Part 6: Taking Control of the Stick

Part 6: Taking Control of the Stick

One cold — but rarely addressed — reality of Information Security is the “institutional attack vector.” Practitioners are battling against attackers from around the globe, from private individuals to state sponsored teams. They also battle against the basic insecure foundation of Internet protocols and personal computer operating systems. Add to that list poor programming techniques and the ever-dissolving edge of what they have to protect. However, there is another battle just as difficult and just as removed from their sphere of authority: the very business they are endeavoring to protect.

Information Security practitioners often face the challenge of battling the business. These battles take the form of coping with simple policies to facing complex issues like BYOD and compliancy. It’s rare for the business and the security office to be partners, because the security office is not observed at the board level.

Likewise, the security office is often not thinking at the board level, but happily isolated in the technology. In such cases the Information Security Office is not business enabling but business adverse, further isolating its participation and influence.

The question becomes, how would professionalizing this field help drive solutions?

A recently released report, "Professionalizing the Nation's Cybersecurity Workforce? Criteria for Decisionmaking," by the National Research Council (2013), concluded that cybersecurity is still too new to professionalize standards for its practitioners. The National Research Council’s arguments against professionalizing fall into three categories. In the first category, the council’s claim is that the knowledge, skills, and abilities required of the cybersecurity workforce are so dynamic that one cannot effectively establish a baseline for professionalization. Next, they claim that the knowledge and competencies required by the cybersecurity workforce are too broad and diverse to enable professionalization. Lastly, they state that at a time where demand for cybersecurity workers far exceeds supply, professionalization would create additional barriers to entry.

The questions, if observed with a historical context, might find parallel associations in other nascent times when disruptive technologies emerged. The American Medical Association (AMA) was founded in 1847 to address one of the very same issues: a lack of professionalization in the medical field. During the early nineteenth century, the major concern was a medical profession increasingly overrun with self-taught practitioners, only some of who knew what they were doing. Risk to the public was simply too great to bear, and a movement began to minimize “self-taught practitioners” and professionalize the industry.

The AMA accelerated the professionalization of medicine and the establishment of minimum standards in medical training, education and apprenticeship requirements to gain entry to the profession. The same could and should be done in the Information Security field with a similar cybersecurity national body and professional associations.

The Department of Homeland Security released a recent paper entitled, “The Path towards Cybersecurity Professionalization: Insights from Other Occupations” (2014). The paper makes a comparison of the similarities between the professions of Aviation and Cybersecurity. The aviation industry has a number of categories of pilot that include student, sport, recreational, private, commercial and airline transport. All levels require different training and licensing.

In contrast, the National Research Council in its report, “Professionalizing the Nation’s Cybersecurity Workforce? Criteria for Decision-making” (2013) stated that cybersecurity is still too new a field in which to introduce professionalization standards for its practitioners. Yet a similar break down of “pilots” for cybersecurity has already occurred from the National Initiative for Cybersecurity Careers and Studies (NICCS) with the National Cybersecurity Workforce Framework 2.0 (NCWF). The framework assembles similar types of cybersecurity work into seven broad areas of practice - securely provision, operate / maintain, protect / defend, investigate, collect / operate, analyze and oversight / development.

Francesca Spidalieri and Sean Kern, in an excellent paper titled, “Professionalizing Cybersecurity: A path to universal standards and status” from the Pell Center (2014), noted that the American Board of Medical Specialties has 24 general certificates and 125 subspecialty certificates. In terms of depth and breadth, Information Security does not appear to be any more complex than other professionalized occupations.

The National Research Council report against professionalizing went on to state that the knowledge, skills, and abilities required of the cybersecurity workforce are so dynamic that one cannot effectively establish a baseline for professionalization. A counterargument seems clear: in such dynamic times, an expectation of coalescing direction and business alignment from such chaos is highly unlikely.

Francesca Spidalieri and Sean Kern’s paper provides guidance to help professionalize the cybersecurity workforce following the traditional model of professionalization as represented by the medical profession and suggests a number of broad steps.

  1. Create a nationally recognized, regulatory body to serve as a clearinghouse for the cyber-security profession, similar to the AMA in the medical field.
  2. Establish member professional associations for each specialty.
  3. With these in place, develop a common body of knowledge (CBK) for each specialty. These bodies will then establish and maintain rigorous standards of training and education along with establishing certification/licensing requirements.
  4. To complete the training and certification an establishment of apprenticeships and residency requirements in each specialty will be developed.
  5. Finally, establish a standard code of ethics.

About the Author

Martin Zinaich is the information security officer for the City of Tampa’s Technology and Innovation department. The insights in this article were shared at a Wisegate member event, where senior IT professionals discussed these pressing security issues.

Featured

  • Allegion, Comfort Technologies Implement Mobile Credentials at the Artisan Apartment Homes in Florida

    Artisan Apartment Homes, a luxury apartment complex in Dunedin, Florida, recently transitioned from mechanical keys to electronic locks and centralized system software with support from Allegion US, a leading provider of security solutions, technology and services, and Florida-based Comfort Technologies, which specializes in deploying multifamily access control, IoT devices and software management solutions. Read Now

  • Mall of America Deploys AI-Powered Analytics to Enhance Parking Intelligence

    Mall of America®, the largest shopping and entertainment complex in North America, announced an expansion of its ongoing partnership with Axis Communications to deploy cutting-edge car-counting video analytics across more than a dozen locations. With this expansion, Mall of America (MOA) has boosted operational efficiency, improved safety and security, and enabled more informed decision-making around employee scheduling and streamlining transportation for large events. Read Now

  • Security Industry Association Launches New “askSIA” AI Tool

    The Security Industry Association (SIA) has unveiled a brand-new SIA member benefit – askSIA, a conversational AI agent designed to help users get the most out of their SIA membership, easily access SIA resources and find the latest information on SIA’s training and courses, reports and publications, events, certification offerings and more. SIA members can easily find askSIA by visiting the SIA homepage or looking for the askSIA icon in the top left of webpages. Read Now

    • Industry Events
  • Industry Embraces Mobile Access, Biometrics and AI

    A combination of evolving workplace dynamics, technology innovation and new user expectations is changing how people enter and interact with physical spaces. Access control is at the heart of these changes. Combined with biometrics and AI, mobile access control has become increasingly crucial for deploying entry solutions that are seamless, secure and adaptive to user needs. Read Now

  • Sustainable Video Solution Delivered for Landmark City of London Office Development

    An advanced, end-to-end video solution from IDIS, with a focus on reducing waste and costs, has helped a major office development in the City of London align its security with sustainability objectives. Read Now

New Products

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.