Expanding threats are buoying the need for a strong enterprise cybersecurity strategy, as well as raising the stakes in the training, certification and deployment of IT security professionals, according to industry advocate Hord Tipton.
In this video, Tipton, executive director of the International Information Systems Security Certification Consortium (ISC)2 in Palm Harbor, Fla., speaks with SearchCompliance.com Executive Editor Chris Gonsalves about changes in the cybersecurity strategy landscape and the need for better training for users at all levels of consumer and business technology.
Expanding threats from increasingly sophisticated hackers and international gangs of computer criminals, along with the growing specter of state-sponsored cyberterrorism, are contributing to the increased focus on cybersecurity strategy. Recent reports that point to U.S. government involvement in attacks on Iran's nuclear infrastructure -- using malware such as Stuxnet and Flame -- only heighten that urgency, he said.
"I have to admit, I was a bit dumbfounded. It seems to us in the security field [to be] a game changer," Tipton said. "I think we all recognize that all nations have a certain amount of intelligence gathering that goes on. But we have to be careful with what could be characterized as sabotage. What would we do if someone had attacked our critical infrastructure in this way?"
Tipton, a former chief information officer (CIO) at the U.S. Department of the Interior under President George W. Bush, where he oversaw systems used by more than 85,000 individuals, said keeping systems safe requires a focus on the people -- end users, trusted partners, even the general public -- more than on the technology.
"We are the first to recognize we've developed good technology, but at the heart is the people who manage it, configure it, monitor it," he said. "The people who use the technology are a vital, critical component of keeping that environment safe.
"To err is human. There is no such thing as perfect security. It's all based on risk. How much risk do we have an appetite for and how much freedom do we want to allow the people who use our systems to have?"
To that end, Tipton strongly advocates improved security training for IT professionals and users alike. "Until we have an improved position on our applications, we're going to have to insist that our people become more compliant," he said. "We have to educate the executives. They need to fund training for their people beyond what they are getting, and they need to insist more on secure software and fund adequate technology."
That said, Tipton agrees that an increasingly dangerous cyberworld spells opportunity for IT security professionals. (ISC)2's membership has doubled in the past five years to more than 86,000, but that's still well short of the 2 million security experts needed in today's global market. By 2015, (ISC)2 estimates that more than 4.25 million security specialists will be needed to manage and monitor cybersecurity strategy systems globally.
"We're in a world where it's fully digital, we are in a fully cyber world. The unemployment rate [for security personnel] is virtually zero. It's proven to be recession-proof," Tipton said. "We need these people all across the board."