
Media Contact:
Courtney Jewell Beveridge
Extension Group
(703) 618-8205


Poll of 700 Information Security Experts Reveals Disparity between Front-line Opinion and Proposals to Restructure Cybersecurity Workforce

Security Community Urges Lawmakers to Consider Feedback Regarding How to Solve Federal Human Capital Crisis in Cybersecurity

PALM HARBOR, Fla., U.S.A., Nov. 17, 2010 - (ISC)²® (“(ISC)²-squared”), the largest not-for-profit body of certified information security professionals worldwide, with over 73,000 members in more than 135 countries, along with global leaders in the information security professional, certification and education community, is calling on Congress to collaborate with front-line information security professionals before finalizing pending legislation on cybersecurity.

In an effort to determine how best to support the legislation, (ISC)² officials polled nearly 700 front-line information security professionals from government and industry on trending proposals regarding professional licensing through testing and the creation of an examination review board. The poll found that a vast majority of professionals do not agree with such proposals.

Respondents did agree that there is a critical shortage of federal information security professionals, that one of the main causes of this shortage is the lack of a career path, and that a gap exists between current certification programs and the specific cybersecurity skills needed in the federal government.

A recent prepublication release of the Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency titled “A Human Capital Crisis in Cybersecurity” has articulated several similar critiques of the current certification system for cybersecurity. The whitepaper went on to recommend, among other things, the creation of a Board of Information Security Examiners to close the gap between existing certification programs and specific skills; an emphasis on technology-specific certifications as a means of replenishing the current shortage of qualified professionals; a shift in focus in training and certification from security principles and best practices to primarily technical skills; and the imposition of licensure upon information security, as with the medical profession, to ensure a qualified information security workforce.

Sixty-nine percent of respondents to the (ISC)² poll said they do not believe that a government-run board of examiners will close the gap between existing certification programs and the cybersecurity skills needed in the workplace, and 53.7 percent said they do not believe that spending money on exclusively technical training and certification programs would solve the nation’s security problems.

“We recognize the importance of advising lawmakers on the link between workforce development, cybersecurity education and the broader mission of national cybersecurity and believe that input from front-line professionals is absolutely critical in determining the final approach to the solution,” says W. Hord Tipton, (ISC)² executive director and former CIO of the U.S. Department of the Interior. “The results of this poll demonstrate that although information security professionals believe that the white paper and others have accurately identified the human capital problems in cybersecurity, they have neither acknowledged the correct causes, proposed the best solutions, nor have they provided data to support the claim that fatal flaws exist in the existing certification environment.”

“(ISC)², along with other global professional bodies such as the Information Systems Security Association (ISSA), ISACA, CompTIA, and more, represent the information security community around the globe, with collectively more than one million professionals in both the private and public sectors as members,” says Elizabeth Hyman, CompTIA’s vice president for public advocacy. “The unique insight of highly experienced information security professionals and leaders from these organizations will be essential to bringing a balanced perspective to the final cybersecurity legislation.”

“We firmly believe that the human capital issue is so critical to advancing national cybersecurity that all voices, especially those of information security personnel on the front-lines of securing mission-critical systems, should be heard on this,” says Richard Clark, CISA, CGEIT, CRISC, chair of ISACA’s Government and Regulatory Agencies Committee. “The stakes are too high not to consider this group of stakeholders.”

In a letter written to Congress in late August, these leading professional organizations urged Congressional leaders to engage a larger pool of information security professionals to address fundamental and foundational cybersecurity areas. “Engaging our global community of IT security subject-matter experts is critical in developing the right approach to achieving our cyber security objectives,” says Kevin L. Richards, president, ISSA.  

Collectively, the organizations urged Congress to “leverage the existing certification and information security community infrastructure to ensure a seamless ramping up of information assurance security professionals.” To receive a copy of the letter to Congress dated August 26, 2010 or to view the survey questions and results in full, please go to https://www.isc2.org/government.aspx.

About (ISC)²®

(ISC)² is the largest not-for-profit membership body of certified information security professionals worldwide, with over 73,000 members in more than 135 countries. Globally recognized as the Gold Standard, (ISC)² issues the Certified Information Systems Security Professional (CISSP®) and related concentrations, as well as the Certified Secure Software Lifecycle Professional (CSSLP®), Certified Authorization Professional (CAP®), and Systems Security Certified Practitioner (SSCP®) credentials to qualifying candidates. (ISC)²’s certifications are among the first information technology credentials to meet the stringent requirements of ANSI/ISO/IEC Standard 17024, a global benchmark for assessing and certifying personnel. (ISC)² also offers education programs and services based on its CBK®, a compendium of information security topics. More information is available at www.isc2.org.

# # #

© 2010, (ISC)² Inc. (ISC)², CISSP, ISSAP, ISSMP, ISSEP, CSSLP, CAP, SSCP and CBK are registered marks of (ISC)², Inc.


Follow (ISC)² on Twitter and YouTube.