For better info security, certify the workforce

The need for certified information security professionals is becoming a critical issue for federal agencies. Marc Noble is trying to help reduce that gap. A former chief information security officer and deputy chief information officer at the Federal Communications Commission, Noble spent 30 years overseeing government information systems before moving to Mitre Corp. as an information assurance engineer. Noble was recently tapped to take the helm as director of government affairs for the International Information Systems Security Certification Consortium, a world leader in certifying information security professionals.

Noble spoke with GCN Editor-in-Chief Wyatt Kash about improving the state of information assurance.

GCN: After working for federal agencies and moving to study government security solutions at Mitre — a federally funded research development center, or FFRDC — what struck you most about the state of information assurance and security in government?

Noble: Working in the government, I quickly understood that upgrading my knowledge of security standards, skills, best practices, education and retooling my knowledge base were my responsibility, and I encouraged others to do the same.

In contrast, in a federally funded research development center, there is an ongoing culture of education and renewal of one’s resources, which is really the key to overall effectiveness of an organization’s security program.

Also in contrast to a government agency, an FFRDC has access to research and development funds to help in developing the most effective solutions. Creating a culture that supports innovation and rewards professional growth will be critical to improving the government state of security.

Take, for instance, the State Department. For any employee who attains its Certified Information System Security Professional or other certification, they are rewarded with a bonus. This is just one step toward changing an agency’s culture for the better and subsequently improving its state of security.

Many believe the technical skills gap in government is wider than appreciated. What’s your take?

I believe that information security is a multifaceted job that requires multiple skill sets. One size does not fit all. People with technical skills are certainly critical to fulfilling the government’s security goals, but equally important are those with strong managerial skills, communications skills, skilled instructors, etc., especially given the current proportion of contractor personnel assigned to technical positions within government. Agencies need skilled management groups in order to manage these contractors effectively.

Can you point to how the government is making progress?

I look at it from this angle: Certifications are a lot more prevalent today than they were even 10 years ago. I believe that is a real game changer. The real issue is that certified people can speak to each other in a clear language where those who haven’t gone through the rigorous training involved find it more difficult to communicate with other security professionals.

What are the top three technical areas in which you see an increased need for training and certification in government?

First, I see the need for training and certification in the area of software security. Because I spent so many years in software development, I understand the process from the inside out. In a world where 80 percent of all breaches are application-related, we need educated professionals and a reformed culture that views software security as second nature. In my opinion, security testing specifically will be a critical area for training and certification in the future.

Next, I see a real need for information security personnel to get, shall we say, cozy with the cloud. Cloud computing and Web 2.0 are being recognized as game changers, and their evolution will be interesting to watch. With the IT and business worlds focusing on the potential of cloud computing, we need to be preparing those who will be responsible for securing it.

Finally, there is no doubt that adopting a risk management perspective on managing security will be required of all government personnel involved in information security programs — not only from a best-practices perspective but from a compliance perspective. [The National Institute of Standards and Technology] and other standards organizations have made that shift in building standards based on a risk management approach. It is only a matter of time before an agency’s performance is judged on its ability to effectively manage risk.

In these three areas that are emerging, I am aware of only one with a certification program actually in place, and that is the Certified Secure Software Lifecycle Professional (CSSLP).

How do you see the role of information security professionals evolving relative to agency CIOs and senior executives?

With security now a business enabler for government, I see the information security professional as a significant partner in the business of government. The information security professional’s perspective is now critical to both the strategy and fulfillment of an agency’s mission. A 2009 survey of federal CISOs found that CISOs are becoming more empowered in their jobs. Eighty percent of them believe they have significant influence or some influence on the security posture of their agency.

The bottom line is that they feel they have a voice. I believe that soon we will see the role of information security professionals become recognized as a separate and distinct career field within government.

How is the shift toward mobile networking changing the priorities for information security specialists?

It’s not that different. It’s really about expanding the territory that the information security specialist is responsible for. The tools are already there. We just have to apply them more widely.

Take, for example, the [Veterans Affairs Department] data breach several years back. We had products to encrypt information on laptops back then, but we had not applied the technology, or we didn’t have policies in place for applying that technology. In this instance, government did not prioritize the investment and took a risk. It then made national news and became a priority.

Are the systems evolving around BlackBerry, Android, Microsoft and other mobile platforms adding new complexities to risk management for security specialists?

Absolutely. I’d have to completely agree. As a former CISO, I would have to say I would not allow my government employees to use their Androids and other new devices [for government work]. I would only let them put government information on government devices.

Congress has been working on several bills expected to impact how agencies deal with cybersecurity. What should the information technology community be watching for?

The IT community should expect or be aware of the following:

• An evolution in the way that agencies report the progress of, and effectively manage, their security programs.
  
• The possible adoption of a governmentwide certification requirement for information security professionals.
• And finally, an increased support for education programs.
  

I believe that we will see increased funding for programs already in place and new funds set aside for new programs that focus on educating, developing and mentoring those interested in the information security field.

What are your top priorities as you take the helm at (ISC)2?

I believe that the information security profession is reaching a critical point in its evolution, and I want to play a lead role in serving, on behalf of the (ISC)2, as an advocate for the profession, particularly employed at all levels of the public sector. My priorities will be:

• The development of partnerships between government and the private sector. This mirrors the direction that our president and National Cyber Coordinator Howard Schmidt has mapped for government. So, as director of government affairs, I will put a lot of muscle into coordination, cooperation and communication among government, certification bodies, universities and the private sector to encourage the development of a professional workforce.
• Next, I plan to monitor the cyber legislation environment on the Hill and help (ISC)2 plan for the changes to come and support the federal information security workforce in its implementation of those changes.
• Finally, in growing programs such as our Veterans Initiative that educates and mentors soldiers returning from war and in need of a new career, I plan to help the government fill its shortage of qualified and skilled information security professionals.

What about the need for real-time system monitoring?

I believe a lot of people are still going to need to be educated on what they need to do and how it needs to be measured. The second part is risk management. It’s been around for a while. But I think the era of risk executive will soon be upon us and that will be an area in which a lot of security professionals will actually fit nicely into that type of position.