New Zealand Information Security Workforce Development Strategy · 2012-11-19 · New Zealand...

New Zealand Information Security Workforce Development Strategy November 2012 A Comprehensive Strategy Addressing the Recruitment, Retention and Professionalization Needs of the New Zealand Information Security Industry Prepared and presented by In2securITy Limited


Abstract

New Zealand has faced many challenges when protecting its valuable information. Time and again, many private and public sector organisations have failed to approach these challenges with the maturity, governance and technical excellence that modern systems require.

As the pace of technical innovation increases, the complexity and quantity of these challenges will only increase. As a result, New Zealand needs to seize this opportunity to modernise its approach to the recruitment, retention and professionalization of its information security industry – an industry that will be tasked with protecting our systems and sensitive information for years to come.

This document outlines the issues faced by New Zealand organisations when addressing this challenge as well as the threat posed by failing to act now.

In addition, this strategy contains an evaluation of a 12 month pilot scheme, in2securITy, launched in 2012 to address these issues. This scheme has proven without doubt that New Zealand has a large appetite and need for this kind of development programme.

Finally, this strategy outlines a set of objectives and operating principles for the implementation of a National Information Security Workforce Development Strategy, to consist of a set of proposed initiatives – each designed to make New Zealand a global leader in the strategic development of world class information security professionals.


Executive Summary

New Zealand has a problem with information security.

Popular opinion in the cyber age is that security issues stem from a lack of technology, the application of which can solve all problems.

Technology, however, is nothing without skilled systems architects, implementers and operations staff. Without people, technology is not a solution; it is just one of many tools available to the modern organisation.

While technological innovation is high within the New Zealand market, the national spend on educating, training and developing skilled technical personnel is surprisingly low, creating an imbalance and directly contributing to the fragility and vulnerability of our nation’s IT systems.

An increasing number of high profile system breaches have reinforced that from initial systems development and design, through to implementation and operational management, New Zealand businesses and public sector organisations are struggling to cope with the demands of a “connected-by-default” society.

This lack of skilled security professionals affects public, private and academic sectors, impacting on small business systems and multi-million dollar cross-organisation projects alike. It is a national problem and requires national attention.

New Zealand is embracing the internet and the business opportunities it brings. It will continue to do so at an increasing pace as technology and connectivity become cheaper and more widely available. The days of “learning by doing” and “she’ll be right” in systems security are over.

We have a responsibility to adapt to this challenge and build a new generation of skilled security professionals to enable our country to operate in this new environment as safely as possible.

Meeting this obligation is key to survival in the global technology market.

The New Zealand Information Security Workforce Development Strategy provides an overview of the information security industry in New Zealand and globally.

In addition, a high level analysis of the strengths and weaknesses of the New Zealand information security industry is provided. This has identified great community enthusiasm and strength within a number of active groups. It has also, however, revealed vulnerability introduced by a combination of poor awareness, poor cross industry communication and low availability of objective information with which to plan career development.

Looking forward, New Zealand has the chance to become a global leader in strategic development of information security professionals. By capitalising on the agility and innovation innate within our technical industries and presenting a quality, security focused global brand, New Zealand could experience high volume growth in emerging markets such as highly distributed systems and remote IT service provision.


This can only happen, however, if, as a nation, we can address some of the upcoming threats to our industry. These include rapid service growth from Asian, South American and Indian markets, reputational damage from regular publicised systems compromises and increased emigration.

This strategy outlines a set of objectives, operating principles and initiatives that aim to address these issues. Together, these items will allow New Zealand to define a lean programme that focuses on education over bureaucracy in a transparent and accountable way. This programme aims to develop New Zealand as a global leader in the field of information security workforce development.

In2securITy Limited launched a limited scope pilot to implement parts of this strategy in 2012. This pilot achieved great success despite limited resources and reliance on unpaid volunteers. A detailed evaluation of this pilot, its achievements and limitations is included as part of this strategy.

This whitepaper proposes the following ten initiatives to extend the 2012 in2securITy pilot:

Dedicated Security Education and Project Spaces

National Security Apprenticeship Scheme

Security Training and Development Fund

National Schools Integration Programme

University Integration Programme

National Security Awareness Programme

Mentoring Programme Expansion

Improved Web Portal

New Zealand Computer Emergency Response Team (CERT)

Information Security Workforce Development Board

A comparison of these proposed initiatives has been included in this document. This measures each initiative against the core objectives identified by in2securITy for the operation of a successful Information Security Workforce Development project as well as geographic inclusion, cost and overall estimated impact.

Finally, this strategy strongly recommends the introduction of a government funded Information Security Workforce Development Scheme based on the objectives and operating principles outlined herein. This scheme should expand upon the in2securITy pilot and consider a range of the proposed initiatives.


Contents

Background

Information Security in New Zealand

Information Security in a Global Market

Key Employment Demographics

Dedicated Security Roles

Integrated Security Roles

Academic Security Roles

Analysis

Strengths

Weaknesses

Opportunities

Threats

Requirements

The Five Core Objectives

Operating Principles

Dependencies and Key Relationships

Funding Options

Measuring Success

Current Initiatives

Introduction to In2securITy

Pilot Funding and Resources

Pilot Initiatives

Pilot Limitations

Proposed Initiatives

Initiative Overview

Comparison Metrics

Comparison Matrix

Initiative One: Dedicated Security Education and Project Spaces

Initiative Two: National Security Apprenticeship Scheme

Initiative Three: Security Training and Development Fund

Initiative Four: National Schools Integration Programme

Initiative Five: University Integration Programme

Initiative Six: National Security Awareness Programme

Initiative Seven: Mentoring Programme Expansion

Initiative Eight: Improved Web Portal

Initiative Nine: New Zealand Computer Emergency Response Team (CERT)

Initiative Ten: Information Security Workforce Development Board

Conclusion

Recommendations

References


Background

In This Section:

Information Security in New Zealand

Information Security in a Global Market

Key Employment Demographics


Information Security in New Zealand

Cultural Imperatives

New Zealand is known as a nation of people that are unafraid of a challenge or taking risks.

From the much lauded “Number 8 wire” approach to fixing problems to the prevalence of “she’ll be right”, we are a country of people who are ready to try out new things, get our hands dirty and experiment.

Whilst these traits create a fertile development environment for new business and innovation, they have also contributed to the nation’s immature approach to information security.

Furthermore, the fiercely proud “Made in New Zealand” ethos that permeates small business often translates into a phenomenon in technical fields known as “Not Invented Here”.

“Not Invented Here” manifests in two ways.

In the first instance, individuals, groups and organisations will prioritise country of origin or operation over security, innovation or quality. In this case, decision makers will intentionally choose inferior or less secure products and services because they come from a particular location.

In the second and more dangerous case, individuals, groups and organisations will design their own version of a product instead of utilising an existing mature product or system from elsewhere (in this case overseas).

In the small business and innovation space, “Not Invented Here” has led to fundamental security mistakes including self-built cryptographic solutions, immature trust models/authentication systems in software applications and use of niche/unsupported development tools and languages.

While promoting New Zealand businesses and solutions is a fantastic way to develop our nation as a leading technical force and foster further innovation, development and business growth, the naïve assumption that geographic source alone creates a mature, secure IT product/system must stop.

Further work must be carried out to ensure that “Made in New Zealand” means a product/system that was built locally, in a secure, robust and mature manner. Such products and systems should be thoroughly tested, well maintained and monitored and regularly updated to account for new security threats and changes to the technological landscape. Until this is the case, “Not Invented Here” remains a danger to IT projects nationwide.

Security in an Agile and Innovative Market

New Zealand organisations are increasingly adopting agile development and design principles. These principles focus on rapid development, frequent integration and short delivery iterations. This allows organisations of all sizes to bring new development ideas and products to market in a short period of time and is helping the country gain traction as an innovative and fast paced market.


Agility, particularly in software and IT systems development, can, however, come at a cost. Security considerations and design patterns are perceived as complex and slow to implement, a direct contrast to the fast paced and flexible approach associated with agility and innovation. It is unsurprising therefore that these security requirements are left until very late in the project or removed entirely.

In reality, security can be integrated into an agile lifecycle (1) with relative ease. By combining security requirements with functional requirements on an iteration by iteration basis, security can be built in from first release. The adaptation of test driven design mechanisms to include security testing in every iteration release provides a lightweight and constantly evolving sense of security awareness across the entire project. This approach could allow New Zealand to continue to be innovative and rapidly bring new products and services to market whilst building security in by default.

High Pressure, High Consequence

The past 12 months have represented a dramatic increase in not only the size and frequency of information security breaches within New Zealand, but also a change in the amount of media and public interest in such events.

It is no longer the case that breaches (particularly those exposing private information) only receive limited coverage in the technical column. Today, breaches are widely covered by print and online media and result in high volumes of public debate.

Recent events have highlighted issues with many aspects of security within New Zealand organisations (2):

Lack of systems monitoring and operational security to detect and prevent breaches.

Immature understanding of/approach to the acceptance of risk.

Poor integration of security design and testing into the systems development and maintenance lifecycles.

Insufficient incident response planning and integration of incident response procedures across the entire organisation.

Poor level of awareness with regard to information security fundamentals across New Zealand media.

The reputational damage from such compromises can have a lasting effect on an organisation and any third parties it is associated with, a result that is compounded further by kneejerk, unplanned public statements and incident response.

In terms of financial impact, the exact cost of such systems compromise is unclear. While the total cost is rarely revealed and difficult to calculate accurately, associated costs include a wide range of remediation activities aside from simple technical systems changes. From legal costs to marketing activities and staff training, the cost and resource impact of a security breach far exceeds the realms of the IT department budget.

The most significant feature of these breaches has been the mismatch between the perceived complexity of breaching a large system and the reality. The majority of public systems compromises, data loss and breaches within New Zealand do not come from Advanced Persistent Threat (APT) actors but from rudimentary failures in the design, implementation and monitoring of our systems. These are issues for which there have been tried and tested solutions for many years. These compromises have cost organisations thousands in remediation activities (3) and could have been avoided with simple, cost effective and well known security design patterns and an increased focus on defensive operational practices.

Small Island Syndrome

In geographic terms, New Zealand is a very remote location. Its relatively small size and low population numbers, coupled with the cost of international travel, can create a sense of isolation and separation – even in the digital age.

While these features make New Zealand a beautiful and popular location to live and operate, they also create a false sense of security. A land with no natural predators, with no history of large scale invasion and with no direct political threats has a natural sense of ingrained security.

When large organisations overseas are compromised, the severity and relevance of these events can be diluted by the distance and differences between the two countries. In fact, New Zealand organisations rarely identify similarities and implied risk to their systems and business from foreign systems breaches. In most cases, a New Zealand based incident is required to focus attention and motivate organisational change.

Evidently, this behaviour is not unique to New Zealand; however, its impact on the agility and awareness of the country in the face of information security vulnerability is high. By devaluing lessons and case studies happening outside of New Zealand and focusing on local incidents, valuable security lessons are ignored until they occur closer to home. This reduces the time available for remediation efforts and increases the remediation cost.

Fixing an issue over 12 months after an incident in a similar European system is much cheaper and less stressful than remediation of an issue within 2 weeks as a result of a breach within a New Zealand organisation.

Information Security in a Global Market

Connected By Default

Internet based and distributed systems are no longer the reserve of cutting edge innovators. With the rise in portable computing devices and the reduction in cost of IT hardware and bandwidth, high availability, interconnected systems are now expected of the modern organisation.

As demand for these systems has grown and organised a “connected-by-default” mentality, the demand for high calibre security professionals has in turn risen (4).

These professionals are expected to design, implement and manage sophisticated information systems, often spanning massive geographic distances and combining modern and legacy technologies.

These systems often cross international borders, time zones and legal jurisdictions. Downtime and compromises in these kinds of systems are now measured in millions of dollars. (5)


The End of the Silent Failure

Information systems breaches and data loss cases are big news. The internet, social networking and the growth of subjective content production mean that news of security incidents reaches an international audience quickly and spreads fast. Within hours of a public breach disclosure, the international online technical press will normally feature coverage.

In addition to the fast, uncontrolled nature of the coverage, most media outlets provide (and encourage) interactive, international debate of their stories. This creates an evolving story, reaching a wide target audience. Subjective commentators can write about, comment on and analyse these incidents publicly and at length with no oversight or authority. The quality of their reporting and evidence to support claims are rarely present or verified.

In essence, once a story breaks, there is no stopping it.

New Zealand, like all other nations, can suffer reputational damage from this sort of publicity. In fact, the only proven way to avoid the negative impact of an information security breach in the international press is to minimise the likelihood of such a breach happening in the first place.

Crossing Linguistic, Social and Cultural Boundaries

Information Technology is a field that crosses linguistic, social and cultural boundaries. Whether an organisation is based in Hamilton, Moscow or Delhi, the technologies and concepts in use remain the same.

This has created an employment market like no other. Information security professionals are globally mobile with skills that can apply to any country. As a result, when New Zealand requires talented information security professionals, its employers are competing with similar positions globally, not just within New Zealand.

This is particularly noticeable in New Zealand where an already high emigration rate is compounded by the fact that information security roles pay less than in neighbouring countries. A successful New Zealand recruiter must offer a job package that can not only compete with similar national organisations but also those in neighbouring countries.

A young IT professional will require more than just job security to retain them; they are looking for career development challenges and a benefits package comparable to those offered abroad.


Key Employment Demographics

Dedicated Security Roles

Definition

In the context of the New Zealand employment market, dedicated security roles refer to those people employed in a position whose sole function is the implementation, testing or management of security for one or more organisations.

Dedicated security roles span both technical and non-technical specialists. Successful security specialists often come from a more general technical background and may have been implementers or developers in previous roles.

Dedicated Security roles currently represent approximately 20% of the New Zealand Information Security market and can be found in both public and private sector organisations.

Key Skills

Technical generalists (Technical Roles Only)

Highly adaptable, fast learners

Skilled communicators (both verbal and written)

Analytical and logical

Risk focused

Example Job Titles

Penetration Tester

Forensic Analyst

Security Consultant

Incident Responder

Security Architect

Integrated Security Roles

Definition

Integrated Security roles include those positions which require a working knowledge of security best practice and methodologies in the context of a traditional technical, project or managerial role.

This category of roles is rapidly increasing and now includes most technical professionals as well as those employed to design, support or manage technical systems.

Integrated Security roles currently represent approximately 75% of the New Zealand Information Security market and can be found in both public and private sector organisations.

Key Skills

Security knowledge supports core technical discipline (Technical roles only)

Innovative

Skilled integrators balancing business and security requirements

Skilled communicators


Example Job Titles

Software Developer

Infrastructure Engineer

Project Manager

Systems Architect

Support Engineer

Technology Manager

Academic Security Roles

Definition

Academic security professionals are charged with the task of furthering security technologies and techniques. From teaching within formal learning environments such as universities and polytechnics through to conducting cutting edge research, academic roles are a small, key group of positions within New Zealand and can be some of the hardest to fill.

Academic security specialists may have migrated from commercial or government roles but have often had a long standing academic relationship. Academic roles are fundamental to the growth of New Zealand and our contribution to the security field. The academic community, however, is fragmented and insular, which can damage integration between researchers and business needs.

Academic roles currently represent approximately 5% of the New Zealand Information Security market.

Key Skills

Deep knowledge in a small number of disciplines

May specialise in security or integrate security as a part of a more complex subject set

Skilled communicators

Highly educated (most roles require a PhD and proven published academic record)

Methodological, analytical thinkers

Example Job Titles

Lecturer

Researcher


Analysis

In This Section:

Strengths

Weaknesses

Opportunities

Threats


Strengths

Well Established Community

The New Zealand information security community is well established and active. Despite geographic disparity, several community groups have formed and meet on a regular basis. While a formalised leadership and governance structure does not exist, each group has specialised to serve a specific need or demographic.

When issues arise, communication between organisations and professionals is essential. In many cases formal communication channels between competing businesses do not exist. These groups have evolved to provide a safe mechanism for issue discussion and resolution.

Services provided by these groups include:

Knowledge sharing and talks

Conferences and community gatherings

Working groups and research

Networking

Example groups include:

New Zealand Information Security Forum (part of the New Zealand Security Association) (6)

New Zealand Information Security Interest Group (NZISIG) (7)

New Zealand Internet Task Force (NZITF) (8)

InternetNZ (9)

Kiwicon (New Zealand hacker conference) (10)

First Tuesday (Security Executive Networking Group) (11)

ISACA (part of the international ISACA organisation) (12)

ISC2 (part of the international ISC2 organisation) (13)

In2securITy (Information Security Development and Education Organisation) (14)

Internationally Recognised New Zealand Security Professionals

Despite its size, New Zealand has created a surprisingly high number of world class security

researchers and professionals. This legacy of talented and globally respected individuals has created

a strong set of role models to which many current New Zealand professionals aspire.

New Zealand achievements include:

Presentation at global information security conferences such as Black Hat (15) and Defcon

(16)

Development of security tools in use by thousands of professionals worldwide

Identification of security flaws in widely used software products and the responsible

disclosure of said issues

Employment in senior security positions within global organisations such as Google and

Microsoft.

Acceptance and Prioritisation of Issue

The New Zealand information security community is made up of volunteer representatives from a

range of organisations and groups. This community has widely and openly acknowledged the issues

they face in the areas of talent development and retention. This issue has been prioritised and many

individuals have given time, resources and effort to participating in activities related to its resolution.

In addition, a need for more maturity and governance in information security projects and related

organisations remains a constant focus for this group.

By recognising and prioritising this issue, the New Zealand information security community has taken

the vital first step.

Unfortunately, the information security community does not officially represent the information

security industry. The wider information security industry must work together to officially own and

prioritise this issue.

Weaknesses

Ambiguity in Language (including Employment Titles/Roles)

The IT industry is renowned for its complex language and buzzwords. Information security is no

different, particularly when it comes to job titles. This ambiguity and complexity in job titles impacts

the industry in two ways.

From a job candidate’s perspective it can be difficult to tell what a job involves, likely responsibilities

and expected seniority. This impacts a candidate’s ability to judge their own suitability for a role.

From an employer’s perspective, previous job titles are one of the pieces of information with which

they will judge the suitability of job applicants. A CV or application littered with grand titles can seem

impressive at first glance but can often be a poor representation of the actual roles undertaken.

While an overhaul of the language used in job titles is out of scope for any initiative or programme,

provision of an objective information source that can decode this language would be a simple and

effective solution.

The Information Security Certification Industry

The information security certification industry is huge.

Many professional and commercial bodies have launched ranges of information security

certifications and qualifications aimed to promote professionalization within the industry. (17)

Qualifications vary in price from several hundred dollars to several thousand. In addition to upfront

training and exam costs, many certifications expire after a period of 1-3 years. These certifications

require a retest or renewal fee to sustain and update.

At this time, no objective assessment of information security qualifications exists. Professionals will

choose their certifications based on job role requirements, word of mouth or marketing campaigns.

Many employers will require a range of named certifications and qualifications for a particular role.

These requirements are often based on perceived industry standards, subjective opinion or similar

existing positions.

While certifications remain a clear way to demonstrate technical ability or specialism, the breadth

and size of the certification market combined with the lack of objective information surrounding the

suitability of certifications persists. This uncertainty makes choosing qualifications/certifications

difficult and expensive.

Current Reliance on Individuals

The majority of New Zealand information security initiatives are funded by donations and rely on the

time and enthusiasm of unpaid volunteers. Without such people and their efforts, most of the

existing groups and community would cease to exist.

While voluntary provision of these groups and services is both useful and noble, the reliance on such

individuals to continue in this way is naïve. People will move roles and locations, circumstances and

funding levels will change.

Support must be provided both financially and in terms of resources so that these initiatives and the

individuals and groups running them can continue. This support should come from a combination of

national government and private sector industry.

Communication across IT Communities

While dialogue and knowledge sharing within the information security community is well developed,

it operates largely in isolation from the rest of the IT world and the information security industry.

Integration with other IT communities is essential if awareness of information security is to

propagate.

All IT professionals of all specialisms have an obligation to be aware of information security and its

implications. As information security professionals, we have an obligation to help raise awareness of

information security and encourage the creation of systems that are “secure-by-design”.

Lack of Defined Career Development Streams

Information security is a new specialism. As such there is much confusion surrounding how best to

start out and develop a career within it.

Even once an individual gains an entry level security position, there is little guidance on the paths

available for career development from that point.

Compounding this issue further is the IT qualification and certification industry which provides a

range of competing options (as previously discussed). Very few of these certifications have been

independently verified for suitability, content or effectiveness.

Without clear guidance or objective information, professionals can face a confusing and sometimes

expensive career.

Poor Security Awareness

Information security is a complex field and when applied to the diversity of organisations in New

Zealand, this complexity is only amplified. Every organisation is different and has a different range of

(often conflicting) requirements.

It can be challenging for business leaders and technical implementers to identify which aspects of

information security are relevant to their projects and businesses and even once identified,

objective, trustworthy sources of advice and information are hard to find.

When the commercial information security industry and vendors are added to this mix, an already

confusing subject becomes intertwined with marketing materials and vendor specific terminology

and jargon.

The net result of this is a lack of security awareness. Without a solid security awareness foundation,

all attempts to introduce security initiatives and mitigations will invariably fail.

Educational, Business and Government Integration

With the exception of NetSafe (18) and its subsidiaries, all information security groups and initiatives

in New Zealand are independent and have no business, educational or government integration.

While this means they remain unbiased and objective it also means that their influence and reach is

limited.

Furthermore, there is little consistent integration between educational organisations, businesses

and government on the issues of information security. The result of this is a confused and

sometimes contradictory dialogue within New Zealand and a lack of efficiency and consistency in our

national approach to information security.

While the New Zealand Cyber Security Strategy (June 2011) (19) goes some way to address this

issue, many of the initiatives outlined in this document are categorised as “longer-term” and

requiring further investigation. This includes all initiatives for the provision of training and

development of cyber security professionals.

While the Cyber Security Strategy led to the creation of the New Zealand National Cyber Security

Centre (NCSC) (20) which was founded to centralise cyber security support for government and

critical national infrastructure, the vast majority of New Zealand organisations are not included in

this group.

The lack of a national Computer Emergency Response Team (CERT) (21) means that without

considered effort, this situation is unlikely to be resolved quickly. This will continue to have a serious

impact on the nation’s ability to produce secure systems and respond to information security

threats. Of the 34 OECD countries (22), New Zealand remains the only country without this capability

(23).

Opportunities

Massive New Zealand Online Expansion

New Zealand businesses and organisations are embracing online operation at a rapid rate. Even the

smallest businesses are experimenting with online retailing, expanding their reach and reducing

their operating costs.

Large organisations are looking to globally distributed technologies such as the cloud to facilitate

inter-organisation integration and increase efficiency.

Now more than ever, every IT professional within the country has a responsibility to be conscious of

security. Furthermore, the demand for skilled IT and information security professionals has never

been higher. Failure to respond to these demands could limit the success of this growth period and

damage New Zealand’s ability to compete.

Becoming a Global Leader in Information Security Education and Development

While the UK, USA and other OECD countries are facing the same challenges as New Zealand in

terms of developing and retaining information security professionals and increasing the security of IT

and information systems, there are few co-ordinated programmes to address this issue.

While high publicity campaigns (24) such as those by Government Communication Head Quarters

(GCHQ) (25) have generated interest in the field, these have been a marketing campaign for one

employer. There remains no centralised or independent programme or effort to address this issue.

In the USA, several national events and initiatives exist funded by a mix of government (defence and

intelligence) programmes and community groups. Events such as the National Collegiate Cyber

Defence Competition (CCDC) (26) (a large scale network defence competition) and a range of

scholarships and competitions from large organisations and interest groups are increasing interest

and gaining international exposure.

By creating a national strategy and programme, New Zealand could become a global leader in the

development of information security talent.

By remaining independent from but working closely with government and national organisations, a

world class education and development programme could be created. This programme would be

unique in the Asia Pacific region and if closely integrated with other westernised countries, could

provide New Zealand with a clear, marketable advantage in the international market place.

This could help attract talent and business to New Zealand as well as help retain existing home

grown organisations and individuals.

Threats

Increased Attack Surface and the Defender Deficit

Rapid expansion and increased ambition globally are creating a larger visible attack surface for New

Zealand. This attack surface includes web applications, distributed systems and shared data stores.

New Zealand organisations consistently struggle to find, attract and retain high quality IT and

information security professionals to design, maintain and protect such systems. As time passes,

this deficit of defenders will lead to increased vulnerability.

Increased vulnerability and a lack of defensive implementation practices will only increase the

number of information security and data breaches in New Zealand.

Reputational Damage

Security breaches are big news.

Breaches in New Zealand organisations now feature on the pages of international technical and

security publications. It is only a matter of time before they reach more mainstream audiences via

the proliferation of blogs and online news vendors.

The reputational damage from such breaches damages all New Zealand organisations, whether they

are government, small businesses or internationally trading.

An organisation can only tolerate a certain amount of reputational damage before it impacts

profitability or customer trust. Once this tolerance is exceeded private sector organisations often

cease to trade and private sector organisations face widespread restructuring, increased auditing

and oversight.

It is in every New Zealand organisation’s interest to avoid further reputational damage.

Increased Emigration

Information security is not the only area of the New Zealand employment market affected by the

increased emigration of talent, however it is one of the areas that cannot simply rely on the

immigration of new foreign talent to make up for the shortfall.

While a high number of talented immigrants are entering the country under the skilled migrant

category and accepting information security positions, there are a number of organisations and roles

that require New Zealand citizenship as a prerequisite. This includes government agencies and those

dealing with sensitive data. These positions are those most affected by increased migration and are

often those requiring high calibre information security talent the most.

Increased Global Competition

Information Technology is a truly global business. With the exception of the physical installation of

computer hardware, the majority of IT services (including security) can be provided remotely from

anywhere with sufficient connectivity.

As such, the competition to provide such services is high. Rapidly developing economies such as

India, China and Latin America are emerging as dominant global providers of high quality IT services

such as software development, security testing and systems hosting.

While some cultural and language issues have traditionally plagued such providers, these are

improving. When combined with strong exchange rates and lower costs, many businesses are

choosing to offshore their services in this way.

While public sector organisations will remain dependent on New Zealand service providers, those IT

service organisations servicing the private sector must now compete with an entire global

marketplace.

In order to successfully compete, New Zealand based IT service providers must ensure that not only

are they providing a high quality, cost effective solution but that they are delivering systems that are

secure. This will become an increasingly important factor in a service organisation’s ability to

compete (nationally and internationally).

As well as facing increased competition for New Zealand based contracts, New Zealand service

providers need to embrace the global market to expand.

The national IT market is relatively small. To reach their full potential, service providers must seek

international contracts and begin to service geographically distant clients, capitalising on our agility,

favourable exchange rates and innovation.

International markets, especially those in more developed nations have high expectations from their

service providers and will expect a high level of competence in all aspects of service delivery. This

includes information security.

Requirements

In This Section:

The Five Core Objectives

Core Operating Principles

Dependencies and Key Relationships

Funding Options

Measuring Success

Requirements

The Five Core Objectives

In order to address the threats and weaknesses identified in this report and grow New Zealand as a

global leader in information security professional development, the following five core objectives

have been identified.

ONE: Awareness

Awareness of information security issues from the classroom through to the boardroom

TWO: Career Development

Clear, defined, flexible career development and training plans for all those seeking a career in, or currently employed within the information security industry (including dedicated, integrated and academic roles)

THREE: Centralisation and Governance

National Posture of “Secure by Design” for all information security projects led and incentivised by the government. Strategic leadership rather than reactive.

FOUR: Advisory

Centralised source of advice, guidance and advisory and government liaison for all public and private sector organisations and individuals.

FIVE: Training

High quality, cost effective security training nationally available (including flexible and on-demand learning options)

Operating Principles

To maximise its impact and chance of success, the following operating principles should be adhered

to by those charged with the implementation of this strategy:

1. Education Before Administration

The provision of high quality educational opportunities should always be prioritised above

unnecessary administration, bureaucracy and red-tape.

2. Transparency And Accountability For All

The provision of educational initiatives has a burden, particularly when it comes to

accountability. All initiatives should be able to account for their spending and activities and

identify the objectives they intend to meet.

3. Practice What We Preach

Information security is a complex, advice filled field. All information, education and guidance

provided by this initiative should represent best practices. Those charged with providing this

information should be respected professionals with a track record of practicing their own

recommendations.

4. No-Profit… No Negotiation

Profiting from the provision of any of the initiatives presented in this document or the

development of the New Zealand information security workforce would be inappropriate

and weaken the intention of such activity. While profit driven organisations may provide

services to support this strategy, its overall governance must remain free from financial or

commercial motivation.

5. Communication Technologies Before Travel

Travel and accommodation can be a huge financial drain on any organisation. Given the

availability of high quality internet communications mechanisms, the use of travel (both

international and national) should be limited to maximise the funds available for educational

work.

6. Lean Operation

Following on from principle 5, administration and operating costs should be minimised. This

should include at a minimum the use of shared administration/office services and minimal

use of printed materials.

7. Leverage Community And Industry Relationships

The existing information security community is a great source of industry knowledge and

contacts. They are the people most in touch with current industry conditions and will be a

vital source of performance metrics for any activities conducted.

8. Collaboration Not Competition

Where objectives are met by alternative groups or schemes within New Zealand, this

strategy recommends collaboration not competition. Competition is a waste of resources

and can lead to contradictions in the intended message.

Dependencies and Key Relationships

The success of this strategy will rely on close integration between public sector, private sector and

academic institutions. The following organisations and groups have been identified as particularly

critical to its success:

National Cyber Policy Office

Ministry of Foreign Affairs and Trade

Ministry of Social Development

Ministry of Education

GCSB/NCSC

Industry Leaders and Groups

Schools, Universities and Tertiary Education Providers

NZQA

Security Industry Professionals

Ministry of Justice

Equivalent International Organisations and Initiatives

Funding Options

Funding is a complex issue and can have a dramatic effect on the effectiveness of a strategy and its

message.

At its most basic, the following funding options should be considered:

Government Funding (Preferred)

Government funding is the preferred option for an initiative such as this. Government funding can

provide stability and objectivity in more than just financial terms. In addition to funds,

government funding and involvement can facilitate national adoption and provide crucial contacts

both nationally and internationally.

Government involvement does however come with some overhead. With a reputation for a

committee based, heavy-weight bureaucratic approach, the agility and innovation previously

employed in pilot activities can be compromised or lost altogether.

Industry Sponsorship

Industry sponsorship can raise vital funds and industry credibility without the overhead associated

with government organisations.

In order to maintain objectivity however, sponsorship must be found from a range of organisations

and funding agreements formulated in such a way that the educational message is not compromised

by the commercial interests of sponsors.

Industry association requires a fine balance of negotiation, relationship management and

commercial awareness.

Cost Recovery

The cost recovery model is the simplest funding method available but could also have a detrimental

effect on any initiative’s uptake and success. In a cost recovery model, small charges to cover the cost

of administration and logistics are charged to participants for events and activities. These charges

are limited to only covering the actual cost of providing the service.

Cost recovery must be very carefully managed and can compromise the overall message of the

initiative. Introducing participant cost will reduce uptake from those with limited budgets or those

unsure of their level of interest.

Hybrid Funding

A hybrid funding model could balance the above options and be used on an activity by activity basis.

Government funding for core initiative activities supplemented by industry sponsorship for larger

events is a popular model.

Measuring Success

Measuring the progress and effectiveness of a strategy is important. It allows initiatives to be

reviewed and adapted to maximise their effectiveness. It also supports accountability and can be

used to justify continued funding, support and operation.

As an educational strategy, success cannot be measured by traditional metrics such as profitability.

The following alternative methods are proposed for measuring the effectiveness of this strategy and

the proposed initiatives herein.

Creation and execution of industry surveys to measure the perceived state of the

information security workforce. Execution of such surveys at regular intervals will allow for

periodic assessment and identification of positive and negative trends.

Collaboration with industry and community organisations to measure increases/decreases in

participation.

Analysis of event participation and feedback

Indications of success could include the following:

Increased availability of skilled information security professionals (characterised by

reductions in the time taken to fill employment vacancies)

Increased uptake of information security training courses across tertiary and professional

education providers.

Increased attendance at information security events.

Increased attendee diversity at information security events and community groups (to

include increased representation of integrated information security roles).

Current Initiatives

In This Section:

Introduction to In2securITy

Pilot Funding and Resources

Pilot Initiatives

Pilot Limitations

Current Initiatives

Introduction to In2securITy

In2securITy (14) is a New Zealand based education initiative founded in November 2011 and publicly

launched in January 2012.

At Kiwicon 5, prominent member of the New Zealand information security community, security

researcher/tester and business owner – Brett Moore (27) spoke at length about the history of the

national information security industry. This talk made two important points.

New Zealand has historically “punched above its weight” in the field of information security,

producing several world respected professionals who have gone on to hold high level

positions in world class organisations.

New Zealand can’t find enough talented new professionals to continue this tradition and

cope with the increase in demand.

In2securITy was formed by current New Zealand professionals and is based upon the principle that

by combining simple initiatives such as mentoring and work experience with an objective source of

regularly updated career development and training information, New Zealand could cultivate a new

generation of dedicated and integrated information security professionals.

In2securITy was formed as a New Zealand limited company with a strict non-profit operating

mandate. It is run by a team of 3 volunteers and supported by an ad-hoc contributing group of

speakers, mentors and writers from across the Information and information security community.

In2securITy operates with a simple mission statement:

To educate, encourage and inspire a new generation of information security

professionals for New Zealand

Pilot Funding and Resources

Funding for the initial 12 month pilot was sourced from donations and community sponsorship as

follows:

| Organisation | Sponsorship Value (NZD) |
| --- | --- |
| InternetNZ | $4000 |
| Lateral Security (IT Services) Limited | $500 |
| Insomnia Security Limited | $500 |
| Where’s My Server | Web Hosting |
| Total Funding 2011-2012 | $5000 |

Funding for this initial pilot was used to provide all listed pilot initiatives plus formation of a New

Zealand limited company.

Pilot Initiatives

Community Web Portal and Online Media (www.in2security.org.nz)

The core of in2securITy activity is centred on the community web portal. This portal contains a series

of blogs and articles and is divided into 6 security specialisations.

These specialisms are:

Penetration Testing

Network Defence

Policy and Compliance

Secure Software Development

Forensics

Vulnerabilities Research

Educational articles are provided on an ad-hoc basis by an informal team of volunteer writers. All

writers are experienced professionals in a particular field and all content is vetted for suitability

before publishing. Only those articles that can clearly explain their chosen topic and are suitable to

an audience of mixed technical ability are accepted. External content such as online courses and

articles are vetted by the in2securITy team and only recommended to participants if they are found

to be of a high quality.

In addition to educational articles, the community web portal is the central point for the

organisation and promotion of in2securITy media and events.

Table 1 In2securITy Portal Statistics 2012

Country Visits Pages / Visit

1. New Zealand 5,525

2. United States 423

3. Australia 266

4. Taiwan 149

5. United Kingdom 144

6. India 128

7. Estonia 73

8. Canada 60

9. Germany 59

10. Brazil 43

Since its launch on 15th January 2012 this portal has been visited by 7544 unique visitors and has

served 22155 pages of content. Visitors to the site have come from 101 different countries; statistics

for the top ten countries are included above.

Information Security Awareness National Tour

The Information Security Awareness National Tour was not initially part of the in2securITy pilot plan.

However upon receiving a grant from InternetNZ, a decision was made to attempt a large scale

awareness outreach programme.

This tour was originally planned for 5 locations (Auckland, Wellington, Hamilton, Dunedin and

Christchurch).

The North Island events were a great success, attracting 220 registrations across the 3 events. Unfortunately, a lack of local support in Christchurch and spiralling organisation costs in Dunedin forced the cancellation of both South Island events.

To compensate for the lack of geographic coverage, all talks from the 3 North Island events were

recorded and have been made available free of charge on the in2securITy YouTube Channel (28).

This channel now contains 15 videos varying between 25 minutes and an hour in length. These

videos have since attracted a global audience and positive comments from across New Zealand.

National Mentoring Scheme

The in2securITy National Mentoring Scheme brings together those with an interest in entering

IT/information security with those who have professional experience. Mentoring provides a way for

those starting out to make contacts, ask questions and receive informal, targeted development

advice from someone who has a large pool of experience on which to draw.

At launch, in2securITy aimed to form 6 mentoring pairs (12 people). As of 1st November 2012 the

actual number of active mentoring pairs in the scheme had reached 20 (40 people total).

Summer Project and Placement Programme

The in2securITy summer programme launches in December 2012 and runs for 3 months. During this period a number of work experience placements and projects will be offered across a range of New Zealand organisations.

A project is a distinct task or objective that can be completed by an in2securITy participant remotely and delivered to an organisation. It includes research, tool development or remote testing under the supervision of a mentor.

A placement is a period of unpaid work experience in which an in2securITy participant can work

within an organisation in a relevant and challenging position and gain valuable experience and

references. Placements last between 2 and 6 weeks.

In2securITy aims to provide 12 project/placement opportunities in 2012.

Integration with National Technical Groups

In2securITy is now represented in the following National Technical Groups:

InternetNZ

NZITF (New Zealand Internet Task Force) plus associated working groups

Awareness Talks

In2securITy has presented a range of awareness talks throughout 2012 including:

Cyber Security Awareness Week Launch @ Parliament

AUT University

InternetNZ – Bruce Schneier Introduction

NZISF – Breakfast Briefing

Networking Events

In2securITy has held informal networking events to co-ordinate with awareness talks, national tour

events and on a more casual basis. These have proven a popular way to discuss talks or lectures,

make new contacts and ask questions in a non-threatening group environment.

Pilot Limitations

The following limitations have been identified with the initial 12 month in2securITy pilot and its associated initiatives:

Lack of South Island Coverage

Despite substantial effort, in2securITy’s coverage of the South Island was limited. Events such as the “Information Security Awareness National Tour” were unable to include South Island venues due to spiralling costs and lack of local support.

Initial attempts at holding a full day in2securITy event at Dunedin University attracted only 10

registrations. Even after reducing the speaker line-up, the cost of domestic flights and

accommodation meant that the cost of holding this event exceeded $200 per participant (assuming

100% attendance). This event alone would have required almost 50% of the total annual operating

budget of the entire in2securITy scheme.

Inability to Attain Registered Charity Status

In2securITy promotes a profession and is therefore ineligible for charitable status. This affects the tax status of the organisation and makes a donation-funded model less efficient. Creation of an Incorporated Society would alleviate some of these issues but was deemed to introduce additional complexity and reduce the organisation’s ability to operate with agility in its first year.

Limited Budget

Five thousand New Zealand dollars is a very small amount of money in the world of national

initiatives. Despite this, in2securITy has achieved great things.

While this should be celebrated, the in2securITy team have acknowledged that this is not

sustainable. In2securITy can continue to achieve amazing things but it will require a source of

funding appropriate to the level of activity undertaken.

Lack of budget in 2012 has impacted the following activities:

Provision of printed and take home materials

Provision of South Island events

Representation at trade and conference events

Marketing

Limited Press Coverage and Marketing

While nationally significant, in2securITy is a niche initiative run without large business or

government backing. As such it has achieved little traction in traditional media or marketing

channels.

Lack of Job Board or Employment Pages

Initial plans for in2securITy did not include any job advertising functionality. Since launch however,

the in2securITy team have been contacted by several organisations wishing to advertise posts

suitable for in2securITy participants. To this point, in2securITy have not advertised these positions

publicly but have acknowledged that this functionality would be valuable in future years.

Availability of Suitable Venues

A recurring challenge faced when organising educational events, particularly in Auckland, was a lack of affordable, suitable venues. While many shared and rentable spaces are available, the price of these venues has been prohibitive. While some organisations such as Microsoft have generously donated rooms for the National Awareness Tour, several smaller events were cancelled for lack of a suitable location.

Proposed Initiatives

In This Section:

Initiative Overview

Dedicated Security Education and Project Spaces

National Security Apprenticeship Scheme

Security Training and Development Fund

National Schools Integration Programme

University Integration Programme

National Security Awareness Programme

Mentoring Programme Expansion

Improved Web Portal

New Zealand Computer Emergency Response Team (CERT)

Information Security Workforce Development Board

Proposed Initiatives

This whitepaper proposes the following ten initiatives to extend the 2012 in2securITy pilot:

Dedicated Security Education and Project Spaces

National Security Apprenticeship Scheme

Security Training and Development Fund

National Schools Integration Programme

University Integration Programme

National Security Awareness Programme

Mentoring Programme Expansion

Improved Web Portal

New Zealand Computer Emergency Response Team (CERT)

Information Security Workforce Development Board

The following section details each of these proposed initiatives, their aims, objectives and

deliverables. In addition, each initiative is defined in terms of the benefits it aims to provide to the

New Zealand Information Security Industry.

Initiative Overview

Comparison Metrics

In order to compare the proposed initiatives and prioritise them, the following metrics are

suggested:

Cost

This metric represents a high level estimation of the cost of implementation, management and

maintenance of the proposed initiative. Further financial analysis would be required to determine an

accurate cost estimate for each initiative.

Impact

The impact of a proposed initiative takes into account the number of demographics served, the

proposed number of objectives met and the extent to which the proposed initiative is unique within

the New Zealand market. For simplicity, proposed initiatives have been ordered 1-8 where 1 has the

highest impact potential and 8 the lowest compared to the other initiatives.

Objectives Met

This metric assesses the number of the objectives outlined in this document met by the proposed

initiative. Efficiency dictates that the more objectives met, the more beneficial the initiative.

Geographic Inclusion

Given the geographic challenges faced across New Zealand, all initiatives will be judged by their

ability to include those based outside of the major cities. Rural participants may be served

electronically or remotely by suitable means.

Comparison Matrix

Objectives: 1 Awareness, 2 Career Development, 3 Centralisation and Governance, 4 Advisory, 5 Training

Metrics: Cost, Geographical Inclusion, Impact

Initiative                                            Objectives (1-5)   Cost   Geographical Inclusion   Impact
Dedicated Security Education and Project Spaces       x x x              $$     Y                        5
National Security Apprenticeship Scheme               x x x              $$$    Y                        1
Security Training and Development Fund                x x                $$$    Y                        2
National Schools Integration Programme                x x x              $$     Y                        8
University Integration Programme                      x x x x            $$     Y                        6
National Security Awareness Programme                 x x x              $$     Y                        9
Mentoring Programme Expansion                         x x x x            $      Y                        7
Improved Web Portal                                   x x x x x          $      Y                        10
New Zealand Computer Emergency Response Team (CERT)   x x                $$$    Y                        4
Information Security Workforce Development Board      x x                $      N                        3

Initiative One: Dedicated Security Education and Project Spaces

Description

One of the recurring issues faced by the in2securITy pilot was the lack of suitable, cost effective venues for the provision of training classes and events. Not only were venues difficult to find, they were often expensive, only available in specific locations and outside of working hours.

Dedicated classroom and project spaces would provide central points for the provision of information security training and events. In addition to formal events, operating costs could be subsidised by a low-cost membership option allowing individuals and groups to book the spaces for projects or private events. These spaces would provide the equipment necessary to teach in a geographically challenging country as well as a range of equipment and book loan options to support and subsidise the cost of training.

This model is in use globally as “hacker spaces”. These spaces are often subsidised by membership schemes and provide dedicated safe spaces for education and projects in cities where individuals are unlikely to have home project space in which to work. The use of shared space not only enables project completion but also makes collaboration and networking easier. These spaces become community hubs, not just classrooms.

With these spaces, event running costs would reduce and event frequency could increase. In addition, the lack of vendor reliance would allow security education to occur without sensitivity to commercial impact or reputation. Low cost, suitable office space is available in all New Zealand cities.

Target Demographic(s)

Everyone

Objectives Met

Objective 1: Awareness

Objective 2: Career Development

Objective 4: Advisory

Objective 5: Training

Resource Requirements

Open-plan office space

Central city locations close to public transport

Tables & Chairs

Projector

Insurance

Power and networking

Deliverables

Dedicated security education and project spaces in major cities

Ability to book these spaces for individual or group projects at minimal cost

Regular classes and project meets

Equipment, book and eBook library in each location

Educational licences for software in project spaces

Teleconferencing equipment in each location for shared classes (ability to remotely connect in for those in other locations)

Benefits

A central location and dedicated training space in major cities will provide participants with a safe place to learn and experiment with information security technologies

Venue costs can be high for events in working hours; dedicated spaces allow for a reduction in cost and greater availability.

Specialist kit equipment can be provided to help with information security lessons

Allows for lessons, courses and events to be vendor agnostic

Initiative Two: National Security Apprenticeship Scheme

Description

In traditional trades such as building and plumbing, apprenticeships are considered fundamental to the acquisition of experience and skills during the early stages of a career. While there remains an element of compulsory theoretical and academic learning to become an information security professional, this must be supplemented by hands-on project experience.

A 4-5 year competitive apprenticeship scheme would allow talented future information security professionals to undertake a range of placements designed to deliver project based experience of a range of information security fields. Each placement would include work on real New Zealand security projects and be designed to challenge the participants.

On commencement, all participants will create a personal development plan outlining their ambitions. A series of placements would then be co-ordinated to fulfil this plan. This series of 6-12 month placements would allow participants to experience both private and public sector organisations and could be complemented by a structured selection of certifications or external training as necessary. Personal development plans would be reviewed at 12 month intervals.

For businesses, this would provide the following benefits:

Enthusiastic talent

National publicity

A chance to build the next generation of architects and leaders

Subsidised labour costs

Entrance to the scheme would be competitive, require New Zealand permanent residency or citizenship and specifically develop potential and seek out new talent – not just academic qualifications.

The scheme would pay a salary to its participants. It is envisioned that this would be funded by both government and the businesses involved. Pay would be on a structured scale over the course of the scheme and have performance based assessments and criteria to advance. This would mirror similar schemes in the Accounting and Legal fields.

Target Demographic(s)

Students

New IT Professionals

Existing Professionals Seeking A Career Change

Individuals Returning to Work

Objectives Met

Objective 2: Career Development

Objective 3: Centralisation and Governance

Objective 5: Training

Resource Requirements

Integration with NZQA for accreditation

Industry and Government Support (Provision of 6-12 month placements)

Funding for training to complement placements

Scheme Administrator

Marketing

Web Site

Deliverables

A national apprenticeship scheme for those wishing to pursue information security as a career

A network of industry and government organisations to provide 6-12 month placements across a range of information security specialisms

NZQA accreditation

A range of courses and development plans to complement the on-the-job placement aspects of the scheme

Benefits

Provides a clearly defined and flexible development scheme for those wishing to pursue a career in information security

Provides a range of placements set to challenge participants and let them gain a range of high quality experience at the start of their career.

Provides a source of high quality graduate apprentices to become the information security architects and leaders of the future

Provides apprentices with a range of contacts from which to build their professional networks.

Initiative Three: Security Training and Development Fund

Description

Information security training is very expensive. For the majority of courses, participants must be sent abroad (typically the USA or Australia) for periods of 3-7 days. These courses can charge between $2000 AUD and $7000 AUD per seat. This additional travel incurs heavy financial cost for the sending organisation including travel, accommodation and subsistence.

When faced with this high cost of training, many organisations have to prioritise who to train or seriously limit the amount of training offered. Many organisations will choose to offer no classroom based training as a result.

By subsidising training from international training organisations, New Zealand will be able to bring classroom based training to its cities rather than sending staff abroad. This will reduce the cost of training and also allow professionals in the same field to network with one another while they learn.

Successful training subsidisation has been run on a limited scale by NZITF and showed high interest and enthusiasm from the community.

Target Demographic(s)

Students

New IT Professionals

Experienced IT Professionals

Management Level Professionals

Objectives Met

Objective 2: Career Development

Objective 5: Training

Resource Requirements

Fund administrator to negotiate with training providers

Web Site and Application System

Integration with MSD and student funding systems

Deliverables

Provision of world class information security training at a subsidy for eligible organisations and individuals

NZQA integration to allow for accreditation of high quality information security training and certifications

Benefits

Reduces the cost of high quality information security training to New Zealand businesses

Reduces the need for international travel when pursuing training and certifications

Allows for professional networking during courses

Initiative Four: National Schools Integration Programme

Description

There is a common misconception that school age children are not interested in scientific or technical subjects. This is not the case. School students are only bored by scientific or technical subjects when they are not taught in a relevant and engaging way.

By providing hands-on workshops on information security issues, this initiative aims to foster interest within the 14-18 age groups. Provision of a range of teaching materials and activity ideas will make integrating these activities with the existing curriculum easy and allow for activity adaption and reuse over time.

In-school talks and visits in conjunction with programmes such as the IITPO connect programme can help inspire school students to explore this subject further as they progress through their education.

Target Demographic(s)

School Age Students

Teachers

Objectives Met

Objective 1: Awareness

Objective 2: Career Development

Objective 5: Training

Resource Requirements

Resource writers and developers

Web Site

Travel and Accommodation for University Visits

Schools Liaison

Deliverables

A range of engaging, hands on activities suitable for the 14-18 age range

Guest speakers

Reusable materials and activity packs

Benefits

Engaging with school students can be a great way of fostering early interest in technical subjects.

The provision of high quality reusable materials means that activities can be run with minimal effort and maximum impact

Initiative Five: University Integration Programme

Description

For the majority of new professionals, university was their first opportunity to explore complex technical or professional subjects. It introduced aspects of the IT world that remain largely abstract to those not employed in the field. University is also the last time that most professionals engage in an extended period of dedicated education.

It is globally recognised that security is crucial to modern IT systems; however, many New Zealand universities offer little or limited integration of security issues into their curriculums.

A university integration programme would give institutes of higher education a source of training and development for their lecturers so that they can better understand how to teach and integrate security into their classes. Furthermore, by providing world class open source materials, students will be able to gain high quality teaching regardless of their institution.

Guest speakers from industry would provide real life examples of information security as a profession and the challenges information security professionals face. They would also give authenticity and credibility to material taught in lectures as well as giving students a chance to ask questions.

Inter-university competitions and events could promote networking and generate further interest.

Target Demographic(s)

Students

Lecturers and Academics

Objectives Met

Objective 1: Awareness

Objective 2: Career Development

Objective 3: Centralisation and Governance

Objective 5: Training

Resource Requirements

Resource writers and developers

Web Site

Travel and Accommodation for University Visits

University Liaison

Deliverables

A library of world class, open source training materials suitable for university level students on a range of information security topics.

Teacher/Lecturer Seminars to help all lecturers to introduce security into their modules and courses

Guest Speakers available to visit Universities with real life examples and debate

National University Level competitions to increase participation in the field and introduce opportunities to explore information security in a fun, challenging and safe environment

Benefits

This initiative would allow universities across New Zealand to integrate information security into their syllabus regardless of the availability of dedicated information security lecturers

The creation of high quality shared materials would reinforce a consistent message across education establishments

Guest speakers from industry could provide engaging means of reinforcing and strengthening taught lessons

Teacher Seminars would allow lecturers to integrate security into their core subjects

Initiative Six: National Security Awareness Programme

Description

While NetSafe provides a coherent and consistent message on Internet security for the small business and home user market, no such organisation within New Zealand is targeting technical implementers and business leaders.

A range of security groups and events exist within New Zealand that can provide elements of this awareness and knowledge sharing; however, these groups can appear closed or foreign to those new to information security or those not directly involved within its implementation.

Rather than competing with individual information security interest groups, this awareness programme would provide coordination between them. Providing a coherent, linking dialog between each group and their intended audience would increase the membership and interest in groups such as OWASP and ISACA.

For business leaders and existing professionals, this initiative would be an introduction and gateway to the range of groups and events available. It would provide fundamental knowledge, introductions to suitable groups and networking opportunities between implementers and business leaders in the same position or facing the same challenges.

Target Demographic(s)

Technical Implementers

Business Leaders

Students

Objectives Met

Objective 1: Awareness

Objective 3: Centralisation and Governance

Objective 4: Advisory

Resource Requirements

Programme Administrator

Marketing

National and International Liaison

Web Site for Sharing Talks and Materials

Deliverables

Regular talks at industry events and professional groups

Online portal of shared talks and awareness material aimed at each demographic listed above.

Expansion of the NetSafe (Small Business and Home User) message to the corporate world

Positive, controlled message on the subject of information security in New Zealand and central source of media information.

Benefits

Close integration with national and international schemes will allow New Zealand to find efficiencies between schemes, share ideas and increase innovation within initiatives

Regular talks with different demographics will increase awareness and allow for the tailoring of messages to each group

Sharing talks and materials online will allow for knowledge sharing outside of events

Initiative Seven: Mentoring Programme Expansion

Description

The existing in2securITy mentoring programme has proven to be very successful. Continuation and expansion of this programme would provide a simple and cost effective asset to this strategy. The following mentoring programmes are proposed:

New To Security (The existing in2securITy scheme)

Helping those curious about or new to the profession to gain initial contacts and information through pairings with existing professionals with a minimum of 3 years’ experience.

Career Development

Helping existing professionals to plan and pursue their career. Matching professionals with 1-2 years’ experience with those at more advanced stages of their career.

Security for Managers and Board Members

Helping those who manage security projects and professionals to understand the profession and its impact on their organisation. This scheme will pair existing information security professionals with appropriate experience, commercial knowledge and communication skills with managers and board members.

Target Demographic(s)

Students

New IT Professionals

Experienced IT Professionals

Management Level Professionals

Objectives Met

Objective 1: Awareness

Objective 2: Career Development

Objective 4: Advisory

Objective 5: Training

Resource Requirements

Mentor programme supervisor/advisors

Venues for training classes

Software licence for online streaming software

Deliverables

Introduction to Mentoring Training (in person and online)

Regular mentor scheme events including knowledge sharing and networking

Provision of experienced mentor advisors to support mentoring relationships

Mentoring resources such as worksheets and activity packs

Benefits

Supports career development at all stages of professional life

Improves community and generates cross field/organisation contacts

Informal and flexible

No geographical limitations

Initiative Eight: Improved Web Portal

Description

An online presence is central to the success of modern organisations. Done well, it provides a high quality, stable and intuitive gateway to all the products, services and information provided by an entity. The proposed online portal would be the focus of marketing efforts, and would provide a central repository of information and a safe place for participants to interact online. It will help co-ordinate, communicate and market the other initiatives.

Target Demographic(s)

Everyone

Objectives Met

Objective 1: Awareness

Objective 2: Career Development

Objective 3: Centralisation and Governance

Objective 4: Advisory

Objective 5: Training

Resource Requirements

Web Developer

Content Writers

Graphic Designer

Deliverables

Professional quality web portal

Central source of high quality information

Job board for relevant NZ job advertisements (agency free)

Events calendar and sign up system

Gateway to all other initiatives

Social Network Integration

Secure Members Area

Benefits

Provide a quality, stable interface to all initiatives

Co-ordinate branding and marketing efforts

Initiative Nine: New Zealand Computer Emergency Response Team (CERT)

Description

Centralised and co-ordinated communications can improve the relevance and consistency of information security advisory. It can also create a known point of authority for all New Zealand businesses, allowing all organisations to seek advice and guidance on information security issues without relying on personal contacts.

The preferred delivery method for this initiative would be the creation and operation of a New Zealand Computer Emergency Response Team (CERT). This would be consistent with all other OECD countries and provide a public facing, central response to information security threats. This organisation would also be part of the wider CERT network and allow easier unclassified knowledge sharing with other national CERT groups worldwide.

Target Demographic(s)

Everyone

Objectives Met

Objective 1: Awareness

Objective 4: Advisory

Resource Requirements

Skilled information security professionals with excellent communication skills

Central contact mechanisms such as email, telephone and web presence

Industry and government recognition and information sharing arrangements

Marketing

Deliverables

New Zealand Computer Emergency Response Team (CERT).

Benefits

A centralised communications point would improve the consistency of information security news and advisories within New Zealand.

Reduced reliance on personal industry contacts

Provision of a consistent and accurate response to media and journalist enquiries

Expansion of central support from just government and critical national organisations to include the wider industry.

Initiative Ten: Information Security Workforce Development Board

Description

To maximise the relevance of this strategy to the needs of New Zealand government and industry, these stakeholders must be involved in its governance, development and promotion. The creation of an Information Security Workforce Development Board would provide this strategy with centralised governance that represents the needs of the wider IT and information security industry. This board would form a mature governing body for any initiatives to be held accountable to.

While boards such as this have previously proven to increase bureaucracy, the benefit of having both senior industry and government support could ensure that this strategy remains tightly adapted to the needs of these organisations and widely accepted. By ensuring that a wide range of organisations are represented, the likelihood of this strategy remaining objective and independent is increased.

Target Demographic(s)

Senior Industry and Government Leaders

Objectives Met

Objective 1: Awareness

Objective 3: Centralisation and Governance

Resource Requirements

Industry leaders and government representatives

An operating constitution

Suitable meeting space for board meetings

Deliverables

A mature body to help govern and drive forward this strategy

Benefits

Clear accountability to a group representing both the New Zealand government and the wider information security industry.

Increased relevance of initiatives

High level support driving acceptance of this strategy from the top of organisations down

Translation of this strategy and its benefits to senior leadership and the wider (non-technical) organisation.

Conclusion

In This Section:

Conclusion

Recommendations

References

Conclusion

New Zealand has faced many challenges when implementing information security systems and regrettably not all of these challenges have been handled with the knowledge and technical excellence they require.

The complexity and quantity of these challenges are only set to increase over the next 3-5 years. As a result, New Zealand needs to seize the opportunity to modernise its approach to the recruitment, retention and professionalization of its information security industry.

This document has outlined the issues faced by New Zealand organisations when addressing this challenge, the threat these challenges pose and the opportunities available.

In addition, this strategy contains an evaluation of a 12 month pilot scheme, in2securITy, launched in 2012 to address these issues. This scheme has proven without doubt that New Zealand has a large appetite and need for this kind of development programme.

Finally, this strategy outlines a set of objectives and operating principles for the implementation of a National Information Security Workforce Development Strategy, to consist of a set of proposed initiatives – each designed to make New Zealand a global leader in the strategic development of world class information security professionals.

Recommendations

This strategy recommends the following actions:

Introduction of a government funded Information Security Workforce Development Scheme based on the objectives and operating principles outlined within this document and expanding from the in2securITy pilot.

Full analysis and prioritisation of the initiatives proposed within this strategy

Implementation of a range of initiatives such as those suggested here to proactively improve the recruitment, retention and professionalization of the information security industry

Reduction in the use of phrases such as “in the long term”

Adoption of a lean, agile and iterative approach to this strategy that will allow rapid delivery and measurable results

Collaboration with existing community and industry groups, universities and public/private sector organisations to source funding, effort and ideas.

References

1. SANS Secure Software. [Online] http://software-security.sans.org/blog/2012/02/22/agile-development-teams-can-build-secure-software/.

2. MSD Deloitte Breach Report 2012. [Online] http://www.msd.govt.nz/documents/about-msd-and-our-work/newsroom/media-releases/2012/independent-review-deloitte.pdf.

3. Symantec Threat Report. [Online] http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_2011_21239364.en-us.pdf.

4. ISC2 Career Impact Survey. [Online] https://www.isc2.org/uploadedFiles/2012CareerImpactSurveyResults_FINAL_020112.pdf.

5. PWC Information Security Breach Survey 2012. [Online] http://www.pwc.co.uk/en_UK/uk/assets/pdf/olpapp/uk-information-security-breaches-survey-technical-report.pdf.

6. NZISF. [Online] http://www.security.org.nz/NZISF_NZISForumContent.php.

7. NZISIG. [Online] http://isig.org.nz/.

8. NZITF. [Online] http://www.nzitf.org.nz/.

9. InternetNZ. [Online] http://internetnz.net.nz/.

10. Kiwicon. [Online] https://kiwicon.org/.

11. 1st Tuesday. [Online] http://www.1sttuesday.co.nz/content/1st-tuesday-club.

12. ISACA. [Online] http://www.isaca-wellington.org/.

13. ISC2. [Online] https://www.isc2.org/.

14. In2securITy Limited. New Zealand Education Non-Profit Organisation. [Online] http://www.in2security.org.nz.

15. BlackHat. [Online] http://www.blackhat.com/.

16. Defcon. [Online] https://www.defcon.org/.

17. CSO Security Qualification Directory. [Online] http://www.csoonline.com/article/485071/the-security-certification-directory.

18. NetSafe. [Online] http://www.netsafe.org.nz/.

19. New Zealand Cyber Security Strategy. [Online] http://www.med.govt.nz/sectors-industries/technology-communication/pdf-docs-library/cyber-security-documents/nz-cyber-security-strategy-june-2011.pdf.

20. NCSC. [Online] http://www.ncsc.govt.nz/.

21. CERT Definition. [Online] http://en.wikipedia.org/wiki/Computer_emergency_response_team.

22. OECD. [Online] http://www.oecd.org/general/listofoecdmembercountries-ratificationoftheconventionontheoecd.htm.

23. AP CERT. [Online] http://www.apcert.org/about/structure/members.html.

24. Cyber Security Challenge. [Online] https://cybersecuritychallenge.org.uk/.

25. GCHQ. [Online] http://www.gchq.gov.uk/Pages/homepage.aspx.

26. National CCDC. [Online] http://nationalccdc.org/.

27. Insomnia Security. [Online] http://www.insomniasec.com/about-us.

28. In2securITy on YouTube. [Online] http://www.youtube.com/user/in2securITy.

For further information

In2securITy Limited

Email: [email protected]

Twitter: @in2securitynz