
October 2015
Volume 13 Issue 10

Infosec Career Path

Planning for a Career in the Department of Defense Cybersecurity Workforce
Information Security Career Path
How I Got Here: My Unexpected Infosec Career Path; A Transition into Tech; Outside Looking In
Improving Cybersecurity Workforce Capacity and Capability: Addressing the Education-to-Workforce Disparity


Table of Contents
DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY

Feature

14 Improving Cybersecurity Workforce Capacity and Capability: Addressing the Education-to-Workforce Disparity
By Marie A. Wright, ISSA member, Connecticut Chapter
This article examines the chasm between demand and supply in the cybersecurity labor market. It looks at the professional competencies established by the federal government to help align industry cyber needs with education and training initiatives and offers suggestions to enhance the partnerships between academia, industry, and professional associations.

Conference Guide inserted after page 20.

Articles

21 Planning for a Career in the Department of Defense Cybersecurity Workforce
By John Gray, ISSA member, Rainier Chapter
The author discusses how the Department of Defense cybersecurity workforce is organized, how to prepare for a cybersecurity position, and the appropriate combination of education, training, and experience in which to progress into advanced responsibilities.

26 Information Security Career Path
By Yuri Diogenes, ISSA member, Fort Worth Chapter
The author discusses key decision points regarding an information security career, the options available, and how to succeed in this field.

31 Career Paths: How I Got Here
Three ISSA members answered our call to know what career path they took, how it served them, and what path they would recommend for future generations of information security professionals.
My Unexpected Infosec Career Path, by Ashley Schwartau, ISSA member, Middle Tennessee Chapter
A Transition into Tech, by Dora Baldwin, ISSA member, Inland Empire Chapter
Outside Looking In, by Roza Winston, ISSA member, Central Ohio Chapter

Also in this Issue

3 From the President
4 editor@issa.org
5 Sabett's Brief: A CISO, a Marketer, a Wonk, and a Lawyer Walk into a Bar
6 Herding Cats: The Pathway Forward
7 Security Awareness: What the TJ Hooper Case Means for Security Awareness
8 Security in the News
9 Perspective: Women in Security SIG: Blaze Your Own Trail
10 Open Forum: Your CISSP Is Worthless. Now What?
11 Association News
12 ISSA International Conference
23 Donn's Corner: Over and Out
25 The Curmudgeon: There Are Two Types of People on the Internet

©2015 Information Systems Security Association, Inc. (ISSA)
The ISSA Journal (1949-0550) is published monthly by the Information Systems Security Association, 12100 Sunset Hills Road, Suite 130, Reston, Virginia 20190.

2 ISSA Journal | October 2015


From the President
Hello ISSA Members
Andrea Hoy, International President

Those of you reading this at the ISSA International Conference in Chicago, Welcome! For those who are reading this elsewhere, I hope you will be able to join us at future conferences.

ISSA is unique in its ability to bring information security professionals together at all levels of their careers. When I first started going to chapter meetings, I really wasn't sure what to expect nor how ISSA would change my life. The people I met became my pseudo mentors, one being Hal Tipton, whom many refer to as the George Washington of information security. My manager at Rockwell got me involved with ISSA, and the relationships I have established have saved me countless hours when met with limited resources. The value of knowing someone to reach out to in challenging times: priceless. There are so many opportunities to help and be helped. We make career decisions based on the information we have and learn from the past decisions we have made. Seasoned members, we often discover it is only when we look back that we see what we thought was a wrong turn or a bad experience turned out to be for the best. Are there younger members who might benefit from your expertise and career lessons learned?

Our industry is currently suffering a shortage of skilled and qualified practitioners. In a recent CSO magazine, the demand for our workforce is expected to rise to six million globally by 2019, with a projected shortfall of 1.5 million, while data breaches from threats and vulnerabilities are rising. Unless our association, our industry, and our governments work together to encourage and equip the next generation of cybersecurity professionals, the need will be even greater in the future. A number of authors in this issue address that shortage and how we as individuals as well as an industry can address it. There will be many to come along side, to guide and mentor, and to help succeed in their careers.

My hope for you here at the conference, and especially for those of you new to ISSA, is that you make relationships that count, both personally and professionally, for your self growth; that you share your knowledge, skills, and aptitudes to help grow our association and industry; and that you consider where you fit in the Cyber Security Career Lifecycle. We have information security plans for our businesses; an information security career plan for yourself is just as important, no matter what stage of your career you are in.

For those of you who are considering your second life or perhaps embarking into the retirement portion of your career life cycle, but still want to stay active in the information security community: in the next few months, we plan on introducing an Emeritus membership status. This will allow those with years of experience as information security professionals to stay engaged with their friends and other professionals and still be active participants in symposiums and international conferences like ours. Our hope is that this allows for more mentor/protégé opportunities, furthering the life cycle.

And lastly, for those of you here at the conference, take back what you learn and share with others from the sessions you attend. Make sure your sharing extends beyond your infosec team, reaching out to the C-level, other departments, local law enforcement, vendors, partners, and don't forget your community.

See you soon in Chicago.
Windy City here we come!

International Board Officers
President: Andrea C. Hoy, CISM, CISSP, MBA, Distinguished Fellow
Vice President: Justin White
Secretary/Director of Operations: Anne M. Rogers, CISSP, Fellow
Treasurer/Chief Financial Officer: Pamela Fusco, Distinguished Fellow

Board of Directors
Frances "Candy" Alexander, CISSP, CISM, Distinguished Fellow
Debbie Christofferson, CISM, CISSP, CIPP/IT, Distinguished Fellow
Mary Ann Davidson, Distinguished Fellow
Rhonda Farrell, Fellow
Geoff Harris, CISSP, ITPC, BSc, DipEE, CEng, CLAS, Fellow
Tim Holman, Fellow
Alex Wood, Senior Member
Keyaan Williams
Stefano Zanero, PhD, Fellow

The Information Systems Security Association, Inc. (ISSA) is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members. With active participation from individuals and chapters all over the world, the ISSA is the largest international, not-for-profit association specifically for security professionals. Members include practitioners at all levels of the security field in a broad range of industries, such as communications, education, healthcare, manufacturing, financial, and government.

The ISSA international board consists of some of the most influential people in the security industry. With an international communications network developed throughout the industry, the ISSA is focused on maintaining its position as the preeminent trusted global information security community. The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved.



editor@issa.org

Infosec Career Path
Thom Barrie, Editor, the ISSA Journal, editor@issa.org

Let me say, the response to this topic was overwhelming, but we can only include so many. Everywhere you turn there are statistics warning of the current and future workforce shortage. How do we get more qualified folks into the industry and keep them there?

Marie A. Wright examines US federal initiatives that seek to strengthen and grow the national cybersecurity workforce, civil and federal, and offers suggestions to enhance the partnerships between academia, industry, and professional associations. John Gray delves into the specifics of Department of Defense requirements, painting an engaging picture of the expectations and challenges of that agency's workforce. And Yuri Diogenes discusses how to examine your career, improve your skills and abilities, and successfully pursue your future: "As anything you do in life, progressing in this field becomes easier if you are passionate, self-driven, and have the discipline to pursue the vision of what you want for your career."

Finally, we offer a number of infosec career stories: how folks got where they are, what helped, what hindered, how they are moving on. You might see yourself in these stories, or you might even discover some inspiration to change your own story. Infosec career paths are as varied as the individuals making up the industry.

You'll notice we are adding the Cyber Security Career Lifecycle levels to the articles. The levels are fairly self-evident (you can get a full description of the levels in the included International Conference Guide or on the ISSA website) and the board has assigned appropriate levels to the articles. While the icons are suggestions, you need not pass over those you feel do not apply to your career level; you may discover something that'll help you in your journey or that you may pass on to another.

Hope to see you in Chicago,
Thom

Editor: Thom Barrie, editor@issa.org
Advertising: vendor@issa.org
866 349 5818 / +1 206 388 4584

Editorial Advisory Board
Phillip Griffin, Fellow
Michael Grimaila, Fellow
John Jordan, Senior Member
Mollie Krehnke, Fellow
Joe Malec, Fellow
Donn Parker, Distinguished Fellow
Kris Tanaka
Joel Weise, Chairman, Distinguished Fellow
Branden Williams, Distinguished Fellow

Services Directory
Website: webmaster@issa.org, 866 349 5818 / +1 206 388 4584
Chapter Relations: chapter@issa.org, 866 349 5818 / +1 206 388 4584
Member Relations: member@issa.org, 866 349 5818 / +1 206 388 4584
Executive Director: execdir@issa.org, 866 349 5818 / +1 206 388 4584
Vendor Relations: vendor@issa.org, 866 349 5818 / +1 206 388 4584

Information Systems Security Association
12100 Sunset Hills Road, Suite 130, Reston, Virginia 20190
703-234-4082 (direct) / +1 866 349 5818 (USA toll-free) / +1 206 388 4584 (International)

The information and articles in this magazine have not been subjected to any formal testing by Information Systems Security Association, Inc. The implementation, use and/or selection of software, hardware, or procedures presented within this publication and the results obtained from such selection or implementation, is the responsibility of the reader. Articles and information will be presented as technically correct as possible, to the best knowledge of the author and editors. If the reader intends to make use of any of the information presented in this publication, please verify and test any and all procedures selected. Technical inaccuracies may arise from printing errors, new developments in the industry, and/or changes/enhancements to hardware or software components. The opinions expressed by the authors who contribute to the ISSA Journal are their own and do not necessarily reflect the official policy of ISSA. Articles may be submitted by members of ISSA. The articles should be within the scope of information systems security, and should be a subject of interest to the members and based on the author's experience. Please call or write for more information. Upon publication, all letters, stories, and articles become the property of ISSA and may be distributed to, and used by, all of its members. ISSA is a not-for-profit, independent corporation and is not owned in whole or in part by any manufacturer of software or hardware. All corporate information security professionals are welcome to join ISSA. For information on joining ISSA and for membership rates, see www.issa.org. All product names and visual representations published in this magazine are the trademarks/registered trademarks of their respective manufacturers.



Sabett's Brief

A CISO, a Marketer, a Wonk, and a Lawyer Walk into a Bar
By Randy V. Sabett, ISSA Senior Member, Northern Virginia Chapter

Somewhere in that title a joke probably exists, but they don't pay me for my sense of humor, so I'll stay away from any punchlines. I could, however, turn it into a riddle by asking the question: How many people actually stepped over the threshold of the bar? That would then give a neat segue into a discussion of the variety of career paths that infosec provides, some of which could overlap. Take me for example: a crypto engineer who didn't think about law school until well into my professional life.

As some of you may have heard in my presentations at ISSA (and other) events over the years, I have been advocating that the legal profession needs more people who truly understand the intricacies and subtleties of cybersecurity. Tackling the complexities of the legal arena is difficult enough as it is. Interweave cybersecurity into a particular set of facts and you wind up with something that can be daunting for both the legal and technical team trying to handle it. A common line of mine at such events is "the legal community needs more people like you, the ones who truly understand infosec."

An even better example would be the White House cybersecurity policy person with whom I had lunch recently. This person is an attorney, but started with a technical background, has tackled many policy questions, and has even delved into commercial endeavors. That combination (along with being at the White House) has allowed this person to work on numerous complex and interesting matters.

The point of these examples is that cyber skills can be a terrific complement to a wide variety of career options. Clearly, staying on the technical side can be quite rewarding and moving laterally (in a good way) could allow you to experience a number of different aspects of the cyber profession. Furthermore, the predicted dearth of cyber workers has materialized. I have heard Steve Battista, president of ISSA Northern Virginia Chapter, cite a very telling statistic on several occasions: for every two cybersecurity jobs in the greater Washington, DC, metropolitan area (to include Baltimore and Northern Virginia), there is only one person qualified to fill them. I suspect that the statistic refers mainly to technical jobs, so if we layer in business, legal, policy, management, and related positions, just think of the opportunities!

I often describe infosec as a horizontal concept that cuts across any number of industry, government, academic, and business verticals. But I would assert that the same is true for infosec career areas. Cybersecurity is no longer relegated solely to the IT department or the CISO. Based on my experience, the C-suites and boards of organizations continue to get better at integrating infosec into their corporate mind-set. This necessarily means that many other areas within an organization need relevant infosec experience. The lesson to be learned: if you are looking to make a change, you don't necessarily need to be limited to things that are pure infosec. Many other job functions would benefit from (or perhaps even require) infosec skill.

One final thought: for those of you that have a well-established infosec career, recognize that many other people out there could benefit from your experience. Whether through nurturing via informal professional relationships or more formal mentoring relationships, please consider helping others in their infosec career quest. There are many programs out there that would allow you to get involved and dedicate as much time as you have available to help guide infosec students and young infosec professionals in the pursuit of their own careers. Such opportunities are readily available and can be incredibly rewarding. In my own experience, I know of at least four of my former students who have gone to law school and several other acquaintances who have considered it (and may actually have gone). Ultimately, a career path in infosec can lead in many different directions. I would encourage anyone who has an interest in pursuing something slightly different to go for it. After all, you might be the next CISO, marketer, wonk, and lawyer to walk into that bar!

About the Author
Randy V. Sabett, J.D., CISSP, is Vice Chair of the Privacy & Data Protection practice group at Cooley LLP (www.cooley.com), and a member of the Boards of Directors of ISSA NOVA and the Georgetown Cybersecurity Law Institute. He was a member of the Commission on Cybersecurity for the 44th Presidency, was named the ISSA Professional of the Year for 2013, and can be reached at rsabett@cooley.com. The views expressed herein are those of the author and do not necessarily reflect the positions of any current or former clients of Cooley or Mr. Sabett.



Herding Cats

The Pathway Forward
By Branden R. Williams, ISSA Distinguished Fellow, North Texas Chapter

When I started my career in information security, it was because I had to. I was responsible for a couple of IT shops. For the most part, I was the sole IT guy. Yes, there were others around me who were in the middle of it with me, but I was the one who got the call at 3:00 am when something blew up. As the story goes, in 1997 I became enamored with information security as an IT guy because I left a service running on a server that I should not have. This was before small IT shops had firewalls. I was late to the game on system hardening, probably because the first time I tried using a hardcore security hardening script the machine became unusable.

In a way, I have the University of Washington to thank, even though I had no formal affiliation with them. Their imap daemon had a vulnerability that allowed an attacker to root one of my servers. And thus, my career was born.

This isn't meant to be an autobiography, but many of the people I meet in our field have a similar story. Something piques their interest in seeing what technology can do, versus what it's designed to do. Perhaps it was a prank, falling victim to malware, or just curiosity that made them think. And at this point, we have one of two paths to choose. Both paths lead to late nights in front of a screen, but on opposite sides of the conflict. This conflict is ever present in every facet of human existence. Nation states launch cyber attacks at rivals just like corporations do. Activists take to the digital world to bring justice for causes they feel passionate about. Crime rings target individuals, and sometimes it happens a little bit too close to home.[1] It becomes clearer by the day that our ability to keep up is perhaps the largest race condition in the coming years. To the victor the spoils!

There are a few things I've learned that I would love to pass along to our next generation of information security professionals as they enter into the workforce and start to learn how to be digital soldiers in an ongoing conflict.

Learn to ask questions and test assumptions. As a developer, I assumed users would be honest and follow directions. I was foolish. Letters in a telephone number field? Why would anyone do that? What happens if someone does do that? Taken another way, why would we follow a particular behavior or procedure just because we've always done it that way? What happens if we don't? Engineers will tell you that using the question "Why?" three to five times will typically get you to the root of why something is the way it is. Question, learn, and understand. Be curious!

Learn the business. You cannot make the most effective decisions as an information security professional if you don't understand how your business works. Take the time to talk to various people around the company to learn how it makes money. Pay attention to what your executives say that holds strategic value for the firm. Be involved in things beyond information security. It will round you out and prepare you for leadership.

Learn business in general. Do you know how a profit and loss statement works? Do you know the laws related to employee rights? What are the best ways to prove a product concept? All of these things are important to give you perspective on your daily work. It also will further prepare you for leadership roles down the line.

Get educated. Information security professionals follow Bayes' Theorem even if they don't realize it. Otherwise, they are out of a job. Continuously learn what both the good guys and the bad guys are doing. Keep up on new technology, and do your best to stay on (if not ahead of) new technology adoption. Learn how people use technology in their daily lives, and think hard about how it can be used against them.

Have fun. Yes, it's the generic advice from any motivational speaker (I am not one). If you have fun, you will keep doing all of the above. That will propel you into the next generation of information security leadership. You will have bad days; learn from them. Incorporate what you learn into your future behavior.

About the Author
Branden R. Williams, DBA, CISSP, CISM, is the CTO, Cyber Security Solutions at First Data, a seasoned security executive, ISSA Distinguished Fellow, and regularly assists top global firms with their information security and technology initiatives. Read his blog, buy his book, or reach him directly at http://www.brandenwilliams.com/.

[1] This will be a column for another month.



Security Awareness

What the TJ Hooper Case Means for Security Awareness
By Geordie Stewart, ISSA member, UK Chapter

For those not familiar with the case, TJ Hooper was a landmark in tort law that established an important standard for negligence. The case was heard in 1932 to assign liability for a lost cargo. A tug towing the cargo on a barge had set to sea in good weather but later that night there was a storm and the barge sank. The owner of the cargo argued that if the tug had been equipped with a radio, the tug captain could have checked weather reports and taken the opportunity to seek shelter in a nearby breakwater before the storm hit. The owner of the tug disagreed and made a prevailing-practice defense. That is, that tugs at the time were not usually equipped with radios and this was considered normal practice in the industry.

In a landmark decision handed down by Judge Learned Hand, it was found that prevailing practice did not completely shield the tug owner against a claim of negligence. In one of the most beautiful legal phrases ever uttered, the rationale was summed up as: "There are precautions so imperative that even their universal disregard will not excuse their omission." Common prudence, therefore, was not always the same as reasonable prudence. In this case the value of the cargo, the likelihood of a storm, and the relatively low cost of a radio meant that it was negligent to go to sea without one.

Judge Learned Hand: That everyone else does it badly is no excuse.

So what does this mean for information security awareness? It means that many organizations may be sitting on a liability time bomb. That is, in the event of a security incident, will their security awareness programs be considered adequate to shield them from third-party claims of negligence? There is a universal-practice argument to be made for mediocrity: most organizations barely go through the motions, with computer-based training and a few security slides as part of the induction process. Some organizations don't even have a security policy. Sooner or later this sad state of affairs will be put to the test.

If I had a contract with a third party that suffered a security breach related to human failings, I'd be asking if their security awareness program was adequate, given the risks. Not was it the industry minimum, but whether the effort the other party invested in security awareness was commensurate with the likelihood of a security incident, the value at risk, and the benefits of security awareness done properly.

Why hasn't the adequacy of security awareness programs been repeatedly challenged in court? Part of this is the unknown-unknown argument. For the TJ Hooper case, it was easy to see that damage had been done. The barge was below the water instead of on top of it. Even a PCI auditor could pick up on that one, if given half an hour and a detailed checklist. Failures in the information security field are different. Some organizations don't know they've had a breach. Or maybe they do know but don't want to make it public by engaging in litigation. There are two important aspects to this that are changing. Firstly, mandatory breach reporting requirements mean that the news of the breach is almost certain to be made public as organizations can't place any confidentiality restrictions on their notification process. Once the breach is public, there's no incentive to refrain from litigation.

Secondly, we've seen a rise in organization doxing, where leaks are intentionally made public. Think of Sony, Hacking Team, Manning, the diplomatic cables, and the list goes on.

It may well be that the next step change in professionalizing security awareness campaigns won't be new standards, certifications, or qualifications but the lawyers getting involved. Consider how your security awareness program would fare if put under the spotlight. If it's just a token gesture, going through the motions of the industry minimum, then you could be in trouble.

About the Author
Geordie Stewart, MSc, CISSP, is the Principal Security Consultant at Risk Intelligence and is a regular speaker and writer on the topic of security awareness. His blog is available at www.risk-intelligence.co.uk/blog, and he may be reached at geordie@risk-intelligence.co.uk.



Security in the News
News That You Can Use
Compiled by Joel Weise ISSA Journal Editorial Board Chairman, ISSA Distinguished Fellow, Vancouver, Canada Chapter
and Kris Tanaka ISSA member, Portland Chapter

Best Information Security Certifications for 2016


http://www.tomsitpro.com/articles/information-security-certifications,2-205.html
In fair disclosure, I dont agree that any of the certifications mentioned in this article are worth much. How-
ever, it seems appropriate to include this article for those who are just starting their information security
careers. I can name numerous faults with each of the certifications in the article and I will always recommend
experience over any certification. But hey, its your money.
EMV: Why US Will Miss October Deadline
http://www.bankinfosecurity.com/emv-us-will-miss-oct-deadline-a-8531
This truly pains me. As one of the inventors of the Visa EMV multi-application chip card, I find it almost em-
barrassing that the US still cannot get its act together and adopt EMV. The arguments in this article are the
same ones we debated years ago when we were developing EMV and chip cards. One would think that by now we could
have settled the debate around risk, fraud, and infrastructure development. Apparently not.
Four Tips to Keep Your Career Relevant
http://www.csoonline.com/article/2980932/it-careers/4-tips-to-keep-your-career-relevant.html
Speaking of experience over certification, this article raises a number of good points. As the author notes,
With some of the most desirable and challenging certifications after my name, I was officially burned out. I had
no idea how I could remain relevant and useful within my new specialty. I especially like the authors point
about training and funding continuous training.
Microsoft Is Downloading Windows 10 to PCs, Even If You Dont Reserve a Copy
http://arstechnica.com/information-technology/2015/09/microsoft-is-downloading-windows-10-to-pcs-even-if-you-dont-
reserve-a-copy/
According to Microsoft, For individuals who have chosen to receive automatic updates through Windows Update,
we help upgradable devices get ready for Windows 10 by downloading the files theyll need if they decide to up-
grade. What this really means is that your system will be pushed code even if you dont intend to upgrade to
Windows 10. Imagine you have limited bandwidth and pay dearly for the few bits and bytes you do use. Now imagine
when a few extra gigabytes of code are pushed to you and your ISP or other supplier surprises you with a fat
bill the next month.
The Startling Economic Truth about Cyber Risks
http://www.bloomberg.com/sponsor/zurich/holistic-approach/?mvi=3169b2f0db864142ae2feaf4a9173aa5
Im not sure I am willing to throw in the towel just yet. In addition, I imagine the likes of Amazon, Google,
or Apple might have something to say about this, but there is an excellent point being made here. To quote,
A new report indicates that were reaching the tipping point when the annual costs of cyber disruptions begin
to reduce the incentive for doing business in a connected world. As most readers know, life is all about risk
management, and there are no clear answers. Check out the complete report here: http://knowledge.zurich.com/
cyber-risk/overcome-by-cyber-risks/.
Former AV Man McAfee Runs for US President
http://www.infosecurity-magazine.com/news/former-av-man-mcafee-runs-for-us/
Who could resist John McAfee running for president of the United States? At least there would be someone in
the White House with a relatively clear understanding of information security. And he certainly understands the
central issue of privacy. As he states: I am protected by a government that invades my privacy so that it can
assure me that I am not the enemy it is protecting me from.
The Security Operations Hierarchy of Needs
http://www.securityweek.com/security-operations-hierarchy-needs
This is an interesting take on security operations. The author suggests that there is a hierarchy of needs:
awareness, vision, process, instrumentation content, unified work queue, staffing, training, operations, intel-
ligence, and information sharing. It does seem a bit more complex that necessary, but each of these on its own
does make sense. And I would agree that organizing against such a hierarchy is a good way to start.
Intelligence Start-Up Goes behind Enemy Lines to Get ahead of Hackers
http://mobile.nytimes.com/2015/09/14/technology/intelligence-start-up-goes-behind-enemy-lines-to-get-ahead-of-hack-
ers.html?_r=3
Threat intelligence is, in my humble opinion, where we need to expend far more energy and resources than in
any other information security area. We are all familiar with firewalls, antivirus, and the latest and greatest
vendor products, but for the most part these are reactive and not proactive. This article looks at iSight, a
cyber threat intelligence organization, which reportedly infiltrates the underground, where they watch crimi-
nals putting their schemes together and selling their tools. In short, lets try to stay ahead of the bad guys.
Cybersecurity Competitions Make a Difference
http://www.csoonline.com/article/2978865/it-careers/cybersecurity-competitions-make-a-difference.html
"Education is more than just classrooms and teachers. It's active learners working to improve their knowledge,
skills, and abilities. It's mentors guiding both students and teachers. It's making learning fun," says Ron
Woerner, director of Cybersecurity Studies at Bellevue University. It's time to start thinking outside the box
and step out of the traditional classroom environment to help deal with the shortage of qualified cybersecurity
professionals. Check out the list of competitions and programs listed to see how you can make a difference.

8 ISSA Journal | October 2015


Perspective: Women in Security SIG
Blaze Your Own Trail
By Christa Pusateri ISSA member, Tampa Bay ISSA Chapter

In established fields, career progression is often thought of as a linear journey. Climbing the corporate ladder is a metaphor for career success that tells us that if we work hard, we will ascend, rung by rung, in a clearly upward path, knowing exactly how to reach that next level.

In today's world of exponential technology requiring explosive growth in the information security field, this clear corporate ladder is a foreign concept. However, the leaders who find their way to success without a map are often the most inspirational. With unprecedented access to information, global networks, and self-publishing platforms, it's no longer necessary to follow the herd.

Take Sali Osman, one of my favorite infosec thought leaders. Sali started her career in electronics engineering, and then moved into information security. Her most recent post was CISO at Time Customer Service Inc., the global organization that fulfills orders and shipping for Time magazine and its affiliates. Currently, she is the Security and Risk Management Advisor for Saudi Aramco and makes time to invest in the next generation of female and minority leaders through her work as the co-chair Mentor-Protégé Program at the International Consortium of Minority Cybersecurity Professionals (ICMCP).

As a young girl, growing up in the Middle East, Osman would tinker with circuit boards and take her toys and computers apart just to see how they worked. Her father told her that she could make it in any job she chose if she worked hard and stood up for herself.

Her family and friends called her crazy when she later joined the Abu Dhabi Police as a network and software engineer. She says they still think she's crazy today when, after a layoff at TCS, she turned down several high paying senior leadership job opportunities in order to take time to spend with family, focus on her mentoring within the international security community, and invest in her non-profit interests with the Nubian Village Cultural Heritage Center.

"If you're working hard, work happily and joyfully do what you love. Smiles come from your internal self. Be the person who creates circumstances rather than just going with the flow. Chart your own path." Sali Osman, CRISC, CISM, CISSP, Security and Risk Officer

Another example of a leading lady who blazes her own trail is Ashley Ferguson, Global Director, Governance, Risk, Compliance, Security Architecture and Design at Dell SecureWorks. She started her information security career in audit at a big-four consulting firm. She quickly found that her passions were in leadership and helping people. Whether it was helping clients understand her audit findings or helping a team member with career planning, Ashley quickly excelled and cleared her path to become the Manager of Risk and Compliance and Information Security Officer for Energen, a growing oil and gas firm. Her role at the CISO level, investment in building a strong network, and winning the People's Choice ISE Southeast award contributed to her visibility as a leader in the industry. Opportunities often came her way that most people would say she was crazy to turn down. But Ferguson knew she had to follow her intuition and choose the right next step in her career. She wanted to make an impact and help people, not just in one industry or at one company but on the overall industry, which is a big part of her new role at Dell SecureWorks.

"I felt deep down, when the right opportunity came, I would know," Ferguson says. "It would have to be the right reason to step away and have deeper meaning than just more money or better title."

As these stories illustrate, sometimes success means saying no to linear progression and conventional career paths. In information security you have the opportunity to work in any and every industry imaginable and take on any number of different roles, from penetration testing to communications and public relations, or even start your own business.

If at any point you run into a road block that may seem like a failure, think of it as a sign that you need to take a step back in order to move forward in the right direction. If you recognize that your path could look different than everyone else's, it can help you focus your energy on finding yourself and getting back on the right path.

The days of mandated corporate ladder climbing are behind us, so dare to be different and blaze your own trail to happiness in your career.

About the Author
Christa Pusateri is a trailblazer, problem solver, entrepreneur, student, coach, storyteller, teacher, adventurer, and above all else a devoted wife and mother. She currently serves as the vice president for the Tampa Bay Chapter, leads communications and public relations for Algenol (www.algenol.com), the leader in world changing biofuels, and teaches Entrepreneurship and Creativity at Florida Gulf Coast University. She blogs and may be reached at cmp@christapusateri.com.



Open Forum
The Open Forum is a vehicle for individuals to provide opinions or commentaries on infosec ideas, technologies, strategies, legislation, standards, and other topics of interest to the ISSA community. Open Forum articles are not intended for reporting news; they must provide insight, opinion, or commentary to initiate a dialog as to be expected from an editorial. The views expressed in this column are the author's and do not reflect the position of the ISSA, the ISSA Journal, or the Editorial Advisory Board.

FOR THOSE CONSIDERING TRAINING AND CERTIFICATIONS, of which there are many that apply in the information security space, here is one perspective on the Certified Information Systems Security Professional (CISSP). The CISSP has been around for a fairly long time, but the questions of its validity and currency come up at times. Both valid questions. Is the CISSP right for you? Possibly. Can it be improved? Certainly. Are there alternatives? Yes. Ed.

Your CISSP Is Worthless. Now What?


By Dave Shackleford

OK, so it's not really worthless. It can help you get a job or a contract, but in the scheme of today's infosec world? It's really broken, in my opinion. Let me break down my thought process, since I'm typically pretty upbeat about things.

Over the years, I have had more than a few laughs with both clients and SANS students about various aspects of the CISSP. Few seem to really take it seriously. That's a big indicator.

Second, there are far too many things in that cert/test that are completely and totally useless to 99% of us in infosec. As the information systems security professional, I do not need to know about fire extinguisher types, fence height, or lighting. Sure, it may be interesting knowledge, but not relevant to most people's infosec jobs, and thus extraneous in the cert.

Third, the CISSP demonstrates no hands-on skills. The test itself (completely insane in its wording and content in some cases) just makes you memorize a bunch of concepts. We don't need many, if any, theoreticians today. We need tangible, real skills that can be put to good use immediately. You may argue that theory and research and risk have a place. Sure. But I don't need that in a cert like this. I want someone who can walk in the door and DO things, not think about doing things. Or talk about doing things. Or answer obtuse questions about things without being able to perform hands-on tasks.

I've had some people tell me "I'm proud of my CISSP."

Really? Of what, exactly?

Studying for a test?
Taking and passing a long, obnoxious test?
Doing WORK for three to four years? (wow, welcome to a CAREER)
Having a college degree (in some cases)?
Acquiring CPE credits for random things and events?
Getting someone to attest that you are smart and/or awesome?

People, it's broken.

HR offices are essentially discriminating against people who don't have one, for really no good reason. This cert is ridiculous. If you have to get one for work, or compliance, or DOD 8570, or something, OK. But don't strut around and act as though this really means you have something unique or special; you don't. I know way too many CISSPs who can't dissect a packet, configure a firewall or IDS, write a script, perform a real in-depth risk analysis, and so on. That does NOT bode well for the future of information security. If you argue that it's meant to be a broad, theory or breadth-of-knowledge cert, well, I argue we don't NEED those. We need more DO-ers.

So what do I propose?

I say scrap the whole thing. Start over. Build a cert and program that tests fundamental skills and means something to employers who really need things done. Offer existing cert holders one year and a free test to get the new one. Otherwise, they're out. We need to weed out the people skating their way through infosec on the back of a bunch of stupid CPEs. I'd love for the CISSP to mean something, and see the industry rally around it as a useful and legitimate indicator of knowledge and skill.

About the Author
Dave Shackleford is the owner and principal consultant of Voodoo Security and a SANS analyst, senior instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. He may be reached at dshackleford@voodoosec.com.

Annual Membership Meeting
The Annual Membership Meeting was held 12:00 pm EDT, September 10th. To access the recorded version, visit www.issa.org/?page=2015AnnualMeeting.



Association News

Please Join Your Colleagues in Chicago

Dear ISSA Member,

For those outside the world of security, it is difficult, if not impossible, to comprehend the true scale of present and future security issues that are daily transforming the lives of people, businesses, society, and the world at large. Simultaneously, the promises of the ongoing technological revolution often tend to decry the recommendations of cybersecurity professionals; yet, we are charged with mitigating risk and safeguarding the world from those enormous security challenges.

Thus, our roles are also transforming. We must continue to grow our security expertise even as we advance our skills in effective communication and organizational leadership.

The ISSA International Conference offers unique guidance and resources that were carefully selected to help security professionals at all levels to achieve this strategic mix of knowledge, skills, and aptitudes. It also provides you with access to the strongest global network of experts across industries and skill sets. Join us to transform your career and your organizations. ISSA

ISSAEF Annual Fund-Raiser Kick Off

The Foundation is pleased to announce its fourth annual fund-raiser to be held in Chicago, Illinois, this year in conjunction with ISSA's annual conference.

At our fund-raiser we'll be selling tickets to our drawing held on Tuesday after lunch. Winners need not be present to win! All winners will be notified at the conference to pick up their prizes at the Foundation booth before the conference ends.

Stop by to learn about our scholarship programs and make a tax-deductible donation for a chance to win great prizes, including:

A SANS-donated course from their entire catalogue of online, in-person, or on-demand courses for 2016.
Great security books signed by the authors, such as: Future Crimes by Marc Goodman; Data and Goliath by Bruce Schneier; Spam Nation by Brian Krebs; With Murder You Get Sushi, by Mary-Ann (Maddie) Davidson.
A Kindle Fire HD6, gift cards, BOSE headphones, and much, much more!

The ISSA Education Foundation (ISSAEF) thanks SC Magazine (a Haymarket Media brand) for its generous donation to our annual scholarship fund.

See you in Chicago!

Upcoming International Web Conferences: Mark Your Calendar

Big Data - Trust and Reputation, Privacy - Cyber Threat Intelligence
2-Hour Live Event: Tuesday, October 27, 2015
Start Time: 9:00 am US-Pacific/ 12:00 pm US-Eastern/ 5:00 pm London
Overview: The Internet is forever. If something is posted on the net, there is no way to get it back, or even correct it. This webinar will talk about the potential uses of big data for good and bad.
Moderator: Hari Pendyala, ISSA Fellow, Chennai, Asia Pacific Chapter

Forensic - Tracking the Hacker
2-Hour Live Event: Tuesday, November 17, 2015
Start Time: 9:00 a.m. US-Pacific/ 12:00 p.m. US-Eastern/ 5:00 p.m. London
Moderator: Allen Wall, Senior Consultant, Information Risk Management, HP Enterprise Security Services
Speaker: Dipto Chakravarty, EVP Engineering and Products, ThreatTrack Security Inc.

Cyber Pre-Professional Meet-Up Links

Introductory Meet-Up: https://www.youtube.com/watch?v=3_FTI2d62Ss
Penetration Testing: Fireside Chat with Chris Simpson: https://www.youtube.com/watch?v=dTXr5cop8_o
All about Entry-Level Security Certifications: https://www.youtube.com/watch?v=GGlbE5JevEg
How to Get the Most out of Networking and Mentoring Opportunities: https://www.youtube.com/watch?v=tsT4cvm_bTo
How to Land Your First Security Job: https://www.youtube.com/watch?v=drWsKdrBVOE

ISSA, Raleigh Chapter
Triangle InfoSeCon 11th Annual Conference
October 8, 2015
Largest Infosec Conference in North Carolina
www.triangleinfosecon.com



ISSA International Conference
OCTOBER 12-13, 2015, CHICAGO MARRIOTT DOWNTOWN, CHICAGO, ILLINOIS

Advancing the Culture of Security

Newly Added Featured Speaker: James Trainor, Jr., Assistant Director, Cyber Division, FBI
October 13: 10:15 am - 11:00 am, Salon 3

Register Now: www.issa.org/?issaconf_home
See Why You Should Attend! https://youtu.be/hGJ5U_woHPs
Groups of 10 or more save 20 percent on registration fees. For more information, email Leah Lewis: llewis@issa.org.

PREVIEW

Preparing for the Big One
Track: Incident Response
David Phillips, Managing Director, Cybersecurity Consulting, Berkeley Research Group

"Data breaches are going to continue to happen to earnest companies. Many are simply not prepared for the situation, bumbling the press comments, trampling on evidence, and not recognizing the severity of the situation. All of this is increasing the Fear-Uncertainty-Doubt to the public," David explains. "The only way to be prepared is to treat security as other industries have treated high-risk environments. The board room cannot wait for the Big One. From the Securities and Exchange Commission to the American Bar Association to the White House, regulatory and oversight bodies are foreshadowing the liability event. CxOs, board members, shareholders, and insurance companies are going to feel the punch as negligence suits become the norm. This session will focus on a five-step process for developing an effective executive cybersecurity program that demonstrates due diligence."

"Preparing for a major privacy data breach requires a board-level approach to coordination across general counsel, CISO, finance, HR, IT operations, and partners. The IT security industry is focused on selling point solutions that address a very limited part of the overall security landscape," he adds. "A deeper focus on the holistic problem is required in order to be prepared to rapidly detect and respond to breaches."

Attendees will consider the broader sphere of the security environment that includes corporate politics, insurance mitigation, legal protections, security cultural assessments, and security operations. They will take away knowledge of the Layer 8 issues required to properly respond to the Big One, how to measure and adapt an infosec program on a new scale, and how to articulate security issues to key decision makers.

"Security is a people-centric issue; avoid relying on technology as the solution," he concludes. "Instead, focus on what it takes to build a high-reliability organization."

Diversified IT: Why the Security Workforce Needs Qualified Women...and Men
Track: Business Skills for the Information Security Professional
Tammy Moskites, CIO and CISO, Venafi

"There's long been a need for more diverse candidates in information technology, but lately the need is growing much stronger for simply finding qualified security professionals, men and women alike, to enter the cybersecurity workforce. The personnel and skills gap shortage is already starting to negatively impact the industry," Tammy explains. "Many CISOs I've met across the globe have mentioned to me that they are having a difficult time finding and hiring the right qualified people for the job. That's a major problem. A recent 2015 Frost & Sullivan report claims that the global workforce shortage of security professionals will reach 1.5 million within five years, and the need for a wider skill set and strong communications skills has never been greater."

"So how do we build the next generation of cyber warriors and also ensure that more females get interested at an early age in joining the workforce? While there are some great certification and training programs out there, we still need to find ways to encourage our kids and college-aged students to get interested in the field. That's a critical part of solving this problem," she emphasizes. "It's not just about finding more women to create a diverse workforce; we simply cannot find enough qualified professionals in general."

This presentation will discuss firsthand lessons learned over Tammy's 30-year career span in IT and security. She will discuss the challenges of entering the workforce as a woman and how she's built and grown her career. She'll also discuss how she's built and mentored great teams and where she sees the need for skills to evolve as the threatscape has changed. Attendees will take away best practices and key lessons learned from the personal challenges she has overcome over the years. "I'm extremely passionate about growing and mentoring great security teams," she exclaims. "I believe strongly that we have a major skills-gap and a hiring crisis that needs to be addressed now."

Attendees will understand why a more diversified workforce is needed and how the gender gap can continue to dissolve with more STEM programs and computer security college curricula. As Tammy sums it up, "This session will give infosec professionals firsthand experience on how to build a successful team around themselves, have continued career growth, become great mentors to their teams, and evolve their skills sets throughout their careers."

See International Conference Guide Inserted in the Journal for Full Agenda and All Sessions




Improving Cybersecurity Workforce Capacity and Capability: Addressing the Education-to-Workforce Disparity

By Marie A. Wright ISSA member, Connecticut Chapter


This article examines the chasm between demand and supply in the cybersecurity labor market.
It looks at the professional competencies established by the federal government to help align
industry cyber needs with education and training initiatives and offers suggestions to enhance the
partnerships between academia, industry, and professional associations.

Abstract

Across public and private sectors, there is a growing demand for qualified cybersecurity professionals. Finding those individuals with the necessary knowledge, skills, and abilities (KSAs) to fill vacant positions has proven to be difficult. This article examines the chasm between demand and supply in the cybersecurity labor market. It looks at the professional competencies established by the federal government to help align industry cyber needs with education and training initiatives. It also offers suggestions to enhance the partnerships between academia, industry, and professional associations that will improve the KSAs of undergraduates who will soon enter the cybersecurity workforce.

Since 2007, the demand for cybersecurity professionals has risen dramatically. The cause is likely due to multiple factors (e.g., greater connectivity, more vulnerabilities, increased intruder awareness of the value of attacking networks, and heightened public awareness of successful attacks) [14]. According to Burning Glass Technologies, cybersecurity job postings grew 74 percent from 2007-2013, more than twice the rate of all other information technology (IT) jobs [3]. They also took 36 percent longer to fill than all job postings [3]. Last year, Cisco estimated an industry shortage of more than one million security professionals worldwide [4]. A recent Ponemon Institute survey of 504 human resources and IT security specialists in the United States found that the IT security function in most organizations was understaffed, with 70 percent of the respondents reporting that they had neither the depth nor breadth of qualified security professionals [21]. In January 2015, ISACA conducted a global survey of 3,439 business and IT professionals in 129 countries [12]. Ninety percent of the respondents said there was a national shortage of skilled cybersecurity professionals. Another survey conducted earlier this year [13] seemed to corroborate this. More than half of the 926 respondents reported that it took their organizations anywhere from three to six months to fill an open position, and that fewer than 25 percent of the applicants were qualified to fill the positions for which they applied.

The demand for cybersecurity professionals is projected to intensify over the next several years, largely due to the increasing sophistication and persistence of cyber threats, and




the growing pervasiveness of mobile devices and cloud services in the business environment [9]. According to the most recent (ISC)2 Global Information Security Workforce Study [9], the estimated compound annual growth rate in global demand for security professionals from 2014-2019 is 10.8 percent, while the estimated compound annual growth rate in global supply during that same five year period is only 5.6 percent. The numbers suggest that by 2019, there will be a workforce shortage of more than 1.5 million cybersecurity professionals.

The Bureau of Labor Statistics projects a 37 percent growth in employment for Information Security Analysts through 2022, compared to an 11 percent average growth rate for all occupations [2]; however, the title of Information Security Analyst certainly does not describe all cybersecurity jobs. Perhaps a better sense of the demand for cybersecurity workers should be based on the number of organizations that ought to be undertaking some measures to protect their systems, networks, and data from unauthorized access, use, or harm [5]. In the United States there are approximately 456 agencies in the federal government [18], more than 90,000 state and local governments [26], almost 13,000 independent school districts [26], approximately 7,200 public and private colleges and universities [28], and more than six million firms [25]. All should have someone responsible for cybersecurity within their respective organizations.

Education and training initiatives

The first official recognition of the need for cybersecurity professionals was the 2008 Comprehensive National Cybersecurity Initiative (CNCI) [6]. The CNCI consisted of a dozen initiatives with the overall goal of helping to secure the United States in cyberspace. Initiative #8 specifically addressed the expansion of cyber education:

While billions of dollars are being spent on new technologies to secure the US Government in cyberspace, it is the people with the right knowledge, skills, and abilities to implement those technologies who will determine success. However, there are not enough cybersecurity experts within the Federal Government or private sector to implement the CNCI, nor is there an adequately established Federal cybersecurity career field. Existing cybersecurity training and personnel development programs, while good, are limited in focus and lack unity of effort. In order to effectively ensure our continued technical advantage and future cybersecurity, we must develop a technologically-skilled and cyber-savvy workforce and an effective pipeline of future employees. It will take a national strategy, similar to the effort to upgrade science and mathematics education in the 1950s, to meet this challenge [6].

In 2010, in response to CNCI Initiative #8, the National Initiative for Cybersecurity Education (NICE) was established. Led by the National Institute of Standards and Technology (NIST), NICE consists of more than twenty federal departments and agencies. To achieve its mission of enhancing the overall cybersecurity posture of the United States, NICE has three goals: To increase national cybersecurity awareness, to expand the pool of individuals prepared to enter the cybersecurity workforce, and to develop a globally competitive cybersecurity workforce [17].

NICE National Cybersecurity Workforce Framework

The foundation of the NICE effort to standardize the cybersecurity field is the National Cybersecurity Workforce Framework [8]. Version 1.0, released in August 2012, organized cybersecurity into seven high-level categories, each comprised of several specialty areas. Related job titles, tasks, and KSAs needed to successfully complete those tasks were further described within each specialty area [11]. By establishing a common taxonomy and lexicon for cybersecurity workers, and developing a baseline of tasks and KSAs associated with cybersecurity professionals [17], the framework defines cybersecurity work irrespective of organizational structure or job title, and is flexible enough to allow organizations to adapt its content to their own workforce planning needs [16]. In 2013, work began on updating the framework to reflect the latest changes in IT and the cybersecurity field. The most recent version of the framework is shown in Table 1. Source: DRAFT National Cybersecurity Workforce Framework Version 2.0, National Initiative for Cybersecurity Careers and Studies.1

Table 1 - National Cybersecurity Workforce Framework

Category: Securely Provision
Concerned with conceptualizing, designing, and building secure IT systems with responsibility for some aspect of the systems development.
Specialty Areas: Secure Acquisition; Secure Software Engineering; Systems Security Architecture; Technology Research and Development; Systems Requirements Planning; Test and Evaluation; Systems Development.

Category: Operate and Maintain
Responsible for providing the support, administration, and maintenance necessary to ensure effective and efficient IT system performance and security.
Specialty Areas: Data Administration; Customer Service and Technical Support; Network Services; System Administration; Systems Security Analysis.

Category: Protect and Defend
Responsible for the identification, analysis, and mitigation of threats to internal IT systems or networks.
Specialty Areas: Enterprise Network Defense Analysis; Incident Response; Enterprise Network Defense Infrastructure Support; Vulnerability Assessment and Management.

Category: Investigate
Responsible for the investigation of cyber events or crimes related to IT systems, networks, and digital evidence.
Specialty Areas: Digital Forensics; Cyber Investigation.

Category: Oversee and Govern
Providing leadership, management, direction, or development and advocacy so the organization may effectively conduct cybersecurity work.
Specialty Areas: Legal Advice and Advocacy; Strategic Planning and Policy Development; Training, Education, and Awareness; Information Systems Security Operations; Security Program Management; Risk Management; Knowledge Management.

Category: Collect and Operate
Responsible for specialized denial and deception operations and collection of cybersecurity information that may be used to develop intelligence.
Specialty Areas: Collection Operations; Cyber Operations; Cyber Operations Planning.

Category: Analyze
Responsible for highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence.
Specialty Areas: All Source Intelligence; Exploitation Analysis; Targets; Threat Analysis.

ETA Cybersecurity Competency Model

In 2013, the Employment and Training Administration (ETA) of the US Department of Labor began working with the more than twenty federal departments and agencies that contributed to the NICE framework to develop a Cybersecurity Competency Model [7]. The goal was to promote a better understanding of the competencies and skill sets that were essential to educate and train a globally competitive cyber workforce [10]. The resulting model incorporates the competencies identified in the NICE framework and expands on it by including the competencies needed by average workers who use technology, as well as those needed by cybersecurity professionals [7]. The Cybersecurity Competency Model was launched in May 2014, and is shown in figure 1 [1].

The pyramid structure conveys an increasing level of content specialization, from entry-level worker to senior-level cybersecurity professional. The blocks within each tier represent competency areas (i.e., the KSAs necessary for successful performance) [1]. At the bottom of the pyramid, Tiers 1 through 3 represent the "soft skills," the personal effectiveness, academic, and workplace foundation competencies essential for all in the cybersecurity workforce. Tiers 4 and 5 (shown in yellow) show the technical competencies that are cross-cutting to the cybersecurity industry or industry sector. The top tier (shown in blue) represents the specialization of knowledge and technical competencies within management and within specific cybersecurity occupations [1].

Addressing the supply/demand disparity

In spite of the federal government's initiatives to increase the supply of cybersecurity professionals, it will take time to expand the workforce in response to the heightened demand [14]. It may take years to educate and train a sufficiently qualified labor force; yet, there are things that can be done in the short term, by industry, academia, and professional associations, that can positively impact the KSAs of undergraduates who will soon enter the workforce. Following are ten straightforward suggestions, offered from the author's perspective as an academic who has spent more than two decades developing and updating undergraduate information security courses and programs.

1 http://niccs.us-cert.gov/research/draft-national-cybersecurity-workforce-framework-version-20.




Figure 1: Cybersecurity Competency Model

1. Industry security professionals and board members from regional chapters of professional security associations should volunteer to be guest speakers in the IT and security classes offered at local colleges and universities. In spite of the fact that millennials (young adults, ages 18 to 26) have grown up in a digital environment, only one in four indicates an interest in a career as a cybersecurity professional [23]. Most students are uncertain about cybersecurity job responsibilities, and they need information, advice, and encouragement from others outside of the academic sphere. There is no more effective way to share career experiences, to influence individual career choices, or to emphasize the need for a stronger cybersecurity workforce, than to speak directly to those still in school.

2. Security professionals from industry and board members from regional chapters of professional security associations should volunteer to serve as advisory board members for college or university departments that offer cybersecurity or information security courses. Active board participation is essential, and contributing to the advancement of cybersecurity education is equally important. Academic administrators listen to the feedback provided by external professionals, and they typically listen more carefully than they do to the information provided by their own faculty.

3. Businesses should establish more paid internships and co-ops in cybersecurity. These offer the best of both worlds to businesses and to students. Businesses have the opportunity to hire, without obligation, knowledgeable and energetic individuals from local colleges and universities who are eager to contribute, and to do so at a (typically) lower pay scale on a short-term basis. Students have the opportunity to gain the practical, entry-level experience necessary for them to begin their cybersecurity careers, while earning much-needed money for their tuition expenses.

4. Businesses should make a more concerted effort to donate their unused equipment to local colleges and universities that are trying to develop their cybersecurity programs. Academic institutions operate in the real world. They continually face budget cuts, and oftentimes funding that should go to improve the classroom learning environment instead becomes redirected toward administrative and operating expenses. Today, many publicly-funded universities receive less than 50 percent of their revenue from the state. Businesses can help by donating equipment they no longer need to colleges or universities for educational purposes. By doing so, businesses not only help students who may be aspiring cybersecurity professionals, they may be able to claim a tax deduction for their equipment donations as well.

5. Business professionals and academics need to strongly encourage students to join professional associations, attend local chapter meetings, and network. Particularly for those on the cusp of starting their careers, what you know has to be supplemented with who you know. The benefits of professional association membership are well known to those already in the field, but students have not yet learned the advantages of developing professional relationships, being mentored, or having access to an array of resources and services that are offered only to members. Students need help in determining which of the many good security-related professional associations they should join. For example, by joining the ISSA, students could take advantage of the Cybersecurity Career Lifecycle (CSCL) program. As pre-professionals, they could do a self-assessment of their KSAs, which would help them to better understand what an aspiring professional needs to know to enter the field, as well as the types of industry roles they might be best suited to fill [20].

6. All security-related professional associations should have low-cost student membership rates, and they should offer scholarships for student members who are studying cybersecurity. Some professional associations offer student memberships at reduced costs, but not all do. Even fewer offer student scholarships.² Student membership in security-related professional associations might be better spurred if student financial needs were better understood. Since 2008, public colleges and universities nationwide have increased tuition by more than 27 percent to compensate for state funding cuts [19]. Most of the nation's undergraduates hold jobs while going to school to pay for their educational expenses: 52 percent work part-time, and another 20 percent work full-time [27]. The bottom line is that their discretionary income is limited.

7. Academics should encourage students to pursue certification. There are hundreds of cybersecurity-related certifications, and navigating through the confusing array can be a daunting challenge. To make the process easier, the National Initiative for Cybersecurity Careers and Studies (NICCS) developed a list of organizations that provide the professional certifications needed for entry or promotion in the cybersecurity career field [22]. The list supports NICE's goal of facilitating the development of a globally competitive cybersecurity workforce. Certification standards can help academia to better align their cybersecurity curricula with current industry needs [24]; however, these standards have a training focus that should supplement, but not replace, education.

8. Academics should employ a multidisciplinary approach to cybersecurity education. Traditionally, security courses and programs have been housed in Computer Science or Engineering departments, which necessarily emphasize highly-specialized, technical knowledge; however, cybersecurity is more than just a technical discipline. It is a complex subject, whose understanding requires knowledge and expertise from multiple disciplines, including but not limited to computer science and information technology, psychology, economics, organizational behavior, political science, engineering, sociology, decision sciences, international relations, and law [15]. Although technical knowledge is important, recent studies [9][13] have suggested that other attributes, such as having a broad understanding of the security field, having strong communications skills, and being able to understand the business, may be more important for success as a cybersecurity professional.

9. Academics should incorporate realistic case studies and practical simulations into the cybersecurity curriculum. Classroom theory and hands-on practice have a reciprocal relationship, where one informs and reinforces the other. The case method, originally championed by the Harvard Business School, uses case studies to emulate realistic business challenges. The information provided is typically complex and insufficiently detailed, so students are challenged while their judgment and leadership skills are strengthened. In the case of simulations, learning occurs through hands-on actions, and preferred outcomes tend to be based on experience. The simulation environment provides constant and immediate feedback, so students can adjust their actions based on the information they receive. Both case studies and simulations are operational scenarios in which specific skills are learned and performance is evaluated within a realistic context. Mistakes will be made, and they often provide the best learning experiences.

10. Industry professionals should work more closely with academia to sponsor mock cybersecurity competitions. Unlike large-scale competitions, such as the annual National Collegiate Cyber Defense Competition sponsored by the Department of Homeland Security Science and Technology Directorate's Cyber Security Division, these mock competitions should be much smaller and should occur more frequently (e.g., monthly). They should have a practical, hands-on focus, but they should not require the high level of technical proficiency demanded by national cyber competitions, in order to encourage as much student participation as possible, including those who are not majoring in Computer Science or IT. After all, students majoring in non-technical disciplines may have the right set of skills to become cybersecurity professionals [14].

² ISSA offers student memberships. The ISSA Education Foundation (issaef.org) awards annual scholarships and administers ISSA chapter scholarships, such as Denver and San Francisco chapters. In addition, several other ISSA chapters conduct their own scholarship programs.

Conclusion
Since 2007, the sharp increase in demand for cybersecurity professionals has been met with a relatively small increase in the number of individuals qualified to fill those jobs. In spite of the federal government's initiatives to increase the supply of cybersecurity professionals, the labor market is tight and is projected to remain so for the next decade. It will take years to educate and train a sufficiently qualified workforce. In the meantime, there are actions that can be undertaken in partnership by industry, academia, and professional associations that can help to improve the capacity and capability of the cybersecurity workforce.

References
[1] Bertsche, Alyce Louise. The DOL Competency Model Clearinghouse. Webinar presentation for the North East Regional Employment and Training Association, May 1, 2014 http://docslide.net/government-nonprofit/competency-model-clearinghouse.html.



[2] Bureau of Labor Statistics, US Department of Labor. Information Security Analysts, Occupational Outlook Handbook, 2014-15 http://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm.
[3] Burning Glass Technologies. Job Market Intelligence: Report on the Growth of Cybersecurity Jobs, 2014 http://burning-glass.com/wp-content/uploads/Burning-Glass-Report-on-Cybersecurity-Jobs.pdf.
[4] Cisco Systems, Inc. Cisco 2014 Annual Security Report https://www.cisco.com/web/offer/gist_ty2_asset/Cisco_2014_ASR.pdf.
[5] Committee on Professionalizing the Nation's Cybersecurity Workforce: Criteria for Future Decision-Making, Computer Science and Telecommunications Board, Division on Engineering and Physical Sciences, and National Research Council. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making, Washington, DC: National Academy of Sciences, 2013 http://www.nap.edu/catalog/18446/professionalizing-the-nations-cybersecurity-workforce-criteria-for-decision-making.
[6] Comprehensive National Cybersecurity Initiative https://www.whitehouse.gov/sites/default/files/cybersecurity.pdf.
[7] Cybersecurity Competency Model, CareerOneStop Competency Model Clearinghouse http://www.careeronestop.org/competencymodel/competency-models/cybersecurity.aspx.
[8] FAQs. National Initiative for Cybersecurity Careers and Studies http://niccs.us-cert.gov/footer/faqs.
[9] Frost and Sullivan, (ISC)2, and Booz Allen Hamilton. The 2015 (ISC)2 Global Information Security Workforce Study https://www.isc2cares.org/uploadedFiles/wwwisc2caresorg/Content/GISWS/FrostSullivan-(ISC)-Global-Information-Security-Workforce-Study-2015.pdf.
[10] Help and FAQs, CareerOneStop Competency Model Clearinghouse http://www.careeronestop.org/competencymodel/faq.aspx.
[11] Interactive National Cybersecurity Workforce Framework, National Initiative for Cybersecurity Careers and Studies http://niccs.us-cert.gov/training/tc/framework/.
[12] ISACA. 2015 Global Cybersecurity Status Report http://www.isaca.org/pages/cybersecurity-global-status-report.aspx.
[13] ISACA and RSA Conference. State of Cybersecurity: Implications for 2015 http://www.isaca.org/cyber/Documents/State-of-Cybersecurity_Res_Eng_0415.pdf.
[14] Libicki, Martin C., David Senty, and Julia Pollak. H4cker5 Wanted: An Examination of the Cybersecurity Labor Market, Santa Monica, CA: RAND Corporation, 2014 http://www.rand.org/content/dam/rand/pubs/research_reports/RR400/RR430/RAND_RR430.pdf.
[15] National Academy of Sciences, Computer Science and Telecommunications Board, Division on Engineering and Physical Sciences. At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues, May 2014 http://sites.nationalacademies.org/cs/groups/depssite/documents/webpage/deps_087875.pdf.
[16] National Institute of Standards and Technology. National Initiative for Cybersecurity Education Strategic Plan, 2012 http://csrc.nist.gov/nice/documents/nicestratplan/nice-strategic-plan_sep2012.pdf.
[17] National Institute of Standards and Technology. NICE Overview. Presentation at the Asia-Pacific Economic Cooperation, Women's Business and Smart Technology Seminar, Beijing, China, May 23, 2014 http://mddb.apec.org/Documents/2014/PPWE/SEM2/14_ppwe_sem2_007.pdf.
[18] Number of Agencies in the Federal Government http://www.numberof.net/number-of-agencies-in-the-federal-government/.
[19] Oliff, Phil, Vincent Palacios, Ingrid Johnson, and Michael Leachman. Recent Deep State Higher Education Cuts May Harm Students and the Economy for Years to Come, March 19, 2013 http://www.cbpp.org/research/recent-deep-state-higher-education-cuts-may-harm-students-and-the-economy-for-years-to-come?fa=view&id=3927.
[20] Parizo, Eric. Non-traditional Employee Recruitment May Remedy Security Hiring Woes, November 2014 http://searchsecurity.techtarget.com/opinion/Non-traditional-employee-recruitment-may-remedy-security-hiring-woes.
[21] Ponemon Institute LLC. Understaffed and at Risk: Today's IT Security Department, 2014 http://www.hp.com/hpinfo/newsroom/press_kits/2014/RSAConference2014/Ponemon_IT_Security_Jobs_Report.pdf.
[22] Professional Certifications, National Initiative for Cybersecurity Careers and Studies http://niccs.us-cert.gov/training/professional-certifications.
[23] Raytheon Company. Preparing Millennials to Lead in Cyberspace, October 2014 http://www.raytheon.com/news/rtnwcm/groups/gallery/documents/digitalasset/rtn_210603.pdf.
[24] University of Phoenix and (ISC)2 Foundation. Cybersecurity Workforce Competencies: Preparing Tomorrow's Risk-Ready Professionals, 2014 http://cdn-static.phoenix.edu/content/dam/altcloud/doc/industry/cybersecurity-report.pdf.
[25] US Census Bureau. Appendix Table 1: Summary Statistics by NAICS Sector and Enterprise Employment Size: 2012. Statistics of U.S. Businesses: Employment and Payroll Summary: 2012 http://www.census.gov/content/dam/Census/library/publications/2015/econ/g12-susb.pdf.
[26] US Census Bureau. Government Organization Summary Report: 2012 http://www2.census.gov/govs/cog/g12_org.pdf.
[27] US Census Bureau. School Enrollment and Work Status: 2011 http://www.census.gov/prod/2013pubs/acsbr11-14.pdf.
[28] US Department of Education, National Center for Education Statistics. Table 105.50 Number of Educational Institutions, by Level and Control of Institution: Selected Years, 1980-81 through 2011-12 https://nces.ed.gov/programs/digest/d13/tables/dt13_105.50.asp.

About the Author
Marie A. Wright, PhD, is a Distinguished Professor of Management Information Systems at Western Connecticut State University. She has been actively involved in the field of information security for more than twenty-five years. She may be reached at wrightm@wcsu.edu.


ISSA International Conference
Chicago, Illinois, October 12-13, 2015
Advancing the Culture of Security

Keynote Speakers: Vinton G. Cerf & Dan Geer

Attend the Fabulous Party in the Sky at 360 Chicago! Monday Night, October 12 (sponsored by Bomgar).
Don't Miss the Cyber Networking Gala Reception in the Exhibit Hall! Sunday Night, October 11.

Photo credit: Choose Chicago


Advancing the Culture of Security

Join us for solution-oriented, proactive, and innovative sessions focused on security as a vital part of business.

For those outside the world of security, it is difficult, if not impossible, to comprehend the true scale of present and future security issues that are daily transforming the lives of people, businesses, society, and the world at large. Simultaneously, the promises of the ongoing technological revolution often tend to decry the recommendations of cybersecurity professionals, yet we are charged with mitigating risk and safeguarding the world from those enormous security challenges. Thus, our roles are also transforming. We must continue to grow our security expertise even as we advance our skills in effective communication and organizational leadership.

The ISSA International Conference offers unique guidance and resources that were carefully selected to help security professionals at all levels to achieve this strategic mix of knowledge, skills, and aptitudes. It also provides you with access to the strongest global network of experts across industries and skill sets. Join us to transform your career and your organizations.

Keynote Speakers
Vinton G. Cerf, Vice President and Chief Internet Evangelist, Google: Monday, October 12, 8:15 am - 9:45 am
Dan Geer, CISO, In-Q-Tel: Tuesday, October 13, 9:00 am - 10:00 am

Featured Speakers
10/12/2015, 10:00 am - 10:45 am: Demetrios Lazarikos, CISO, vArmour
10/12/2015, 11:00 am - 11:45 am: Arlan McMillan, CISO, United
10/12/2015, 1:45 pm - 2:30 pm: Jeff Reich, Chief Security Officer, Barricade
10/13/2015, 10:15 am - 11:00 am: James C. Trainor, Jr., Assistant Director, Cyber Division, FBI
10/13/2015, 1:45 pm - 2:30 pm: Dave Ostertag, Global Investigations Manager, Verizon DBIR

Diamond Sponsors

2 ISSA 2015 International Conference


ISSA International Conference, October 12-13, 2015, Chicago, Illinois, USA

Welcome Cybersecurity Professionals!

Fellow members and leaders of ISSA and cybersecurity professionals, it is our pleasure to welcome you to the 2015 ISSA International Conference.

ISSA selected this year's theme, Advancing the Culture of Security, to reflect the tireless dedication of cybersecurity professionals in creating the necessary culture shift within their organizations, in order to mitigate the challenges posed by an ever-growing and changing threat landscape. In order to advance their security posture, organizations must knock down management silos and allow cybersecurity to permeate the whole working environment. Cybersecurity is not only the job of Infosec professionals; it needs to become part of everyone's job. It is becoming a relevant question on the table of Boards of Directors and CEOs. It is a daily matter for executives and line managers alike. CISOs are growing their staffs and increasingly participating in business-level decision making.

Over the past 26 years, ISSA members have been working diligently to manage the virtual explosion of information technology, and its exponential growth. To quote Albert Einstein: "The human spirit must prevail over technology." As leaders of the cybersecurity profession, our greatest challenge is to ensure that our organizations' cultures are resilient and collaborative, using technology in an environment that is both secure and productive. This conference is our opportunity to network, share success stories, pose important questions, and welcome the advice and suggestions of our colleagues and experts of renown.

Thanks to all the volunteers and the staff who worked tirelessly to put together the program and every detail of the event, to the exhibitors, to the speakers, and to all those who submitted a presentation, proposing great themes among which it was difficult to pick. And finally, thanks to each and every one of you for joining us at the 2015 ISSA International Conference.

Dr. Stefano Zanero, Chair, ISSA International Conference
Valeri L. Baldwin, President, ISSA Chicago Chapter

Conference Agenda at a Glance

October 10, 2015
CISO Forum:
5:00 pm - 8:00 pm: CISO Forum Opening Dinner*

October 11, 2015
CISO Forum:
8:00 am - 5:00 pm: CISO Forum Program*
Conference Events:
5:00 pm - 7:30 pm: Conference Cyber Networking Gala Reception

October 12, 2015
Conference Events:
7:00 am - 7:00 pm: Conference Registration Open
7:15 am - 8:15 am: Breakfast in Salon 3
8:15 am - 9:45 am: Keynote Session, Vinton G. Cerf: Vice President and Chief Internet Evangelist, Google
9:45 am - 4:00 pm: Exhibit Show Floor Open
12:00 pm - 1:30 pm: CISO Panel Luncheon
1:45 pm - 2:30 pm: WIS SIG Presentation
4:00 pm - 5:00 pm: Cyber Defense Center/Diamond Sponsors
6:00 pm - 9:00 pm: Chicago Welcome Reception: Party in the Sky at 360 Chicago, sponsored by Bomgar

October 13, 2015
Conference Events:
7:00 am - 12:00 pm: Conference Registration Open
7:30 am - 8:30 am: WIS SIG Breakfast: Networking for Success
8:00 am - 9:00 am: Breakfast in Salon 3
9:00 am - 10:00 am: Keynote Session, Dan Geer: CISO, In-Q-Tel
10:00 am - 2:00 pm: Exhibit Show Floor Open
10:15 am - 11:00 am: WIS SIG Presentation
12:00 pm - 1:30 pm: Awards Luncheon
4:00 pm - 5:00 pm: Cyber Defense Center/Diamond Sponsors

October 14, 2015
Chapter Leaders Summit:
8:00 am - 3:00 pm: Chapter Leaders Summit Program**

*CISO Forum is open to members of the CISO Executive Program and qualified first-time guests.
**The Chapter Leaders Summit is open to all chapter officers and board members of record at the time of registration. Please RSVP online. If you have questions please contact chapter@issa.org.


Special Events

Saturday, October 10 (Evening Dinner) & Sunday, October 11 (All-day workshops, 4th floor)
CISO Forum Opening Dinner: Saturday 5:00 pm - 8:30 pm
CISO Forum Program: Sunday 8:00 am - 5:00 pm
CISO Forum is open to members of the CISO Executive Program and qualified first-time guests.

Sunday, October 11:
ISSA Conference Cyber Networking Gala Reception, 5:00 pm - 7:30 pm
All attendees are welcome to join us in the Exhibit Hall at this informal networking reception in Salon 1 & 2.

Monday, October 12:
CISO Panel Luncheon (sponsored session), 12:00 pm - 1:30 pm, Salon 3
Seasoned CISOs and C-level security professionals share their thoughts and insights on how to advance the culture of security in your company from the corner office and beyond.

Party in the Sky at 360 Chicago (sponsored event), 6:00 pm - 9:00 pm
All attendees are welcome to join us at this informal networking event at 360 Chicago, voted Best View in America by Travel & Leisure Magazine. ISSA has exclusive use of 360 Tilt Observatory.
360 Chicago, 875 N. Michigan Avenue, 94th Floor. Exit the Marriott on the N. Michigan Avenue side of the lobby. Turn left onto N. Michigan Ave. Walk seven blocks to Chestnut. Cross Michigan Avenue and go down the stairs to the plaza entrance to the John Hancock Center. The entrance to 360 Chicago will be on your left. You will be directed through the 360 Chicago Concourse to the 94th floor elevators. Handicap entrance on Delaware St.

Tuesday, October 13:
International Awards Luncheon (sponsored event), 12:00 pm - 1:30 pm
The International Awards Luncheon will be held in Salon 3 and is open to all attendees. Join the Who's Who of the information security community and toast the influential leaders who have demonstrated a superior level of expertise, effectiveness, and dedication to the advancement of the profession.
2015 Award Winners:
Hall of Fame: Shon Harris (posthumously), Jeff Reich, Kevin Richards
Honor Roll: Alex Grohmann, Mark Williams, Dave Reed
President's Award for Public Service: Hacking Exposed: Stuart McClure, Joel Scambray, George Kurtz
Organization of the Year: Microsoft's Trustworthy Computing Group
Volunteer of the Year: David Vaughn, Jordan Lombard
Chapter of the Year: Large: Phoenix Chapter; Small: Puerto Rico Chapter

Wednesday, October 14:
Chapter Leaders Summit, 8:00 am - 3:00 pm, Kane/McHenry Room
Whether you are a new or long-time chapter board member, this one-day summit is a must. The Chapter Leaders Summit is designed to provide you with leadership tactics to support, strengthen, and further develop your chapter and enhance member value. How can you make it easy for members to get the most out of their membership?
**The Chapter Leaders Summit is open to all chapter officers and board members of record at the time of registration. Please RSVP for the Summit online. If you have questions, please contact chapter@issa.org, 866 349 5818 (toll free within the US) or +206 388 4584 (international).

Cyber Defense Center
From 4:00 pm to 5:00 pm on Monday and Tuesday, attend special product demonstrations, receptions, prize drawings and more in the new ISSA Cyber Defense Center sponsored by Bomgar, Microsoft, Spikes, Symantec, and Venafi. Look for your special invitations in September, in your registration packet, and in the ISSA Conference Mobile App!


Chicago Marriott Downtown

Photo & Video Disclaimer
By attending the ISSA International Conference, you will be entering an area where photography, video, and audio recording may occur. By attending, you consent to photography, audio recording, video recording, and its/their release, publication, exhibition, or reproduction to be used for news, webcasts, promotional purposes, telecasts, advertising, inclusion on websites, or any other purpose by ISSA and its affiliates and representatives. You release ISSA, its officers and employees, and each and all persons involved from any liability connected with the taking, recording, digitizing, or publication of interviews, photographs, computer images, video and/or sound recording.

Cyber Defense Center: Oct. 12 and 13, 4:00 pm - 5:00 pm

Room Locations
Huron: 4th floor
Indiana/Iowa: 6th floor
Kane/McHenry: 3rd floor
Lincolnshire: 6th floor
Michigan/Michigan State: 6th floor
Northwestern/Ohio State: 6th floor
O'Hare: 10th floor
Purdue/Wisconsin: 6th floor
Salons 1-3: 7th floor

Registration Hours:
Sunday, Oct. 11: 7:00 am - 7:00 pm
Monday, Oct. 12: 7:00 am - 4:30 pm
Tuesday, Oct. 13: 7:00 am - 12:00 pm

Exhibit Hall Hours:
Sunday, Oct. 11: 5:00 pm - 7:30 pm
Monday, Oct. 12: 9:45 am - 4:00 pm
Tuesday, Oct. 13: 10:00 am - 2:00 pm


Be Sure to Visit All Our Solution Providers in the Exhibit Hall (Salon 1 & 2)
Sunday, October 11: 5:00 pm - 7:30 pm
Monday, Oct. 12: 9:45 am - 4:00 pm
Tuesday, Oct. 13: 10:00 am - 2:00 pm

Exhibitor: Booth #
Alert Logic: 304
Bay Dynamics: 119
Bit9, Inc.: 218
Bomgar: 207 & 209
Cimcor, Inc: 221
Clearswift: 306
Comodo: 300
Contact Singapore: 217
CyberArk: 305
Damballa: Corner A
DocAuthority: 101
Dtex Systems: 320
Esentire: 200
ESET: 123
Fortinet: 312 & 314
Forum Systems: 103
Great Bay Software: 114
InfoBlox: 110
Inspired eLearning: 203
Intelisecure: 115 & 117
ISSA Foundation: Corner D
Keeper Security: 307
MediaPro: 311 & 313
Microsoft: 214 & 216
MNJ Technologies: 106
Nexum Inc.: 317
ObservIt: 116
OpenDNS: 105 & 107
PhishLine: 204 & 206
PKWARE: 222
Pulse Secure: 205
Qualys: 223
SANS: Corner C
Secunia: 319
Sergeant Laboratories: 201
Skybox: 316
Spikes: 113 & 212
Sunera: 104
Symantec: 109 & 208
Tenable: 308
The Security Awareness Company: 122
ThreatTrack: 100
Venafi: 213 & 215
Veracode: 322

Diamond Sponsors, Platinum Sponsors, Gold Sponsors, Silver Sponsors
Partner Sponsor: www.ISSAEF.org


ISSA Conference Tracks:
Mobile Security: Wireless, Mobile Apps, Tablets and Smartphones
Application Security: Application Security, Security Development Life Cycle
Infrastructure: Endpoint Security, Network Security, Data Loss Prevention, Pen/Vulnerability Testing, Security Intelligence, Data Protection, Architecture
Incident Response
Laws and Regulations: Legal Updates, GRC, Standards
Business Skills for the Information Security Professional: Presenting the business case for Information Security, Career Paths for Information Security Professionals, Privacy
Securing the End User: Security Awareness Training, Social Media, Access Control

ISSA Career Counseling and Networking Center
Career counseling by appointment; Employers: bring and post your job openings here. Huron Room, 10th Floor

Monday, October 12
International Conference Registration Open: 7:00 am - 4:30 pm, 7th Floor Registration
Breakfast: 7:15 am - 8:15 am, Salon 3
Opening Keynote Address, Vinton G. Cerf: 8:15 am - 9:45 am, Salon 3
Break in Exhibit Hall: 9:45 am - 10:00 am, Salon 1 & 2
Session Information Follows the Session Grids

Breakout Session One: 10:00 am - 10:45 am
(Tracks: Mobile Security, App. Security, Infrastructure, Incident Response, Laws & Regs., Business Skills, The End User)
- The Value Proposition for Federated Digital Identity Services (Kane/McHenry)
- Featured Speaker: Embracing and Securing the Internet of Things (IoT) (Salon 3)
- SELinux Integrity Instrumentation (Lincolnshire 1&2)
- Sponsored Session: Harnessing Innovation to Address Emerging Security Challenges (Indiana/Iowa)
- Silver Bullet for Identifying Hacking and Session Information Theft in ERP Systems (Purdue/Wisconsin)
- Pathways to Empowered Security Leadership (Northwestern/Ohio State)
- Sponsored Session: Malvertising, Drive-by Downloads, and Web Exploits: Stop Them All with Browser Isolation (Michigan/Michigan State)


ISSA International Conference October 1213, 2015 Chicago, Illinois, USA

Monday, October 12

Breakout Session Two: 11:00 am – 11:45 am
Mobile Security: Cisco Annual Security Report (Kane/McHenry)
App. Security: Understanding and Defending against Data Breaches as Part of a Custom Software Development Process (Indiana/Iowa)
Infrastructure: Mainframe Security: A Practical Overview (Lincolnshire 1&2)
Laws & Regs.: Patient Portal Security: Ensuring Security and Enhancing Patient Privacy (Northwestern/Ohio State)
Business Skills: Making the Business Case for Information Security (Purdue/Wisconsin)
Business Skills (Featured Speaker): Information Security Needs a Reboot (Salon 3)
The End User (Sponsored Session): The Fight Against Phishing: Defining Metrics That Matter (Michigan/Michigan State)

CISO Panel Luncheon: 12:00 pm – 1:30 pm, Salon 3
Seasoned CISOs and C-level security professionals share their thoughts and insights on how to advance the culture of security in your company from the corner office and beyond.
Moderator: Tim Stanley: Risk Management Consultant, Cummins Inc.
Panelists: Mary Ann Davidson: Chief Security Officer, Oracle Corporation; Tim Rains: Chief Security Advisor, Microsoft Worldwide Cybersecurity Business Unit; Deborah Snyder: Acting Chief Information Security Officer, New York State Office of Information Technology Services; Tim Virtue: Chief Information Security Officer, Texas.gov

Breakout Session Three: 1:45 pm – 2:30 pm
App. Security: Why Traditional Perimeter Security Approaches Leave Your APIs Exposed to Threats (Indiana/Iowa)
Infrastructure: It's Not a Cyberwar; It's a Lifestyle (Salon 3)
Incident Response: Preparing for the Big One (Lincolnshire 1&2)
Incident Response (Sponsored Session): The New Security Stack: 2015–2020 (Michigan/Michigan State)
Laws & Regs.: Cybersecurity Due Diligence of a Vendor: Legal Requirements and Beyond (Northwestern/Ohio State)
Business Skills: ISSA Women in Security SIG Presentation: TAP Into Your Potential (O'Hare)
Business Skills: Architecting Your InfoSecurity/Cybersecurity Organization, Teams, and Careers (Kane/McHenry)
The End User: Striking the Right Balance between Security and User Enablement in Cloud Platforms (Purdue/Wisconsin)

Refreshment Break in Exhibit Hall: 2:30 pm – 3:00 pm, Salon 1 & 2

Breakout Session Four: 3:00 pm – 3:45 pm
The Permissions Gap (Indiana/Iowa)
Infosec in the Hot Seat: How to Accomplish Breach Response Readiness (Lincolnshire 1&2)
Preventing, Insuring, and Surviving Fund Transfer Fraud (Northwestern/Ohio State)
Diversified IT: Why the Security Workforce Needs Qualified Women...and Men (Kane/McHenry)
Security & the Internet of Things (Purdue/Wisconsin)
Sponsored Session: House of Lies (Michigan/Michigan State)

Sponsor Prize Drawings: 3:45 pm – 4:00 pm, Salon 1 & 2

Cyber Defense Center, 6th Floor, Diamond Sponsors: 4:00 pm – 5:00 pm
Bomgar (Indiana/Iowa); Microsoft (Lincolnshire 1&2); Spikes Security (Northwestern/Ohio State); Symantec (Purdue/Wisconsin); Venafi (Michigan/Michigan State)


Tuesday, October 13
International Conference Registration Open: 7:00 am – 12:00 pm, 7th Floor Registration
Women in Security Breakfast, Networking for Success: 7:30 am – 8:30 am, Kane/McHenry
Join us for a WIS SIG breakfast filled with cybersecurity fun facts, networking opportunities, and plenty of ways to earn some great swag. Interact with peers and women luminaries in the field who are working to bring information, opportunity, and success to each of you. Celebrate with and recognize those leaders who have made the past five years of WIS SIG possible.
Breakfast: 8:00 am – 9:00 am, Salon 3
Keynote Address, Dan Geer: 9:00 am – 10:00 am, Salon 3
Exhibit Hall Open: 10:00 am – 2:00 pm, Salon 1 & 2
Break in Exhibit Hall: 10:00 am – 10:15 am, Salon 1 & 2

Breakout Session Five: 10:15 am – 11:00 am
The Future of Mobile App Security (Kane/McHenry)
Practical Application Security for the Real World (Indiana/Iowa)
N-Gram Analysis in Suspect Author Identification of Anonymous Email (Lincolnshire 1&2)
Embedded Like a Tick: Cyber Intelligence (Northwestern/Ohio State)
Data Classification Discovery and Response Prioritization (Purdue/Wisconsin)
ISSA Women in Security SIG Presentation: Looking to 2020: Are We Too Late? (O'Hare)

Breakout Session Six: 11:15 am – 12:00 pm
Mobile Security: Applied Privacy Engineering: User-Controlled, User-Monetized Mobile Advertising (Kane/McHenry)
App. Security: Medical Device Safety and Security (MeDSS): Assessing and Managing Product Security Risk (Indiana/Iowa)
Infrastructure: Taking Control of Control: Addressing Cybersecurity in Industrial Control Systems (Lincolnshire 1&2)
Incident Response: Stake Your Reputation on Your Security Incident Response Program CSIRT (Northwestern/Ohio State)
Laws & Regs.: Cyber Security Liability Insurance: Need It or Leave It (O'Hare)
Business Skills: How to Be a Highly Effective CISO: Top 10 Performance Success Factors (Purdue/Wisconsin)
The End User (Sponsored Session): Build an Adaptive Awareness Program Based on NIST's Cybersecurity Framework (Michigan/Michigan State)

Awards Luncheon: 12:00 pm – 1:30 pm, Salon 3

Party in the Sky: Work Hard, Play Hard, 1,000 Feet above the Town!
Monday night, 6:00 pm – 9:00 pm
Party with the stars in the sky and the stars of cybersecurity in the 360 Chicago Observatory. Take advantage of ISSA's private use of 360 Chicago's 30-degree, all-glass, tilt-out stations for a new angle on Chicago and the Magnificent Mile! See page 4 of this guide for directions.


Sponsor Prize Drawings: 1:30 pm – 1:45 pm, Salon 1 & 2

Breakout Session Seven: 1:45 pm – 2:30 pm
Security or Convenience? Enabling a Collaborative Work Environment (Kane/McHenry)
Let's Hack a House (Lincolnshire 1&2)
Featured Speaker: 2015 Verizon Data Breach Investigation Report (Salon 3)
Current Trends and Our Methods for Defense (Northwestern/Ohio State)
Sponsored Session: Preventing the Inevitable: Safeguarding Critical Assets in the Age of the Mega-Breach (Michigan/Michigan State)
Computer Security for SMB/Government (Purdue/Wisconsin)
Sponsored Session: Information Security Beyond Tools and Toys: How Do We Advance the Culture Side of It? (Indiana/Iowa)

ISSA Cyber Security Career Lifecycle Program Sessions: 3:00 pm – 3:45 pm
Join ISSA for our first Cybersecurity Career Lifecycle™ (CSCL) Working Group Sessions. The CSCL program exists to enable professionals to steer their individual career paths by providing the guidance and resources needed to achieve their long-term career goals. These working groups will divide conference attendees into the five stages of the lifecycle. Please join the working group that best fits your current place in the lifecycle to learn about ISSA's offerings for your specific CSCL level, get advice for advancing to the next level, and provide feedback on what services ISSA can provide to grow this program.
Pre-Professional Working Group (Lincolnshire 1&2); Entry Level Working Group (Indiana/Iowa); Mid-Career Working Group (Northwestern/Ohio State); Senior Level Working Group (Kane/McHenry); Security Leader Working Group (Purdue/Wisconsin)

Sponsored Session: Securing Our Future: Lessons from the Human Immune System
Jeff Hudson: CEO, Venafi (Michigan/Michigan State)

Cyber Defense Center, 6th Floor, Diamond Sponsors: 4:00 pm – 5:00 pm
Bomgar (Indiana/Iowa); Microsoft (Lincolnshire 1&2); Spikes Security (Northwestern/Ohio State); Symantec (Purdue/Wisconsin); Venafi (Michigan/Michigan State)

Cyber Security Career Lifecycle Levels and Descriptions


PRE-PROFESSIONAL: any individual who has not yet obtained a position working in the cybersecurity field. This may include anyone who has an interest in working in this area, with or without formal training and education in the field. Examples of individuals who may be in this phase are those who are switching careers (former military, IT, retail, law enforcement, etc.) and students (high school or university).

ENTRY LEVEL: an individual who has yet to master general cybersecurity methodologies/principles. Individuals in this phase of the life cycle may have job titles such as associate cybersecurity analyst, associate network security analyst, or cybersecurity risk analyst.

MID-CAREER: an individual who has mastered general security methodologies/principles and has determined an area of focus or specialty. Individuals in this phase of the life cycle may have job titles such as network security analyst, cybersecurity forensics analyst, application security engineer, and network security engineer. Individuals who are nearing the senior level may begin to hold job titles such as senior network security engineer or senior cybersecurity analyst.

SENIOR LEVEL: an individual who has extensive experience in cybersecurity and has been in the profession for 10+ years. These individuals have job titles such as senior cybersecurity risk analyst, principal application security engineer, or director of cybersecurity.

SECURITY LEADER: an individual who has extensive security experience and the ability to direct and integrate security into an organization. These individuals have job titles such as Chief Information Security Officer or Chief Cybersecurity Architect. After extensive periods of leadership, some become recognized industry leaders.
Note: if the session fits multiple levels, the lower and higher levels will be displayed.


Breakout Sessions
Monday, October 12, 2015

Breakout Session One: 10:00 am – 10:45 am

Featured Speaker
Embracing and Securing the Internet of Things (IoT)
Demetrios Lazarikos: CISO, vArmour
Track: Infrastructure
10/12/2015, 10:00 am - 10:45 am
Salon 3
Smarter, connected products offer an increasing range of opportunities and capabilities that span multiple boundaries. The IoT space is the new norm. The use of these smarter, connected products will force businesses to face a new set of strategic choices about how information security is integrated into these complex IoT ecosystems. Veteran CISO Demetrios Lazarikos (Laz) will review how IoT has been adopted as the fastest disruptive technology in recent years, the information security considerations that come with it, and what can be expected for future integration.

The Value Proposition for Federated Digital Identity Services
Stu Vaeth: Senior Vice President, Business Development, SecureKey
Track: Mobile Security
10/12/2015, 10:00 am - 10:45 am
Kane/McHenry
Mobile devices are becoming the de facto method for marketing, retail, payments, and social activities. However, as consumers hop from channel to channel, keeping their personal information both accessible and secure is a huge challenge. In this session, SecureKey SVP of Business Development Stu Vaeth will showcase the government of Canada's award-winning implementation of a federated digital identity service and discuss how it is enabling Canadian consumers to simply and securely access government services with the credential of their choice.

Sponsored Session
Harnessing Innovation to Address Emerging Security Challenges
Moderator: Dr. Michael C. Redmond, PhD
Panelists: Gautam Aggarwal: Chief Marketing Officer, Bay Dynamics; Sean Blenkhorn: Senior Director of Solutions Engineering, eSentire, Inc.; Jack Daniel: Tenable Network Security, Inc.; Kevin Sapp: Vice President, Strategy
Track: Incident Response
10/12/2015, 10:00 am - 10:45 am
Indiana/Iowa
2015 is a year in cybersecurity like we have never seen before. The year is not even complete and we have seen numerous cyber attacks in the form of breaches, denial of service, ransomware, and many more. These are just a few of the threats that keep many CISOs up at night. They say two types of companies exist in the United States: those that have been hacked and those that don't know they have been hacked. You know the risks; now find out the solutions in this invigorating session made up of a panel of experts.

SELinux Integrity Instrumentation (SII)
Dr. Mike Libassi: Adjunct Professor and Sr. Performance Engineer, Colorado Technical University
Track: Infrastructure
10/12/2015, 10:00 am - 10:45 am
Lincolnshire 1&2
Because SELinux acts as a security reference monitor, the integrity of its configuration is critical. SELinux users battle the complexity of the configuration and have few methods to verify its setup; there is a lack of methods to ensure SELinux configuration compliance. This doctoral dissertation research created a set of algorithms to monitor the configuration of SELinux and alert on changes. SII also offers the ability to see relationships between services and SELinux policies based on type/domain. The session will cover the research and offer a live demo of the framework used during the research.

Pathways to Empowered Security Leadership
Moderator: Marci McCarthy: President & CEO, T.E.N.
Panelists: Todd Fitzgerald, Global Director Information Security, Grant Thornton International, Ltd.; Larry Lidz, CISO, CNA Insurance; Jeff Reich, CSO, Barricade; Richard Rushing, CISO, Motorola
Track: Business Skills for the Information Security Professional
10/12/2015, 10:00 am - 10:45 am
Northwestern/Ohio State
The evolving security leader can seamlessly blend technical knowledge with business acumen to serve as a trusted partner to the board and the business, but no one starts at the top. During this invaluable panel discussion, top CISOs and information security leaders will share personal stories about when and where their careers began, what pivotal events launched them into leadership, and what has empowered them to grow stronger in the field. Security professionals at any level of experience will benefit from hearing the advice, knowledge, and personal challenges these leaders have faced on their pathways to empowered leadership.

Sponsored Session
Malvertising, Drive-by Downloads, and Web Exploits: Stop Them All with Browser Isolation
Ben Strother: Director of Business Development, Spikes Security
Track: Infrastructure
10/12/2015, 10:00 am - 10:45 am
Michigan/Michigan State
All businesses rely on web applications, but connecting to the Internet introduces the risk of running untrustworthy code from servers outside your organization's control. Effectively defending against web malware threats requires isolating web content in disposable virtual machines run on hardened appliances in your organization's demilitarized zone. Isolation shields your endpoints from web-based malware while allowing them to browse the web safely, and protects your network.

Silver Bullet for Identifying Hacking and Information Theft in ERP Systems
Moshe Panzer: CEO, Xpandion
Track: Business Skills for the Information Security Professional
10/12/2015, 10:00 am - 10:45 am
Purdue/Wisconsin
The modern attacker targeting ERP systems knows the current technologies and is well prepared for them. The only unbreakable method for identifying hacking attempts and information theft is monitoring



user activity and identifying suspicious behavior. This session will focus on identifying irregular user activity from different angles, activity in multiple system environments, static and dynamic controls over user activity, and more. Real-life examples of identifying hackers and internal fraud using these methods will be shown.

Breakout Session Two: 11:00 am – 11:45 am

Cisco Annual Security Report
James Natoli: Systems Engineering Manager, Cisco Systems Inc.
Track: Mobile Security
10/12/2015, 11:00 am - 11:45 am
Kane/McHenry
A discussion of the results of a study that Cisco conducts every year: 1,700 customers in nine different countries were followed and studied. The 2015 Cisco Annual Security Report is a look into the attackers and the practices of the defenders. This is an industry, product-agnostic presentation; no vendor's products are discussed. The report itself is freely available.

Understanding and Defending against Data Breaches as Part of a Custom Software Development Process
Frank S. Rietta, MSIS: Senior Developer, Rietta Inc.
Track: Application Security
10/12/2015, 11:00 am - 11:45 am
Indiana/Iowa
Security incidents that lead to data breaches have been happening frequently, from the latest Anthem Blue Cross breach to Target to Home Depot to breaches such as the MongoHQ incident that led to the BufferApp compromise. Waiting until a software project is complete and bolting security on through the use of security software or network security countermeasures is not effective enough. To have a chance to build a secure system, a team requires the active support of developers, and the organization needs to adopt a written information security policy that influences business-model decisions and the requirements-gathering process.

Sponsored Session
The Fight Against Phishing: Defining Metrics That Matter
Mark Chapman: President and CEO, Phishline
Track: Securing the End User
10/12/2015, 11:00 am - 11:45 am
Michigan/Michigan State
Phishing and social engineering attacks are at the heart of most significant data breaches. Threats targeting the human layer continue to evolve beyond the obvious. In this session, explore how a risk-based approach applied at the human layer improves organizational resilience and user-level resistance to these threats.

Mainframe Security: A Practical Overview
Joe Sturonas: Chief Technology Officer, PKWARE, Inc.
Track: Infrastructure
10/12/2015, 11:00 am - 11:45 am
Lincolnshire 1&2
Whether you started on mainframes, are still working with them, or have never seen a mainframe, this is a practical view into the security capabilities of today's z/OS systems. Mainframes started out in the glass house and host much of an enterprise's critical sensitive data, but they are not in the glass house anymore. They are just a node on a TCP/IP network and look like any other



server. But is the mainframe being protected like the other servers on the network? This is a survey of the ways z/OS mainframes are being protected today and will include some demonstrations to illustrate common security capabilities.

Patient Portal Security: Ensuring Security and Enhancing Patient Privacy
George Bailey: Senior Security Advisor, Purdue Healthcare Advisors
Track: Laws and Regulations
10/12/2015, 11:00 am - 11:45 am
Northwestern/Ohio State
The US national health IT strategy is calling for the deployment of patient portals and expanded patient engagement. This session will introduce application, network, and security operations best practices to ensure a secure and privacy-preserving patient portal. The session will close with a discussion of identity and access management recommendations for establishing a robust and secure patient enrollment process.

Making the Business Case for Information Security
William Perry: Chief Information Security Officer, California State University Office of the Chancellor
Track: Business Skills for the Information Security Professional
10/12/2015, 11:00 am - 11:45 am
Purdue/Wisconsin
Often ill-equipped with outdated defenses, education is a prime target for cybercriminals. In fact, a recent cybersecurity threat report names education as the sixth most targeted industry in the world. Between budget constraints, security policies, and often a misperception about the risk, higher education security professionals and business executives undoubtedly face a significant challenge. Please join California State University CISO William Perry to learn how the California university system is protecting its most sensitive information against today's advanced cybercrime. Mr. Perry will share his security road map as it relates to several key elements of developing an effective strategy and business case.

Featured Speaker
Information Security Needs a Reboot
Arlan McMillan: CISO, IT Security, Risk, and Compliance, United Airlines
Track: Business Skills for the Information Security Professional
10/12/2015, 11:00 am - 11:45 am
Salon 3
Breaches are increasing in both size and frequency, but most information security teams' means and methods remain unchanged. As financial and reputational losses continue to mount, boards are demanding that the same rigor and discipline used in measuring their financial and business risks be applied to how cyber risk is evaluated. To achieve this, the existing information security paradigm must be broken. The profession's continued focus on tools and technology to protect complex organizations doesn't and won't work. While a core function of an information security team will always be cyber response, the profession must pivot away from acting as the sole team that protects the enterprise to the team that evaluates risk and directs coordinated action from across the enterprise. This talk will discuss the changing role of the information security team and its leadership and introduce a formalized methodology to measure and communicate cyber risk. Attendees will come away with over 300 metrics, KPIs, and KRIs to use in their



organization and a framework to measure their gaps and successes. Once implemented, you'll be able to confidently answer the five key questions that board-level executives are asking: How do I know when the security program is working? Is my security program aligned to the organization's desired risk profile? Can I report to the board our current risk posture and quantify the potential impact of threats to the business? Is my organization more or less secure than last year? Am I spending the right amount of money?

Breakout Session Three: 1:45 pm – 2:30 pm

Striking the Right Balance between Security and User Enablement in Cloud Platforms
Ron Zalkind: CTO and Co-Founder, CloudLock
Track: Securing the End User
10/12/2015, 1:45 pm - 2:30 pm
Purdue/Wisconsin
With the consumerization of IT, employees are self-selecting and enabling third-party apps independently, blurring the lines between sanctioned and unsanctioned IT. The security concerns are understandable. However, many of these apps offer compelling productivity and efficiency-enhancing benefits. When companies deny access to certain applications, they get between their employees and how they want to work. In organizations where this is the case, it is clear that companies and policies are not keeping pace with technology adoption and are failing their workers. This session will reveal how organizations can strike the right balance between security and user enablement in cloud platforms.

Sponsored Session
The New Security Stack: 2015–2020
James Brown: Product Manager, OpenDNS
Track: Incident Response
10/12/2015, 1:45 pm - 2:30 pm
Michigan/Michigan State
What does it mean when we say the perimeter is dead? We know that we now live in a world with myriad devices with Wi-Fi and cellular connections, employees working outside the office, and applications and data moving to the cloud. It's a brand new IT landscape, with a boundless surface to protect from entirely new threats, in a world filled with more sophisticated attackers. What are we going to do? What should the new security stack look like? Let's talk about how to re-establish the benefits of a secure network perimeter in a world where one no longer exists. Join this session and learn how to: extend threat protection from your existing security stack beyond the traditional network perimeter; leverage how the Internet already works to enforce always-on security and gain global visibility into emerging threats; and watch as attacks are staged by observing changes in the Internet's infrastructure.

Architecting Your InfoSecurity/Cybersecurity Organization, Teams, and Careers
David Foote: Co-founder, Chief Analyst and Chief Research Officer, Foote Partners LLC
Track: Business Skills for the Information Security Professional
10/12/2015, 1:45 pm - 2:30 pm
Kane/McHenry
Information technology as an engine of enterprise innovation and competitiveness has caught many IT leaders and professionals unprepared. For years they've been slow to address persistent human-capital problems ranging from IT skill deficits, hiring/retention issues, and pay inequalities to murky promotion paths and ineffective professional development programs. Coming to the rescue: applying traditional architecture principles to infosec/cybersecurity human capital and workforce management. Known as people architecture, it is now the dominant strategy for executing mission-critical IT-business initiatives effectively and predictably. In this session industry analyst David Foote will define the pillars of infosec/cybersecurity people architecture, describe its components, and reveal who's doing it and how they're doing it.

Why Traditional Perimeter Security Approaches Leave Your APIs Exposed to Threats
Sachin Agarwal: Vice President, Product Marketing and Strategy, Akana
Track: Application Security
10/12/2015, 1:45 pm - 2:30 pm
Indiana/Iowa
More and more enterprises today are doing business by opening up their data and applications through APIs. Though forward-thinking and strategic, exposing APIs also increases the attack surface available to hackers. To benefit from APIs while staying secure, enterprises and security architects need to keep developing a deep understanding of API security and how it differs from traditional web-application security or mobile-application security.

Cybersecurity Due Diligence of a Vendor: Legal Requirements and Beyond
Marilyn Hanzal: Associate General Counsel, University of Chicago Medical Center; Rich Skinner: Executive Advisor, S3 Venture Group
Track: Laws and Regulations
10/12/2015, 1:45 pm - 2:30 pm
Northwestern/Ohio State
The objective of this panel discussion is to review the legal requirements that form the foundation of an entity's compliant cybersecurity-vendor due-diligence model, understand why exceeding the legal requirements can cause legal liability, appreciate the value of certain vendor contract terms including insurance requirements, and discuss the challenges of static versus ongoing due-diligence activities. The conversation will look at these issues across all industries, but will include particular focus on highly regulated industries, including healthcare.

ISSA Women in Security SIG Presentation: TAP into Your Potential
Jyothi Charyulu: Senior Principal Application Architect, Sabre Inc.
Track: Business Skills for the Information Security Professional
10/12/2015, 1:45 pm - 2:30 pm
O'Hare
TAP into Your Potential helps you create an effective road map that identifies your #1 goal, an action plan, and a sustainable program to make your #1 goal a reality. You will understand the success factors that got you to your current level of mastery. You will then work on identifying your top 10 goals, prioritize your topmost goal, and create an action plan for it. Finally, you will create a program plan, complete with risk analysis, mitigation plans, and backup action plans. The TAP workshop will train you to generate immense success in every endeavor.

It's Not a Cyberwar; It's a Lifestyle
Jeff Reich: Chief Security Officer, Barricade
Track: Infrastructure
10/12/2015, 1:45 pm - 2:30 pm
Salon 3
How much does security cost? Probably too much. The key to success in protection, defense, and offense in the non-kinetic world is having the right people do the right thing. With the proliferation of attacks, breaches, disclosures, and malware, one could make the case that we are at war continuously. Rather, we need to view this as normal and adapt accordingly. Walking down the street does not enlist you in a war on crime, just as being online does not place you in a cyberwar. The discussion during this session will



point out opportunities to improve security by not training and hiring more security professionals. Contrary opinions are welcome.

Preparing for the Big One
David Phillips: Managing Director, Cybersecurity Consulting, Berkeley Research Group
Track: Incident Response
10/12/2015, 1:45 pm - 2:30 pm
Lincolnshire 1&2
The board cannot wait for the Big One. From the Securities and Exchange Commission to the American Bar Association to the White House, regulatory and oversight bodies are foreshadowing the liability event. CxOs, board members, shareholders, and insurance companies are going to feel the punch as negligence suits become the norm. Preparing for a major privacy data breach requires a board-level approach to coordination across general counsel, CISO, finance, HR, IT operations, and partners. The session will focus on a five-step process for developing an effective executive cybersecurity program that demonstrates due diligence.

Breakout Session Four: 3:00 pm – 3:45 pm

Diversified IT: Why the Security Workforce Needs Qualified Women...and Men
Tammy Moskites: CIO and CISO, Venafi
Track: Business Skills for the Information Security Professional
10/12/2015, 3:00 pm - 3:45 pm
Kane/McHenry
There's long been a need for a more diverse slate of candidates in information technology, but lately the need is growing much stronger simply for finding qualified security professionals, men and women alike, to enter the workforce and grow long and rewarding careers in cybersecurity. A recent 2015 Frost & Sullivan report said that the global workforce shortage of security professionals will reach 1.5 million within five years, and the need for a wider skill set and strong communication skills has never been greater. So how do we build the next generation of cyber warriors and also ensure that more women get interested at an early age in joining the workforce? This presentation will discuss firsthand lessons learned from Tammy Moskites, Venafi's CIO/CISO, who has enjoyed a 30-year career in IT and security. Tammy will discuss the challenges of entering the workforce as a woman and how she's built and grown her career over the years. She'll also discuss how she's built and mentored great teams and where she sees the need for skills to evolve as the threatscape has changed.

Sponsored Session
House of Lies
Aamir Lakhani: Senior Security Strategist, Fortinet
Track: Incident Response
10/12/2015, 3:00 pm - 3:45 pm
Michigan/Michigan State
Social engineering tactics from attackers are not new and have been used for decades. Social engineering attacks have had some of the most devastating consequences in the most recent data breaches. Their scope goes beyond phishing links and fake profiles. Modern social engineering tactics have been used to stage complex modern attacks. This talk will look at case studies of modern data breaches, taking an in-depth look at the social engineering tactics, and examine how complex attacks were launched and bypassed traditional cyber security defensive devices. Lastly, we will conclude by examining what these organizations could have done to mitigate



Advancing the Culture of Security

Monday, October 12 Session Four


these attacks and how they could have protected themselves. We will look at policies, procedures, and next-generation security devices that may help combat this risk.

Security and the Internet of Things
Nick Percoco: Vice President, Strategic Services, Rapid7
Track: Securing the End Users
10/12/2015, 3:00 pm - 3:45 pm
Purdue/Wisconsin
Wearables. Smart homes. Connected cars. As technology becomes more pervasive, attackers are growing more sophisticated, cyberespionage is becoming a real-world concern, and breaches are skyrocketing. For security professionals, the challenge of contending with shadow IT while still finding the time to stay abreast of external threats can feel like a perfect storm designed to derail security programs. In this talk, Nick Percoco will 1) address how the Internet of things impacts security, 2) forecast where the industry will go in 5, 10, and 15 years, and 3) provide a road map for how organizations can position their security program for success amidst an uncertain future.

Infosec in the Hot Seat: How to Accomplish Breach Response Readiness
Peter Sloan: Partner, Husch Blackwell LLP; Rob Rudloff: Partner, RubinBrown LLP
Track: Incident Response
10/12/2015, 3:00 pm - 3:45 pm
Lincolnshire 1&2
In many organizations, executive management has off-loaded preparedness for data breach response to the CISO. But the subset of security incidents that are significant data breaches will require coordinated execution of interrelated activity channels: security, legal, forensic, law enforcement, regulatory, insurance coverage, public relations, stakeholders, and personnel management. IT security response preparedness is necessary, but not sufficient. Many of these activities may be beyond the CISO's reach, creating a dangerous mismatch of authority vs. accountability. This session will explore how CISOs can help their organizations move beyond incident preparedness to effective breach response readiness.

Preventing, Insuring, and Surviving Fund Transfer Fraud
Nick Merker, CISSP, CIPT: Attorney, Ice Miller LLP; Nick Reuhs: Attorney, Ice Miller LLP; Stephen Reynolds, CIPP/US: Partner, Ice Miller LLP
Track: Laws and Regulations
10/12/2015, 3:00 pm - 3:45 pm
Northwestern/Ohio State
It usually isn't sexy from a technical perspective, but more and more businesses are feeling the effects of fund transfer fraud. Whether it is a spear phishing attack, social engineering, or malware specifically tailored to obtain online banking credentials, hundreds of thousands of dollars are at risk to these attacks. If your business is not prepared for and properly insured against these items, you could be left holding the bag. Overseas organized crime is using increasingly sophisticated methods to gain temporary control of commercial accounts and to initiate fraudulent wire transfers. Over the past year, new fraud techniques have proven increasingly effective, and US companies are becoming victims of these attacks at an alarming rate.


Monday, October 12 Session Four and Cyber Defense Center

The Permissions Gap
Lee V. Mangold: Managing Security Engineer, GuidePoint Security
Track: Infrastructure
10/12/2015, 3:00 pm - 3:45 pm
Indiana/Iowa
In this presentation, Lee Mangold will discuss how excessive permissions in operating system and application architectures have been the primary contributing factor in the majority of data breaches. Lee will show how best practices are not filling this permissions gap and offer actionable discovery and remediation techniques.

Cyber Defense Center Diamond Sponsors
October 12, 4:00 pm - 5:00 pm, 6th floor
Bomgar: Indiana/Iowa
Microsoft: Lincolnshire 1&2
Spikes Security: Northwestern/Ohio State
Symantec: Purdue/Wisconsin
Venafi: Michigan/Michigan State
See pages 23 and 24 for session descriptions.

Tuesday, October 13 Session Five

Tuesday, October 13, 2015
Breakout Session Five: 10:15 am - 11:00 am

Featured Speaker
James C. Trainor, Jr., Assistant Director, Cyber Division, FBI
10/13/15, 10:15 am - 11 am
Salon 3

ISSA Women in Security SIG Presentation: Looking to 2020: Are we too late?
Jill Rhodes: Vice President and Chief Information Security Officer, Trustmark Companies
Track: Incident Response
10/13/2015, 10:15 am - 11:00 am
O'Hare
Every day, we work to protect our companies, organizations, and government from the information security threats around us. Our focus is on controls, educating our associates, determining how best to fund our efforts, engaging our senior leadership, and keeping our organizations' names off Krebs Online. That said, we somehow are missing the big picture related to where we, as a nation, are in terms of protecting ourselves. The public sector and private sector are starting to work together, but there are so many constraints that even this leaves much to be desired. In this presentation, the presenter applies the often used Capability Maturity Model to our nation to see how secure we are as a nation and then presents ideas for how to think strategically in order to move our nation forward over the next several years. Her current assessment is that we are somewhere in the ad hoc to repeatable phase and that to effectively address global information security threats over the coming years, our nation will need to define a multi-tier, integrated approach. This approach will be discussed during the session.


Tuesday, October 13 Session Five

The Future of Mobile App Security
Vincent Sritapan: Program Manager for Mobile Security R&D, Department of Homeland Security, S&T - Cyber Security Division
Track: Mobile Security
10/13/2015, 10:15 am - 11:00 am
Kane/McHenry
Do you know what your mobile app is doing? Are you relying on app markets to protect you? Today's mobile apps are riddled with defects that hackers can exploit. Vincent Sritapan, a Cyber Security Division program manager at the Department of Homeland Security S&T, will discuss ongoing research for securing mobile technology. He will present a current project in mobile app archiving that can continuously inventory apps from mobile app markets like iTunes, Google Play, and Windows Phone Store, and includes over 83 global app marketplaces. He will discuss the future of mobile app security and where R&D is taking us.

Practical Application Security for the Real World
Andrew Leeth: Product Security Engineer, Salesforce
Track: Application Security
10/13/2015, 10:15 am - 11:00 am
Indiana/Iowa
Web applications are undoubtedly our future for interacting with businesses and data. Companies trust their data and reputations with applications, which most times provide Internet-accessible avenues inside the firewall. This presentation will demonstrate web-based attacks through live demos and touch upon mitigation strategies. Tools for application testing will be discussed and tested against our vulnerable applications. Further, we will discuss the effort needed to fix these vulnerabilities. As a security professional, you will be able to give the proper fixes and understand the level of effort needed by developers.

Embedded Like a Tick: Cyber Intelligence
Jeff Bardin: Chief Intel Officer, Treadstone 71
Track: Laws and Regulations
10/13/2015, 10:15 am - 11:00 am
Northwestern/Ohio State
Most intelligence collection in IT shops is driven exclusively by technology and technical information. This provides only a fraction of the necessary data, information, and potential actionable intelligence needed. Creating online personas helps round out the collection efforts and serves to establish a beachhead in target communities of interest. Know your adversaries as they know you, gathering information about their intent before execution of that intent.

N-Gram Analysis in Suspect Author Identification of Anonymous Email
Paul Herrmann, CISSP, EnCE, CISA, CPP: President, eVestigations Inc.
Track: Incident Response
10/13/2015, 10:15 am - 11:00 am
Lincolnshire 1&2
In late 2010, a Fortune 100 company's executives were being threatened via anonymous email. Multiple anonymous remailers prevented standard IP-tracing techniques. eVestigations Inc. developed a system and protocol utilizing current linguistic techniques to successfully identify the perpetrator. Empirical authorship analysis has a long history, primarily as it relates to literary works of unknown or disputed authors. One such technique known


Tuesday, October 13 Sessions Five and Six


as N-Gram Analysis has shown promise in identifying the most likely author of known texts when presented with candidate authors having predefined text samples of undisputed authorship.

Data Classification Discovery and Response Prioritization
Tim Plona: Business Solution Architect, Freeport-McMoRan
Track: Securing the End Users
10/13/2015, 10:15 am - 11:00 am
Purdue/Wisconsin
Data classification and secure handling are something companies desire to do. This presentation will demonstrate how a company can attack the topic. It shares the methodology for how sensitive data sets can be identified, risk qualified, and quantified. Through use of this model, measurements can be made on risk and progress towards remediating the risk issues a company faces. Lastly, through measurement and reporting, senior management can be made aware of data risks and progress towards improving the secure handling of sensitive data.

Breakout Session Six: 11:15 am - 12:00 pm

Sponsored Session
Build an Adaptive Awareness Program Based on NIST's Cybersecurity Framework
Tom Pendergast: Director of Awareness Solutions, Instructional Design Manager, MediaPro; Steven Conrad: Managing Director, MediaPro
Track: Securing the End Users
10/13/2015, 11:15 am - 12:00 pm
Michigan/Michigan State
NIST's Cybersecurity Framework describes a Tier 4: Adaptive program as one that uses a process of continuous improvement incorporating advanced cybersecurity technologies and practices to respond to evolving and sophisticated threats in a timely manner. The question is, how? In this presentation, we'll discuss the range of options you have to plan, measure, train, analyze, and continually adapt your program to shifting risks. You'll come away armed with options for raising the bar on your end user awareness efforts.

Applied Privacy Engineering: User-Controlled, User-Monetized Mobile Advertising
Kevin O'Neil: CISSP, CYVA Research Corporation
Track: Mobile Security
10/13/2015, 11:15 am - 12:00 pm
Kane/McHenry
Observation: primitive data objects cannot protect or govern self. CYVA Research has designed a self-protecting, self-governing mobile object, a self-determining digital persona that enforces privacy and empowers the right of persons to be secure in their human-digital existence. These technologies are being built in accordance with our guiding architecture principles: human-digital dignity and human-digital integrity. Human-digital integrity: never separate people's data from their policies, and the capability for them to enforce governance over the use of their human-digital identity wherever they exist.

Stake Your Reputation on Your Cyber Security Incident Response Program (CSIRT)
Dr. Michael C. Redmond: CEO and Lead Consultant, Redmond Worldwide
Track: Incident Response
10/13/2015, 11:15 am - 12:00 pm
Northwestern/Ohio State
Learn best practices for CSIRT programs, plans, playbooks, and testing. A cybersecurity incident response program is a must for any organization using the Internet. It must be robust yet flexible. Unfortunately, in spite of all of the cyber events, many companies are taking a long time to respond. Teams must be trained and have written procedures. Time is critical. Every incident costs the organization money and reputation.

Cyber Security Liability Insurance: Need It or Leave It
Moderator: Andrea Hoy: President, ISSA
Panelists: Ronald Raether: Partner, Troutman Sanders; Brian Thornton: President, ProWriters
Track: Laws and Regulations
10/13/2015, 11:15 am - 12:00 pm
O'Hare
This session will feature three speakers' perspectives on a new type of insurance, cyber-insurance. It will cover what cyber-insurance is, how organizations are using it, and how it can be used in an organization's IT security/risk program, including how it plays a role in a sound data governance model. Attendees will also learn what they need to know in evaluating different cyber-insurance options, whether it makes sense for their company, and how to present their information security program to the cyber-insurance market.

Taking Control of Control: Addressing Cybersecurity in Industrial Control Systems
Daniel Ziesmer: ISSO, Bechtel Corporation
Track: Infrastructure
10/13/2015, 11:15 am - 12:00 pm
Lincolnshire 1&2
Industrial control systems (ICS) have become something of a third rail in cybersecurity circles. Managing everything from light dimmers to elevators to the electricity we all rely upon, ICS automates many aspects of our everyday physical environments, but its historically insecure architecture represents a growing and significant security risk that is difficult to manage using traditional security approaches. Even worse, it has become a nearly irresistible target for those seeking to wreak havoc by jumping the gap from information disruption to real-world destruction. This presentation highlights how the failures to secure ICS are presenting real threats to everyday business operations. More importantly, however, this presentation attempts to present a series of ideas for real change to combat these threats, ideas that can be used by security professionals in their respective environments to start fixing the more immediate problems, mitigate the current and near-future risks, and provide leadership to effect change into the future.

Medical Device Safety and Security (MeDSS): Assessing and Managing Product Security Risk
John Lu: Principal, Cyber Risk Services, Life Sciences and Healthcare Industry, Deloitte & Touche LLP; Muhammad Kashif: Manager, Cyber Risk Services, Life Sciences and Healthcare Industry, Deloitte & Touche LLP
Track: Application Security
10/13/2015, 11:15 am - 12:00 pm
Indiana/Iowa
The US Food and Drug Administration (FDA) has recently signaled a significant shift in a paradigm that is relevant for many stakeholders in the networked medical-device arena by pointing out that as medical devices are increasingly interconnected via the Internet, hospital networks, other medical devices, smart phones, electronic health records, and third-party cloud solutions, there is an increased


Tuesday, October 13 Sessions Six and Seven


risk of cybersecurity attack. Such an attack could affect how a medical device operates and ultimately endanger human health or, worse, human life. This session will explore the cybersecurity risks related to networked medical devices, including the types of vulnerabilities currently observed in both wired and wireless medical devices in hospitals and large health systems. This session will also highlight Deloitte's framework for addressing the evolving recommended practices and standards for assessing, designing, testing, and manufacturing more secure networked medical devices.

How to Be a Highly Effective CISO: Top 10 Performance Success Factors
Brian Schultz, CISSP, ISSMP, ISSAP, CISM, CISA: Technical Director, Cyber Architecture and Advisory Services, Battelle; Bob Bigman: President, 2BSecure; Dave Cullinane: Co-founder, TruSTAR
Track: Business Skills for the Information Security Professional
10/13/2015, 11:15 am - 12:00 pm
Purdue/Wisconsin
Join Brian Schultz, who has served as an advisor to many CISOs, for a CISO panel discussion to explore the top 10 performance success factors of highly effective CISOs. Topics will include identifying your adversaries, marking your enterprise crown jewels, optimizing security posture based on ROI, performance beyond compliance, meaningful benchmarking in your industry, dealing with inappropriate reporting structures, effective C-suite and board communications, recruiting and retaining exceptional talent, building and maintaining a collaborative CISO mentor network, and contributing industry thought leadership.

Breakout Session Seven: 1:45 pm - 2:30 pm

Sponsored Session
Information Security beyond Tools and Toys: How Do We Advance the Culture Side of IT?
Moderator: Sali Osman: Security & Risk Management Advisor, ARAMCO
Track: Securing the End Users
10/13/2015, 1:45 pm - 2:30 pm
Indiana/Iowa
Companies spend a big chunk of the IT budget on security tools testing, deployment, and maintenance. Mature companies realized (early on) the importance of processes and methodologies around these tools. What companies and the industry as a whole are still struggling with is advancing the institutional culture (i.e., the attitude of employees, clients, suppliers, and partners). This session will share some organizational initiatives (global) to overcome the flat learning curve.

Current Trends and Our Methods for Defense
Adam Keown: Security Consultant / Solutions Architect, TEKsystems
Track: Laws and Regulations
10/13/2015, 1:45 pm - 2:30 pm
Northwestern/Ohio State
In the past several years a growing list of computer breaches has scarred numerous US entities from financial industries, healthcare providers, and the entertainment industry. Adam Keown will provide direct experience about the impact of these breaches from his time in the FBI and more recently as a private consultant at TEKsystems. He will discuss methods of attack, defensive measures for reducing risk, and briefly look into a crystal ball.

Let's Hack a House
Tony Gambacorta: Vice President, Operations, Synack
Track: Infrastructure
10/13/2015, 1:45 pm - 2:30 pm
Lincolnshire 1&2
When we bring cameras, automation controllers, and other Internet of things devices into our lives, what risks do they bring with them? You may see a camera, but an adversary sees a feature-rich platform to attack your network infrastructure. In this session we'll provide an introduction to device hacking with no engineering background required.

Security or Convenience? Enabling a Collaborative Work Environment
Guy Bunker: Senior Vice President of Products, Clearswift
Track: Application Security
10/13/2015, 1:45 pm - 2:30 pm
Kane/McHenry
We live in a highly connected world, and we have become dependent upon the convenience of email, the cloud, and other collaboration tools; but in this effort to increase productivity, security has been compromised. However, organizations do not need to choose between security and convenience. In this presentation, Dr. Guy Bunker will explore the full scope of vulnerabilities presented by email and collaboration tools, as well as new information-borne threats, critical information hidden in metadata and document revision history, and advanced persistent threats (APTs) within active content. Dr. Bunker will share how to enable collaboration without compromising security.

Sponsored Session
Preventing the Inevitable: Safeguarding Critical Assets in the Age of the Mega-Breach
Robert Eggebrecht: Co-Founder, President, and Chief Executive Officer, InteliSecure
Track: Business Skills for the Information Security Professional
10/13/2015, 1:45 pm - 2:30 pm
Michigan/Michigan State
Data security is top-of-mind for organizations, from board members to front-line employees and their customers. Organizations are on guard, and rightly so: 2014 was an unprecedented year. Are data breaches now ubiquitous, a virtual certainty? Join InteliSecure's president and CEO, Robert Eggebrecht, as he discusses how to build a critical asset protection program (CAPP) that prevents data loss and protects critical assets. Highlights include:
• Prioritizing your organization's crown jewels based on revenue, income, reputation, and core operational impact
• Aligning your security risk and the corresponding plan
• Recognizing and responding to external and internal threats

Featured Speaker
2015 Verizon Data Breach Investigation Report
Dave Ostertag: Global Investigations Manager, Risk Team, Verizon
Track: Incident Response
10/13/2015, 1:45 pm - 2:30 pm
Salon 3
The 2015 Data Breach Investigations Report (DBIR) is out and marks the eighth consecutive year that Verizon has published this highly regarded report. The 2015 DBIR provides a detailed analysis of almost 80,000 incidents, including 2,122 confirmed data breaches. The key findings in the report are:
• The methods of attack are becoming increasingly sophisticated, often involving a combination of phishing, hacking, or malware.
• We found that in the last year, 23 percent of recipients opened


Tuesday, October 13 Session Seven, CSCL Program Sessions, Cyber Defense Center
phishing messages and 11 percent clicked on attachments.
• Nine patterns still cover the vast majority of incidents (96 percent) of the breaches in this year's dataset.
• We found that company size has no effect on the cost of a breach.

Computer Security for SMB/Government
Marv Stein: Sr. Security Consultant, TDAmeritrade
Track: Securing the End Users
10/13/2015, 1:45 pm - 2:30 pm
Purdue/Wisconsin
What makes an effective information security program for a small organization? This educational presentation is intended to promote awareness of the importance of IT security, understanding of IT security vulnerabilities, and corrective measures.

CSCL Program Sessions: 3:00 pm - 3:45 pm

Sponsored Session
Securing Our Future: Lessons from the Human Immune System
Jeff Hudson: CEO, Venafi
Track: Threats and Responses
10/13/2015, 3:00 pm - 3:45 pm
Michigan/Michigan State
All signs point to a future world of more complex, harder-to-detect cyber threats. Our adversaries are exploiting what seem to be our strengths. Intel predicts the next big hacker marketplace to be in the sale of digital certificates, already selling for more than $1000 each on Russian marketplaces. Gartner expects 50% of network attacks to use encrypted SSL/TLS in less than two years. What's to do? The human immune system has evolved to defend against and destroy complex and oftentimes overwhelming attacks. What can we learn from it? How can we create a future that's more resistant as we use more software, more clouds, more apps, and more connected devices?

Cyber Defense Center Diamond Sponsors
October 13, 4:00 pm - 5:00 pm, 6th floor
Bomgar: Indiana/Iowa
Microsoft: Lincolnshire 1&2
Spikes Security: Northwestern/Ohio State
Symantec: Purdue/Wisconsin
Venafi: Michigan/Michigan State

Bomgar
Close the Door to Cyber Attacks with Secure Vendor Access. This session will feature:
• LIVE! Cyber Attack & Defense. Watch a cyber-attack unfold live to show you how your vendors can unwittingly leave the door open to your network, and understand how to prevent these by managing, controlling, and auditing all vendor access.
• Best practice recommendations on how to secure vendor access to your organization. Hear top tips to protect your company and customer data, infrastructure, and assets from cyber-attacks by securing vendor access while improving productivity.

Spikes Security
All businesses are now reliant on web applications. But how can you protect your organization from web malware when browsers are connected directly to the Internet and can run untrusted code


Monday, October 12 and Tuesday, October 13 Cyber Defense Center


from servers outside your control? This interactive session will cover how isolation technology can prevent browser-borne malware from entering your corporate network and infecting endpoint devices. You're invited to learn the basics of isolation technology:
• How it's implemented outside your network
• How it prevents users from connecting directly to the Internet
• How it's different from detection-based technology

Microsoft (Monday)
Exploitation Trends: From Potential Risk to Actual Risk. Microsoft researchers have studied some of the exploits discovered over the past several years and the vulnerabilities they targeted. Understanding which vulnerabilities get exploited, who exploits them, the timing of exploitation, and the root causes all help security professionals more accurately assess risk. Development practices that help minimize vulnerabilities will be discussed.

Microsoft (Tuesday)
Moving to the Cloud in a Compliance-driven World. As cloud adoption skyrockets, you might find it complex to deploy innovative services while simultaneously trying to meet demanding compliance requirements. This is because many IT regulations and standards were not designed for the cloud, and frequently fail to address its unique qualities. In this session you will learn what it takes to deploy a Microsoft Azure cloud solution that addresses the requirements of regulatory standards such as ISO 27001 / 27018, FedRAMP, PCI, and HIPAA. The presentation will look at a shared responsibility model where deploying good security principles can facilitate a successful adoption of a cloud service, while meeting your compliance regulatory requirements. What you will learn: how Azure can help you meet global compliance requirements such as ISO 27001 / 27018, FedRAMP, PCI, and HIPAA; and how security controls such as at-rest data encryption, key management, virtual machine protection, logging and monitoring, anti-malware services, identity management, and access controls can help protect your solution and advance your compliance posture.

Venafi
Evolving Public Key Infrastructure: Critical Updates Needed to Keep Up with Our Changing World. Several industry trends are forcing organizations to take a strong look at their PKI. Factors such as the need to encrypt more data, the expanding network perimeter, the viewpoint that digital keys should be rotated more frequently, and unplanned events such as Heartbleed all put significant pressure on an organization to modernize their PKI environment to keep pace with change. This one-hour workshop will walk through the history of PKI, why it is long overdue for a comprehensive upgrade, and the factors that are driving this sea change within our industry. Topics such as automated life-cycle management, security controls and policy considerations, centralization strategies, and enterprise adoption will be addressed. Participants will take away a broader awareness of the challenges they face as well as actionable strategies that can be used for subsequent planning steps within their own organization.

You Can Help the Next Generation of Cybersecurity Professionals! Partner with the ISSA Educational Foundation. Stop by our booth and learn how. Our annual fund-raiser kicks off at the conference. www.issaef.org


Planning for a Career in the Department of Defense Cybersecurity Workforce
By John Gray, ISSA member, Rainier Chapter

The author discusses how the Department of Defense cybersecurity workforce is organized, how to prepare for a cybersecurity position, and the appropriate combination of education, training, and experience in which to progress into advanced responsibilities.

Abstract
Career opportunities in the Department of Defense cybersecurity workforce are at an all-time high, with thousands of additional cybersecurity experts projected to be hired in the near future. Details are presented on how the workforce is organized, how to prepare for a cybersecurity position, and on the appropriate combination of education, training, and experience in which to progress into advanced responsibilities.

Needs and opportunities
According to the US Bureau of Labor Statistics,1 employment for information systems security specialists will grow by almost 40 percent by 2022, making it one of the nation's fastest growing careers. Numerous studies and reports find that there is a nationwide shortage of qualified information systems security professionals, and nowhere is this felt more than in the Department of Defense (DoD). According to a 2011 Government Accounting Office report, the number of full-time employees in the DoD with significant information system security responsibilities exceeds 87,000, while the Office of Personnel Management reports that the DoD cybersecurity workforce numbers 19,000 personnel.2 In addition to covering losses due to transfers, retirement, and terminations in this sizable workforce, the DoD is planning to hire 4,000 more people with cybersecurity skills over the next two years.3 To address the problem of retention, the DoD is endeavoring to make itself the employer of choice for cybersecurity workers, including in the positions of military, federal or civil service, and defense contractor personnel.4 The intent is to provide challenging and rewarding professional opportunities that will inspire cybersecurity workers to remain in the government workforce for their entire career. They advocate that an individual's career progression should consist of a variety of challenging roles, responsibilities, and opportunities, including those in technical, non-technical, and managerial positions.

Skill-set requirements
Government mandates drive the demand for security specialists, with the DoD 8570.01M Information Assurance Workforce Improvement Program5 manual requiring that DoD civil service employees, military personnel, and defense contractors with elevated privileges to government information systems be trained and certified in information security depending upon their role and level of access.6

Government information systems security specialist positions generally require a bachelor's degree in information security, computer information systems, network security, computer science, or a related field of study; however, because skilled security professionals are in demand, an associate degree or a combination of education, professional security certifications, and relevant experience will likely result in close consideration. An applicant's resume should detail any specialized experience that demonstrates his or her knowledge of security measures in protecting information, information

1 http://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm.
2 http://www.gao.gov/new.items/d128.pdf.
3 http://www.bloomberg.com/bw/articles/2014-04-15/uncle-sam-wants-cyber-warriors-but-can-he-compete.
4 http://dodcio.defense.gov/Portals/0/Documents/DOD Cyberspace Workforce Strategy_signed(final).pdf.
5 http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf.
6 http://www.itcareerfinder.com/it-careers/it-security-specialist.html.

October 2015 | ISSA Journal 21


Planning for a Career in the Department of Defense Cybersecurity Workforce | John Gray

systems, or networks from threats; skill in ensuring that an ified personnel as most DoD cyber workforce positions spec-
information system is compliant with applicable information ify a specific professional certification as a requirement. Can-
assurance policies, procedures, and best practices; ability to didates must either hold or obtain the particular certification
provide guidance to personnel on how to secure a system; and within a certain period of time after being placed in the posi-
knowledge and application of information assurance princi- tion. Vendor-neutral certifications provide employers with an
ples and test and assessment methods. indication of an individuals general IT and cyber skills, while
Many universities and community colleges have comput- specific operating system, network, or security certifications
er engineering, computer science, and information security serve to establish more advanced or focused skills.
programs. When considering an education geared towards Individuals with prior military service and/or possessing a
cybersecurity, considering the aca- security clearance generally have a competitive advantage in
demic institutions listed on the Na- the hiring process. Employers recognize that job candidates
Certs serve to filter tional Security Associations list of with prior military service typically have a reliable work eth-
out unqualified National Centers of Academic Ex-
cellence in Information Assurance
ic, good communication skills, are loyal to their employers,
and overall are productive workers. While it does not guar-
personnel as (IA)/Cyber Defense (CD) will en- antee being selected, veterans preference laws give eligible
most DoD cyber sure that the curriculum has been veterans an advantage over many other applicants. A security
vetted for strength in specific IA clearance assures government employers that the applicant is
workforce positions and CD focus areas.7 Computer se- familiar with safeguarding national security information and
specify a specific curity education programs should that they do not have a criminal background. Cyber positions
professional include courses in various operat-
ing systems administration, net-
requiring elevated privileges, including having the ability to
modify security settings, typically must be filled by an indi-
certification as a working, network security, host- vidual having a security clearance; therefore the demand for
requirement. based security, intrusion detection, IT professionals with a security clearance is high.8
hardware and software configu- The cybersecurity workforce management guidance, DoD
ration, and computer forensics. Directive 8140.01,9 advocates that qualified government ci-
Security professionals should also develop their communi- vilian and military personnel, augmented where appropriate
cation skills as they are typically responsible for educating by contracted services support, be employed as an integrated
and recommending solutions to technical and non-technical workforce in order to provide an agile, flexible response to
employees regarding information security issues. constantly changing cybersecurity requirements. Policy re-
Professional information technology (IT) and security certi- quires IA practitioners and managers be trained and quali-
fications provide an employer with an indication of an indi- fied to an approved baseline requirement, depending on the
viduals skill, knowledge, and aptitude and usually command position they fill. The Information Assurance Workforce Im-
increased earning power. They also serve to filter out unqual-
8 https://news.clearancejobs.com/2015/06/23/benefits-security-clearance/.
7 https://www.nsa.gov/ia/academic_outreach/nat_cae/. 9 http://www.dtic.mil/whs/directives/corres/pdf/814001_2015_dodd.pdf.

Click here for On-Demand Conferences


www.issa.org/?OnDemandWebConf

Security of IOTOne and One Makes Zero Continuous Forensic Analytics Issues and Answers
2-Hour Event Recorded Live: Tuesday, September, 22, 2015 2-Hour Event Recorded Live: April 14, 2015
Biometrics & Identity Technology Status Review Secure Development Life Cycle for Your Infrastructure
2-Hour Event Recorded Live: Tuesday, August 25, 2015 2-Hour Event Recorded Live: Tuesday, March 24, 2015
Network Security Testing Are There Really Different Types What? You Didnt Know Computers Control You? / ICS and
of Testing? SCADA
2-Hour Event Recorded Live: Tuesday, July 28, 2015 2-Hour Event Recorded Live: March 2, 2015
Global Cybersecurity Outlook: Legislative, Regulatory and Cybersecurity New Frontier
Policy Landscapes 2-Hour Event Recorded Live: February 24, 2015
2-Hour Event Recorded Live: Tuesday, June 23, 2015 Security Reflections of 2014 & Predictions for 2015
Breach Report: How Do You Utilize It? 2-Hour Event Recorded Live: January 27, 2015
2-Hour Event Recorded Live: Tuesday, May 26, 2015 Dorian Grey & The Net: Social Media Monitoring
Open Software and Trust--Better Than Free? 2-Hour Event Recorded Live: Tuesday, November 18, 2014
2-Hour Event Recorded Live: Tuesday, April 28, 2015

A Wealth of Resources for the Information Security Professional www.ISSA.org

22 ISSA Journal | October 2015


Planning for a Career in the Department of Defense Cybersecurity Workforce | John Gray

vanced-level CE support. They focus on intrusion detection,


finding and fixing unprotected vulnerabilities, and improv-
ing security on a systems network infrastructure. They also
are qualified to perform numerous functions of IAT level 1.
The personnel in IAT level 3 focus on support of the enclave
environment; monitoring, testing, and troubleshooting hard-
ware and software security issues on the numerous systems
which may be in it. In general they have mastery of the func-
tions of both the IAT level 1 and level 2 positions.
IA management
IA management level 1 and 2 personnel are responsible for
managing the operation of an information system within
Figure 1 Cybersecurity workforce structure their CE or network, ensuring that it is functional, secure,
and in compliance with all security requirements. Personnel
provement Program manual details the specific qualifications in these positions perform a variety of security-related tasks,
and certifications on which to train, qualify, and manage including the development and implementation of system
the IA workforce. The ultimate vision of the guidance is to information security standards and procedures, generating
have a workforce of IA professionals who have the knowledge compliance reports, and overseeing certification and accred-
and skills to effectively prevent and respond to cyber attacks itation efforts. IAM level 3 personnel are responsible for en-
against government information, information systems, and suring that all information systems in an enclave are func-
information systems infrastructures. tional and secure. They determine the enclaves long-term IA
needs and acquisition requirements in order to accomplish
Career progression operational objectives. They also develop and implement in-
The DoD cybersecurity workforce (CW) is divided into four formation security standards and procedures through the
categories: information assurance technical (IAT), manage- certification and accreditation process.
ment (IAM), system architecture and engineering (IASAE),
and computer network defense service provider (CND-SP). IA system architecture and engineering
Each category has levels based on where the position is lo- IASAE level 1 personnel apply knowledge of security policies,
cated within the overall cybersecurity workforce and infor- procedures, and structure to design, develop, and implement
mation system environment as detailed in figure 1. The IAT an information system, system components, or system archi-
category is represented by the pyramid on the left side; the tectures. IASAE level 2 personnel apply their knowledge of
pyramid on the right represents the IAM and IASAE catego- security policies, procedures, and workforce structure to de-
ries. Each pyramid has lines dividing it into three functional sign, develop, and implement a secure network environment.
levels which are related to the system architecture, not to an Finally, persons filling an IASAE level 3 position are respon-
individuals grade or experience. sible for the design, development, implementation, and/or in-
Immediately above the base of both pyramids is the com-
puting environment, functional level 1. This level is expected
to be made up of the largest number of cybersecurity pro-
fessionals. The second level of the pyramids is the network
environment with the population of workers projected to be
somewhat smaller than that of level 1. Level 3, the smallest
level, represents the enclave, containing advanced network
Donns Corner
By Donn Parker
and information system IA professionals. CND-SP positions ISSA Distinguished Fellow
are not tied to the environment or IA functional levels, but to Silicon Valley, USA Chapter
specific job roles on a computer network defense team. The

Over and Out


specialties are Analyst, Infrastructure Support, Incident Re-
sponder, Auditor, and Manager. The arrow pointing upward
between the two pyramids depicts a requirement for more ad- I HAVE RUN OUT OF MAXIMS TO AMUSE, educate, and chal-
vanced certifications as the professional level increases. lenge you. More of them would carry tedious detail that I have
IA technical tried to avoid. At this stage in retirement from my career, I am
always the generalist.
IAT level 1 personnel are tasked with making their comput-
ing environment (CE) less vulnerable by correcting flaws A collection of all of my maxims may be found here.
and implementing security in the hardware or software in- Donn Parker, CISSP, retired, and information security
stalled in their various operational systems or devices. IAT pioneer, donnlorna@aol.com.
level 2 personnel provide network environment (NE) and ad-

October 2015 | ISSA Journal 23


Planning for a Career in the Department of Defense Cybersecurity Workforce | John Gray

certification usually must be obtained within six months of


an employee being placed in the particular IA role. Contrac-
tors should have the appropriate certification when entering
the contract. Employees need to maintain their certification
status by completing continuous learning requirements as
defined by the respective certification provider (e.g., (ISC),
ISACA, CompTIA, etc.). IATs are also required to obtain an
appropriate operating system or computing environment
certification in addition to the IA or security certification re-
quirements.
DoD employees should register their certifications in the De-
fense Workforce Certification Application. This is the author-
itative database for all DoD military, civilian, and contractor
personnel who hold 8570-related certifications. Registering
their certifications in the database ensures that the DoD is
aware of an individuals certification status and that the in-
Figure 2 Approved baseline certifications formation is validated by the certification provider.
tegration of a security architecture, system, or system compo- There has been controversy about how the DoD 8570 manu-
nent for use within the entire range of environments. al focuses too much on certifications rather than taking into
account an individuals experience or degree. Its replacement
IA computer network defense service provider
is the DoD 8140 Cyberspace Workforce Management Policy
CND-SP analyst personnel use the data collected from a va- manual, a document that amplifies the requirements of DoD
riety of CND tools, such as intrusion detection system alerts, Directive 8140.01. It is projected to be issued within the next
firewall and network traffic logs, and host system logs, in year and supposedly addresses this issue.
order to analyze events that occur on their assigned system.
CND-SP infrastructure support personnel test, implement, Moving through the various cybersecurity workforce levels
deploy, maintain, and administer the infrastructure systems is a process of acquiring skills and experience. Personal de-
that are required to effectively manage a network and its re- velopment for information assurance employees is generally
sources. This includes routers, firewalls, intrusion detection divided into three levels as well. Entry-level or apprentice po-
and prevention systems, and other devices and tools as de- sition skills and experience should include having an under-
ployed within the network environment or enclave. CND- standing of and being able to perform basic operating system
SP incident responder personnel investigate and analyze re- administration, networking, security principles, and security
sponse activities related to cyber incidents, including creating review processes. Depending on the type of position being
and maintaining incident tracking information; planning, filled, other areas of familiarity may include public key infra-
coordinating, and directing recovery activities; and incident structure procedures, network monitoring applications, and
analysis tasks such as examining information and supporting network device or database configuration, management, and
evidence related to an incident. CND-SP auditor personnel administration. While not a prerequisite for employment,
perform assessments of systems and networks within the net- individuals are encouraged to develop an understanding of
work environment or enclave and identify where they deviate financial management, contract management, and technical
from acceptable configurations or polices. They achieve this writing.
through compliance audits, penetration tests, or vulnerabil- In addition to a more in-depth knowledge of their particular
ity assessments. A CND-SP manager oversees the computer computer or networking specialty, mid-grade infosec pro-
network defense and is responsible for producing guidance fessionals are expected to demonstrate knowledge and skills
for the network environment or enclave, assisting with risk regarding DoD security policy requirements, certification
assessments and risk management, and for managing and su- and accreditation processes, information system monitoring,
pervising the CND technicians within the organization. vulnerability management and reporting, incident response
investigation, and business continuity procedures. Acquiring
Certifications additional skills in the areas of team leadership, negotiating,
Professional certifications map to the different IA categories, mentoring, project management, business process develop-
specialties, and levels to which they apply. An individual ment, and cost modeling further demonstrates their profes-
needs to obtain only one of the approved certifications for sional growth.
the IA category or specialty and level to meet the minimum
Senior-level personnel are expected to also have knowledge
requirement. Higher-level IAT and IAM certifications satisfy
of systems and network architectures, strategic planning, IA
lower-level requirements; however, higher-level CND-SP and
metrics development and analysis, risk assessment and man-
IASAE certifications do not. Each position has one or more
agement, configuration control management, verification
qualifying certifications as detailed in figure 2. The baseline
and validation processes, contingency planning, and infos-

24 ISSA Journal | October 2015


Planning for a Career in the Department of Defense Cybersecurity Workforce | John Gray

ec policy interpretation and development. Other skills may an all-time high, and even if an individuals career spans only
include management and leadership; conflict, project, and a few years, it can provide opportunities for gaining valuable
financial management; quality and continuous improvement training and experience and fulfill a desire for serving the
processes; and strategic planning. public good. The experience gained can be a stepping stone to
All employees are encouraged to develop interpersonal skills expanded opportunities and higher wages and compensation
in the areas of teamwork, ethics, writing, communication, in the public sector.
and problem solving in order to become a more well-rounded And while the career progression detailed in this article is
employee. focused on service in the United States Department of De-
fense, the basic tenants are applicable to government service
Conclusion in other nations, and can also be a template for developing
Job security, excellent benefits, competitive pay including lo- ones information security skills in general.
cality pay, vacation and sick leave, and a retirement system
that is exceptional compared to much of the private sector About the Author
are just a few of the reasons people seek federal employment. John Gray, CISSP-ISSEP, PMP, is an infor-
Some people consider government careers because of desir- mation systems security analyst with over 15
able travel opportunities, availability of training, and the years experience in information security and
ability to locate jobs nationwide or even overseas. Following IT. He is employed by the Department of De-
the guidelines listed above to develop ones cybersecurity fense, focusing on certification and accredi-
skill set establishes a solid foundation for career growth. Ca- tation, cross-domain solutions, and informa-
reer opportunities in the DoD cybersecurity workforce are at tion security management. John may be reached at jgraydiss@
wavecale.com.

The Curmudgeon: There are two types of people on the Internet

THIS MONTH'S TOPIC: THE INFOSEC CAREER PATH. Where to begin? How about with reality?

There are two types of people on the Internet: those who know they've been hacked, and those who don't yet know they've been hacked. Yes, I plagiarized. It's part of my job.

What I have observed over decades (I am a curmudgeon) are two populations entering the field.

First is people who grew up with information security: categorizing, marking, stamping, storing, adhering to various standards, etc. It was all about paper, or files, or filing systems; then it was about retention; legal requirements; and other governances. (That's a whole other topic.) They have systems, requirements, rules, and demand that everyone strictly adhere to them.

The second is we who came up from the systems and computing environment. We understood the effects on the systems, how intruders progressed, where intruders could go from there, but might not be able to express the ultimate effects to the business-droids in charge. For us, the situation is obvious. We then fall victim to a common bias: assuming other people have the same knowledge and understanding.

Then, sometimes, there's a really strange third group. The translators. They often have gray beards and irascible attitudes. They probably aren't in the trenches, dealing with trouble tickets AND intrusions, invasions, phishing, spearphishing, whaling, or the specific attacks on that organization.

They really do not want to adhere to the absolute rules imposed by the first group, when those rules damage the business or mission. But they know things need done legally and properly. They can speak geek and speak business-droid, ROI, etc.

Treasure them.

They translate to the business-speak of: "OK, it's known by this name; what it means to us is: It will expose you to these legal actions that are likely to cost you <amount> in the courts, lost goodwill, lost profits. You should have done these things in the past. Now, you need to do those things and fight this public action, to defend your business and protect your revenue stream. If you do not, you are likely to suffer <damages>. It's your decision." (Keep a copy of your memo for record somewhere other than work!)

Translators also work the other way: "The CxOs are interested in these threats. We have to treat these threats because they're the bosses. We might approach this problem by doing <actions>. We might be able to treat practical things by including these circumstances and exploring some alternatives. How may we do this at least quasi-legally without changing real operations?" They've taken the bosses' interests and sought ways to leverage them to what needs to be done.

Please believe me, from personal experience: if you can meet this sweet spot, you have lifetime employment. Organizations will compete for you. Co-workers will claw you back.

This, Grasshopper, should be your path. You should consider this deeply.

You should study many things, such as CxOs' motivations (read Snakes in Suits); your corporate infrastructure and core strengths; your competitors, their motivations, their legal limitations (or lack thereof); and most especially, your personal strengths. Find coping techniques for your weak areas.

When the CxOs get caught out, they hunt up someone to noisily blame and fire. Sometimes, that is your acknowledged and accepted position; charge them for it, until they squeak and then some. They have deep pockets and you might be a while finding work. Remember the two types of people....

Welcome. To the Real World.

Your local, grumpy, tie-wearing, un-impressed, and suspicious Curmudgeon


Information Security Career Path
By Yuri Diogenes, ISSA member, Fort Worth Chapter

The author discusses key decision points regarding an information security career, the options
available, and how to succeed in this field.

Abstract ethical hacking skills.3 This initiative is just another fact that
shows the government recognizes the need to expand the
Nowadays access to information is not a problem; everyone skills of young students and ensure that they learn about in-
can find answers for a wide variety of topics and learn about formation security. Adding information security-related dis-
them without many requirements. At the same pace the in- ciplines into the core school curriculum can have a great ben-
formation lands in every device across the planet, the num- efit for the future generation that will grow way more aware of
ber of vulnerabilities discovered on a daily basis also grows, what needs to be done to stay secure. This goes beyond secu-
which is causing a higher demand for qualified security pro- rity awareness because it can also lead students to learn more
fessionals across the industry. How these security profession- about secure coding, which is the real root of the problem.
als will learn and continuously develop themselves to handle But while this is not happening, what should be done for the
this demand will vary. This article will go over key decision current generation and how should you improve your skills?
points regarding an information security career, the options
available, and how to succeed in this field. What path should I take?
The information security career has many ramifications,

A
ccording to an analysis performed by Peninsula Press from a very specialized Pentester to a more generalized Se-
using numbers from the Bureau of Labor Statistics,1 curity Analyst who needs to know a variety of topics about
the demand for information security professionals is security. This means that the first step you should take is to
expected to grow by 53 percent by 2018. While this might not perform a self-assessment and decide where you want to go
look like a big number across three years, the real alarming in your career, what you like to do, and how to advance in
number comes in the same analysis when they state: it was that particular field. This is an important point because many
found that 209,000 cybersecurity jobs in the US are unfilled. times people decide what they will do based solely on market
The struggle to fulfill these positions is a reality not only in demand. Blindly following this rationale can be dangerous
the private sector but in government as well. The government because you might end up working in a field that you dont
is aware of this shortage, and in July 2014 the Homeland Se- like and one which may have a negative impact on how you
curity Cybersecurity Boots-on-the-Ground Act2 passed the grow in your position. As a result you will not evolve and
House with the intent of helping the Department of Home- soon or later will start looking for another job. Regardless of
land Security (DHS) to recruit and retain cybersecurity pro- what pays more, you must be passionate about what you are
fessionals. going to embrace in your next career move. Some security
professionals are already in this situation, having to work
Recently the National Security Agency (NSA) started a pro-
in a branch of this field where they dont feel passionate; the
gram for middle and high school students, to teach them
rationale is the same: find your next career move by doing
this self-assessment and discovering what motivates you in
1 Ariha Setalvad, Demand to Fill Cybersecurity Jobs Booming, March 31, 2015 -
http://peninsulapress.com/2015/03/31/cybersecurity-jobs-growth/. 3 Hanna Sanchez, National Security Agency Teaches Students Ethical
2 Eric Chabrow, Senate Passes Cybersecurity Skills Shortage Bill: Measure Aims Hacking, Cybersecurity, Jul 20, 2015 http://www.ischoolguide.com/
to Boost IT Security Employment at DHS, September 20, 2014 http://www. articles/18948/20150720/national-security-agency-students-ethical-hacking-
bankinfosecurity.com/senate-passes-cybersecurity-skills-shortage-bill-a-7340/op-1 cybersecurity.htm.

26 ISSA Journal | October 2015


Information Security Career Path | Yuri Diogenes

this area. Nowadays everyone talks about hacking, ethi- fulfill that particular position you need a Masters in Cyber-
cal hacking, cybersecurity, and other terms. Dont let the security, make it happen and go after it.
buzz distract you; understand deeply what you want to do
and pursue the right path to your next move. Specialist or generalist?
Once you decide which path you will take, evaluate what you Ten years ago the demand to have very specialized profes-
already have to offer. In general, there are three core compo- sionals was greater than today. If you knew one specific fea-
nents that you must assess regarding the field that you are ture within a product, you were of extreme value to the com-
going to work: pany. I remember when companies were hiring Exchange 5.5
professionals that were specialized in
Experience: do you have the required experience on that
troubleshooting mail flow. Those pro-
field?
Professional certification: do you have the profession-
fessionals needed to know deeply how
to debug the protocol and know deep-
Regardless of
al certifications that are required for the job that you are ly how to troubleshoot connectors what pays more,
looking for? between Exchange and Lotus Notes, you must be
Degree: do you have a degree that can be helpful in that among other specific features. They
field? didnt need to know how to restore an passionate about
This self-assessment is very important as it allows you to un-
Exchange database; they didnt even what you are
derstand your strengths and weaknesses. The goal is to en-
need to know how to create an user
account; as long as they were level 400
going to embrace
sure that once you detect your weakness, you start working
in mail-flow troubleshooting, they in your next
on a plan to fulfill the gap. If the result of this self-assessment
shows that you need a specific certification in order to be
had the job. Not anymore! career move.
more competitive, than you already know what to do: study With cloud computing everything
and obtain the certification. changed. Broad knowledge is now
more important for all IT segments and especially for infor-
A survey performed by SANS in 20144 shows that experience
mation security professionals. With cloud computing grow-
is a key factor for a better salary in the information security
ing in such a fast pace, it becomes extremely important that
field. The same survey also reveals that certification is a criti-
security professionals are aware of the essential characteris-
cal component for career success in the information security
tics defined by NIST6 and how the threat landscape is going
arena. What should we conclude with this? Having both is the best scenario for a security professional. While experience is for the most part directly related to the jobs that you have had in the field, you can also obtain experience by attending trainings and conferences and helping your community. Initiatives like Security BSides [5] are available in many locations in the world. You can propose a presentation or volunteer to work in their meetings. By engaging yourself in communities like this you will gain knowledge, and you will also expand your network.

Pursuing a Master's or PhD degree in information assurance, cybersecurity, or any other field related to information security is definitely a choice to consider. However, in this case you must analyze the return on investment and ask yourself: will it be worth it in the long term? The investment is not only financial; it is also the time that you put in to obtain these higher degrees. As part of your career plan in security you must establish your vision; as part of this vision, ask yourself: what do I want to achieve in this field? If you want to work in the academic field or research, pursuing a Master's or PhD should definitely be in your plans. The other scenario that can lead you to go after these degrees is job requirements; if you want to work for a specific company and you know that in order to

4 Cybersecurity Professional Trends: A SANS Survey https://www.sans.org/reading-room/whitepapers/analyst/cybersecurity-professional-trends-survey-34615.
5 Welcome to the Security BSides Community Wiki http://www.securitybsides.com/w/page/12194156/FrontPage.
6 The NIST Definition of Cloud Computing http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf.

Career Opportunities

Visit the Career Center to look for a new opportunity. These are among the current job listings you will find [as of 9/21/15]:
- Project Control/Project Scheduler (MD)
- Advanced Analytics Manager (CA)
- Information Technology Security Analyst (FL)
- IT Security Analyst, Threats and Vulnerabilities Monitoring (NY)
- Architect - Security Information (OH)
- Identity Access Manager (MA)
- Instructor of IT/Cybersecurity (HI)
- Program Director, Cybersecurity/Information Technology (VA)
- Director, Information Security (CA)
- IS Policy Administrator (TX)
- Chief Information Security Officer (WI)
- Manager Information Security (MA)
- Information Security Analyst (MO)

Visit www.issa.org/?CareerCenter

October 2015 | ISSA Journal 27


Information Security Career Path | Yuri Diogenes

to look like in this scenario. In other words, understand the threat landscape for each one of the essential characteristics below:
- On-demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service

Security certifications in cloud computing will reflect this by covering a variety of subjects in different areas. The domains included in the Certificate of Cloud Security Knowledge (CCSK) [7], for example, will cover the following subjects:
- Cloud Architecture
- Governance and Enterprise Risk
- Legal and Electronic Discovery
- Compliance and Audit
- Information Life Cycle Management
- Portability and Interoperability
- Traditional Security, BCM, D/R
- Data Center Operations
- Incident Response
- Application Security
- Encryption and Key Management
- Identity and Access Management
- Virtualization
- Security-as-a-Service
- ENISA Document

You need to know the security capabilities of a variety of technologies and how these security capabilities will integrate with each other. The scope of what needs to be covered is broad and it can be deep in some circumstances, which means you might be a generalist in one area and a specialist in another area. It is fair to say that a CCSK-certified professional will have a very broad knowledge of each one of those domains, and at the same time it is possible to have other security professionals specialized in one single domain, such as Incident Response.

Another very common scenario is that you are the generalist but you are also the specialist for one area. For example, you are a security professional working in the incident response field; you know your process and what needs to be done to investigate an incident. However, you are also the one who knows more about computer forensics on your team. Figure 1 shows an example of how this usually looks and why it happens.

Figure 1: Generalist and specialist in one area (figure rendered as text)
Job Title: Security Analyst
Past experience: Firewall Expert (Certified Professional)
Job Duties:
- Planning and implementing security measures to protect computer systems, networks and data
- Responsible for preventing data loss and service interruptions
- Create, test, and implement network disaster recovery plans
- Perform risk assessments
- Install and configure firewalls and other security measures
- Train staff on network and information security procedures (Security Awareness Training)
Figure labels: "Broad knowledge in many areas"; "Deep knowledge in one area"; "The company needs someone with deep knowledge of firewalls to troubleshoot and manage them!"

In this scenario we have a classic example of a job that requires a broad knowledge in many areas, but on top of that it also needs someone with deep knowledge in one specific area. In this scenario your previous experience, or even the experience that you accumulated over time, can have a big impact. This is also a competitive advantage if you are competing for a position with other candidates, because your previous certifications and experience will be considered by the employer.

Security is very dynamic; your specialty today might not be so relevant in a few years. However, the knowledge that you accumulate with each project and certification and by performing the daily tasks is very valuable over time. The key to staying relevant is to stay up to date and be flexible while focusing on performing your work in the field that you feel passionate about.

Core skills for information security professionals

Now that you understand the general considerations regarding which path you can take, how do you resolve the generalist/specialist dilemma? This is important for building your security foundation. If you are new in this area, and you want to know what you should learn about security, the best advice is to obtain a vendor-neutral certification such as CompTIA Security+. The current exam (SY0-401) [8] is very broad, as you can see in the core domains of this exam:
- Network Security
- Compliance and Operational Security
- Threats and Vulnerabilities
- Application, Data, and Host Security
- Access Control and Identity Management
- Cryptography

7 Certificate of Cloud Security Knowledge https://cloudsecurityalliance.org/education/ccsk/.
8 See the entire exam objectives here http://certification.comptia.org/docs/default-source/exam-objectives/comptia-security-sy0-401.pdf


This is a very broad scope because it covers subjects like BYOD, SCADA, Incident Response, and other topics that are relevant for anyone who wants to either start working in security or boost his or her security career by obtaining a more general certification. One of the advantages of starting with a broad certification in the security field is that you can decide which area you want to focus on in case you want to specialize. For example, after obtaining this certification you might conclude that you want to invest more time and effort to become a Computer Forensics Analyst. If that's your choice, you can start with GIAC Certified Forensic Analyst (GCFA) [9] or EC-Council C|HFI (Computer Hacking Forensics Investigator) [10]. The reasons that lead you to choose one certification over another can vary: job requirement, financial restrictions, etc. It is important to research and verify which certification will aggregate more value not only for your resume but also for your own knowledge. What you are going to learn throughout the preparation phase is vital; if you are going to spend hours and hours studying for an exam, you had better like the subject and be very passionate about what you are about to embrace.

Conclusion

If information technology is already a very dynamic field, information security is even more challenging because it changes on a daily basis, and one change can have collateral damage in different areas. Be aware that these challenges can be overwhelming, but they are also full of opportunities to highlight the quality of your work. As with anything you do in life, progressing in this field becomes easier if you are passionate, self-driven, and have the discipline to pursue the vision of what you want for your career. Make sure to participate and network with other professionals, because this will help to identify areas that you can explore more, and it gives you real-world scenarios that you might not be exposed to if you are working on your own.

Last but not least, follow this simple advice and stay hungry for knowledge: "The more I learn, the more I realize how much I don't know." Albert Einstein

About the Author

Yuri Diogenes, MS in Cybersecurity Intelligence & Forensics Investigation (UTICA College), CISSP, CASP, E|CEH, E|CSA, CompTIA Security+, CompTIA Cloud Essentials Certified, CompTIA Network+, CompTIA Cloud+, CompTIA Mobility+, MCSE, MCTS and MBA. Currently Yuri works for Microsoft as Senior Content Developer for the Enterprise Mobility Team and as Professor for the Master of Security Science course from EC-Council University. Yuri is co-author of Windows Server 2012 Security, Forefront TMG Administrator's Companion, and a Security+ book (in Portuguese). You can follow him on Twitter @yuridiogenes or reach him at yurid@microsoft.com.

9 GIAC Certified Forensic Analyst (GCFA) http://www.giac.org/certification/certified-forensic-analyst-gcfa.
10 C|HFI Certification http://www.eccouncil.org/certification/computer-hacking-forensics-investigator.

ISSA Journal 2015 Calendar

Past Issues: click the download link.
- JANUARY: Legal and Regulatory Issues
- FEBRUARY: The State of Cybersecurity
- MARCH: Physical Security
- APRIL: Security Architecture / Security Management
- MAY: Infosec Tools
- JUNE: The Internet of Things
- JULY: Malware and How to Deal with It?
- AUGUST: Privacy
- SEPTEMBER: Academia and Research
- OCTOBER: Infosec Career Path
- NOVEMBER: Social Media and Security (Editorial Deadline 9/22/15)
- DECEMBER: Best of 2015

You are invited to share your expertise with the association and submit an article. Published authors are eligible for CPE credits. For theme descriptions, visit www.issa.org/?CallforArticles.

EDITOR@ISSA.ORG WWW.ISSA.ORG


Career Paths: How I Got Here

Three ISSA members answered our call to know what career path they took, how it served them, and what path they would recommend for future generations of information security professionals.

My Unexpected Infosec Career Path

By Ashley Schwartau, ISSA member, Middle Tennessee Chapter

There is not a specific career path that lands you in the infosec industry. Everyone has a different journey and must be open to the opportunities that present themselves, especially the unexpected ones!

I never expected to work in this industry. Yet here I am. A woman working in infosec.

I did not go to school for IT, and I had no interest in pursuing a security-related career. Yet, here I am.

Somehow, completely by accident, I have spent the last ten years of my life preaching infosec ideals and becoming an information security professional. How did this even happen? I blame it on my dad, really.

He has been in this industry and run his business out of the house for my entire life, so my childhood was full of security software, consulting calls with clients, and swag brought back from security conferences. I even learned the alphabet on a keyboard at 18 months old. He started taking me to DefCon when I was 16, and one of my chores in high school was compiling a list of security-relevant news to be used in a weekly newsletter sent out to clients. (I got paid and it sure beat scrubbing toilets like my friends were doing for spending money!) Concepts like social engineering, white hat hacking, Wi-Fi sniffing, and the importance of backup were commonplace for me, and it was not until high school that I realized maybe not everyone knew Kevin Mitnick's name or was as paranoid about downloading a virus on Napster as I was.

While my dad gave me odd jobs to do for the company here and there, and I learned from my mom as she did design work in CorelDraw, neither of them ever pushed me to join the family business. They urged me to pursue my dreams, which ranged from becoming the art director of an entertainment magazine in New York to editing movie trailers in Los Angeles.

I transferred colleges a few times, my major switching from multimedia (with a fine arts focus) to digital media (a combination of comp sci, web development, and graphic design).

I interned at the college TV station and in my fifth (and final) year of school set out to create a documentary in order to teach myself how to edit video. What was the documentary about, you ask. Hackers. I filmed Hackers Are People Too at a few conferences and premiered it at DefCon 16 on 08/08/08. Even for a personal project, I could not get away from infosec. I may not have known it then, but making that movie only cemented my future in this industry.

After graduating college, I moved home to get my bearings and figure out where I was going. Would I really venture to the City of Angels to pursue film, or head into the Big Apple to join the failing publishing industry? After working a lame retail job, and not finding any other leads, I felt lost. But then my dad offered me something I had never seen as an option: join his company full time. They were ready to expand their services and jump into e-learning, and I knew enough about the subject matter to develop content and was savvy enough with software to figure out how to do what he needed.

I took the job willingly but with every intention of finding something better down the line. Then our client base expanded. I started coming up with new ideas for teaching the same old security lessons, and I found myself in a full-time position in an industry I had spent most of my life trying to avoid. And I was actually having fun! Pretty soon we needed more help, and we hired my first assistant. Not long after that we needed to hire another team member and another and another and another. Here we are in 2015; the company with an entire production staff and me, fully invested in an industry I now have no intention of leaving.

As Creative Director of The Security Awareness Company, I work hands-on with all of our clients, building and launching information security awareness campaigns. I develop training materials to teach users how to protect company data and the importance of following security policy. I have seen security initiatives of all shapes and sizes both succeed and fail, and have learned what the security teams must do in order to get buy-in from users and C-levels.

On the surface, to many of my friends, my job may not seem like an obvious infosec career. I run the creative department, after all. But the work my team and I produce is entrenched in security, focused on re-imagining and teaching age-old problems such as passwords, compliance, data breaches, and phishing. It is impossible to work on awareness materials without becoming somewhat of a subject matter


Career Paths: How I Got Here | Ashley Schwartau, Dora Baldwin, and Roza Winston

expert yourself. So while my skills might serve me in other industries (marketing, advertising, publishing), my knowledge base and experience with clients' awareness programs make me an infosec professional.

So what advice would I give to future infosec professionals?

Throw away preconceptions about what infosec is

The infosec industry calls on a wide variety of people with myriad skills, everything from sysadmins and pentesters to the people who design simulated phishing attacks. Look around the vendor floor of any conference and you will see the kind of variety I am talking about. Software developers, phishing companies, awareness training, cloud services, MDM, VPNs, hardware developers...and each of those companies has a need for programmers, designers, marketers, administrators...a range of people with a range of skills that are not all deeply technical. Infosec is not just a technical field, and you can thrive in this industry as long as you have a base understanding of the issues and passion for the subject matter.

Widen your focus

One of the mistakes I see students make in all industries is choosing a career path and never veering off road. Many of the people I went to school with wanted to be graphic designers, so they took graphic design classes and scoffed at those of us who ventured into other areas: computer networking, film editing, PHP, creative writing, theme park design, interactive performance. They saw no need for any skills that were not in the basic job description of a designer. But as someone who now leads a production department, having an understanding of all those other areas has only made me better at my job. And the same goes for any job in the infosec field. You should know more than just what your dream job expects of you. You should understand the roles of the people you work with and for. Learn everything you can about everything: networking, programming, designing, managing. Coding was never my forte, but I understand it enough to talk to our programmers and web development team with confidence and savvy. And while I am not a CISO myself, I understand the problems they face on a daily basis and constantly educate myself about new threats so that I can better serve the people I work for. You will be an asset to your team if you can expand your knowledge base beyond the limited scope of your specific job title.

Be open to opportunities

This relates to my point above. Let's say you are headed towards being a pentester, and the job market is kind of scarce in your city. But a position opens up for the help desk at a local healthcare company. Take it. Is it exactly what you want to do? Not at all. But being at the help desk puts you on the front lines of defense, receiving calls from users who don't know what to do or can't log in to the company network. You will see many weaknesses that Future Pentester You will be able to exploit. Help Desk You can keep track of the most common mistakes made by users and help the security team build targeted awareness training. Look for learning opportunities in any job, and think about how it can help you reach your dream job. Remember, I wanted to be the art director of a major magazine, and now I oversee the production department of a company that creates videos, e-learning modules, and magazine-like newsletters, so in reality, I have my dream job. Or something better.

School is important but not the most important

It's been a long-held misconception that a college degree is necessary to be a successful member of a workforce. Attitudes toward this are changing, and I am of the firm belief that college is not for everyone nor does it mean you know everything about your field. Our company's first intern was a graphic design college graduate with a minor in comp sci and a 4.0 GPA. He interviewed really well, but when he came to work for us proved he knew zilch about anything we needed him to do. Now, when we hire people we do not even ask about college because a degree proves nothing. But work experience, and lots of it, does. Going out and taking the initiative to learn more, getting certified and working hard to perfect your craft: that proves more than sitting through four (or five!) years of college and coming out with a piece of paper. Frankly, I do not even know where my piece of paper is, nor do I care. My degree did not prepare me for this job


or this industry. The things that truly prepared me were attending conferences, joining the ISSA, staying up to date on security news, talking to our clients, and putting in a lot of long hours working to get better. You can learn a lot in school, yes, but there are just so many things that cannot be taught in a classroom and must be learned from real experience. In my opinion, the infosec field is a prime example of one in which a degree is not entirely necessary to becoming a well-educated, knowledgeable, and skilled professional.

Be willing to say "I don't know"

Technologies change so rapidly and new threats pop up so often, we all must be in constant learning mode. None of us can ever say, "Yup, I know everything about security!" While many of the issues and lessons have not changed over the last twenty years (passwords! breaches! malware! Oh my!) the technical specifics and speed at which bad things can happen are only ramping up. Our daily news feeds overflow with criminal hacks and APTs and data breaches galore, and as industry professionals we must all maintain a current knowledge of these issues and an understanding of new technologies. But there is a lot to keep up with. It can be overwhelming. So ask for help. Talk with your colleagues, join professional development groups, ask your company for additional training (even if it is not directly related to your role), subscribe to journals like this one, and attend conferences. Never stop learning. This is not an industry in which you can afford to stagnate, because if you do, you will be left behind.

One final piece of advice for the ladies

Have confidence in yourself and your abilities. Do not let a male-dominated industry intimidate you away from it. I wish that the stigmas surrounding STEM industries would just fade away because I think they scare off smart people who would have a lot to contribute. Like I said, infosec is not any one thing or meant only for one type of person. As a woman in this industry, which has been a boys' club for a long time, you will face adversity and discrimination and eye-rolling. You will be spoken down to and many will assume that you do not know what you are talking about. As a woman, it is even more important to know your subject matter and become knowledgeable about everything that touches your area of expertise. You must develop a thick skin and confidence to keep your head raised high. Keep learning, keep pushing, keep bettering yourself. The women I meet in this field impress me on many levels, with skill sets ranging from over-my-head technical expertise to master-level, geek-wrangling management skills. So, if you can hurdle the gender divide and the few detractors you will meet along the way, you will be rewarded with a fascinating


industry full of passionate, hard-working, smart people who can teach you a lot and want to hear your ideas.

Like I said, it was never my intention to become an information security professional, but despite my best efforts, here I am. And I love it. I love this industry. Infosec is full of interesting challenges. As we become more reliant on technology and as the Internet of things becomes more ubiquitous, this industry is only going to grow and become more mainstream. Infosec is not just for the nerds. It is not just for the techies. It is an industry for anyone who is passionate about technology and making it more secure. It is for anyone who wants to make the Internet a safer place and secure the information of the people who use it. So go forth, educate yourselves, and do not lock yourself in a box. You never know where your career path may lead you, but if it brings you to infosec, there is definitely a place for you. It just may not be the one you expected.

About the Author

Ashley Schwartau is the Creative Director at The Security Awareness Company and has worked in this industry pretty much her entire life. Whether it's working with the LMS team, developing e-learning modules, or helping our designers on a big project, she loves the unique challenge of creating a compelling awareness program from the ground up. She's the creator of the 2008 documentary, Hackers Are People Too, and often writes blog content for blog.thesecurityawarenesscompany.com. You can reach her at ashley@thesecurityawarenesscompany.com.

A Transition into Tech

By Dora Baldwin, ISSA member, Inland Empire Chapter

As an undergraduate I had aspirations of becoming a top-performance track and field athlete. The majority of my time was spent on the field priming for competition and breaking records, while my time off the field was spent changing my academic focus every semester: I traversed from English to Psychology, to Africana Studies, to Piano, to Photography, to Spanish, and finally to Marketing. By the end of 4.5 years, I managed to walk away with a degree in Business Administration: Entrepreneurship.

After graduation I spent a year living abroad before deciding to return to pursue my master's degree. I had just decided upon studying public administration when cybersecurity caught my attention during the new-student orientation. The thought of a cyber war between the black hats versus white hats was intriguing enough to pull my interest away from red tape and bureaucracy. After all, my recent retirement as a track and field sprinter had left my competitive spirit feeling a bit malnourished. What began as an interest quickly transformed into an appetite for more knowledge. Although I did not come from a traditional computer science background, my competitive spirit and passion for knowledge propelled me to learn more about security and technology.

Shortly afterwards, I joined the CyberCorps: Scholarship for Service [1] (SFS) program as a supplement to my public administration degree. Finding a program that provided mentorship and aligned with my objectives was paramount to establishing a strong foundation in cybersecurity. The SFS program in particular provided mentorship in academic coursework, extracurricular activities, student teaching, and internships as they related to cybersecurity and the public sector.

Within time, I began following several security associations, namely (ISC)², ISSA, and ISACA, to stay abreast with current news and events. I joined several local community groups to expose myself as much as possible. My involvement with communities outside of the academia helped me cultivate new relationships with professionals and experienced hobbyists.

Additionally, I tracked down a calendar of security conferences to see which of them I could benefit from attending. DefCon 23 left a memorable impression of what it means to live in constant paranoia that the stranger sitting next to you is inconspicuously trying to capture data from your cellphone, laptop, or wallet (I will forever hold a heart-throbbing, adrenaline-rushing soft spot in my heart for you, DefCon). Furthermore, attending the National Science Foundation (NSF) Cyber Security Summit [2] was monumental in helping me transition from a non-techie to techie-in-training.

Attending the NSF Cyber Security Summit dramatically changed my mind-set by allowing me to interact with leaders in information security. When they inquired about my personal career goals, I realized the error of my ways: I admitted to them that I had limited technical skills, and as a result I would better serve management or policy. In the back of my mind, however, I was looking to get my hands a little more dirty; the challenge of learning something new and exploring technology was what had attracted me to the field, but yet, I was referring to my management background out of fear of looking incompetent. Fortunately, the speakers I met offered me guidance that helped to broaden my perspective. Susan Ramsey, from the University Corporation for Atmospheric Research, assured me that there was still time for me to explore new interests. She encouraged me to stay focused, and whatever I aspired to do would become a reality with determination and time. This brief exchange of dialogue was critical in helping me realize that industry leaders did not

1 https://www.sfs.opm.gov.
2 Center for Trustworthy Scientific Cyberinfrastructure http://trustedci.org.


succumb to limiting beliefs; perhaps they had already gotten over them or they never had them to begin with; either way, I understood that if I wanted to grow, I would have to reprogram my way of thinking.

As a student, I offer a perspective of someone who has merely begun studying information security. I find it important to divulge my experiences thus far to inspire those who are interested in transitioning from a non-tech to tech background. I cannot promise it will be an easy transition, but I believe it will be rewarding for those who commit to it. When facing any lingering doubts, my remedy has been to return to a child-like state where curiosity is foremost and possibilities are unlimited. I advise all new techies to explore whatever topics interest them. It is important that the questions you ask are not geared towards seeking validation or permission to pursue ("Should I? Can I? Do you think I?"). Instead, questions should be indicative of a mind already made up, with a simple inquiry of "Where do I get started?"

About the Author

Dora Baldwin is a graduate student of California State University, San Bernardino, where she is pursuing her Master's of Public Administration with an emphasis in cybersecurity. She is a recipient of the CyberCorps: Scholarship for Service, which is an academic program funded by the National Science Foundation and co-sponsored by the Department of Homeland Security. After graduation, she aspires to work in the public sector and specialize in network and computer systems security. She may be reached at baldwindora@gmail.com.

Outside Looking In

By Roza Winston, ISSA member, Central Ohio Chapter

This is an article detailing the journey of a willing but inexperienced and unskilled worker attempting to break into the infosec field.

"The road of life twists and turns and no two directions are ever the same. Yet, our lessons come from the journey, not the destination." Don Williams, Jr.

Career paths are but journeys, mostly direct ones (i.e., with the exception of information security, which heretofore was not a linear path, but one of winding and unfolding byways). Ask any chief information security officer or any over-worked infosec practitioner and you will find this to be true: most arrived in this profession via allied or indirect channels. Some

evolved, formal curricula sprang up to train the masses of aspiring "cyber warriors," as they have been dubbed by higher ed. Where once those interested in pursuing this field only found computer science programs, now interested parties can find specialized degrees in cybersecurity/information security/cyber defense in a number of universities. Here in Ohio alone there are a number of accredited four-year universities offering bachelor's and master's degrees in information security: Franklin University in Columbus, Ohio; Wright State in Dayton; and Tiffin University in Tiffin, Ohio, no less! Some may argue the merit of such programs, for they liken the curricula to be more akin to trade school fare; yet, such grumblings do not account for the non-traditional student who might be changing careers, or the accredited liberal arts program incorporating the traditional core of requirements: humanities, physical and social sciences, composition, and the like. Gratefully these programs proliferate, and logically so, if the gap between supply and demand is to be remedied.

Short of formal education, someone interested in information security, but either unable or uninterested in pursuing higher education, can still amass quite a bit of knowledge, if not experience, from an abundance of alternative sources: professional associations, MOOCS, podcasts, vendors' webcasts, industry journals, white papers, government and consumer websites, think tanks such as the Brookings Institute [3] and Pew Research [4], YouTube channels, blogs, and the websites of educational organizations and institutions.

My own introduction to this field and subsequent quest for knowledge began one day while listening to an NPR show broadcasting daily out of the American University called the Kojo Nnamdi Show [5], which is a two-hour magazine show featuring news, politics, and social issues. Yet, it was his lively Tech Tuesday program, which he hosts on the first Tuesday of the month, that grabbed my attention. Like many workers in sedentary occupations looking for an opportunity to break up the monotony, I happened upon this show quite unexpectedly and found it not only informative, but entertaining as well. With his regular panel of guests from the surrounding area (Chief Futurist Allison Druin from the University of Maryland; hardware and software consultant Bill Harlow from Mid Atlantic Consulting; and John Gilroy, Director of Marketing and Business Development at BLT Global Ventures) exploring the myriad ways that technology touches every aspect of lives, they take what can be a dull topic and often turn it into shtick, making for a truly engaging show. This show whetted my appetite for information on this fascinating field of information security and acted as the launching pad for further exploration.

Once sparked, my curiosity led me on a unique journey where I would pick up, sort out, and assemble bits and often
were industrial engineers or communications specialist, oth- bytes (had to include that pun) of information from varied
ers occupied various technology slots, and most learned on
the job.
3 www.Brookings.edu.
That, however, is no longer the case. As the field of infor- 4 www.pewresearch.org.
mation security matured, and regulations and standards 5 https://thekojonnamdishow.org.

October 2015 | ISSA Journal 35


Career Paths: How I Got Here | Ashley Schwartau, Dora Baldwin, and Roza Winston

sources: at the SANS Institutes website6 I learned of the 20 tems (threat landscape) and the varied means by which they
Critical Security Controls and worked to memorize as many do so (threat vectors), but of greater importance I learned the
as I could. I downloaded security policies and procedures as precautions that I could take, and teach others in my circle to
a blueprint for any that I might find myself drafting, comb- take, to prevent, or at least lessen the chance of, a breach to my
ing through their white papers and vendor webcasts. I culled personal network and of the enterprise system where I work.
information about intrusion detections systems such as Snort Formal training, though decidedly important to human re-
and discovered how SEIMs are designed to work. At the US source departments at major corporations and perhaps a ne-
Cert website,7 I read security bulletins and signed up for cessity for a comprehensive understanding of the field, need
alerts, and at a related government website, OnGuard On- not be the only avenue toward gaining entry into this field. As
line,8 I learned the definition of malware, how to secure my has been demonstrated here, there are untold channels from
computer, and other cyber safety tips together with the im- which to gain training. With a bit of ingenuity and fortitude
portance of doing so. The National Institute of Standards and individuals desiring to do so can build a considerable body
Technology 9 site offered best practices and information relat- of knowledge in the field, which they can then use to gain a
ing to efforts to improve critical infrastructure. The Brook- foothold in the door; perhaps not at large established corpo-
ings Institute10 offered up panel discussions on information rations, but given the severe shortage of skilled workers and
security. Open Web Application Security Project11 (OWASP), the projection of an ever-widening gap in talentas set forth
Build Security In,12 and the Software Engineering Institute at in the 2015 (ISC)2 Global Information Security Workforce
Carnegie Mellon University13 all provided training and infor- Study released by Frost & Sullivan, stating that globally it
mation on secure programming and software assurance. Def- is expected that the information security workforce short-
Con placed videos of their conference on YouTube for view- age will reach 1.5 million in five years19surely such an
ers to learn about forensic detection strategies such as RAM individual can either find or create an opportunity for one-
analysis, and I learned of something called RAM Scraping. self as a consultant, a contractor to very small businesses, a
Eli the Computer Guy14 and Professor Messers15 YouTube security software salesperson, or by partnering with a start-
channels expanded my knowledge on application ports and up, or interning with a managed services company, and/or,
protocols and exfiltration techniques like keylogging. Blog- alas, volunteering with a non-profit or social service agency
gers and journalists at Dark Reading16 discussed the latest to gain experience. These opportunities abound. My own
threats and merits of various breach remedies. A number of such experience to date has been limited to participation in
states placed their training videos online, most notably those a few programming projects geared toward children in mid-
geared toward Attorney Generals. MOOCS, such as those at dle school, which is an annual event organized by one of the
Coursera,17 offered free online learning in disciplines such as professional associations to which I belong; the other two in-
risk management, information security, programming, cryp- stances have been with a small podiatry office that needed ev-
tography, etc.. Finally, ISSA Central Ohio Chapter,18 in its of- erything from written policies to a vulnerability assessment
fering of certification classes, provided detailed learning on and a small communications/tech company.
each of the ten domains of information security, combined
with monthly meetings and an annual summit that treats My paralegal background, combined with the former expe-
each topic in depth. Representatives from each modality rience of working under directors in the heavily-regulated
train, teach, and speak at these events and freely post infor- medical industry, served me well in these circumstances and
mation at their social media sites as well. underscores the idea that by bringing together past work ex-
perience, particularly if that experience has been in an allied
I could elaborate more about the enormous about of free profession, with newfound knowledge, the aspiring infosec
training and education online, in certification books and practitioner can launch a career in cybersecurity, keeping in
classes, and at seminars and workshops, but I have already mind that technology is no panacea, that information securi-
provided enough of a cross sampling for you to get the pic- ty is holistic in nature and requires a myriad of approaches as
ture. At each venue, I learned of shady characters (threat ac- well as ongoing training.
tors) looking to exploit vulnerabilities in networks and sys-
Chiefly what I have learned is that the more I learn, the more
there is to know and there are new discoveries and adventures
6 https://www.sans.org/. around the corner.
7 https://www.us-cert.gov/.
8 https://www.onguardonline.gov/.
About the Author
9 http://www.nist.gov/.
10 http://www.brookings.edu/.
A former paralegal and administrative assis-
11 https://www.owasp.org. tant (an end user personified), Rosa Winston
12 https://buildsecurityin.us-cert.gov/. is an aspiring infosec practitioner. She may be
13 http://www.sei.cmu.edu/. reached at rzw122@gmail.com.
14 https://www.youtube.com/user/elithecomputerguy.
15 https://www.youtube.com/user/professormesser.
16 http://www.darkreading.com/. 19 Frost and Sullivan, The 2015 (ISC)2 Global Information Security Workforce Study.
Mountain View, CA: Booz Allen Hamilton, 2015 https://www.isc2cares.org/
17 https://www.coursera.org/. uploadedFiles/wwwisc2caresorg/Content/GISWS/FrostSullivan-(ISC)-Global-
18 http://www.centralohioissa.org/. Information-Security-Workforce-Study-2015.pdf.

36 ISSA Journal | October 2015
