You may know ISACA as an organization for information governance, control, security and audit professionals. The membership organization is well known for its COBIT business framework for the governance and management of enterprise IT. This week ISACA is launching a new program, Cybersecurity Nexus, to provide comprehensive expert-level cybersecurity resources tailored to each stage in a cybersecurity professional’s career.
Every organization that has recently tried to recruit and hire qualified information security professionals knows it’s a tough environment for hiring. The demand for cybersecurity professionals has grown more than 3.5 times faster than the demand for other IT jobs over the past five years and more than 12 times faster than the demand for all other non-IT jobs, according to a recent report from Burning Glass Technologies. Current staffing shortages are estimated between 20,000 and 40,000 and are expected to continue for years to come.
This week ISACA (www.ISACA.org) is launching the Cybersecurity Nexus (CSX) program to address this shortage and to help IT professionals with security-related responsibilities to “skill up.”
For more than 40 years, ISACA has been a pace-setting global organization for information governance, control, security and audit professionals. The membership organization is well known for its COBIT business framework for the governance and management of enterprise IT. This framework is based on the latest thinking in enterprise governance and management techniques, and provides globally accepted principles, practices, analytical tools and models to help increase the trust in, and value from, information systems.
Now ISACA is building on this foundation with the Cybersecurity Nexus program to help bridge the skills gap between IT governance and information security. ISACA is seeing rapid growth in the number of its 115,000 members who are assuming security practitioner responsibilities. However, a recent member survey indicated that many of these people don’t feel they have the necessary knowledge and skills to prevent advanced persistent threats (APTs) from causing harm to their organizations.
CSX is designed as a comprehensive program that provides expert-level cybersecurity resources tailored to each stage in a cybersecurity professional’s career. Today the program includes career development resources, frameworks, community and research guidance such as Responding to Targeted Cyberattacks and Transforming Cybersecurity Using COBIT 5.
There is also a Cybersecurity Fundamentals Certificate that is aimed at entry-level information security professionals with 0 to 3 years of practitioner experience. The certificate is for people just coming out of college and for career-changers now getting into IT security. The foundational-level, knowledge-based exam covers four domains:
1. Cybersecurity architecture principles
2. Security of networks, systems, applications and data
3. Incident response
4. Security implications related to adoption of emerging technologies
The exam will be offered online and at select ISACA conferences and training events beginning this September. The content aligns with the US NICE framework and was developed by a team of about 20 cybersecurity professionals from around the world.
As time goes by, ISACA will be adding more to the CSX program, including:
• Mentoring Program
• Implementation guidance for NIST’s US Cybersecurity Framework (which incorporates COBIT 5) and the EU Cybersecurity Strategy
• Cybersecurity practitioner-level certification (first exam: 2015)
• Cybersecurity Training courses
• SCADA guidance
• Digital forensics guidance
The membership and strong community aspect of ISACA is what differentiates this program from other training and certifications offered by groups like Cyber Aces, SANS Institute and ISC2. What’s more, those programs tend to focus on the true infosec domain, whereas ISACA’s initiative is coming at cybersecurity from the business risk element and the risk proposition of cyber computing. CSX is a single “place” for people to go to and get what they need to advance not only their organization’s cybersecurity posture but also their own careers.
“We’re trying to tie the business ecosystem together, down from the corporate strategy, to the business architecture and execution, and ultimately to the cyber risk and putting in the appropriate preventative controls,” says incoming ISACA president Rob Stroud. “But more importantly with cyber is how you deal with an attack after it happens because you can’t prevent everything. This is where we see our place in this domain and it is certainly our starting position.”
According to Stroud, part of where ISACA is going with this program is with practical publications that give guidance on putting appropriate controls in place. “What we are doing now in this changing, disruptive world is developing practical guidance and making it available in a form that the practitioner can actually interact with it based on roles and responsibilities. This will be coming down the road a little way,” says Stroud.
For more information about ISACA’s Cybersecurity Nexus program, visit www.isaca.org/cyber.
Linda Musthaler (LMusthaler@essential-iws.com) is a Principal Analyst with Essential Solutions Corp., which researches the practical value of information technology and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.