For better info security, certify the workforce

(ISC)2's Marc Noble says software security, cloud and risk management are key areas for government

The need for certified information security professionals is becoming a critical issue for federal agencies. Marc Noble is trying to help reduce that gap. A former chief information security officer and deputy chief information officer at the Federal Communications Commission, Noble spent 30 years overseeing government information systems before moving to Mitre Corp. as an information assurance engineer. Noble was recently tapped to take the helm as director of government affairs for the International Information Systems Security Certification Consortium, a world leader in certifying information security professionals.

Noble spoke with GCN Editor-in-Chief Wyatt Kash about improving the state of information assurance.

GCN: After working for federal agencies and moving to study government security solutions at Mitre — a federally funded research development center, or FFRDC — what struck you most about the state of information assurance and security in government?

Noble: Working in the government, I quickly understood that upgrading my knowledge of security standards, skills, best practices, education and retooling my knowledge base were my responsibility, and I encouraged others to do the same.

In contrast, in a federally funded research development center, there is an ongoing culture of education and renewal of one’s resources, which is really the key to overall effectiveness of an organization’s security program.

Also in contrast to a government agency, an FFRDC has access to research and development funds to help in developing the most effective solutions. Creating a culture that supports innovation and rewards professional growth will be critical to improving the government state of security.

Take, for instance, the State Department. Any employee who attains the Certified Information Systems Security Professional or other certification is rewarded with a bonus. This is just one step toward changing an agency’s culture for the better and subsequently improving its state of security.

Many believe the technical skills gap in government is wider than appreciated. What’s your take?

I believe that information security is a multifaceted job that requires multiple skill sets. One size does not fit all. People with technical skills are certainly critical to fulfilling the government’s security goals, but equally important are those with strong managerial skills, communications skills, skilled instructors, etc., especially given the current proportion of contractor personnel assigned to technical positions within government. Agencies need skilled management groups in order to manage these contractors effectively.

Can you point to how the government is making progress?

I look at it from this angle: Certifications are a lot more prevalent today than they were even 10 years ago. I believe that is a real game changer. The real issue is that certified people can speak to each other in a clear language, whereas those who haven’t gone through the rigorous training involved find it more difficult to communicate with other security professionals.

What are the top three technical areas in which you see an increased need for training and certification in government?

First, I see the need for training and certification in the area of software security. Because I spent so many years in software development, I understand the process from the inside out. In a world where 80 percent of all breaches are application-related, we need educated professionals and a reformed culture that views software security as second nature. In my opinion, security testing specifically will be a critical area for training and certification in the future.

Next, I see a real need for information security personnel to get, shall we say, cozy with the cloud. Cloud computing and Web 2.0 are being recognized as game changers, and their evolution will be interesting to watch. With the IT and business worlds focusing on the potential of cloud computing, we need to be preparing those who will be responsible for securing it.

Finally, there is no doubt that adopting a risk management perspective on managing security will be required of all government personnel involved in information security programs — not only from a best-practices perspective but from a compliance perspective. [The National Institute of Standards and Technology] and other standards organizations have made that shift in building standards based on a risk management approach. It is only a matter of time before an agency’s performance is judged on its ability to effectively manage risk.

In these three areas that are emerging, I am aware of only one with a certification program actually in place, and that is the Certified Secure Software Lifecycle Professional (CSSLP).

How do you see the role of information security professionals evolving relative to agency CIOs and senior executives?

With security now a business enabler for government, I see the information security professional as a significant partner in the business of government. The information security professional’s perspective is now critical to both the strategy and fulfillment of an agency’s mission. A 2009 survey of federal CISOs found that CISOs are becoming more empowered in their jobs. Eighty percent of them believe they have significant influence or some influence on the security posture of their agency.

The bottom line is that they feel they have a voice. I believe that soon we will see the role of information security professionals become recognized as a separate and distinct career field within government.

How is the shift toward mobile networking changing the priorities for information security specialists?

It’s not that different. It’s really about expanding the territory that the information security specialist is responsible for. The tools are already there. We just have to apply them more widely.

Take, for example, the [Veterans Affairs Department] data breach several years back. We had products to encrypt information on laptops back then, but we had not applied the technology, or we didn’t have policies in place for applying that technology. In this instance, government did not prioritize the investment and took a risk. It then made national news and became a priority.

Are the systems evolving around BlackBerry, Android, Microsoft and other mobile platforms adding new complexities to risk management for security specialists?

Absolutely. I’d have to completely agree. As a former CISO, I would have to say I would not allow my government employees to use their Androids and other new devices [for government work]. I would only let them put government information on government devices.

Congress has been working on several bills expected to impact how agencies deal with cybersecurity. What should the information technology community be watching for?

The IT community should expect or be aware of the following:

  • An evolution in the way that agencies report the progress of, and effectively manage, their security programs.
  • The possible adoption of a governmentwide certification requirement for information security professionals.
  • And finally, increased support for education programs.

I believe that we will see increased funding for programs already in place and new funds set aside for new programs that focus on educating, developing and mentoring those interested in the information security field.

What are your top priorities as you take the helm at (ISC)2?

I believe that the information security profession is reaching a critical point in its evolution, and I want to play a lead role in serving, on behalf of (ISC)2, as an advocate for the profession, particularly for those employed at all levels of the public sector. My priorities will be:

  • The development of partnerships between government and the private sector. This mirrors the direction that our president and National Cyber Coordinator Howard Schmidt have mapped for government. So, as director of government affairs, I will put a lot of muscle into coordination, cooperation and communication among government, certification bodies, universities and the private sector to encourage the development of a professional workforce.
  • Next, I plan to monitor the cyber legislation environment on the Hill and help (ISC)2 plan for the changes to come and support the federal information security workforce in its implementation of those changes.
  • Finally, in growing programs such as our Veterans Initiative that educates and mentors soldiers returning from war and in need of a new career, I plan to help the government fill its shortage of qualified and skilled information security professionals.

What about the need for real-time system monitoring?

I believe a lot of people are still going to need to be educated on what they need to do and how it needs to be measured. The second part is risk management. It’s been around for a while. But I think the era of the risk executive will soon be upon us, and that will be an area into which a lot of security professionals will fit nicely.

Reader comments

Thu, Jun 24, 2010

The article seems very self-serving since Marc Noble is deeply entrenched in the profit-making machine of certifications. His comment on skilled instructors is particularly amusing since, based on personal experience, ISC2 and Global Knowledge instructors are selected by availability and certainly not by qualifications. The government has created a new certification industry, but I haven't seen anyone measure ROI -- $2500 for boot camps that don't do much to prepare anyone for a test, ridiculous testing fees for paper-based tests, and annual fees amount to great income for companies like ISC2 but little benefit to improving security implementation.

Thu, Jun 17, 2010

Unplug the users from the internet. It's fascinating how before there was an internet, nobody needed access. Then only a limited number of personnel were given a web browser... now everyone has a browser... and some screw off all day... maybe they should go back to monitoring productivity and seeing who is reading the newspapers and Facebooking all day.

Wed, Jun 9, 2010 Dave

"For better info security, certify the workforce" - What a joke! Instead of taking your folks out of the office to get them a certification, how 'bout following up on the policies your security folks recommended, and that you published, but now ignore? How 'bout making an example of your worst offenders? Certifications mean less than nothing, if you aren't enforcing your own security policies!

Wed, Jun 9, 2010

Certifications lead to who is a good test taker, not who knows the subject matter and can actually do a job. Previous years in the days of CNE or other past certifications are proof you can end up with employees and contractors who know nothing hands-on, but they passed the test. Then some other technology becomes the hot area and another thing to pay some commercial vendor a lot of money to pass another test. Some certifications will not help people know their job day to day. Having agency-type, tailored training around groups of like people with like responsibilities and backgrounds would probably benefit the agencies and the employees much more. Stop hiring or placing people with no IT background, education or training into IT positions like security professionals that they are unqualified for and expecting them to be able to communicate with genuine IT employees or make decisions in areas they aren't qualified in. This is true in the management ranks as well. Start recognizing, empowering and developing those techies. Respect an IT professional with expertise as much as other professions. IT security and technology pros in general have to be continuously trained and usually keep up with technology on their own or by sheer need based on new technology. I agree with the other commenters: give me experience over a test taker any day.

Tue, Jun 8, 2010 Bill

CISSP certification qualifies you to do the following. 1. Pay $549 for the test. 2. Pay (ISC)2 $85 a year and do 40 hours of security-related things/proxy tests, etc. 3. If three years pass and you have not done 120 hours of security-related things, you get to take the test again. What this comes down to is that I would rather hire someone who has five years' experience securing servers/workstations or firewalls than hire someone with a CISSP. CISSP certification qualifies you to do nothing in the security field.
