In this interview, John Colley, MD for (ISC)2 EMEA, talks about the challenges of his job, discusses critical information security areas, and tackles the future of certification.
What’s been your greatest challenge since becoming MD for (ISC)2 EMEA? How have your previous positions prepared you for this role?
I should answer this question in the context of the way information security has changed in the last 10 years. When I joined (ISC)2, information security was seen very much as a niche area, and the importance of professional qualifications wasn’t recognized widely. I suppose information security was a relatively new discipline then, which made it difficult for people to assess its potential or how much investment was required not just for technology, but also from a “people” standpoint. My biggest challenge and focus was to put the “people” issue on the agenda of CISOs and CSOs, and to get their buy-in on the need to identify, nurture and develop talent in order to create a talent pool of well-rounded, qualified and skilled professionals.
I recollect a discussion at a conference in Prague in 2004 – I was talking to a very senior, internationally recognized CSO about the need for qualifications in the security profession. At the time he simply couldn’t see its importance, however today he is a great advocate of qualifications and skills development for information security professionals.
Even today, information security is still relatively new when you compare it to IT, but the field is growing fast and qualification is being taken seriously. Today, it is difficult to find a job without a CISSP or equivalent qualification. But I think, from an education and skills development standpoint, a lot more needs to be done still.
My previous roles as Head of Risk Services at Barclays Group and Group CISO at the Royal Bank of Scotland gave me the opportunity to communicate with the security professional community on a peer-to-peer level. This experience has proved valuable and I’ve been able to draw on those relationships to further the skills development cause that is intrinsic to (ISC)2. In fact, the information security community is very well disposed to information and knowledge sharing – this kind of constructive approach benefits the profession as a whole.
Based on what your members report, what areas of information security have emerged as critical this year?
Presently there is a lot of talk about big data and the Internet of Things. In a pervasively “connected” world, getting security right will be critical. This means that security will need to be embedded in products and services from the word “go”. Thus far, while there is recognition that more needs to be done to pre-empt insecure software (which is a major cause of security breaches), often security is tacked on at the end. This approach will almost certainly not work with the Internet of Things.
In fact, application vulnerability is already a major concern of the information security profession. In addition to application vulnerabilities, hacktivism, cyber-terrorism and hacking also feature among the list of top security concerns. Security professionals continue to highlight the ongoing skills shortage, saying that it is impacting their organizations’ security incident preparedness and the ability to discover and recover from breaches.
How many people does (ISC)2 certify each year? How many of those are employed?
We are unable to provide these statistics. However, I can confidently say that our membership is growing. Today we have nearly 100,000 members globally across 135 countries. In EMEA, we are almost 16,000 strong. When I started my role as MD at (ISC)2, we had 7,000 members; we have more than doubled since.
The good thing now is that with the introduction of computer-based testing capability, professionals’ ability to secure certification is not limited by our logistical ability to run exams. Candidates can schedule an exam online 24 hours a day, seven days a week, for any time a test centre of their choice is open; all our exams are held at Pearson VUE certified test centres.
With young professionals increasingly opting to get certified and entering the workplace instead of attending university, how can we expect certifications in general to evolve in the near future?
I’m not sure if young professionals are opting out of university to get certified, but they certainly are keen to secure professional qualifications regardless of whether they have academic qualifications or not. For most employers today, a professional qualification is a prerequisite, as it provides assurance on the expertise and skills of the candidate.
Certifications will continue to evolve in response to the security and professional requirements needed at different points in time. Our own portfolio has grown significantly since the launch of our flagship CISSP credential. Over the years we have introduced SSCP, an entry-level IT security certification, and CSSLP for application security professionals.
Last year, we introduced the healthcare security and privacy certification (HCISPP) as a result of direct feedback from our members. The healthcare industry globally has undergone a transformation in recent years, especially as it has moved from primarily paper-based processes to a digital and connected environment. There are numerous sensitivities and complexities around information risk management and governance, and many of the people who are accountable for risk don’t actually have technology or IT backgrounds. So we created this credential – it provides validation that a healthcare security professional has the core level of knowledge and expertise required to deal with security issues pertaining to the healthcare industry.
Similarly, just in April this year we launched a cyber-forensics credential for Europe – the CCFP-EU. Today cyber forensics has become a profession in its own right and there is a need to establish professional standards for the discipline. In fact, in the (ISC)2 Global Information Security Workforce Study last year, 42% of respondents said that forensics was consuming a significant amount of their time.
My point here is that as the information security field evolves, new certifications will be developed in response to the current skills and knowledge requirements of the time.