Are Women the Answer to the Cybersecurity Skills Gap?

Information security is one of the most important and fastest growing professions in the world, possessing a near-zero unemployment rate but also a worker shortfall that grows larger every year. Most organisations admit that bridging the industry’s skills gap while attracting women into cybersecurity is crucial; yet female participation has remained static since I began working with our Global Information Security Workforce Study programme in 2004.

When we first began benchmarking the development of the cybersecurity workforce, analysts projected double-digit growth that has since been realised. Today we forecast a skills gap projected to reach a shortage of 1.8 million by 2022. The obvious implication is that the trend can’t be explained by a lack of available jobs: hiring managers participating in the study admit that they struggle for as long as six months to fill positions.

Additionally, new research from (ISC)²’s charitable arm, the Center for Cyber Safety and Education™, found that women comprised only 8% of the UK’s information security workforce – a number that has been stagnant since 2013. The study also suggested that initiatives to attract women aren’t proactive enough, or that the profession isn’t as committed to building a balanced and sustainable workforce as it claims to be.

But if the number of women in information security were to double, it would fill the anticipated workforce gap. The clear need for talent makes the apparent lack of progress on this front baffling.

Join the conversation as industry leaders discuss why we struggle to attract more women into information security

Next month, a global panel of industry thought leaders from the USA, Australia and the UK will each bring their unique perspectives to the table while exploring and debating the recent findings from our Global Information Security Workforce Study, as well as discussing concrete steps toward closing the imminent cybersecurity workforce gap.

The Frost & Sullivan webinar Women in Cyber: Why Can’t We Attract Them? will feature leading information security experts, including Jarad Carleton (Principal Consultant – Digital Transformation Practice, Frost & Sullivan), Richard Horne (Partner – Cyber Security, PwC UK), Professor Jill Slay (Director – ACCS, UNSW Canberra), Lynn Terwoerds (Executive Director, Executive Women’s Forum) and Vicki Gavin (Head of Business Continuity, Information Security and Data Privacy, The Economist Group), who will examine many of the issues faced by the sector and by women, including equality challenges for women in the profession. They will also put forward proposed recommendations that endeavour to offer equal opportunities for all professionals, such as compulsory quantitative key performance indicators to bring about a gender-balanced workforce.

Only by developing the profile of our workforce will we be able to attain a truer reflection of talent and fulfil the needs of our digital society. It will be interesting to see whether companies answer the call for progress within the industry, as well as to hear the experts’ take on how this can be achieved.

Lyndsay Turley
Head of Comms & Public Affairs, (ISC)² EMEA


Webinar details: Women in Cyber: Why Can’t We Attract Them?

A Global Information Security Workforce Study debate

Wednesday, 3rd May 2017 – 1:00 PM BST / 8:00 AM EDT

To submit a question that will be answered live during the briefing, please email: Gil_Briefings@frost.com.

Register for this event and follow us on Facebook and Twitter.

[(ISC)² Blog]

Help ISACA Mark its 50th Year, Look Toward the Next 50

Planning is well underway to lead into ISACA’s 50th year in 2019, mark the anniversary, and carry momentum forward into the next decade and beyond. From outreach nearly a year ago to ISACA’s past presidents (an early tap of their ideas and insights) to anniversary footings now in place, importance, inclusivity, curiosity and enthusiasm characterize efforts to date.

And today is an important date, as ISACA debuts one of those footings, a digital one at that. The first phase of our anniversary microsite, www.ISACA50.org, is up and running. The site will serve as a hub for stories, to gather and share history, for celebration toolkits, to post anniversary news and updates from around the globe, and to predict our future. It will lead the way to bring our anniversary theme to life:

Honor Our Past. Innovate Our Future.

As you read this, the site is having its first show-and-tell during the ISACA Regional Leadership Conference, beginning today in Las Vegas. The site, and the celebration underway and to come, is theirs, yours, ours. It has taken a collective effort to reach such a proud milestone, so it is only natural that the global ISACA community enjoys the celebration together: ISACA50.org is just the start. We encourage you to share your story of what ISACA means to you, as well as any images, videos or other materials, whether related to ISACA or the professions we serve, that will help enhance anniversary programming.

The anniversary logo is featured prominently on ISACA50.org. There is meaning to its design, and we hope you sense its energy. The concentric circles in the “50” represent the perpetual motion and innovation that have been hallmarks of ISACA’s past and present, and that will be even more prominent going forward. Fittingly for a future-minded tech organization such as ISACA, envisioning and embracing the possibilities of the next 50 years will be a rallying point of our celebration.

Beyond the web portal, there are many other in-progress plans to commemorate this demarcation of the past and future. Another foundational element is an immersive, innovatively designed event exhibit. Preliminary concepts feature interactive, responsive technologies to illustrate history, ISACA contributions and milestones, people and impact, and a central “Future Visions” booth to capture and enhance visitor experiences and aspirations: for themselves, for ISACA, for our industry and for the world.

A third and just as essential early anniversary element consists of plans, creative programs and packaged toolkits to prompt celebrations of all shapes, sizes and durations by and for ISACA chapters, volunteers, leaders, members and engaged professionals the world over. The anniversary provides a clarion call, as ONE global community, to deliver ISACA’s Purpose and Promise:

  • Help you realize the positive potential of technology
  • Inspire confidence that enables innovation through technology

Indeed, you will see, hear and feel the impact of Purpose and Promise as we honor, and as we innovate over the course of our anniversary years.

ISACA has an incredible story to tell. Consider the seismic shifts in technology that have unfolded since 1969, when a small group of individuals in the Los Angeles area formed the EDP Auditors Association, which eventually became ISACA. For the past five decades, ISACA has been at the forefront of helping professionals and their enterprises navigate the fast-moving technology landscape. Our ability to do so for the next 50 years is even more imperative given the scale of global digital disruption we’re experiencing.

This is a special time for ISACA. Our global professional community — growing each year in number and impact — will honor our past and innovate our future together. It will be a fun, enlightening and rewarding celebration.

Stay tuned – there will be much more to share, know and do in the coming months and years. It is time to Honor Our Past. Innovate Our Future. A first visit to www.ISACA50.org is a great place to start!

[ISACA Now Blog]

Faces of ISACA: Maria Divina C. Gregorio, CISA, CRISC, PCI-ISA, PCIP, internal audit manager, VSP Global

Editor’s note: The ISACA Now series titled “Faces of ISACA” highlights the contributions of ISACA members to our global professional community, as well as providing a sense of their lives outside of work. Today, we spotlight Maria Divina C. Gregorio, CISA, CRISC, PCI-ISA, PCIP, internal audit manager, VSP Global, a US resident from the state of California.

ISACA Now: What motivated you to pursue a career in audit?
I chose a career in audit because it allows me to have a comprehensive understanding of and exposure to all facets of the business. I am able to use my knowledge, analytical techniques and people skills to effectively contribute to the betterment of the organization. I was also influenced by a mentor early in my career who encouraged me to explore opportunities in this field and introduced me to ISACA’s CISA certification.

ISACA Now: How do you see technological advancements having the greatest impact on audit in the next 3-5 years?
I believe that technological advancements have and will pave the way for more efficient, more effective and more economical audits.

ISACA Now: What are a few professional achievements of which you’ve been most proud?
I am proud to have achieved my CISA, CRISC, PCI-ISA and PCIP certifications. They allowed me to lead highly impactful audits that resulted in major cost savings to the organization. I am very proud to have authored our cyber crisis management plan, and I am now leading the global business continuity initiative in my organization.

ISACA Now: How long have you been an ISACA member, and what has that added to your professional development?
I have been a member of ISACA since October 2005 – 12 years! I believe that the benefits derived from my ISACA and other professional association membership, certifications, active participation in my local chapter, passion toward my profession and continued quest to educate myself have been a great formula for my professional development.

ISACA Now: You’ve been active in Habitat for Humanity – what have you taken from that experience?
I’ve always been guided by a personal commitment to leave this place a little better than I found it. I believe that serving with Habitat is my small contribution to that commitment.

ISACA Now: What is the most fun aspect of living in California?
Do I feel like having an authentic dim sum breakfast in San Francisco this morning, then heading to a Napa vineyard for lunch and some wine? Or how about some honest-to-goodness mole in the Mission, then heading to the beach and gazing at migrating whales in Bodega Bay? Or maybe picking up my skis and hitting the slopes at South Lake Tahoe, or lounging in a houseboat on Shasta Lake? As you can see, there is something for everyone in California. I feel very blessed to have these choices – all within hours of each other!

ISACA Now: What are some of your favorite things to do outside work?
I read; go on hikes with my dog; tend my organic garden; feed the ducks, peacocks (yes, we have them “wild” around my neighborhood) and turkeys; swim; work out; and have lunch dates with my mom.

[ISACA Now Blog]

H-1B Visas Critical to Address Cybersecurity Professional Shortfall

Based on the findings of the 2017 Global Information Security Workforce Study, the world will face a deficit of 1.8 million information security professionals by 2022. With headlines dominated by breaches and cyber threats, we at (ISC)² need to be a strong voice and advocate for the global cybersecurity workforce.

It is for this reason that I sent a letter to White House Chief of Staff Reince Priebus, on behalf of the (ISC)² organization and our members across the globe, to provide feedback on President Trump’s Executive Order, which directed the Department of Homeland Security to review how it issues H-1B visas.

Even after giving U.S. citizens priority consideration for open cybersecurity positions, we will still face a substantial talent shortfall, which can be mitigated with an H-1B visa program that helps bring skilled and trained workers from other countries to fill these roles.

(ISC)² suggests our Certified Information Systems Security Professional (CISSP) certification as one way to verify cybersecurity professionals for H-1B visas. The CISSP was the first credential in the field of information security to meet the stringent requirements of ISO/IEC Standard 17024, and is also Department of Defense 8140/8570 approved. Professionals with the CISSP have proven their knowledge and experience in the field. Our members also must abide by a standard code of ethics, which includes the following canon: “protect society, the common good, necessary public trust and confidence and the infrastructure.”

We do not want to prevent talented cybersecurity professionals, such as our global members, from offering their expertise to benefit the U.S. economy.

I recently testified before a Subcommittee on Information Technology on ways that the United States can improve the federal IT workforce. We also provided recommendations to the Trump administration on how to improve the current status of the federal cybersecurity workforce. Drawing on the expertise and experience of our membership, these recommendations were created following our 2016 federal CISO forum, which included members of the (ISC)² U.S. Government Advisory Council (USGAC) and other federal CISOs and executives who participated in discussions surrounding these critical considerations.

(ISC)² hopes to establish a constructive dialogue with the Trump administration as they strengthen cybersecurity for our country.

Dan Waddell, CISSP, CAP, PMP
Regional Managing Director, North America Region, (ISC)²

[(ISC)² Blog]

Tracking Members’ Progress with GDPR: Europe’s New Data Protection Regulation


The (ISC)² EMEA Advisory Council is turning to its professional membership to measure the readiness of organizations and security departments for the General Data Protection Regulation (GDPR) and to highlight the challenges they are facing in the effort to become compliant by May 2018. We are doing this by bringing people who are actively working on implementation projects together, both on monthly international calls and, as of this month, in face-to-face workshops hosted at (ISC)²’s new two-day Secure Summits, five of which are being held across the EMEA region this year. The first such workshop staged a series of round table discussions at our Secure Benelux Summit in Amsterdam, gathering over 120 information and cybersecurity professionals from various industries. Another is set for Stockholm at the end of May, and we’ll be in Zurich at the end of June.

Through this effort, we are helping our members recognise expectations and requirements that they hadn’t anticipated. In January, for example, we raised the alarm around the lack of engagement and support from the business units, which hold the key to assessing how and why personal data is collected, how it is processed and used, and therefore how much effort should be made to ensure the company can continue to work with it. Lack of engagement continues to be a challenge, with many of our Summit workshop participants reporting that they are still working to motivate the stakeholders needed across various functions. Unfortunately, the work continues to be the domain of a few, as most employees and their managers have yet to understand that GDPR is a task for everybody.

Work is progressing on the development of policies: legal departments are active in the review of contract clauses, and plans are being made to communicate privacy notices to individuals. But there remain many practical gaps and a level of detail that many in the room admitted they had not yet considered. One example was employee awareness and the need to manage employees’ downloading of data onto laptops. It was clear that training would be required, but the scope of such training has yet to be defined. In considering the need for an inventory of the personal data held, some very basic questions are still being asked, such as: How can you know when the task is complete?

There are also numerous uncertainties arising as requirements are translated into the processes needed for implementation. Discussions covered whether companies could rely on consent gathered decades ago, should a record of it be found. Participants were unclear as to whether privacy notices would have to be given in local languages or in all EU languages. To challenge things further, the role of the Data Protection Officer and the parameters for conducting Data Protection Impact Assessments have not yet been fully defined by the EU Committee (Article 29 Working Group) working with and providing guidance to member states. And, as is currently the case for security practice in general, companies will continue to be challenged to gain the control needed over legacy systems and shadow IT to assure compliance. This is expected, for example, to frustrate the effort to document a process and efficiently fulfil data subject access requests, a new individual right that will come into force.

Overall, with just over a year to go to the compliance deadline, organizations remain in discovery mode. Plans are being put in place, but we are still developing our understanding of the scope of the task ahead and of our engagement with the organization. To address this concern, the EAC GDPR Task Force has worked with members’ input to define 12 Areas of Activity and their key supporting tasks, as well as some of the tips they shared for implementation. They can be tackled simultaneously, are easy to understand, and, importantly, communicate clearly to the people who will be responsible for achieving them:

  1. Stakeholder support: board and business units
  2. Inventory of the personal information you hold
  3. Privacy notice and information
  4. Individuals’ rights
  5. Data subjects’ access requests
  6. Data Protection Impact Assessments
  7. Consent
  8. Children
  9. Personal Data Breaches
  10. Security of data processing and Data Protection by Design
  11. Data Protection Governance
  12. International Data Transfers

We will continue to share what we learn about members’ experience at upcoming events as we progress. Workshops will be held at all the (ISC)² Secure Summits in the EMEA region this year, and an overview will be shared in the Strategy Theatre at Infosecurity Europe on June 8th. Join us if you can and let us know how you are getting along.

Yves Le Roux, Co-Chair (ISC)² EMEA Advisory Council (EAC) and Chair of its GDPR Task Force.

[(ISC)² Blog]
