Transcript
Page 1: Cyber Security Professionals Viewed via Supply Chain

THE BIGGEST THREAT TO THE U.S. DIGITAL INFRASTRUCTURE: THE CYBER SECURITY WORKFORCE SUPPLY CHAIN

Aleta Wilson, Ph.D.

Amjad Ali, Ph.D.


Page 2: Cyber Security Professionals Viewed via Supply Chain

Overview

• Study examines supply and demand for cybersecurity professionals

• Progress impeded by lack of career field for cybersecurity professionals

The Obama administration has declared that protection of our digital infrastructure is a national security priority

Page 3: Cyber Security Professionals Viewed via Supply Chain

Scope

• This study explores activities required to employ cyber security workers for the
  – federal government and
  – its contractor community

• These two sectors comprise an estimated 500,000 workers
  – who must undergo a significant background check because
  – positions are considered as "national security positions".

Page 4: Cyber Security Professionals Viewed via Supply Chain

Scope and Methodology (cont)

• Second focus of study is university level education and certifications

Methodology

View the cyber workforce through the prism of a supply chain

In other words... how to optimize the supply chain to increase production

Page 5: Cyber Security Professionals Viewed via Supply Chain

Definition of a Cyber Security Professional


Page 6: Cyber Security Professionals Viewed via Supply Chain

Definition of a Cyber Security Professional - DOL

• DOL Occupational Outlook Handbook does not contain a definition for cybersecurity professionals

• DOL categories acknowledge positions that involve people who
  – plan, coordinate, and maintain an organization's information security
  – database administrators plan and coordinate security measures with network administrators
  – network engineers "may ... address information security issues"

Page 7: Cyber Security Professionals Viewed via Supply Chain

Definition of a Cyber Security Professional - DHS

• Department of Homeland Security Secretary Janet Napolitano defines cybersecurity professionals as
  – employees responsible for "... cyber risk and strategic analysis; cyber incident response; vulnerability detection and assessment; intelligence and investigation; and network and systems engineering"

Page 8: Cyber Security Professionals Viewed via Supply Chain

Definition of a Cyber Security Professional – ISC2

– Frost & Sullivan conducted a survey of 10,413 information security professionals which indirectly defined security professionals as those
  • employed as Information Security professionals and
  • those who had cyber security as their primary job function.

Page 9: Cyber Security Professionals Viewed via Supply Chain

Definition of a Cyber Security Professional – DOD

DOD usually takes the lead in defining elements related to cyberspace and cybersecurity, but according to GAO

"DOD has defined some key cyber-related terms but it has not yet fully identified the specific types of operations and program elements that are associated with full-spectrum cyberspace operations"


Page 10: Cyber Security Professionals Viewed via Supply Chain

Definition of a Cyber Security Professional – Monster.com

• What does the largest job site call them?
  – Network engineers
  – System Administrators
  – IT Security Engineers
  – IT Security Analysts
  – Network Administrators

But where are the web designers; policy folk; SW engineers; etc. etc.

Page 11: Cyber Security Professionals Viewed via Supply Chain

Definition of a Cyber Security Professional – for this study

• Professionals who have information security as a major part of their job;

• those who self-identify as cyber or security specialists; and,

• those who build and maintain the national critical infrastructure of the computer systems on which the public and private sectors have come to rely.


Page 12: Cyber Security Professionals Viewed via Supply Chain

Now that we’ve defined them….

How do they get to the workplace….


Page 13: Cyber Security Professionals Viewed via Supply Chain

Supply Chain Management (SCM)

• Viewing the shortage of cybersecurity workers through SCM
  – SCM attacks problem of uncertainty head-on

• SCM solves two core resource problems
  – Shortages and excesses
  – Identifies where the chain is broken

Page 14: Cyber Security Professionals Viewed via Supply Chain

Supply Chain Management (SCM)

K to 12
• STEM (Science, Technology, Engineering, Math)

Higher Ed
• Higher Education
• Centers of Excellence
• Other Higher Ed Institutions

Professional Certifications
• Non-Higher Education Certifiers
• Certifying CISSP (ISC2)
• GSEC
• CompTIA Security+ Certification
• Vendor certifications

Diagram labels: Shortage; Dilution; Need

Page 15: Cyber Security Professionals Viewed via Supply Chain

S.T.E.M. (K to 12)

• Public private partnership will invest $260M between 2009 and 2019 (like race to space)

• Growth in STEM jobs is 3X non-STEM jobs


Page 16: Cyber Security Professionals Viewed via Supply Chain

University Level Education

• NSA is Certifying Universities, Colleges, and now Community Colleges

• 124 NCA’s (as of 2010)
  – 14 are 2-year institutions
  – 2 are 4-year institutions
  – 51 are research institutions
  – Some fall into more than one category

Page 17: Cyber Security Professionals Viewed via Supply Chain

Certifications

• Certifications can come from
  • Universities $$$$
    • Value is unknown
  • Private sector $$
    • Highly prized

Highly recognized certificates

Page 18: Cyber Security Professionals Viewed via Supply Chain

Certifications – Highly Recognized

ORGANIZATIONS AND THEIR CERTIFICATE OFFERINGS

CERTIFYING ORGANIZATION: CERTIFICATION

CERT: CSIH

CompTIA: Security+

Cisco Systems: CCNA Security; CCSP; CCIE Security

EC-Council: ENSA; CEH; CHFI; ECSA; LPT; CNDA; ECIH; ECSS; ECVP; EDRP; ECSP; ESCO

GIAC: GSIF; GSEC; GCFW; GCIA; GCIH; GCUX; GCWN; GCED; GPEN; GWAPT; GAWN; GISP; GLSC; GCPM; GLEG; G7799; GSSP-NET; GSSP-JAVA; GCFE; GCFA; GREM; GSE

ISACA: CISA; CISM; CGEIT; CRISC

(ISC)2: SSCP; CAP; CSSLP; CISSP; ISSAP; ISSEP; ISSMP

ISECOM: OPST; OPSA; OPSE; OWSE; CTA

Microsoft: MCSE; MCSA

Indication individual is improving herself.

Page 19: Cyber Security Professionals Viewed via Supply Chain

What’s the Problem

• STEM will not produce for 10 years and then those high schoolers have to go to college

• University pipeline is waiting for STEM graduates to enter

• Universities are not graduating enough cyber specialists

• University certificates are new and general
  • too soon to determine value

Page 20: Cyber Security Professionals Viewed via Supply Chain

So What

• US has discovered it is behind the curve in the production of S.T.E.M graduates

• S.T.E.M skills are needed for cybersecurity workforce

• War has expanded beyond nation states to organizations like Wikileaks

• Warfare is expanding into cyberspace and we do not have war fighters


Page 21: Cyber Security Professionals Viewed via Supply Chain

So What (cont)

• Focusing on S.T.E.M in K-12 is critical to US economy

• The field of cybersecurity is being developed in pieces
  • NIST, Microsoft, Cisco, & NSA are each designing standards models, processes, certifications, and methodologies for the field and many of them overlap

Page 22: Cyber Security Professionals Viewed via Supply Chain

Conclusion

• The US government must take immediate steps to coordinate the development of the cybersecurity field

• The US should task the National Security Agency to take the lead

• Once the field is defined
  – There will be sub-specialties
  – There will be a roadmap for obtaining proficiency (like doctors & lawyers)
  – There will be standardized tests
  – Estimates on workforce needs can more accurately be determined
  – Training and certifications can be organized and synchronized

Page 23: Cyber Security Professionals Viewed via Supply Chain


Questions and Answers

NSA designated National Center of Academic Excellence in Information Assurance Education

