online] http://www.nzitf.org.nz/. 9. InternetNZ. [Online] http://internetnz.net.nz/. 10. Kiwicon. [Online] https://kiwicon.org/. 11. 1st Tuesday. [Online] http://www.1sttuesday.co.nz/content/1st-tuesday-club. 12. ISACA. [Online] http://www.isaca-wellington.org/. 13. ISC2. [Online] https://www.isc2.org/. 14. In2securITy Limited. New Zealand Education Non-Profit Organisation. [Online] http://www.in2security.org.nz. 15. BlackHat. [Online] http://www.blackhat.com/. 16. Defcon. [Online] https://www.defcon.org/. 17. CSO Security Qualification Directory. [Online] http://www.csoonline.com/article/485071/thesecurity-certification-directory. 18. NetSafe. [Online] http://www.netsafe.org.nz/. 19. New Zealand Cyber Security Strategy. [Online] http://www.med.govt.nz/sectorsindustries/technology-communication/pdf-docs-library/cyber-security-documents/nz-cybersecurity-strategy-june-2011.pdf. 20. NCSC. [Online] http://www.ncsc.govt.nz/. 21. CERT Definition. [Online] http://en.wikipedia.org/wiki/Computer_emergency_response_team. 22. OECD. [Online] http://www.oecd.org/general/listofoecdmembercountriesratificationoftheconventionontheoecd.htm. 23. AP CERT. [Online] http://www.apcert.org/about/structure/members.html.
November 2012
In2securITy Limited
Page 55
24. Cyber Security Challenge. [Online] https://cybersecuritychallenge.org.uk/. 25. GCHQ. [Online] http://www.gchq.gov.uk/Pages/homepage.aspx. 26. National CCDC. [Online] http://nationalccdc.org/. 27. Insomnia Security. [Online] http://www.insomniasec.com/about-us. 28. In2securITy on YouTube. [Online] http://www.youtube.com/user/in2securITy.
November 2012
In2securITy Limited
Page 56
For further information In2securITy Limited Email: info@in2security.org.nz Twitter: @in2securitynz
In Association With:
November 2012
In2securITy Limited
Page 57

New Zealand Information Security Workforce Development Strategy - Nov 2012 - V1

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

New Zealand Information Security Workforce Development Strategy - Nov 2012 - V1

Uploaded by

Copyright:

Available Formats

Prepared and presented by In2securITy Limited