In this interview, Tony Vizza, Director of Cybersecurity Advocacy, Asia-Pacific, (ISC)2, talks about the growing information security skills shortage, the importance of education, and the upcoming gathering of industry leaders at (ISC)2 Security Congress in Orlando, Florida.
Why do you think (ISC)2 membership and advocating for the cybersecurity profession is so important in your region of Asia-Pacific?
As we learned in our 2018 Cybersecurity Workforce Study, the overwhelming majority (2.14 million out of 2.93 million needed professionals) of the global skills shortage exists in the Asia-Pacific region, so we have significantly more work to do in terms of filling cybersecurity roles in our region than in any other part of the world.
Achieving (ISC)2 certifications is certainly one way to demonstrate and validate broad-based skills and knowledge of the fundamentals of cybersecurity, as well as serving as a marker that hiring managers can look for in order to feel confident in the individuals they are bringing into their teams. Certification demonstrates the applicant’s commitment to continually improving their skills to stay up-to-date on the latest threats and technologies, and that’s essential in an environment where change is constant.
The reason that I consider advocating for the profession to be such a massive responsibility is that we’re at an inflection point where the need to find and cultivate the next generation of talent is fundamental to our global security, across many and all economies. What we do now to nurture and grow a diverse workforce will have repercussions for years to come.
As a part-time instructor, what impact do you believe education can have on bringing more talented individuals into the security industry?
There are two major prongs to education that can impact cybersecurity staffing. First, our profession is definitely challenged by a lack of understanding or appreciation of what it is we actually do, particularly at the earlier stages of formal education systems. When young people are exposed to this field and are able to break down many of the perceptions that exist about cybersecurity and recognize that it could be an achievable career path, we’ll open the industry up to a greater volume and diversity of talent, particularly if our primary and secondary schools offer more practical learning paths and coursework.
Second, as I alluded to before, even certified professionals with lots of experience need to continue to train and improve their skillsets. That’s why (ISC)2 developed the Professional Development Institute, which is a robust portfolio of online self-paced courses that serve as a go-to resource for timely and relevant continuing education opportunities to help keep skills sharp and curiosity piqued. These courses are free to our members and by the end of this year we’ll have a portfolio of roughly 30 available, covering a vast range of topic areas.
We’re also very excited about this year’s (ISC)2 Security Congress taking place from October 28-30 in Orlando, Florida. While this has traditionally been a North American conference in the past, the 2019 iteration will be a truly global event, with 4,000 attendees expected from all across the globe, and more than 175 sessions planned on a range of topics that will be educational and actionable. Having attended the conference myself last year, I can say with great confidence that attending such events and networking with others in the industry is a great way to keep abreast of the latest trends in cybersecurity.
What do you see as the most important steps organizations of all sizes can take in order to address the growing cybersecurity skills shortage?
I don’t think it comes as any surprise that companies are essentially in competition for the best talent, and as such, should take an inward look at how they market themselves and appear to candidates. Part of this was covered in (ISC)2’s 2018 research Building a Resilient Cybersecurity Culture, which found that those companies whose executive teams prioritized cybersecurity and reinforced good practices were much more successful in hiring and retaining enough talent to make them feel confident in their defenses.
Organizations should also look at opportunities such as mentorship programs, cross-training from different departments and subsidizing continued training for their IT and cybersecurity staffs in order to develop new talent.
What have been the major security developments in the past year, and how have these informed the (ISC)2 Security Congress agenda for 2019?
To a large extent, the topic submissions we receive from our speakers, many of whom are our members, really drive the content for the agenda each year. As such, for 2019 we established a Security Automation track to deal with machine learning and artificial intelligence, which was a particular area of interest for our applicants.
Additionally, we expanded our Privacy track based on interest and demand, particularly with the attention that the California Consumer Privacy Act (CCPA) is generating, as well as the increasing prevalence of mandatory breach reporting directives in economies across the world, including Asia-Pacific.
And on a slightly different note, this year we’re introducing a “Student Experience” program to offer sessions aimed at students and newcomers to the cybersecurity practice. This is an effort to build that awareness around what a great profession and career path it is and encourage students to seek out education, training and ultimately, opportunities.
What trends or sessions do you think will be of particular interest?
We’re all very excited to hear our keynote speakers this year, including Captain “Sully” Sullenberger, Admiral William H. McRaven, Catherine Price and Erik Wahl. We have received some outstanding submissions in the area of ICS and Critical Infrastructure that I feel are compelling to attend. This is an area that affects all people around the world, and to understand the impact of cybersecurity on these areas and make this meaningful to those outside of our industry who are reliant on these services will go some way to helping break down misconceptions.
I also have a close affinity for the Governance, Risk and Compliance realm and will be looking to learn new ideas and concepts in relation to this space, particularly with the regulatory changes that are ever-constant. On a personal level and as a student of law, the Privacy track will guarantee my attendance at many of the sessions there.
Finally, having recently gained my CCSP certification, cloud computing and the rapid changes in this space will necessitate that I attend some of the sessions within the Cloud track. The full conference schedule can be found here.