When Richard Nealon first sat for his CISSP exam, he was struck by how U.S.-centric the questions were. Since then, he has strived to promote greater awareness of global information security concerns.
He raised his exam concerns with an (ISC)² member, who subsequently encouraged Nealon to become a volunteer. He eventually joined and aided in eliminating questions in the exam that weren't relevant internationally. "The only way that I had a voice back then was to actually get involved in it," he says.
Since that time, (ISC)² has moved its focus more toward meeting and understanding the needs of its entire international membership, Nealon says.
"One of the things we have planned for the upcoming year is to go out and survey the members," Nealon says in an interview with Information Security Media Group [transcript below].
Further, (ISC)² is ramping up its efforts to set up chapter organizations to assist in communicating ideas and concerns, working alongside academia to increase awareness of the profession and offering scholarships.
In an interview at Infosecurity Europe 2013, Nealon discusses:
- His role as an (ISC)² board member;
- The organization's growth strategy;
- How to understand and meet members' needs.
Nealon has worked in information security and related disciplines within the financial sector for more than 20 years. His current role includes the formulation, management and reporting of security assurance metrics for an Irish bank. He was one of the first CISSPs in Ireland and has been actively involved as an (ISC)² volunteer for more than 10 years. Nealon has a long-time involvement with the Irish Information Security Forum and is a committee member of the Irish Computer Society Security Professional's Network. He was awarded the James R. Wade (ISC)² Service Award in 2010 for his contributions to the organization in many different roles. He was also the first Irish recipient of the COSAC award (2003).
History at (ISC)²
TOM FIELD: You've got an interesting story because I know that you're an (ISC)² member who had some dissatisfaction and had become a board member. Tell me about your rise.
RICHARD NEALON: When I started out ... I was the second person in the Republic of Ireland to take and pass the exam. That was a long, long time ago.
FIELD: That's CISSP?
NEALON: This is CISSP. That was the only exam really that was relevant to my area of expertise at the time. We've since branched out, and we have a lot more exams that are much more relevant, and we can certify too. But it was pretty much CISSP and CAP, which was the U.S. government exam at that stage.
I sat down, I did the exam and ... we had a lot of stuff on the Boston fire regulations and we had a lot of U.S. law questions we had to answer. I suppose I found that it wasn't that applicable to me, being a European taking the exam. The one thing that I've always been very passionate about is the first "I" in (ISC)² is "international." I was introduced to a person who is now another board member way back at a conference by a gentleman who's been in the profession for a long time. He said, "[This person's] involved in (ISC)²." I said, "That's interesting because I have a couple of things to say to you."
I went on and on, and I said this is what I don't like about it, this is what I don't like about it, and this is what I don't like about it. She said, "If you feel so passionately about it, why don't you step up to the mark and become involved as a volunteer? We need people like you who are passionate to come in and actually start to write the exam and make sure that the exam has an international flavor and is internationally accepted for all candidates, not just for North American-based candidates."
That was my first involvement, as a writing volunteer, and we did international reviews of the item bank, and we went through and took out U.S.-centric questions, and we certainly took out some other questions that came from other parts of the world which weren't relevant internationally. That was my first involvement. I don't know whether I was successful in that or not, but I was asked to volunteer in other ways as well. A couple of years ago, one of our board members had to resign, and I was asked [if] I would fill in the vacant slot for one year on the board to see out that term of office, and I ran for reelection after that.
Role as Board Member
FIELD: Tell me about your work in the (ISC)² community. What are the activities you're involved in?
NEALON: The board is very careful. When we started out with (ISC)², we were a volunteer-run organization. All of the management of the organization was done by volunteers. Many years ago, we moved to being a professionally run organization, so we took on staff. At that stage, we had to take a step backwards, and we said, "We have to separate the two aspects of it. We have to separate the operational and the management end of it from the governance end of it." The board sits, they govern and they look at long-term strategy and where we want to go as an organization and how we want to be.
Then, the management comes out and they say, "We have to build objectives; we have to build ... a technical strategy, goals and objectives to be able to meet that long-term strategic objective." Really what we've tried to do - and it works pretty well now - is to have kind of a Chinese wall down the middle and management do their job and the board do their job and neither gets involved in the business of the other. We govern and management manages, and that's where we are.
From the board point of view, we have a number of different things that we're concerned about. The board owns certification. Every time that a new member comes on ... when they get that certificate it's signed by board members. The board owns that certification.
We define the strategy for the organization, the long-term goals, and we've changed that strategy quite a bit in the last year or year and a half from being very much a certification and education-based organization to becoming a member-focused organization. I suppose we found ourselves challenged in, first of all, knowing what the members wanted and then being able to meet the expectations and basically meet the needs of the members.
We're very much focused on the membership now. During that time, we've spread out from being not just a not-for-profit organization, to being both a not-for-profit organization and [having] the foundation, which is a charitable organization. The foundation is a different arm of (ISC)². The board is the same board, but the foundation's strategy is to serve the members in terms of research, and we've seen the Global Information Security Workforce Study as a result of that.
In terms of helping the members pursue their careers, we've seen the scholarship awards, both the awards to scholars and also the women's scholarship, in terms of that. I suppose one of the big ones is the Safe and Secure program, which is a branch, an outreach of the foundation, in giving back to society. The Safe and Secure Program is aimed at school children, bringing them along and teaching them how to be safe online.
It also has a knock-on effect in that it shows people what information security professionals do. We go in there, present Safe and Secure and the children have an opportunity to ask questions. Some of those questions might be, "How did you get into information security?" Back in the day when I started out, I came from a communications background. People came from communications; they came from operations; they came from cryptography. They came from some other aspect of IT. But nobody actually chose information security as a specialty. Nowadays it's different. People can go in and they can say, "I want to be an information security professional," and that's available to them now. We help people go through that. ...
FIELD: I'm glad you mentioned the workforce study because one of the things that was uncovered ... was we really do have a critical skills issue that needs to be addressed, not just in any region of the world, but globally. What are (ISC)²'s strategies to grow this workforce and help to have a qualified and certified skilled workforce?
NEALON: These things are tied together. I don't see any of them as stand-alone - they're more of a holistic thing. One of the first things that we really needed to do was we needed to look at the workforce and get some good data on how the workforce was actually constructed. When we did the workforce study, we saw the output of it in terms of the report, but we broke those figures down and we looked at where people sat within the organization. Did they sit at the CISO level? Did they sit at the security manager level? Did they sit at an analyst and operator level? Or did they sit in the auditing field? Where did they sit within organizations? We broke that down within the workforce study.
The second thing we did was we [asked] what level of experience they [have]. How many years are they in information security, and what age are they? What salary range? We need to understand what the career path is throughout security. One of the things that came out of the workforce study is that we're an aging population and we're growing older. The average age - and I'm not sure whether it's the international one or whether it's the European one - was 43. The time in information security was 12 years' experience that went along with that. We're actually an aging population. We grow older from workforce study to workforce study, and this has been going on since 2004. We see ourselves grow older and have longer experience. What we're not seeing is the backfill. We're not seeing people coming in at the ground level, choosing a career in information security and staying with that career.
One of the things that we're trying to do as an organization - and this talks to some of the work we do with the European Advisory Board - is we go out to academia, we reach out to academia, and not only at the master's programs - because the master's program area is served pretty well - but the bachelor programs as well. Can we help you build your curriculum and can we bring people in and - excuse the phrase - make it sexy? We see that people have a view of what information security professionals do, and that's a very stale view. We're seen as the suited brigade; we either have gray hair or we have no hair at all. We're in a profession that has been really seen as very conservative, and we have to go out there and say, "Information security [can't be placed] into one area. Information security takes on many different roles."
I spoke to a professor from [a university], and he was saying that he went out and developed a program which was a bachelor's in information security. He had almost nobody turn up for that program. But he rebranded it and said he was offering a bachelor's in cybersecurity and forensics, and he had a full cohort. We have to make it attractive to people to actually look and say, "These are roles that we wanted."
I sat at the AppSec Europe Conference in Dublin two years ago, and two things were really apparent to me. One was the youth in the audience. Almost all of the people were under 35. I said this was great to actually see so many young people involved in a specific area of information security, but so many young people involved. The other thing was the diversity. Almost half of the audience was women, which is something that we don't see in information security in general.
With (ISC)², I don't see it holistically. I don't see it as board, management, European Advisory Board and chapters. I see it to encourage and mentor young people coming into the profession, to bring them in, help them along and hold their hands while they go through their education process and gain experience. That's the only way I really see us filling that backfill.
Meeting Members' Needs
FIELD: We talked before we sat down for this interview about wanting to, one, listen to your members' needs and, two, meet those needs. How are you doing that?
NEALON: One of the things we have planned for the upcoming year is to go out and survey the members. As I say, the only way that I had a voice back then was to actually get actively involved in it. One of the things that we have done in the past year has been to roll out the chapter organization. There's a hierarchy of communication, if you want to call it that, and I see that hierarchy of communication as being the chapters. Anybody can join a chapter. They can be a member or they don't have to be a member, but [it's for] anybody with an interest in information security.
Not only do we have to meet the needs of the members, but also those who are prospective members or people who are involved in information security but don't want to hold one of our certifications. We have to take that information from the chapters and feed it up through the EMEA Advisory Board. The EMEA Advisory Board advises management. We have that communication channel between the chapters and the EMEA Advisory Board, between the EMEA Advisory Board and management, and between management and the board. What we're trying to do is to make sure that those three indication lines are in place.
We intend to go out to the membership next year, survey them and find out from them what they want. We get a huge amount of data from things like the workforce study, and this year was great because we found that we had a huge amount of nonmembers. I think we had 4,000 nonmembers who actually responded to the workforce study this year, and that was brilliant, because it's as important to us to listen to people who are out there that aren't already part of our community, but who are involved in information security, and find out what their needs are as well and try to help them meet their needs. We don't see ourselves being exclusively a closed shop only serving the needs of the members, but we see ourselves serving the needs of society and of the people in the profession.