THE BIGGEST THREAT TO THE U.S. DIGITAL INFRASTRUCTURE: THE CYBER SECURITY WORKFORCE SUPPLY CHAIN Aleta Wilson, Ph.D. Amjad Ali, Ph.D. 1
Jan 14, 2015
THE BIGGEST THREAT TO THE U.S. DIGITAL INFRASTRUCTURE: THE CYBER SECURITY WORKFORCE SUPPLY CHAIN
Aleta Wilson, Ph.D.
Amjad Ali, Ph.D.
1
Overview
• Study examines supply and demand for cybersecurity professionals
• Progress impeded by lack of career field for cybersecurity professionals
The Obama administration has declared that Protection of our digital infrastructure is a
national security priority
2
Scope
• This study explores activities required to employ cyber security workers for the – federal government and– its contractor community
• These two sectors comprise an estimated 500,000 workers– who must undergo a significant background
check because– positions are considered as "national security
positions".3
Scope and Methodology (cont)
• Second focus of study is university level education and certifications
- - - - - - - -Methodology
View the cyber workforce through the prism of a supply chain
In other words.... How to optimize the supply chain to increase production
4
Definition of a Cyber Security Professional
5
Definition of a Cyber Security Professional - DOL
• DOL Occupational Outlook Handbook does not contain a definition for cybersecurity professionals
• DOL categories acknowledge positions that involve people who– plan, coordinate, and maintain an organization's
information security– database administrators plan and coordinate security
measures with network administrators – network engineers "may ... address information security
issues”
6
Definition of a Cyber Security Professional - DHS
• Department of Homeland Security Secretary Janet Napolitano defines Cybersecurity professionals as – employees responsible for "... cyber risk and
strategic analysis; cyber incident response; vulnerability detection and assessment; intelligence and investigation; and network and systems engineering“
7
Definition of a Cyber Security Professional – ISC2
– Frost & Sullivan conducted a survey of 10,413 information security professionals which indirectly defined security professionals as those • employed as Information Security
professionals and • those who had cyber security as their
primary job function.
8
Definition of a Cyber Security Professional – DOD
DOD usually takes the lead in defining elements related to cyberspace and cybersecurity, but according to GAO
"DOD has defined some key cyber-related terms but it has not yet fully identified the specific types of operations and program elements that are associated with full-spectrum cyberspace operations"
9
Definition of a Cyber Security Professional – Monster.com
• What does the largest job site call them– Network engineers– System Administrators– IT Security Engineers– IT Security Analysts– Network Administrators
10
But where are the web designers;
policy folk; SW
engineers; etc.
etc.
Definition of a Cyber Security Professional – for this study
• Professionals who have information security as a major part of their job;
• those who self-identify as cyber or security specialists; and,
• those who build and maintain the national critical infrastructure of the computer systems on which the public and private sectors have come to rely.
11
Now that we’ve defined them….
How do they get to the workplace….
12
Supply Chain Management (SCM)
• Viewing the shortage of cybersecurity workers through SCM– SCM attacks problem of uncertainty
head-on• SCM solves two core resource problems
–Shortages and excesses– Identifies where the chain is broken
13
14
Supply Chain Management (SCM)
K to 12
•STEM
•Science
Engineering
•Technology
Math
Higher Ed
•Higher Education•Centers
of Excellence
•Other Higher Ed Institutions
Professional Certifications
•Non- Higher Education Certifiers•Certifying
CISSP (ISC2)
•GSEC•CompTIA
Security+ Certification
•Vendor certifications
Shortage
Dilution
Need
S.T.E.M. (K to 12)
• Public private partnership will invest $260M between 2009 and 2019 (like race to space)
• Growth in STEM jobs is 3X non-STEM jobs
15
University Level Education
• NSA is Certifying Universities, Colleges, and now Community Colleges
• 124 NCA’s (as of 2010)– 14 are 2-year institutions
– 2 are 4-year institutions
– 51 are research institutions
– Some fall into more than one category
16
Certifications
• Certifications can come from
• Universities $$$$ /• Value is unkown
• Private sector $$ /
• Highly prized
17
Highly recognized certificates
18
Certifications – Highly RecognizedORGANIZATIONS AND THEIR CERTIFICATE OFFERINGS
CERTIFYING ORGANIZATION
CERTIFICATION
CERT CSIH
CompTIA Security+
Cisco Systems CCNA Security; CCSP; CCIE Security
EC-Council ENSA; CEH; CHFI; ECSA; LPT; CNDA; ECIH; ECSS; ECVP; EDRP; ECSP; ESCO
GIAC GSIF; GSEC; GCFW; GCIA; GCIH; GCUX; GCWN; GCED; GPEN; GWAPT; GAWN; GISP; GLSC; GCPM; GLEG; G7799; GSSP-NET; GSSP-JAVA; GCFE; GCFA; GREM; GSE
ISAC CISA; CISM; CGEIT; CRISC
(ISC)2 SSCP; CAP; CSSLP; CISSP; ISSAP; ISSEP; ISSMP
ISECOM OPST; OPSA; OPSE; OWSE; CTA
Microsoft MCSE, MCSA
Indication individual is improving herself.
What’s the Problem
• STEM will not produce for 10 years and then those high schooler’s have to go to college
• University pipeline is waiting for STEM graduates to enter
• Universities are not graduating enough cyber specialists
• University certificates are new and general• too soon to determine value
19
So What
• US has discovered it is behind the curve in the production of S.T.E.M graduates
• S.T.E.M skills are needed for cybersecurity workforce
• War has expanded beyond nation states to organizations like Wikileaks
• Warfare is expanding into cyberspace and we do not have war fighters
20
So What (cont)
• Focusing on S.T.E.M in K-12 is critical to US economy
• The field of cybersecurity is being developed in pieces• NIST, Microsoft, Cisco, & NSA are each
• Designing standards models, processes, certifications, and methodologies for the field and many of them overlap
21
Conclusion
• The US government must take immediate steps to coordinate the development of the cybersecurity field
• The US should task the National Security Agency to take the lead
• Once the field is defined– There will be sub-specialties– There will be a roadmap for obtaining proficiency (like doctors &
lawyers)– There will be standardized tests– Estimates on workforce needs can more accurately be determined
– Training and certifications can be organized and synchronized
22
23
Questions and Answers
NSA designated National Center of Academic Excellence in Information Assurance Education