Karen Thurston, Business Development Analyst for the University of Coeur d’Alene, Idaho, sent 11 email messages and 20 LinkedIn messages to professionals in the Idaho/eastern Washington region asking for feedback on the need for professional development in cybersecurity. Participants were chosen from among the North Idaho IT Professional Association members and guests, and from a LinkedIn query of professionals in Spokane/Coeur d’Alene holding CISSP credentials. Sixteen people completed the survey in late December 2014 and the first week of 2015.
The survey questions were designed to gauge the respondents’ opinions of the benefits of various cybersecurity topics on a scale from 1 to 5, with 1 being the least beneficial and 5 the most beneficial. Of the topics presented on the survey, no topic scored lower than 4.0 (Survey of Standards and Frameworks), and the highest scored 4.87 (Incident Response Best Practices). Across the 6 questions scored in this way, the average score was 4.41. The consistently high scores indicate a strong desire on the part of the respondents for professional development opportunities.
A few of the questions addressed specific certifications, and the responses clearly identified the (ISC)2 CISSP (Certified Information Systems Security Professional) and the ISACA CISM (Certified Information Security Manager) credentials as the most relevant and valuable.
For specific technology certifications, Cisco and Microsoft were the clear leaders.
While the survey was designed quickly to gauge the level of interest and should not be considered scientific, it does encourage pursuit of cybersecurity as a viable subject for professional development courses in the region. Future surveys should explore the size of the potential market in the region, and could also explore the market for shorter-duration workshops that would attract attendees from outside the area.
Survey Questions and Responses
The survey considered three tracks for professional development.
1) Management and Planning Track: Frameworks, standards, and development of policies and procedures for cybersecurity and incident response. Includes risk assessment best practices and development of a business case for dedicating resources to cybersecurity.
2) Implementation of Secure Systems Track: Solutions and best practices for securing and monitoring systems and data (with lab component)
3) Incident Response Track: Solutions and best practices for recovering systems and data (with lab component)
1) Survey of frameworks, standards, and regulatory requirements for cybersecurity, such as the NIST SP 800 series, ISO/IEC 27002, FFIEC, COBIT, COSO, HITRUST CSF, FAIR, and others. Average score: 4.0 / 5 (16 responses, 5 comments: “The new NIST Cyber Security framework”, “Although it's not considered an actual framework, the SANS 20 Critical Controls is a good starting point for people trying to implement a security program.”, “NIST Cyber Security Framework”, “Sarbanes Oxley, HIPAA”, “HIPAA, HITECH, SSAE, PCI DSS, FISMA, SOX”)
2) Best practices for cybersecurity policies and procedures in the enterprise (includes acceptable use, information classification, control policies, physical security, logical security, end user training, toolkits, human resources practices, vendor security, and incident response). Average score: 4.63 / 5 (16 responses, 1 comment: “I would also add principles of least privilege, separation of duties, and data loss prevention.”)
3) Creating the business case for investing in cybersecurity measures. Includes risk assessment fundamentals and cost/benefit analysis. Average score: 4.25 / 5 (1 comment: “quantifying risk”)
4) Implementation solutions and best practices for securing systems and data (patching, antivirus, password standards, dual controls), with hands-on lab. Average score: 4.6 / 5 (15 responses, 5 comments: “Any time you can have hands on experience you never can lose.”, “Configuration management would be a good topic to cover here, including baseline creation and system hardening best practices.”, “I think the largest gap in finding people right now is around security analysts and security engineers. I would place more of a focus on incident response, forensics, SIEM, IDS/IPS, proxies, antivirus, and implementation of these tools and day-to-day operations to find ongoing attacks.”, “Add vulnerability assessment / remediation”, “RMM - monitoring and alerting”)
5) Technical certification courses/labs such as (ISC)2, CompTIA, Cisco, EC-Council, Linux Professional Institute (LPI), Microsoft, Oracle, Information Systems Audit and Control Association (ISACA). Average score: 4.13 / 5 (15 responses, 3 comments: “It isn't necessarily the certification but the knowledge one gains from studying the material and then being able to apply it to real world situations.”, “You are missing a big one in question 5 and 6, SANS.”, “CSA's [Cloud Security Alliance] CCSK [Certificate of Cloud Security Knowledge]”)
6) If you recommend one certification over another, please rank them in order. The top 4 most highly rated: (ISC)2, ISACA (Information Systems Audit and Control Association), Cisco, and Microsoft (no fifth certification was a clear leader).
The bottom 5 in ratings: Brocade, Nortel, EC-Council, Juniper, and SolarWinds.
7) Incident response best practices, including tools for detection, categorization, containment, remediation, recovery and restoration, recurrence prevention, and reporting. Includes lab simulation and red/blue team exercises. Average score: 4.87 / 5 (15 responses, 1 comment: “Developing policies communicating security topics in layman's terms and so business units understand.”)
8) Does your company employ cybersecurity professionals? (Choose all that apply.) Total of 14 responses: 13 “Yes”, and one “No, cybersecurity is included as part of a more general job description” (3 comments: “1 technical/analyst”, “2 Technical positions to supplement the 12 we have today.”, “1”)
9) What qualifications do/would you require of your cybersecurity professionals? (Choose all that apply.)

| Qualification | Responses |
|---|---|
| Certified Information Systems Security Professional (CISSP) * | 11 |
| B.S. computer science | 4 |
| B.A. or B.S. any field | 4 |
| Certified Information Security Manager (CISM) ** | 3 |
| Certified Protection Professional (CPP) | 2 |
| Certified Ethical Hacker (CEH) | 2 |
| Payment Card Industry Professional (PCIP) | 2 |
| M.S. computer science | 2 |
| M.S. Information Security & Assurance | 2 |
| Certified in Risk and Information Systems Control (CRISC) | 1 |
| Professional in Critical Infrastructure Protection (PCIP) | 1 |
| Certified in the Governance of Enterprise IT (CGEIT) | 0 |
| Certified Fraud Examiner (CFE) | 0 |
| Certified Nessus Auditor | 0 |

Total respondents: 12
* The CISSP certification is from the (ISC)2 organization.
** The CISM certification is from ISACA, formerly known as the Information Systems Audit and Control Association (now known only by the acronym).