As the head of the largest certification body for information security professionals, I have the unique opportunity to address each day the issues and challenges facing information security professionals. Our recent Career Impact Survey, for example, gave us insight into the hiring challenges the industry faced over the last year and forecasted the IT security career outlook for the year to come. In talking to our members, we found that even in a tough economy, security professionals are finding job stability and mobility and even better salaries. However, we also found that hiring managers are having a tough time finding enough qualified people to meet their growing security needs.
Mind you, the findings of our survey were not very alarming since by now it's common knowledge that there is a major shortage of cybersecurity professionals. Now that the problem is identified, we need to identify some solutions. (Also, watch Tipton's Video at RSA on Lessons Learned from Breaches.)
In this profession, we have to depend on people to be self-taught and to embrace the resources around them.
Earlier this month, I had the chance to attend RSA Conference 2012, providing me with an opportunity to dive deep not only into the issues we addressed in the Career Impact Survey, but also other challenges our members and the security industry overall are facing. RSA always reminds me how fluid our industry is, and how important it is to stay educated and abreast of change.
With that said, some of the more prevalent things I heard discussed at RSA were related to new approaches to security.
Over the last year we've learned, it seems, that some of the things we previously thought were good security practices may in fact not be. For example, at the ESAF, which is a closed event for executives and is one of my favorite things about RSA week, another executive from a leading technology provider (Chatham House rules apply, so please pardon the non-attribution) pointed out how changing a password every 90 days - something that has always been thought of as a safe security practice - may in fact be a vulnerability because hackers catch on to the update schedule. As such, maybe a better security practice is to randomly change a password to keep the hackers guessing.
I also had a chance to talk a lot with my peers about the bring-your-own-device phenomenon happening in the workplace and the kind of practices that are working for protecting data, like sand-boxing and random code execution. I also found it very interesting that some organizations are beginning to adopt dual device authentication (for example a laptop and a cell phone) to validate users when logging on to internal networks, capitalizing on items that have become as common as carrying a wallet. I was equally surprised that I did NOT hear about issues related to application vulnerabilities, which the more than 10,000 respondents to our 2011 Global Information Security Workforce Study identified as THE top security threat. I hope the conversation in this area heats up in the year ahead - it will provide us with plenty to talk about at the next RSA.
Overall, I was pleased to learn from the smart folks in our industry and to meet so many new (ISC)2 members (thanks to the more than 430 of you who attended the member reception!). One article I found particularly interesting in ISMG's Security Agenda magazine (which they handed out at RSA), was by Eugene Spafford. In his article, Dr. Spafford talks about bridging the gap between academia and the security professional. He rightly points out that academia cannot produce the number of people we need to meet the global cybersecurity challenge because of the diverse nature of our profession.
With that, what I took from RSA, and what I'm consistently learning from our members is that in this profession we have to depend on people to be self-taught and to embrace the resources around them. Whether it's through certification or by getting involved in our community and associations, our industry professionals quickly understand that we must think in new ways to build and support our security workforce, and I look forward to another year of working for those who work so hard to keep our cyber world safe.
Tipton is the Executive Director for (ISC)2, the largest not-for-profit membership body of certified information security professionals worldwide, with more than 80,000 members in more than 135 countries.