What's been your greatest challenge since becoming MD for (ISC)2 EMEA? How have your previous positions prepared you for this role?
I should answer this question in the context of the way information security has changed in the last 10 years. When I joined (ISC)2, information security was seen very much as a niche area, and the importance of professional qualifications wasn’t recognized widely. I suppose information security was a relatively new discipline then, which made it difficult for people to assess its potential or how much investment was required not just for technology, but also from a ‘people’ standpoint. My biggest challenge and focus was to put the ‘people’ issue on the agenda of CISOs and CSOs; and to get their buy-in on the need to identify, nurture and develop talent in order to create a talent pool of well-rounded, qualified and skilled professionals.
I recollect a discussion at a conference in Prague in 2004 – I was talking to a very senior, internationally recognized CSO about the need for qualifications in the security profession. At the time he simply couldn’t see its importance; however, today he is a great advocate of qualifications and skills development for information security professionals.
Even today, information security is still relatively new when you compare it to IT, but the field is growing fast and qualification is being taken seriously. Today, it is difficult to find a job without a CISSP or equivalent qualification. But I think, from an education and skills development standpoint, a lot more needs to be done still.
My previous roles as Head of Risk Services at Barclays Group and Group CISO at the Royal Bank of Scotland gave me the opportunity to communicate with the security professional community on a peer-to-peer level. This experience has proved valuable and I’ve been able to draw on those relationships to further the skills development cause that is intrinsic to (ISC)2. In fact, the information security community is very well disposed to information and knowledge sharing – this kind of constructive approach benefits the profession as a whole.
Based on what your members report, what areas of information security have emerged as critical this year?
Presently there is a lot of talk about big data and the Internet of Things. In a pervasively ‘connected’ world, getting security right will be critical. This means that security will need to be embedded in products and services from the word ‘go’. Thus far, while there is recognition that more needs to be done to pre-empt insecure software (which is a major cause of security breaches), often security is tacked on at the end. This approach will almost certainly not work with the Internet of Things.
In fact, already application vulnerability is a major concern of the information security profession. In addition to application vulnerabilities, hacktivism, cyber-terrorism and hacking also feature among the list of top security concerns. Security professionals continue to highlight the ongoing skills shortage, saying that it is impacting their organizations' security incident preparedness and the ability to discover and recover from breaches.
How many people does (ISC)2 certify each year? How many of those are employed?
We are unable to provide these statistics. However, I can confidently say that our membership is growing. Today we have nearly 100,000 members globally across 135 countries. In EMEA, we are almost 16,000 strong. When I started my role as MD at (ISC)2, we had 7000 members; we have more than doubled since.