October 2015

Volume 13 Issue 10

Planning for a Career in the Department of Defense

Cybersecurity Workforce
Information Security Career Path
How I Got Here: My Unexpected Infosec Career Path;
A Transition into Tech; Outside Looking In

Improving
Cybersecurity
Workforce Capacity
and Capability
Addressing the Education-to-Workforce Disparity

INFOSEC CAREER PATH

Table of Contents
DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY
Feature
14 Improving Cybersecurity Workforce Capacity and Capability: Addressing the Education-to-
Workforce Disparity
By Marie A. Wright ISSA member, Connecticut Chapter
This article examines the chasm between demand and supply in the cybersecurity labor market. It looks at the
professional competencies established by the federal government to help align industry cyber needs with education
and training initiatives and offers suggestions to enhance the partnerships between academia, industry, and
professional associations.

Conference Guide inserted after page 20.

Articles
21 Planning for a Career in the Department of 26 Information Security Career Path
Defense Cybersecurity Workforce By Yuri Diogenes ISSA member, Fort Worth Chapter
By John Gray ISSA member, Rainier Chapter The author discusses key decision points regarding an
The author discusses how the Department of Defense information security career, the options available, and
cybersecurity workforce is organized, how to prepare how to succeed in this field.
for a cybersecurity position, and the appropriate 31 Career Paths: How I Got Here
combination of education, training, and experience in Three ISSA members answered our call to know what
which to progress into advanced responsibilities. career path they took, how it served them, and what
path they would recommend for future generations of
information security professionals.
Also in this Issue
3 From the President
My Unexpected Infosec Career Path
By Ashley Schwartau ISSA member, Middle Tennessee
4 editor@issa.org Chapter
5 Sabetts Brief ATransition into Tech
A CISO, a Marketer, a Wonk, and a Lawyer Walk into a
Bar By Dora Baldwin ISSA member, Inland Empire
Chapter
6 Herding Cats
The Pathway Forward Outside Looking In
By Roza Winston ISSA member, Central Ohio Chapter
7 Security Awareness
What the TJ Hooper Case Means for Security
Awareness
8 Security in the News
9 Perspective: Women in Security SIG
Blaze Your Own Trail
10 Open Forum
Your CISSP Is Worthless. Now What?
11 Association News
12 ISSA International Conference
23 Donns Corner
Over and Out
25 The Curmudgeon
There Are Two Types of People on the Internet
2015 Information Systems Security Association, Inc. (ISSA)
The ISSA Journal (1949-0550) is published monthly by the Information Systems
Security Association, 12100 Sunset Hills Road, Suite 130, Reston, Virginia 20190.

2 ISSA Journal | October 2015

From the President
International Board Officers
President
Andrea C. Hoy, CISM, CISSP, MBA,
Distinguished Fellow
Vice President
Justin White
Secretary/Director of Operations
Anne M. Rogers
CISSP, Fellow
Treasurer/Chief Financial Officer
Pamela Fusco
Distinguished Fellow
Board of Directors
Frances Candy Alexander, CISSP,
CISM, Distinguished Fellow
Debbie Christofferson, CISM, CISSP,
CIPP/IT, Distinguished Fellow
Mary Ann Davidson
Distinguished Fellow
Rhonda Farrell, Fellow
Geoff Harris, CISSP, ITPC, BSc, DipEE,
CEng, CLAS, Fellow
Tim Holman, Fellow
Alex Wood, Senior Member
Keyaan Williams
Stefano Zanero, PhD, Fellow
The Information Systems Security Asso-
ciation, Inc. (ISSA) is a not-for-profit,
international organization of information
security professionals and practitioners.
It provides educational forums, publica-
tions and peer interaction opportunities
that enhance the knowledge, skill and
professional growth of its members.
With active participation from individuals
and chapters all over the world, the ISSA
is the largest international, not-for-profit
association specifically for security pro-
fessionals. Members include practitioners
at all levels of the security field in a broad
range of industries, such as communica-
tions, education, healthcare, manufactur-
ing, financial, and government.
The ISSA international board consists of
some of the most influential people in the
security industry. With an internation-
al communications network developed
throughout the industry, the ISSA is fo-
cused on maintaining its position as the
preeminent trusted global information se-
curity community.
The primary goal of the ISSA is to pro-
mote management practices that will
ensure the confidentiality, integrity and
availability of information resources. The
ISSA facilitates interaction and education
to create a more successful environment
for global information systems security
and for the professionals involved.
Hello ISSA Members
Andrea Hoy, International President
T
hose of you reading this at the
ISSA International Conference
in Chicago, Welcome!
For those who are reading this else-
where, I hope you will be able to join us
at future conferences.
ISSA is unique in its ability to bring in-
formation security professionals togeth-
er at all levels of their careers. When I
first started going to chapter meetings,
I really wasnt sure what to expect nor
how ISSA would change my life. The
people I met became my pseudo men-
tors, one being Hal Tipton, whom many
refer to as the George Washington of
information security. My manager at
Rockwell got me involved with ISSA,
and the relationships I have established
have saved me countless hours when
met with limited resources. The value
of knowing someone to reach out to in
challenging timespriceless. There are
so many opportunities to help and be
helped. We make career decisions based
on the information we have and learn
from the past decisions we have made.
Seasoned members, we often discover
it is only when we look back that we see
what we thought was a wrong turn or a
bad experience turned out to be for the
best. Are there younger members who
might benefit from your expertise and
career lessons learned?
Our industry is currently suffering a
shortage of skilled and qualified practi-
tioners. In a recent CSO magazine, the
demand for our workforce is expected to
rise to six million globally by 2019, with
a projected shortfall of 1.5 million, while
data breaches from threats and vulnera-
bilities are rising. Unless our association,
our industry, and our governments work
together to encourage and equip the
next generation of cybersecurity profes-
sionals, the need will be even greater in
the future. A number of authors in this
issue address that shortage and how we
as individuals as well as an industry can
address it. There will be many to come
along side, to guide
and mentor, and to
help succeed in their
careers.
My hope for you
here at the confer-
enceand especially
for those of you new to ISSAis that you
make relationships that count, both per-
sonally and professionally, for your self
growth; that you share your knowledge,
skills, and aptitudes to help grow our
association and industry; and that you
consider where you fit in the Cyber Se-
curity Career Lifecycle. We have infor-
mation security plans for our businesses;
an information security career plan for
yourself is just as important, no matter
what stage of your career you are in.
For those of you who are considering
your second life or perhaps embarking
into the retirement portion of your ca-
reer life cycle, but still want to stay active
in the information security communi-
ty: in the next few months, we plan on
introducing an Emeritus membership
status. This will allow those with years
of experience as information security
professionals to stay engaged with their
friends and other professionals and still
be active participants in symposiums
and international conferences like ours.
Our hope is that this allows for more
mentor/protg opportunities, further-
ing the life cycle.
And lastly, for those of you here at the
conference, take back what you learn and
share with others from the sessions you
attend. Make sure your sharing extends
beyond your infosec team, reaching out
to the C-level, other departments, local
law enforcement, vendors , partners, and
dont forget your community.
See you soon in Chicago.
Windy City here we come!
October 2015 | ISSA Journal 3
editor@issa.org

Infosec Career Path

Editor: Thom Barrie
Thom Barrie Editor, the ISSA Journal editor@issa.org
Advertising: vendor@issa.org

L
et me say, the
response to
this topic was
overwhelming, but
we can only include
so many. Everywhere
you turn there are
statistics warning of
the current and future workforce short-
age. How do we get more qualified folks
into the industry and keep them there?
Marie A. Wright examines US federal
initiatives that seek to strengthen and
grow the national cybersecurity work-
forcecivil and federaland offers
suggestions to enhance the partner-
ships between academia, industry, and
professional associations. John Gray
delves into the specifics of Department
of Defense requirements, painting an
engaging picture of the expectations and
challenges of that agencys workforce.
And Yuri Diogenes discusses how to ex-
amine your career, improve your skills
and abilities, and successfully pursue
your future: As anything you do in life,
progressing in this field becomes easier
if you are passionate, self-driven, and
have the discipline to pursue the vision
of what you want for your career.
Finally, we offer a number of infosec 866 349 5818 +1 206 388 4584
career stories: how folks got where they
Editorial Advisory Board
are, what helped, what hindered, how
they are moving on. You might see your- Phillip Griffin, Fellow
self in these stories, or you might even Michael Grimaila, Fellow
discover some inspiration to change John Jordan, Senior Member
your own story. Infosec career paths are Mollie Krehnke, Fellow
as varied as the individuals making up Joe Malec, Fellow
the industry.
Donn Parker, Distinguished Fellow
Kris Tanaka
Joel Weise Chairman,
Distinguished Fellow
Youll notice we are adding the Cyber Branden Williams,
Distinguished Fellow
Security Career Lifecycle levels to the
articles. The levels are fairly self-evi- Services Directory
dentyou can get a full description of
the levels in the included International Website
webmaster@issa.org
Conference Guide or on the ISSA web-
siteand the board has assigned appro- 866 349 5818 +1 206 388 4584
priate levels to the articles. While the Chapter Relations
icons are suggestions, you need not pass chapter@issa.org
over those you feel do not apply to your 866 349 5818 +1 206 388 4584
career levelyou may discover some-
thing thatll help you in your journey or Member Relations
that you may pass on to another. member@issa.org
Hope to see you in Chicago, 866 349 5818 +1 206 388 4584
Thom Executive Director
execdir@issa.org
866 349 5818 +1 206 388 4584

Vendor Relations
Information Systems Security Association vendor@issa.org
12100 Sunset Hills Road, Suite 130, Reston, Virginia 20190 866 349 5818 +1 206 388 4584
703-234-4082 (direct) +1 866 349 5818 (USA toll-free) +1 206 388 4584 (International)

The information and articles
in this magazine have not been
subjected to any formal test-
ing by Information Systems
Security Association, Inc. The
implementation, use and/or se-
lection of software, hardware,
or procedures presented within
this publication and the results
obtained from such selection or
implementation, is the respon-
sibility of the reader.
Articles and information will be
presented as technically correct
as possible, to the best knowl-
edge of the author and editors.
If the reader intends to make
use of any of the information
presented in this publication,
please verify and test any and
all procedures selected. Techni-
cal inaccuracies may arise from
printing errors, new develop-
ments in the industry, and/or
changes/enhancements to hard-
ware or software components.
The opinions expressed by the
authors who contribute to the
ISSA Journal are their own and
do not necessarily reflect the
official policy of ISSA. Articles
may be submitted by members
of ISSA. The articles should be
within the scope of information
systems security, and should be
a subject of interest to the mem-
bers and based on the authors
experience. Please call or write
for more information. Upon
publication, all letters, stories,
and articles become the proper-
ty of ISSA and may be distrib-
uted to, and used by, all of its
members.
ISSA is a not-for-profit, inde-
pendent corporation and is not
owned in whole or in part by
any manufacturer of software or
hardware. All corporate infor-
mation security professionals
are welcome to join ISSA. For
information on joining ISSA
and for membership rates, see
www.issa.org.
All product names and visual
representations published in
this magazine are the trade-
marks/registered trademarks of
their respective manufacturers.

4 ISSA Journal | October 2015

Sabetts Brief
A CISO, a Marketer, a Wonk, and a
Lawyer Walk into a Bar
By Randy V. Sabett ISSA Senior Member, Northern Virginia Chapter
S
omewhere in that title a joke prob-
ably exists, but they dont pay me
for my sense of humor, so Ill stay
away from any punchlines. I could,
however, turn it into a riddle by asking
the question: How many people actual-
ly stepped over the threshold of the bar?
That would then give a neat segue into a
discussion of the variety of career paths
that infosec provides, some of which
could overlap. Take me for examplea
crypto engineer who didnt think about
law school until well into my profession-
al life.
As some of you may have heard in my
presentations at ISSA (and other) events
over the years, I have been advocating
that the legal profession needs more peo-
ple who truly understand the intricacies
and subtleties of cybersecurity. Tackling
the complexities of the legal arena is dif-
ficult enough as it is. Interweave cyber-
security into a particular set of facts and
you wind up with something that can be
daunting for both the legal and technical
team trying to handle it. A common line
of mine at such events is the legal com-
munity needs more people like youthe
ones who truly understand infosec.
An even better example would be the
White House cybersecurity policy per-
son with whom I had lunch recently.
This person is an attorney, but started
with a technical background, has tack-
led many policy questions, and has even
delved into commercial endeavors. That
combination (along with being at the
White House) has allowed this person to
work on numerous complex and inter-
esting matters.
The point of these examples is that cyber
skills can be a terrific complement to a
wide variety of career options. Clear-
ly, staying on the technical side can be
quite rewarding and moving laterally
(in a good way) could allow you to expe-
rience a number of different aspects of
the cyber profession. Furthermore, the
predicted dearth of cyber workers has
materialized. I have heard Steve Battis-
ta, president of ISSA Northern Virginia
Chapter, cite a very telling statistic on
several occasions: for every two cyber-
security jobs in the greater Washington,
DC, metropolitan area (to include Bal-
timore and Northern Virginia), there is
only one person qualified to fill them. I
suspect that the statistic refers mainly to
technical jobs, so if we layer in business,
legal, policy, management, and related
positions, just think of the opportuni-
ties!
I often describe infosec as a horizontal
concept that cuts across any number of
industry, government, academic, and
business verticals. But I would assert
that the same is true for infosec career
areas. Cybersecurity is no longer rel-
egated solely to the IT department or
the CISO. Based on my experience, the
C-suites and boards of organizations
continue to get better at integrating
infosec into their corporate mind-set.
This necessarily means that many other
areas within an organization need rel-
evant infosec experience. The lesson to
be learnedif you are looking to make a
change, you dont necessarily need to be
limited to things that are pure infosec.
Many other job functions would benefit
from (or perhaps even require) infosec
skill.
One final thought: for those of you that
have a well-established infosec career,
recognize that many other people out
there could benefit from your expe-
rience. Whether
through nurturing
via informal professional relationships
or more formal mentoring relationships,
please consider helping others in their
infosec career quest. There are many
programs out there that would allow
you to get involved and dedicate as much
time as you have available to help guide
infosec students and young infosec pro-
fessionals in the pursuit of their own
careers. Such opportunities are readily
available and can be incredibly reward-
ing. In my own experience, I know of
at least four of my former students who
have gone to law school and several oth-
er acquaintances who have considered it
(and may actually have gone).
Ultimately, a career path in infosec
can lead in many different directions.
I would encourage anyone who has an
interest in pursuing something slightly
different to go for it. After all, you might
be the next CISO, marketer, wonk, and
lawyer to walk into that bar!
About the Author
Randy V. Sabett, J.D., CISSP, is Vice
Chair of the Privacy & Data Protection
practice group at Cooley LLP (www.cool-
ey.com), and a member of the Boards of
Directors of ISSA NOVA and the George-
town Cybersecurity Law Institute. He
was a member of the Commission on Cy-
bersecurity for the 44th Presidency, was
named the ISSA Professional of the Year
for 2013, and can be reached at rsabett@
cooley.com. The views expressed herein
are those of the author and do not neces-
sarily reflect the positions of any current
or former clients of Cooley or Mr. Sabett.
October 2015 | ISSA Journal 5
Herding Cats
The Pathway Forward
By Branden R. Williams ISSA Distinguished Fellow, North Texas Chapter
W
hen I happens a little bit too close to home.1 It
started
my ca-
reer in information
security, it was because I had to. I was
responsible for a couple of IT shops. For
the most part, I was the sole IT guy. Yes,
there were others around me who were
in the middle of it with me, but I was the
one who got the call at 3:00 am when
something blew up. As the story goes, in
1997 I became enamored with informa-
tion security as an IT guy because I left a
service running on a server that I should
not have. This was before small IT shops
had firewalls. I was late to the game on
system hardeningprobably because
the first time I tried using a hardcore
security hardening script the machine
became unusable.
In a way, I have the University of Wash-
ington to thankeven though I had no
formal affiliation with them. Their imap
dmon had a vulnerability that allowed
an attacker to root one of my servers.
And thus, my career was born.
This isnt meant to be an autobiography,
but many of the people I meet in our field
have a similar story. Something piques
their interest in seeing what technology
can do, versus what its designed to do.
Perhaps it was a prank, falling victim
to malware, or just curiosity that made
them think. And at this point, we have
one of two paths to choose. Both paths
leads to late nights in front of a screen,
but on opposite sides of the conflict.
This conflict is ever present in every
facet of human existence. Nation states
launch cyber attacks at rivals just like
corporations do. Activists take to the
digital world to bring justice for causes
they feel passionate about. Crime rings
target individualsand sometimes it
6 ISSA Journal | October 2015
becomes clearer by the day that our abil-
ity to keep up is perhaps the largest race
condition in the coming years.
To the victor the spoils!
There are a few things Ive learned that
I would love to pass along to our next
generation of information security pro-
fessionals as they enter into the work-
force and start to learn how to be digital
soldiers in an ongoing conflict.
Learn to ask questions and test as-
sumptions. As a developer, I assumed
users would be honest and follow di-
rections. I was foolish. Letters in a tele-
phone number field? Why would any-
one do that? What happens if someone
does do that? Taken another way, why
would we follow a particular behavior
or procedure just because weve always
done it that way? What happens if we
dont? Engineers will tell you that using
the question Why? three to five times
will typically get you to the root of why
something is the way it is. Question,
learn, and understand. Be curious!
Learn the business. You cannot make
the most effective decisions as an in-
formation security professional if you
dont understand how your business
works. Take the time to talk to various
people around the company to learn
how it makes money. Pay attention to
what your executives say that holds stra-
tegic value for the firm. Be involved in
things beyond information security. It
will round you out and prepare you for
leadership.
Learn business in general. Do you
know how a profit and loss statement
works? Do you know the laws related to
employee rights? What are the best ways
1 This will be a column for another month.
to prove a product concept? All of these
things are important to give you per-
spective on your daily work. It also will
further prepare you for leadership roles
down the line.
Get educated. Information security pro-
fessionals follow Bayes Theorem even if
they dont realize it. Otherwise, they are
out of a job. Continuously learn what
both the good guys and the bad guys are
doing. Keep up on new technology, and
do your best to stay on (if not ahead of)
new technology adoption. Learn how
people use technology in their daily
lives, and think hard about how it can
be used against them.
Have fun. Yes, its the generic advice
from any motivational speaker (I am not
one). If you have fun, you will keep do-
ing all of the above. That will propel you
into the next generation of information
security leadership. You will have bad
days; learn from them. Incorporate what
you learn into your future behavior.
About the Author
Branden R. Williams, DBA, CISSP,
CISM, is the CTO, Cyber Security Solu-
tions at First Data, a seasoned security
executive, ISSA Distinguished Fellow,
and regularly assists top global firms with
their information security and technolo-
gy initiatives. Read his blog, buy his book,
or reach him directly at http://www.bran-
denwilliams.com/.
Security Awareness

What the TJ Hooper Case Means

for Security Awareness
By Geordie Stewart ISSA member, UK Chapter

F
or those not familiar with the So what does this mean for information Even a PCI auditor
case, TJ Hooper was a landmark security awareness? It means that many could pick up on
in tort law that established an organizations may be sitting on a liabil- that one, if given
important standard for negligence. The ity time bomb. That is, in the event of half an hour and a detailed checklist.
case was heard in 1932 to assign liabil- a security incident, will their security Failures in the information security field
ity for a lost cargo. A tug towing the awareness programs be considered ad- are different. Some organizations dont
cargo on a barge had set to sea in good equate to shield them from third-party know theyve had a breach. Or maybe
weather but later that night there was a claims of negligence? There is a univer- they do know but dont want to make it
storm and the barge sank. The owner of sal-practice argument to be made for public by engaging in litigation. There
the cargo argued that if the tug had been mediocritymost organizations barely are two important aspects to this that
equipped with a radio, the tug captain go through the motions, with comput- are changing. Firstly, mandatory breach
could have checked weather reports and er-based training and a few security reporting requirements mean that the
taken the opportunity to seek shelter in a slides as part of the induction process. news of the breach is almost certain to
nearby breakwater before the storm hit. Some organizations dont even have a se- be made public as organizations cant
The owner of the tug curity policy. Sooner place any confidentiality restrictions
disagreed and made or later this sad state on their notification process. Once the
a prevailing-practice of affairs will be put breach is public, theres no incentive to
defense. That is, that to the test. refrain from litigation.
tugs at the time were If I had a contract Secondly, weve seen a rise in organi-
not usually equipped with a third party zation doxing, where leaks are inten-
with radios and this that suffered a secu- tionally made public. Think of Sony,
was considered nor- rity breach related Hacking Team, Manning, the diplomat-
mal practice in the to human failings, ic cables, and the list goes on.
industry. Id be asking if their It may well be that the next step change
In a landmark deci- security awareness in professionalizing security awareness
sion handed down by program was ad- campaigns wont be new standards,
Judge Learned Hand, equate, given the certifications, or qualifications but the
it was found that risks. Not was it the lawyers getting involved. Consider how
prevailing practice industry minimum, your security awareness program would
did not completely but whether the ef- fare if put under the spotlight. If its just
shield the tug own- Judge Learned Hand: That everyone else fort the other party a token gesture, going through the mo-
er against a claim of does it badly is no excuse. invested in securi- tions of the industry minimum, then
negligence. In one ty awareness was you could be in trouble.
of the most beautiful legal phrases ever commensurate with the likelihood of a
uttered, the rationale was summed up security incident, the value at risk, and About the Author
as: There are precautions so imperative the benefits of security awareness done Geordie Stewart, MSc, CISSP, is the
that even their universal disregard will properly. Principle Security Consultant at Risk
not excuse their omission. Common Why hasnt the adequacy of security Intelligence and is a regular speaker and
prudence, therefore, was not always the awareness programs been repeatedly writer on the topic of security awareness.
same as reasonable prudence. In this challenged in court? Part of this is the His blog is available at www.risk-intelli-
case the value of the cargo, the likeli- unknown-unknown argument. For the gence.co.uk/blog, and he may be reached
hood of a storm, and the relatively low TJ Hooper case, it was easy to see that at geordie@risk-intelligence.co.uk.
cost of a radio meant that it was negli- damage had been done. The barge was
gent to go to sea without one. below the water instead of on top of it.

October 2015 | ISSA Journal 7

Security in the News
News That You Can Use
Compiled by Joel Weise ISSA Journal Editorial Board Chairman, ISSA Distinguished Fellow, Vancouver, Canada Chapter
and Kris Tanaka ISSA member, Portland Chapter

Best Information Security Certifications for 2016

http://www.tomsitpro.com/articles/information-security-certifications,2-205.html
In fair disclosure, I dont agree that any of the certifications mentioned in this article are worth much. How-
ever, it seems appropriate to include this article for those who are just starting their information security
careers. I can name numerous faults with each of the certifications in the article and I will always recommend
experience over any certification. But hey, its your money.
EMV: Why US Will Miss October Deadline
http://www.bankinfosecurity.com/emv-us-will-miss-oct-deadline-a-8531
This truly pains me. As one of the inventors of the Visa EMV multi-application chip card, I find it almost em-
barrassing that the US still cannot get its act together and adopt EMV. The arguments in this article are the
same ones we debated years ago when we were developing EMV and chip cards. One would think that by now we could
have settled the debate around risk, fraud, and infrastructure development. Apparently not.
Four Tips to Keep Your Career Relevant
http://www.csoonline.com/article/2980932/it-careers/4-tips-to-keep-your-career-relevant.html
Speaking of experience over certification, this article raises a number of good points. As the author notes,
With some of the most desirable and challenging certifications after my name, I was officially burned out. I had
no idea how I could remain relevant and useful within my new specialty. I especially like the authors point
about training and funding continuous training.
Microsoft Is Downloading Windows 10 to PCs, Even If You Dont Reserve a Copy
http://arstechnica.com/information-technology/2015/09/microsoft-is-downloading-windows-10-to-pcs-even-if-you-dont-
reserve-a-copy/
According to Microsoft, For individuals who have chosen to receive automatic updates through Windows Update,
we help upgradable devices get ready for Windows 10 by downloading the files theyll need if they decide to up-
grade. What this really means is that your system will be pushed code even if you dont intend to upgrade to
Windows 10. Imagine you have limited bandwidth and pay dearly for the few bits and bytes you do use. Now imagine
when a few extra gigabytes of code are pushed to you and your ISP or other supplier surprises you with a fat
bill the next month.
The Startling Economic Truth about Cyber Risks
http://www.bloomberg.com/sponsor/zurich/holistic-approach/?mvi=3169b2f0db864142ae2feaf4a9173aa5
Im not sure I am willing to throw in the towel just yet. In addition, I imagine the likes of Amazon, Google,
or Apple might have something to say about this, but there is an excellent point being made here. To quote,
A new report indicates that were reaching the tipping point when the annual costs of cyber disruptions begin
to reduce the incentive for doing business in a connected world. As most readers know, life is all about risk
management, and there are no clear answers. Check out the complete report here: http://knowledge.zurich.com/
cyber-risk/overcome-by-cyber-risks/.
Former AV Man McAfee Runs for US President
http://www.infosecurity-magazine.com/news/former-av-man-mcafee-runs-for-us/
Who could resist John McAfee running for president of the United States? At least there would be someone in
the White House with a relatively clear understanding of information security. And he certainly understands the
central issue of privacy. As he states: I am protected by a government that invades my privacy so that it can
assure me that I am not the enemy it is protecting me from.
The Security Operations Hierarchy of Needs
http://www.securityweek.com/security-operations-hierarchy-needs
This is an interesting take on security operations. The author suggests that there is a hierarchy of needs:
awareness, vision, process, instrumentation content, unified work queue, staffing, training, operations, intel-
ligence, and information sharing. It does seem a bit more complex that necessary, but each of these on its own
does make sense. And I would agree that organizing against such a hierarchy is a good way to start.
Intelligence Start-Up Goes behind Enemy Lines to Get ahead of Hackers
http://mobile.nytimes.com/2015/09/14/technology/intelligence-start-up-goes-behind-enemy-lines-to-get-ahead-of-hack-
ers.html?_r=3
Threat intelligence is, in my humble opinion, where we need to expend far more energy and resources than in
any other information security area. We are all familiar with firewalls, antivirus, and the latest and greatest
vendor products, but for the most part these are reactive and not proactive. This article looks at iSight, a
cyber threat intelligence organization, which reportedly infiltrates the underground, where they watch crimi-
nals putting their schemes together and selling their tools. In short, lets try to stay ahead of the bad guys.
Cybersecurity Competitions Make a Difference
http://www.csoonline.com/article/2978865/it-careers/cybersecurity-competitions-make-a-difference.html
Education is more than just classrooms and teachers. Its active learners working to improve their knowledge,
skills, and abilities. Its mentors guiding both students and teachers. Its making learning fun, says Ron Wo-
erner, director of Cybersecurity Studies at Bellevue University. Its time to start thinking outside the box
and step out of the traditional classroom environment to help deal with the shortage of qualified cybersecurity
professionals. Check out the list of competitions and programs listed to see how you can make a difference.

8 ISSA Journal | October 2015

Perspective: Women in Security SIG
Blaze Your Own Trail
By Christa Pusateri ISSA member, Tampa Bay ISSA Chapter
I
n established fields, career progres-
sion is often thought of as a linear
journey. Climbing the corporate
ladder is a metaphor for career success
that tells us that if we work hard, we
will ascend, rung by rung, in a clearly
upward path, knowing exactly how to
reach that next level.
In todays world of exponential tech-
nology requiring explosive growth in
the information security field, this clear
corporate ladder is a foreign concept.
However, the leaders who find their way
to success without a map are often the
most inspirational. With unprecedented
access to information, global networks,
and self-publishing platforms, its no
longer necessary to follow the herd.
Take Sali Osman, one of my favorite in-
fosec thought leaders. Sali started her
career in electronics engineering, and
then moved into information security.
Her most recent post was CISO at Time
Customer Service Inc., the global orga-
nization that fulfills orders and ship-
ping for Time magazine and its affiliates.
Currently, she is the Security and Risk
Management Advisor for Saudi Aram-
co and makes time to invest in the next
generation of female and minority lead-
ers through her work as the co-chair
Mentor-Protg Program at the Interna-
tional Consortium of Minority Cyberse-
curity Professionals (ICMCP).
As a young girl, growing up in the Mid-
dle East, Osman would tinker with cir-
cuit boards and take her toys and com-
puters apart just to see how they worked.
Her father told her that she could make
it in any job she chose if she worked hard
and stood up for herself.
Her family and friends called her cra-
zy when she later joined the Abu Dhabi
Police as a network and software engi-
neer. She says they still think shes cra-
zy today when, after a layoff at TCS, she
turned down several high paying senior
leadership job opportunities in order to
take time to spend with family, focus on
her mentoring within the international
security community, and invest in her
non-profit interests with the Nubian
Village Cultural Heritage Center.
If youre working hard, work happily
and joyfully do what you love. Smiles
come from your internal self. Be the
person who creates circumstances rath-
er than just going with the flow. Chart
your own path. Sali Osman, CRISC,
CISM, CISSP, Security and Risk Officer
Another example of a leading lady who
blazes her own trail is Ashley Fergu-
son, Global Director, Governance, Risk,
Compliance, Security Architecture and
Design at Dell SecureWorks. She start-
ed her information security career in
audit at a big-four consulting firm. She
quickly found that her passions were in
leadership and helping people. Whether
it was helping clients understand her au-
dit findings or helping a team member
with career planning, Ashley quickly
excelled and cleared her path to become
the Manager of Risk and Compliance
and Information Security Officer for
Energen, a growing oil and gas firm.
Her role at the CISO level, investment in
building a strong network, and winning
the Peoples Choice ISE Southeast award
contributed to her visibility as a leader in
the industry. Opportunities often came
her way that most people would say she
was crazy to turn down. But Ferguson
knew she had to follow her intuition and
choose the right next step in her career.
She wanted to make an impact and help
people, not just in one industry or at one
company but on the overall industry,
which is a big part of her new role at Dell
SecureWorks.
I felt deep down,
when the right op-
portunity came, I
would know, Fer-
guson says. It would
have to be the right
reason to step away and have deeper
meaning than just more money or bet-
ter title.
As these stories illustrate, sometimes
success means saying no to linear pro-
gression and conventional career paths.
In information security you have the
opportunity to work in any and every
industry imaginable and take on any
number of different roles, from pene-
tration testing to communications and
public relations, or even start your own
business.
If at any point you run into a road block
that may seem like a failure, think of
it as a sign that you need to take a step
back in order to move forward in the
right direction. If you recognize that
your path could look different than ev-
eryone elses, it can help you focus your
energy on finding yourself and getting
back on the right path.
The days of mandated corporate lad-
der climbing are behind us, so dare to
be different and blaze your own trail to
happiness in your career.
About the Author
Christa Pusateri is a trailblazer, problem
solver, entrepreneur, student, coach, sto-
ryteller, teacher, adventurer, and above
all else a devoted wife and mother. She
currently serves as the vice president for
the Tampa Bay Chapter, leads communi-
cations and public relations for Algenol
(www.algenol.com), the leader in world
changing biofuels, and teaches Entrepre-
neurship and Creativity at Florida Gulf
Coast University. She blogs and may be
reached at cmp@christapusateri.com.
October 2015 | ISSA Journal 9
Open Forum
The Open Forum is a vehicle for individuals to provide opinions or commentaries on infosec ideas, technologies, strategies, legislation, standards, and other topics of interest to
the ISSA community. Open Forum articles are not intended for reporting news; they must provide insight, opinion, or commentary to initiate a dialog as to be expected from an
editorial. The views expressed in this column are the authors and do not reflect the position of the ISSA, the ISSA Journal, or the Editorial Advisory Board.

FOR THOSE CONSIDERING TRAINING AND CERTIFICATIONS, of which there are many that apply in the informa-
tion security space, here is one perspective on the Certified Information Systems Security ProfessionalCISSP. The CISSP
has been around for a fairly long time, but the questions of its validity and currency come up at times. Both valid questions.
Is the CISSP right for you? Possibly. Can it be improved? Certainly. Are there alternatives? Yes. Ed.

Your CISSP Is Worthless. Now What?

By Dave Shackleford

O
K, so its
not really
worthless.
It can help you get a
job or a contract
but in the scheme of
todays infosec world?
Its really broken, in my opinion. Let me
break down my thought process, since
Im typically pretty upbeat about things.
Over the years, I have had more than a
few laughs with both clients and SANS
students about various aspects of the
CISSP. Few seem to really take it seri-
ously. Thats a big indicator.
Second, there are far too many things in
that cert/test that are completely and to-
tally useless to 99% of us in infosec. As
the information systems security pro-
fessional, I do not need to know about
fire extinguisher types, fence height,
or lighting. Sure, it may be interesting
knowledge, but not relevant to most
peoples infosec jobs, and thus extrane-
ous in the cert.
Third, the CISSP demonstrates no
hands-on skills. The test itselfcom-
pletely insane in its wording and content
in some casesjust makes you memo-
rize a bunch of concepts. We dont need
many, if any, theoreticians today. We
need tangible, real skills that can be
put to good use immediately. You may
argue that theory and research and risk
have a place. Sure. But I dont need that
in acert like this. I want someone who
can walk in the door and DO things, not
think about doing things. Or talk about
doing things. Or answer obtuse ques-
tions about things without being able to
perform hands-on tasks.
Ive had some people tell me Im proud
of my CISSP.
Really? Of what, exactly?
Studying for a test?
Taking and passing a long, obnox-
ious test?
Doing WORK for three to four years?
(wow, welcome to a CAREER)
Having a college degree (in some cas-
es)?
Acquiring CPE credits for random
things and events?
Getting someone to attest that you
are smart and/or awesome?
People, its broken.
HR offices are essentially discriminat-
ing against people who dont have one,
for really no good reason. This cert is
ridiculous. If you have to get one for
work, or compliance, or DOD 8570, or
somethingOK. But dont strut around
and act as though this really means you
have something unique or special
you dont. I know way too many CISSPs
who cant dissect a packet, configure a
firewall or IDS, write a script, perform
a real in-depth risk analysis, and so on.
That does NOT bode well for the future
of information security. If you argue
that its meant to be a broad, theory
or breadth of knowledge cert well,
I argue we dont NEED those. We need
more DO-ers.
So what do I propose?
I say scrap the whole thing. Start over.
Build a cert and program that tests fun-
damental skills and means something to
employers who really need things done.
Offer existing cert holders one year and
a free test to get the new one. Other-
wise, theyre out. We need to weed out
the people skating their way through
infosec on the back of a bunch of stupid
CPEs. Id love for the CISSP to mean
something, and see the industry rally
around it as a useful and legitimate in-
dicator of knowledge and skill.
About the Author
Dave Shackleford is the owner and prin-
cipal consultant of Voodoo Security and
a SANS analyst, senior instructor, and
course author. He has consulted with
hundreds of organizations in the areas
of security, regulatory compliance, and
network architecture and engineering.
He may be reached at dshackleford@voo-
doosec.com.
Annual Membership
Meeting
The Annual Membership
Meeting was held 12:00 pm
EDT, September 10th.
To access the recorded
version, visit
www.issa.org/?page=2015An-
nualMeeting.

10 ISSA Journal | October 2015

Association News
Please Join Your Colleagues in ISSAEF Annual Fund-Raiser Kick Off
Chicago
T
he Foundation is pleased to announce its fourth an-

D
ear ISSA Member,
For those outside the world of security, it is difficult,
if not impossible, to comprehend the true scale of
present and future security issues that are daily transform-
ing the lives of people, businesses, society, and the world at
large. Simultaneously, the promises of the ongoing techno-
logical revolution often tend to decry the recommendations
of cybersecurity professionalsyet, we are charged with mit- including:
igating risk and safeguarding the world from those enormous
security challenges.
Thus, our roles are also transforming. We must continue to
grow our security expertise even as we advance our skills in
effective communication and organizational leadership.
The ISSA International Conference offers unique guidance
and resources that were carefully selected to help securi-
ty professionals at all levels to achieve this strategic mix of
knowledge, skills, and aptitudes. It also provides you with ac-
cess to the strongest global network of experts across indus-
tries and skill sets. Join us to transform your career and your
organizations. ISSA
nual fund-raiser to be held in Chicago, Illinois, this
year in conjunction with ISSAs annual conference.
At our fund-raiser well be selling tickets to our drawing held
on Tuesday after lunch. Winners need not be present to win!
All winners will be notified at the conference to pick up their
prizes at the Foundation booth before the conference ends.
Stop by to learn about our scholarship programs and make
a tax-deductible donation for a chance to win great prizes,
A SANS-donated course from their entire catalogue of on-
line, in-person, or on-demand courses for 2016.
Great security books signed by the authors, such as:
Future Crimes by Marc Goodman
Data and Golaith by Bruce
Schneier
Spam Nation by Brian Krebs
With Murder You Get Sushi,
by Mary-Ann (Maddie) Da-
vidson
A Kindle Fire HD6, gift cards,
BOSE headphones, and much,
much more! Marc Goodman

The ISSA Education Foundation (ISSAEF) thanksSC Maga-

Upcoming International Web
Conferences Mark Your Calendar
Big Data Trust and Reputation, Privacy Cyber
Threat Intelligence
2-Hour Live Event: Tuesday, October 27, 2015
Start Time: 9:00 am US-Pacific/ 12:00 pm US-Eastern/ 5:00
pm London
Overview: The Internet is forever. If something is posted
on the net, there is no way to get it backor even correct it.
This webinar will talk about the potential uses of big data for
good and bad.
Moderator: Hari Pendyala, ISSA Fellow, Chennai, Asia Pa-
cific Chapter
Forensic Tracking the Hacker
2-Hour Live Event: Tuesday, November 17, 2015
Start Time: 9:00 a.m. US-Pacific/ 12:00 p.m. US-Eastern/
5:00 p.m. London
Moderator: Allen Wall, Senior Consultant, Information Risk
Management, HP Enterprise Security Services
Speaker: Dipto Chakravarty, EVP Engineering and Prod-
ucts, ThreatTrack Security Inc.
zine(a Haymarket Media brand)for its generous donation to
our annual scholarship fund.
See you in Chicago!
Pre-Professional Meet-Up Links
Introductory Meet-Up: https://www.youtube.com/
watch?v=3_FTI2d62Ss
Penetration Testing: Fireside Chat with Chris Simpson:
https://www.youtube.com/watch?v=dTXr5cop8_o
All about Entry-Level Security Certifications: https://www.
youtube.com/watch?v=GGlbE5JevEg
How to Get the Most out of Networking and Mentoring
Opportunities: https://www.youtube.com/watch?v=tsT-
4cvm_bTo
How to Land Your First Security Job: https://www.youtube.
com/watch?v=drWsKdrBVOE
ISSA, Raleigh Chapter
Triangle InfoSeCon 11th Annual Conference
October 8, 2015
Largest Infosec Conference in North Carolina
www.triangleinfosecon.com

October 2015 | ISSA Journal 11

 ISSA International Conference
OCTOBER 12-13, 2015 CHICAGO MARRIOTT DOWNTOWN CHICAGO, ILLINOIS
Advancing the Culture of Security
See Why You Should Attend!
https://youtu.be/hGJ5U_woHPs
Preparing for the Big One PREVIEW
Track: Incident Response
David Phillips
Managing Director, Cybersecurity Consulting, Berkeley
Research Group
Data breaches are going to continue to happen to
earnest companies. Many are simply not prepared for the situation,
bumbling the press comments, trampling on evidence, and not
recognizing the severity of the situation. All of this is increasing
the Fear-Uncertainty-Doubt to the public, David explains. The
only way to be prepared is to treat security as other industries have
treated high-risk environments. The board room cannot wait for
the Big One. From the Securities and Exchange Commission to
the American Bar Association to the White House, regulatory and
oversight bodies are foreshadowing the liability event. CxOs, board
members, shareholders, and insurance companies are going to feel
the punch as negligence suits become the norm. This session will
focus on a five-step process for developing an effective executive
cybersecurity program that demonstrates due diligence.
Preparing for a major privacy data breach requires a board-level
approach to coordination across general council, CISO, finance, HR,
IT operations, and partners. The IT security industry is focused on
selling point solutions that address a very limited part of the overall
security landscape, he adds. A deeper focus on the holistic prob-
lem is required in order to be prepared to rapidly detect and re-
spond to breaches.
Attendees will consider the broader sphere of the security environ-
ment that includes corporate politics, insurance mitigation, legal
protections, security cultural assessments, and security operations.
They will take away knowledge of the Layer 8 issues required to
properly respond to the Big One, how to measure and adapt an in-
fosec program on a new scale, and how to articulate security issues
to key decision makers.
Security is a people-centric issue; avoid relying on technology as
the solution, he concludes. Instead, focus on what it takes to build
a high-reliability organization.
See International Conference Guide Inserted
in the Journal for Full Agenda and All
Sessions
12 ISSA Journal | October 2015
Newly Added Featured Speaker:
James Trainor, Jr.
Assistant Director, Cyber Division, FBI
October 13: 10:15 am - 11:00 am, Salon 3
Register Now
www.issa.org/?issaconf_home
Groups of 10 or more save 20 percent on registration
fees. For more information, email Leah Lewis:
llewis@issa.org.
Diversified IT: Why the Security Workforce
Needs Qualified Women...and Men
Track: Business Skills for the Information Security Professional
Tammy Moskites
CIO and CISO, Venafi
Theres long been a need for more diverse candidates in informa-
tion technology, but lately the need is growing much stronger for
simply finding qualified security professionalsmen and women
aliketo enter the cybersecurity workforce. The personnel and
skills gap shortage is already starting to negatively impact the in-
dustry, Tammy explains. Many CISOs Ive met across the globe
have mentioned to me that they are having a difficult time find-
ing and hiring the right qualified people for the job. Thats a major
problem.A recent 2015 Frost & Sullivan report claims that the glob-
al workforce shortage of security professionals will reach 1.5 million
within five years, and the need for a wider skill set and strong com-
munications skills has never been greater.
So how do we build the next generation of cyber warriors and also
ensure that more females get interested at an early age in joining
the workforce? While there are some great certification and training
programs out there, we still need to find ways to encourage our kids
and college-aged students to get interested in the field. Thats a
critical part of solving this problem, she emphasizes. Its not just
about finding more women to create a diverse workforce; we sim-
ply cannot find enough qualified professionals in general.
This presentation will discuss firsthand lessons learned over Tam-
mys 30-year career span in IT and security. She will discuss the chal-
lenges of entering the workforce as a woman and how shes built
and grown her career. Shell also discuss how shes built and men-
tored great teams and where she sees the need for skills to evolve
as the threatscape has changed. Attendees will take away best
practices and key lessons learned from the personal challenges
she has overcome over the years. Im extremely passionate about
growing and mentoring great security teams, she exclaims. I be-
lieve strongly that we have a major skills-gap and a hiring crisis that
needs to be addressednow.
Attendees will understand why a more diversified workforce is
needed and how the gender gap can continue to dissolve with
more STEM programs and computer security college curricula. As
Tammy sums it up,This session will give infosec professionals first-
hand experience on how to build a successful team around them-
selves, have continued career growth, become great mentors to
their teams, and evolve their skills sets throughout their careers.
 DEVELOPING AND CONNECTING
ISSA CYBERSECURITY LEADERS GLOBALLY

Improving
Cybersecurity
Workforce Capacity
and Capability
Addressing the
Education-to-Workforce Disparity

By Marie A. Wright ISSA member, Connecticut Chapter

This article examines the chasm between demand and supply in the cybersecurity labor market.
It looks at the professional competencies established by the federal government to help align
industry cyber needs with education and training initiatives and offers suggestions to enhance the
partnerships between academia, industry, and professional associations.

Abstract than twice the rate of all other information technology (IT)
jobs [3]. They also took 36 percent longer to fill than all job
Across public and private sectors, there is a growing demand
postings [3]. Last year, Cisco estimated an industry shortage
for qualified cybersecurity professionals. Finding those in-
of more than one million security professionals worldwide
dividuals with the necessary knowledge, skills, and abilities
[4]. A recent Ponemon Institute survey of 504 human re-
(KSAs) to fill vacant positions has proven to be difficult. This
sources and IT security specialists in the United States found
article examines the chasm between demand and supply in
that the IT security function in most organizations was un-
the cybersecurity labor market. It looks at the professional
derstaffed, with 70 percent of the respondents reporting that
competencies established by the federal government to help
they had neither the depth nor breadth of qualified securi-
align industry cyber needs with education and training ini-
ty professionals [21]. In January 2015, ISACA conducted a
tiatives. It also offers suggestions to enhance the partnerships
global survey of 3,439 business and IT professionals in 129
between academia, industry, and professional associations
countries [12]. Ninety percent of the respondents said there
that will improve the KSAs of undergraduates who will soon
was a national shortage of skilled cybersecurity profession-
enter the cybersecurity workforce.
als. Another survey conducted earlier this year [13] seemed
to corroborate this. More than half of the 926 respondents

S
ince 2007, the demand for cybersecurity professionals
has risen dramatically. The cause is likely due to multi-
ple factors (e.g., greater connectivity, more vulnerabil-
ities, increased intruder awareness of the value of attacking
networks, and heightened public awareness of successful at-
tacks) [14]. According to Burning Glass Technologies, cyber-
security job postings grew 74 percent from 2007-2013, more
reported that it took their organizations anywhere from three
to six months to fill an open position, and that fewer than 25
percent of the applicants were qualified to fill the positions
for which they applied.
The demand for cybersecurity professionals is projected to
intensify over the next several years, largely due to the in-
creasing sophistication and persistence of cyber threats, and

14 ISSA Journal | October 2015

Improving Cybersecurity Workforce Capacity and Capability | Marie A. Wright
the growing pervasiveness of mobile devices and cloud ser-
vices in the business environment [9]. According to the most
recent (ISC)2 Global Information Security Workforce Study
[9], the estimated compound annual growth rate in global
demand for security professionals from 2014-2019 is 10.8 per-
cent, while the estimated compound annual growth rate in
global supply during that same five year period is only 5.6
percent. The numbers suggest that by 2019, there will be a
workforce shortage of more than 1.5 million cybersecurity
professionals.
The Bureau of Labor Statistics projects a 37 percent growth
in employment for Information Security Analysts through
2022, compared to an 11 percent average growth rate for all
occupations [2]; however, the title of Information Security
Analyst certainly does not describe all cybersecurity jobs.
Perhaps a better sense of the demand for cybersecurity work-
ers should be based on the number of organizations that
ought to be undertaking some measures to protect their sys-
tems, networks, and data from unauthorized access, use, or
harm [5]. In the United States there are approximately 456
agencies in the federal government [18], more than 90,000
state and local governments [26], almost 13,000 independent
school districts [26], approximately 7,200 public and private
colleges and universities [28], and more than six million firms
[25]. All should have someone responsible for cybersecurity
within their respective organizations.
Education and training initiatives
The first official recognition of the need for cybersecurity pro-
fessionals was the 2008 Comprehensive National Cybersecu-
rity Initiative (CNCI) [6]. The CNCI consisted of a dozen ini-
tiatives with the overall goal of helping to secure the United
States in cyberspace. Initiative #8 specifically addressed the
expansion of cyber education:
While billions of dollars are being spent on new technol-
ogies to secure the US Government in cyberspace, it is
the people with the right knowledge, skills, and abilities
to implement those technologies who will determine suc-
cess. However, there are not enough cybersecurity experts
within the Federal Government or private sector to im-
plement the CNCI, nor is there an adequately established
Federal cybersecurity career field. Existing cybersecuri-
ty training and personnel development programs, while
good, are limited in focus and lack unity of effort. In order
to effectively ensure our continued technical advantage
and future cybersecurity, we must develop a technologi-
cally-skilled and cyber-savvy workforce and an effective
pipeline of future employees. It will take a national strate-
gy, similar to the effort to upgrade science and mathemat-
ics education in the 1950s, to meet this challenge [6].
In 2010, in response to CNCI Initiative #8, the National Ini-
tiative for Cybersecurity Education (NICE) was established.
Led by the National Institute of Standards and Technology
(NIST), NICE consists of more than twenty federal depart-
ments and agencies. To achieve its mission of enhancing the
overall cybersecurity posture of the United States, NICE has
three goals: To increase national cybersecurity awareness, to
expand the pool of individuals prepared to enter the cyber-
security workforce, and to develop a globally competitive cy-
bersecurity workforce [17].
NICE National Cybersecurity Workforce Framework
The foundation of the NICE effort to standardize the cyberse-
curity field is the National Cybersecurity Workforce Frame-
work [8]. Version 1.0, released in August 2012, organized cy-
bersecurity into seven high-level categories, each comprised
of several specialty areas. Related job titles, tasks, and KSAs
needed to successfully complete those tasks were further de-
October 2015 | ISSA Journal 15
Improving Cybersecurity Workforce Capacity and Capability | Marie A. Wright
Categories
Securely Provision
Concerned with conceptualizing, designing, and
building secure IT systems with responsibility for
some aspect of the systems development
Operate and Maintain
Responsible for providing the support, administration, Network Services
and maintenance necessary to ensure effective and
efficient IT system performance and security
Protect and Defend
Responsible for the identification, analysis, and miti-
gation of threats to internal IT systems or networks
Investigate
Responsible for the investigation of cyber events or
crimes related to IT systems, networks, and digital
evidence
Oversee and Govern
Providing leadership, management, direction, or
development and advocacy so the organization may
effectively conduct cybersecurity work
Collect and Operate
Responsible for specialized denial and deception
operations and collection of cybersecurity information
that may be used to develop intelligence
Analyze
Responsible for highly specialized review and
evaluation of incoming cybersecurity information to
determine its usefulness for intelligence
Table 1 National Cybersecurity Workforce Framework
scribed within each specialty area [11].
By establishing a common taxonomy
and lexicon for cybersecurity workers,
and developing a baseline of tasks and
KSAs associated with cybersecurity pro-
fessionals [17], the framework defines
cybersecurity work irrespective of orga-
nizational structure or job title, and is
flexible enough to allow organizations to
adapt its content to their own workforce
planning needs [16]. In 2013, work began
on updating the framework to reflect the
latest changes in IT and the cybersecu-
rity field. The most recent version of the
16 ISSA Journal | October 2015
Specialty Areas
Secure Acquisition
Secure Software Engineering
Systems Security Architecture
Technology Research and Development
Systems Requirements Planning
Test and Evaluation
Systems Development
Data Administration
Customer Service and Technical Support
System Administration
Systems Security Analysis
Enterprise Network Defense Analysis
Incident Response
Enterprise Network Defense Infrastructure
Support
Vulnerability Assessment and Management
Digital Forensics
Cyber Investigation
Legal Advice and Advocacy
Strategic Planning and Policy Development
Training, Education, and Awareness
Information Systems Security Operations
Security Program Management
Risk Management
Knowledge Management
Collection Operations
Cyber Operations
Cyber Operations Planning
All Source Intelligence
Exploitation Analysis
Targets
Threat Analysis
framework is shown in Table 1. Source:
DRAFT National Cybersecurity Work-
force Framework Version 2.0, National
Initiative for Cybersecurity Careers and
Studies.1
ETA Cybersecurity Competency Model
In 2013, the Employment and Training
Administration (ETA) of the US Depart-
ment of Labor began working with the
more than twenty federal departments
and agencies that contributed to the
1 http://niccs.us-cert.gov/research/draft-national-
cybersecurity-workforce-framework-version-20.
NICE framework to develop a Cyberse-
curity Competency Model [7]. The goal
was to promote a better understanding
of the competencies and skill sets that
were essential to educate and train a
globally competitive cyber workforce
[10]. The resulting model incorporates
the competencies identified in the NICE
framework and expands on it by includ-
ing the competencies needed by average
workers who use technology, as well as
those needed by cybersecurity profes-
sionals [7]. The Cybersecurity Compe-
tency Model was launched in May 2014,
and is shown in figure 1 [1].
The pyramid structure conveys an in-
creasing level of content specialization,
from entry-level worker to senior-level
cybersecurity professional. The blocks
within each tier represent competency
areas (i.e., the KSAs necessary for suc-
cessful performance) [1]. At the bottom
of the pyramid, Tiers 1 through 3 repre-
sent the soft skills, the personal effec-
tiveness, academic, and workplace foun-
dation competencies essential for all in
the cybersecurity workforce. Tiers 4 and
5 (shown in yellow) show the technical
competencies that are cross-cutting to
the cybersecurity industry or indus-
try sector. The top tier (shown in blue)
represents the specialization of knowl-
edge and technical competencies within
management and within specific cyber-
security occupations [1].
Addressing the supply/demand
disparity
In spite of the federal governments ini-
tiatives to increase the supply of cyber-
security professionals, it will take time
to expand the workforce in response to
the heightened demand [14]. It may take
years to educate and train a sufficiently
qualified labor force; yet, there are things
that can be done in the short termby
industry, academia, and professional as-
sociationsthat can positively impact
the KSAs of undergraduates who will
soon enter the workforce. Following are
ten straightforward suggestions, offered
from the authors perspective as an ac-
ademic who has spent more than two
decades developing and updating under-
graduate information security courses
and programs.
Improving Cybersecurity Workforce Capacity and Capability | Marie A. Wright
Figure 1 Cybersecurity Competency Model
1 Industry security professionals and board members
from regional chapters of professional security associa-
tions should volunteer to be guest speakers in the IT and
security classes offered at local colleges and universities.
In spite of the fact that millennials (young adults, ages 18 to
26) have grown up in a digital environment, only one in four
indicates an interest in a career as a cybersecurity profes-
sional [23]. Most students are uncertain about cybersecurity
job responsibilities, and they need information, advice, and
encouragement from others outside of the academic sphere.
There is no more effective way to share career experiences, to
influence individual career choices, or to emphasize the need
for a stronger cybersecurity workforce, than to speak directly
to those still in school.
2 Security professionals from industry and board mem-
bers from regional chapters of professional security associ-
ations should volunteer to serve as advisory board members
for college or university departments that offer cybersecu-
rity or information security courses. Active board partic-
ipation is essential, and contributing to the advancement of
cybersecurity education is equally important. Academic ad-
ministrators listen to the feedback provided by external pro-
fessionals, and they typically listen more carefully than they
do to the information provided by their own faculty.
3 Businesses should establish more paid internships and
co-ops in cybersecurity. These offer the best of both worlds
to businesses and to students. Businesses have the opportu-
nity to hire, without obligation, knowledgeable and energetic
individuals from local colleges and universities who are eager
to contribute, and to do so at a (typically) lower pay scale on a
short-term basis. Students have the opportunity to gain the
practical, entry-level experience necessary for them to be-
gin their cybersecurity careers, while earning much-need-
ed money for their tuition expenses.
4 Businesses should make a more concerted effort to
donate their unused equipment to local colleges and
universities that are trying to develop their cyberse-
curity programs. Academic institutions operate in
the real world. They continually face budget cuts, and
oftentimes funding that should go to improve the
classroom learning environment instead becomes
redirected toward administrative and operating
expenses. Today, many publicly-funded universi-
ties receive less than 50 percent of their revenue
from the state. Businesses can help by donating
equipment they no longer need to colleges or
universities for educational purposes. By do-
ing so, businesses not only help students who
may be aspiring cybersecurity professionals,
they may be able to claim a tax deduction
for their equipment donations as well.
5 Business professionals and academ-
ics need to strongly encourage students
to join professional associations, at-
tend local chapter meetings, and network. Particularly for
those on the cusp of starting their careers, what you know
has to be supplemented with who you know. The benefits of
professional association membership are well known to those
already in the field, but students have not yet learned the ad-
vantages of developing professional relationships, being men-
tored, or having access to an array of resources and services
that are offered only to members. Students need help in de-
termining which of the many good security-related profes-
sional associations they should join. For example, by joining
the ISSA, students could take advantage of the Cybersecu-
rity Career Lifecycle (CSCL) program. As pre-professionals,
they could do a self-assessment of their KSAs, which would
help them to better understand what an aspiring professional
needs to know to enter the field, as well as the types of indus-
try roles they might be best suited to fill [20].
6 All security-related professional associations should
have low-cost student membership rates, and they should
offer scholarships for student members who are studying
cybersecurity. Some professional associations offer student
memberships at reduced costs, but not all do. Even fewer offer
student scholarships.2 Student membership in security-relat-
ed professional associations might be better spurred if stu-
dent financial needs were better understood. Since 2008, pub-
lic colleges and universities nationwide have increased tuition
by more than 27 percent to compensate for state funding cuts
[19]. Most of the nations undergraduates hold jobs while go-
2 ISSA offers student memberships. The ISSA Education Foundation (issaef.org)
awards annual scholarships andadministers ISSA chapter scholarships, such as
Denver and San Francisco chapters. In addition, several other ISSA chapters conduct
their own scholarship programs.
October 2015 | ISSA Journal 17
Improving Cybersecurity Workforce Capacity and Capability | Marie A. Wright
ing to school to pay for their educational expenses: 52 percent
work part-time, and another 20 percent work full-time [27].
The bottom line is that their discretionary income is limited.
7 Academics should encourage students to pursue certi-
fication. There are hundreds of cybersecurity-related certifi-
cations, and navigating through the confusing array can be a
daunting challenge. To make the process easier, the National
Initiative for Cybersecurity Careers and Studies (NICCS) de-
veloped a list of organizations that provide the professional
certifications needed for entry or promotion in the cyberse-
curity career field [22]. The list supports NICEs goal of facil-
itating the development of a globally competitive cybersecu-
rity workforce. Certification standards can help academia to
better align their cybersecurity curricula with current indus-
try needs [24]; however, these standards have a training focus
that should supplement, but not replace, education.
8 Academics should employ a multidisciplinary approach
to cybersecurity education. Traditionally, security courses
and programs have been housed in Computer Science or En-
gineering departments, which necessarily emphasize high-
ly-specialized, technical knowledge; however, cybersecurity
is more than just a technical discipline. It is a complex sub-
ject, whose understanding requires knowledge and expertise
from multiple disciplines, including but not limited to com-
puter science and information technology, psychology, eco-
nomics, organizational behavior, political science, engineer-
ing, sociology, decision sciences, international relations, and
law. [15] Although technical knowledge is important, recent
studies [9][13] have suggested that other attributes, such as
having a broad understanding of the security field, having
UPCOMING
Dont Miss This Web Conference!
Big DataTrust and Reputation,
PrivacyCyber Threat
Intelligence
2-hour live event 9:00 am PDT, 12:00 pm EDT,
5:00 pm London, Tuesday, October 27, 2015.
The Internet is forever. If something is posted on
the net, there is no way to get it backor even
correct it. This webinar will talk about the poten-
tial uses of big data for good and for bad.
Moderator: Hari Pendyala, ISSA Fellow and mem-
ber, Chennai, Asia Pacific Chapter.
Click here for more information.
For more information on our webinar schedule:
www.issa.org/?page=WebConferences.
18 ISSA Journal | October 2015
strong communications skills, and being able to understand
the business, may be more important for success as a cyber-
security professional.
9 Academics should incorporate realistic case studies and
practical simulations into the cybersecurity curriculum.
Classroom theory and hands-on practice have a reciprocal
relationship, where one informs and reinforces the other. The
case method, originally championed by the Harvard Business
School, uses case studies to emulate realistic business chal-
lenges. The information provided is typically complex and
insufficiently detailed, so students are challenged while their
judgment and leadership skills are strengthened. In the case
of simulations, learning occurs through hands-on actions,
and preferred outcomes tend to be based on experience. The
simulation environment provides constant and immediate
feedback, so students can adjust their actions based on the
information they receive. Both case studies and simulations
are operational scenarios in which specific skills are learned
and performance is evaluated within a realistic context. Mis-
takes will be made, and they often provide the best learning
experiences.
10 Industry professionals should work more closely with
academia to sponsor mock cybersecurity competitions.
Unlike large-scale competitions, such as the annual National
Collegiate Cyber Defense Competition sponsored by the De-
partment of Homeland Security Science and Technology Di-
rectorates Cyber Security Division, these mock competitions
should be much smaller and should occur more frequently
(e.g., monthly). They should have a practical, hands-on focus,
but they should not require the high level of technical profi-
ciency demanded by national cyber competitions in order to
encourage as much student participation as possible, includ-
ing those who are not majoring in Computer Science or IT.
After all, students majoring in non-technical disciplines may
have the right set of skills to become cybersecurity profes-
sionals [14].
Conclusion
Since 2007, the sharp increase in demand for cybersecurity
professionals has been met with a relatively small increase in
the number of individuals qualified to fill those jobs. In spite
of the federal governments initiatives to increase the supply
of cybersecurity professionals, the labor market is tight and is
projected to remain so for the next decade. It will take years
to educate and train a sufficiently qualified workforce. In the
meantime, there are actions that can be undertaken in part-
nership by industry, academia, and professional associations
that can help to improve the capacity and capability of the
cybersecurity workforce.
References
[1] Bertsche, Alyce Louise. The DOL Competency Model Clear-
inghouse. Webinar presentation for the North East Regional
Employment and Training Association, May 1, 2014 http://
docslide.net/government-nonprofit/competency-model-clear-
inghouse.html.
SECURING
Your World
Todays Warfighter requires the best tools to conduct combat in Cyberspace. n 5-10X faster than the
Our field-proven and award-winning network security products ensure your competition
critical data is safe from the inside out. n Application-aware for
With solutions configured to Military-grade specs, you can deploy the fastest precise control
and most advanced network security platform on the market. n Deep packet inspection
(DPI) streamlines traffic
Call to Schedule Your Free Application and Risk flow
Analysis of Your Network (571) 449-8375 n Security Zone level
fortinet.com/solutions/federal.html grouping

FortiDDoS FortiGate FortiGate Rugged

Denial of Service Protection High Performance Firewalls, Industrial Network Security
UTM and NGFW

www.fortinet.com
Improving Cybersecurity Workforce Capacity and Capability | Marie A. Wright
[2] Bureau of Labor Statistics, US Department of Labor. Infor-
mation Security Analysts, Occupational Outlook Handbook,
2014-15 http://www.bls.gov/ooh/computer-and-informa-
tion-technology/information-security-analysts.htm.
[3] Burning Glass Technologies. Job Market Intelligence: Re-
port on the Growth of Cybersecurity Jobs. 2014 http://
burning-glass.com/wp-content/uploads/Burning-Glass-Re-
port-on-Cybersecurity-Jobs.pdf.
[4] Cisco Systems, Inc. Cisco 2014 Annual Security Report
https://www.cisco.com/web/offer/gist_ty2_asset/Cisco_2014_
ASR.pdf.
[5] Committee on Professionalizing the Nations Cybersecurity
Workforce: Criteria for Future Decision-Making, Computer
Science and Telecommunications Board, Division on Engi-
neering and Physical Sciences, and National Research Council.
Professionalizing the Nations Cybersecurity Workforce?: Cri-
teria for Decision-Making, Washington, DC: National Acad-
emy of Sciences, 2013 http://www.nap.edu/catalog/18446/
professionalizing-the-nations-cybersecurity-workforce-crit-
eria-for-decision-making.
[6] Comprehensive National Cybersecurity Initiative https://
www.whitehouse.gov/sites/default/files/cybersecurity.pdf.
[7] Cybersecurity Competency Model, CareerOneStop Com-
petency Model Clearinghouse http://www.careeronestop.org/
competencymodel/competency-models/cybersecurity.aspx.
[8] FAQs. National Initiative for Cybersecurity Careers and
Studies http://niccs.us-cert.gov/footer/faqs.
[9] Frost and Sullivan, (ISC)2, and Booz Allen Hamilton. The
2015 (ISC)2 Global Information Security Workforce Study
https://www.isc2cares.org/uploadedFiles/wwwisc2care-
sorg/Content/GISWS/FrostSullivan-(ISC)-Global-Informa-
tion-Security-Workforce-Study-2015.pdf.
[10] Help and FAQs, CareerOneStop Competency Model Clear-
inghouse http://www.careeronestop.org/competencymodel/
faq.aspx.
[11] Interactive National Cybersecurity Workforce Frame-
work, National Initiative for Cybersecurity Careers and Studies
http://niccs.us-cert.gov/training/tc/framework/.
[12] ISACA. 2015 Global Cybersecurity Status Report http://
www.isaca.org/pages/cybersecurity-global-status-report.aspx.
[13] ISACA, and RSA Conference, State of Cybersecurity: Im-
plications for 2015 http://www.isaca.org/cyber/Documents/
State-of-Cybersecurity_Res_Eng_0415.pdf.
[14] Libicki, Martin C., David Senty, and Julia Pollak. H4cker5
Wanted: An Examination of the Cybersecurity Labor Market,
Santa Monica, CA: RAND Corporation, 2014 http://www.
rand.org/content/dam/rand/pubs/research_reports/RR400/
RR430/RAND_RR430.pdf.
[15] National Academy of Sciences, Computer Science and Tele-
communications Board, Division on Engineering and Physical
Sciences. At the Nexus of Cybersecurity and Public Policy:
Some Basic Concepts and Issues, May 2014 http://sites.na-
tionalacademies.org/cs/groups/depssite/documents/webpage/
deps_087875.pdf.
[16] National Institute of Standards and Technology. National
Initiative for Cybersecurity Education Strategic Plan, 2012
20 ISSA Journal | October 2015
http://csrc.nist.gov/nice/documents/nicestratplan/nice-strate-
gic-plan_sep2012.pdf.
[17] National Institute of Standards and Technology. NICE
Overview. Presentation at the Asia-Pacific Economic Coop-
eration, Womens Business and Smart Technology Seminar,
Beijing, China, May 23, 2014 http://mddb.apec.org/Docu-
ments/2014/PPWE/SEM2/14_ppwe_sem2_007.pdf.
[18] Number of Agencies in the Federal Government http://
www.numberof.net/number-of-agencies-in-the-federal-gov-
ernment/.
[19] Oliff, Phil, Vincent Palacios, Ingrid Johnson, and Michael
Leachman. Recent Deep State Higher Education Cuts May
Harm Students and the Economy for Years to Come. March
19, 2013 http://www.cbpp.org/research/recent-deep-state-
higher-education-cuts-may-harm-students-and-the-econo-
my-for-years-to-come?fa=view&id=3927.
[20] Parizo, Eric. Non-traditional Employee Recruitment May
Remedy Security Hiring Woes, November 2014 http://
searchsecurity.techtarget.com/opinion/Non-traditional-em-
ployee-recruitment-may-remedy-security-hiring-woes.
[21] Ponemon Institute LLC. Understaffed and at Risk: Todays
IT Security Department, 2014 http://www.hp.com/hpinfo/
newsroom/press_kits/2014/RSAConference2014/Ponemon_
IT_Security_Jobs_Report.pdf.
[22] Professional Certifications, National Initiative for Cyber-
security Careers and Studies http://niccs.us-cert.gov/train-
ing/professional-certifications.
[23] Raytheon Company. Preparing Millennials to Lead in Cy-
berspace, October 2014 http://www.raytheon.com/news/rt-
nwcm/groups/gallery/documents/digitalasset/rtn_210603.pdf.
[24] University of Phoenix and (ISC)2 Foundation. Cybersecu-
rity Workforce Competencies: Preparing Tomorrows Risk-
Ready Professionals, 2014 http://cdn-static.phoenix.edu/
content/dam/altcloud/doc/industry/cybersecurity-report.pdf.
[25] US Census Bureau. Appendix Table 1: Summary Statistics
by NAICS Sector and Enterprise Employment Size: 2012. Sta-
tistics of U.S. Businesses: Employment and Payroll Summary:
2012 http://www.census.gov/content/dam/Census/library/
publications/2015/econ/g12-susb.pdf.
[26] US Census Bureau. Government Organization Summary
Report: 2012 http://www2.census.gov/govs/cog/g12_org.pdf.
[27] US Census Bureau. School Enrollment and Work Status:
2011 http://www.census.gov/prod/2013pubs/acsbr11-14.pdf.
[28] US Department of Education, National Center for Educa-
tion Statistics. Table 105.50 Number of Educational Institu-
tions, by Level and Control of Institution: Selected Years, 1980-
81 through 2011-12 https://nces.ed.gov/programs/digest/
d13/tables/dt13_105.50.asp.
About the Author
Marie A. Wright, PhD, is a Distinguished
Professor of Management Information Sys-
tems at Western Connecticut State Univer-
sity. She has been actively involved in the
field of information security for more than
twenty-five years. She may be reached at
wrightm@wcsu.edu.
 Attend
ISSA International Conference the Fabulous
Party in the Sky
Chicago, Illinois October 12-13, 2015 at 360 Chicago!

Advancing the
Monday Night
October 12
Sponsored by

Culture of Security

Dont Miss the

Cyber Networking
Gala Reception
in the Exhibit Hall!
Sunday Night
October 11

Keynote Speakers
Vinton G. Cerf & Dan Geer

Photo credit: Choose Chicago

 Advancing the Culture of Security

Advancing the
Culture of Security
Join us for solution-oriented, proactive, and innovative sessions
focused on security as a vital part of business.

For those outside the world of security, it is difficult, if not impossible, to comprehend the true scale of present and future security
issues that are daily transforming the lives of people, businesses, society, and the world at large. Simultaneously, the promises
of the ongoing technological revolution often tend to decry the recommendations of cybersecurity professionalsyet we are
charged with mitigating risk and safeguarding the world from those enormous security challenges. Thus, our roles are also trans-
forming. We must continue to grow our security expertise even as we advance our skills in effective communication and organi-
zational leadership.
The ISSA International Conference offers unique guidance and resources that were carefully selected to help security professionals
at all levels to achieve this strategic mix of knowledge, skills, and aptitudes. It also provides you with access to the strongest global
network of experts across industries and skill sets. Join us to transform your career and your organizations.

Keynote Speakers Featured Speakers

Monday, October 12 Tuesday, October 13 10/12/2015, 10:00 am - 10:45 am
8:15 am 9:45 am 9:00 am 10:00 am Demetrios Lazarikos
CISO, vArmour

10/12/2015, 11:00 am - 11:45 am

Arlan McMillan
CISO, United

10/12/2015, 1:45pm - 2:30 pm

Jeff Reich
Chief Security Officer, Barricade

10/13/15, 10:15 am - 11:00 am

Vinton G. Cerf
Vice President and Chief
Internet Evangelist, Google
James C. Trainor, Jr.
Assistant Director, Cyber Division, FBI
Dan Geer
CISO, In-Q-Tel 10/13/2015, 1:45 pm - 2:30 pm
Dave Ostertag
Global Investigations Manager, Verizon DBIR

Diamond Sponsors

2 ISSA 2015 International Conference

 ISSA International Conference October 1213, 2015 Chicago, Illinois, USA

Welcome Cybersecurity Professionals!

Fellow members and leaders of ISSA and cybersecurity professionals,
it is our pleasure to welcome you to the 2015 ISSA International Conference.
ISSA selected this years theme, Advancing the Culture of Security, to reflect the tireless dedication of cybersecurity
professionals in creating the necessary culture shift within their organizations, in order to mitigate the challenges
posed by an ever-growing and changing threat landscape. In order to advance their security posture, organizations
must knock down management silos and allow cybersecurity to permeate the whole working environment. Cyber-
security is not only the job of Infosec professionals; it needs to become part of everyones job. It is becoming a relevant
question on the table of Boards of Directors and CEOs. It is a daily matter for executives and line managers alike. CISOs
are growing their staffs and increasingly participating in business-level decision making.
Over the past 26 years, ISSA members have been working diligently to manage the virtual explosion of information
technology, and its exponential growth. To quote Albert Einstein: The human spirit must prevail over technology.
As leaders of the cybersecurity profession, our greatest challenge is to ensure that our organizations cultures are resil-
ient and collaborative, using technology in an environment that is both secure and productive. This conference is our
opportunity to network, share success stories, pose important questions, and welcome the advice and suggestions of
our colleagues and experts of renown.
Thanks to all the volunteers and the staff who worked tirelessly to put together the program and every detail of the
event, to the exhibitors, to the speakers, and to all those who submitted a presentation, proposing great themes
among which it was difficult to pick. And finally, thanks to each and every one of you for joining us at the 2015 ISSA
International Conference.
Dr. Stefano Zanero Valeri L. Baldwin
Chair, ISSA International Conference President, ISSA Chicago Chapter

Conference Agenda at a Glance

October 10, 2015
CISO Forum:
5:00 pm 8:00 pm: CISO Forum Opening Dinner*
October 11, 2015
CISO Forum:
8:00 am 5:00 pm: CISO Forum Program*
Conference Events:
5:00 pm 7:30 pm: Conference Cyber Networking Gala
Reception
October 12, 2015
Conference Events:
7:00 am 7:00 pm: Conference Registration Open
7:15 am 8:15 am: Breakfast in Salon 3
8:15 am 9:45 am: Keynote Session Vinton G. Cerf:
Vice President and Chief Internet Evangelist, Google
9:45 am 4:00 pm: Exhibit Show Floor Open
12:00 pm 1:30 pm: CISO Panel Luncheon
1:45 pm - 2:30 pm: WIS SIG Presentation
4:00 pm 5:00 pm: Cyber Defense Center/Diamond
Sponsors
6:00 pm 9:00 pm: Chicago Welcome Reception: Party
in the Sky at 360 Chicago, sponsored by Bomgar
October 13, 2015
Conference Events:
7:00 am - 12:00 pm: Conference Registration Open
7:30 am - 8:30 am: WIS SIG Breakfast: Networking for
Success
8:00 am 9:00 am: Breakfast in Salon 3
9:00 am 10:00 am: Keynote Session Dan Geer:
CISO, In-Q-Tel
10:00 am 2:00 pm: Exhibit Show Floor Open
10:15 am - 11:00 am: WIS SIG Presentation
12:00 pm 1:30 pm: Awards Luncheon
4:00 pm 5:00 pm: Cyber Defense Center/Diamond
Sponsors
October 14, 2015
Chapter Leaders Summit
8:00 am 3:00 pm: Chapter Leaders Summit Program**
*CISO Forum is open to members of the CISO Executive Program
and qualified first-time guests.
**The Chapter Leaders Summit is open to all chapter officers and
board members of record at the time of registration. Please RSVP
online. If you have questions please contact chapter@issa.org.

ISSA 2015 International Conference 3

 Advancing the Culture of Security

Special Events
Saturday, October 10 (Evening Dinner) & Sunday, October 11 (All-day workshops 4th floor)
CISO Forum Opening Dinner: Saturday 5:00 pm 8:30 pm
CISO Forum Program: Sunday 8:00 am 5:00 pm Cyber Defense
CISO Forum is open to members of the CISO Executive Program and qualified first-time guests.
Center
Sunday, October 11: From 4:00 pm to 5:00 pm on
ISSA Conference Cyber Networking Gala Reception Monday and Tuesday, attend
special product demonstra-
5:00 pm 7:30 pm tions, receptions, prize draw-
All attendees are welcome to join us in the Exhibit Hall at this informal networking reception in
ings and more in the new ISSA
Salon 1 & 2.
Cyber Defense Center spon-
Monday, October 12: sored by Bomgar, Microsoft,
Spikes, Symantec, and Venafi.
CISO Panel Luncheon Sponsored by Look for your special invita-
12:00 pm 1:30 pm, Salon 3 tions in September, in your
Seasoned CISOs and C-level security professionals share their thoughts and insights on how to registration packet, and in the
advance the culture of security in your company from the corner office and beyond. ISSA Conference Mobile App!

Party in the Sky at 360 Chicago Sponsored by

6:00 pm 9:00 pm
All attendees are welcome to join us at this informal, networking event at 360 Chicago! Voted Best View in America by Travel & Leisure
Magazine. ISSA has exclusive use of 360 Tilt Observatory.
360 Chicago, 875 N. Michigan Avenue, 94th Floor. Exit the Marriott on the N. Michigan Avenue side of the lobby. Turn left onto N. Michigan Ave. Walk seven
blocks to Chestnut. Cross Michigan Avenue and go down the stairs to the plaza entrance to the John Hancock Center. The entrance to 360 Chicago will be on your
left. You will be directed through the 360 Chicago Concourse to the 94th floor elevators. Handicap entrance on Delaware St.

Tuesday, October 13:

International Awards Luncheon Sponsored by
12:00 pm 1:30 pm
The International Awards Luncheon will be held in Salon 3 is open to all attendees. Join the Whos Who of the information security
community and toast the influential leaders who have demonstrated a superior level of expertise, effectiveness, and dedication to the
advancement of the profession.
2015 Award Winners:
Hall of Fame Honor Roll Presidents Award for Public Service:
Shon Harris (posthumously) Alex Grohmann Hacking Exposed: Stuart McClure,
Jeff Reich Mark Williams Joel Scambray, George Kurtz
Kevin Richards Dave Reed Organization of the Year:
Volunteer of the Year Chapter of the Year Microsofts Trustworthy Computing
David Vaughn Large: Phoenix Chapter Group
Jordan Lombard Small: Puerto Rico Chapter

Wednesday, October 14:

Chapter Leaders Summit
8:00 am 3:00 pm, Kane/McHenry Room
Whether you are a new or long-time chapter board member, this one-day summit is a must. The Chapter Leaders Summit is designed to
provide you with leadership tactics to support, strengthen, and further develop your chapter and enhance member value. How can you
make it easy for members to get the most out of their membership?
**The Chapter Leaders Summit is open to all chapter officers and board members of record at the time of registration. Please RSVP for the Summit
online. If you have questions, please contact chapter@issa.org, 866 349 5818 (toll free within the US) or + 206 388 4584 (international).

4 ISSA 2015 International Conference

 Advancing the Culture of Security

Chicago Marriott Downtown

Photo & Video

Disclaimer
Cyber Defense
By attending the ISSA Center
International Conference, Oct. 12 and 13
you will be entering an area 4:00 pm 5:00 pm
where photography, video,
and audio recording may
occur. By attending, you
consent to photography,
audio recording, video re- ROOM LOCATIONS
cording, and its/their release,
publication, exhibition, or Huron ...............................................4th floor
reproduction to be used for Indiana/Iowa .................................6th floor
news, webcasts, promo-
tional purposes, telecasts, Kane/McHenry .............................3rd floor
advertising, inclusion on
websites, or any other pur- Lincolnshire ...................................6th floor
pose by ISSA and its affiliates Michigan/Michigan State .........6th floor
and representatives. You
release ISSA, its officers and Northwestern/Ohio State.........6th floor
employees, and each and all
persons involved from any OHare........................................... 10th floor
liability connected with the Purdue/Wisconsin.......................6th floor
taking, recording, digitizing,
or publication of interviews, Salons 1-3 .......................................7th floor
photographs, computer
images, video and/or sound
recording. Exhibit Hall
Exhibit Hall Hours:
Registration Sunday, Oct. 11
Registration 5:00 pm 7:30 pm
Hours: Monday, Oct. 12
Sunday, Oct. 11 9:45 am 4:00 pm
7:00 am 7:00 pm
Tuesday, Oct. 13
Monday, Oct. 12 Keynote Room 10:00 am 2:00 pm
7:00 am 4:30 pm
Tuesday, Oct. 13
7:00 am 12:00 pm

6 ISSA 2015 International Conference

 ISSA International Conference October 1213, 2015 Chicago, Illinois, USA

Exhibitor Booth #
Alert Logic ...................................304
Be Sure to Visit All Our Solution Providers Bay Dynamics.............................119
Bit9, Inc. ........................................218
in the Exhibit Hall Bomgar............................ 207 & 209
Cimcor, Inc ..................................221
Sunday, October 11: 5:00 pm - 7:30 pm Monday, Oct. 12: 9:45 am 4:00 pm Clearswift.....................................306
Comodo .......................................300
Tuesday, Oct. 13: 10:00 am 2:00 pm Contact Singapore ...................217
CyberArk ..................................... 305
Damballa ..........................Corner A
DocAuthority .............................101
Dtex Systems..............................320
Corner C Corner D Esentire.........................................200
ESET ...............................................123
Fortinet............................ 312 & 314
Exhibit Hall Salon 1 & 2 Forum Systems ..........................103
Great Bay Software ..................114
InfoBlox ........................................110
Inspired eLearning ...................203
Intelisecure .................... 115 & 117
ISSA Foundation ............ Corner D
Keeper Security .........................307
MediaPro ........................ 311 & 313
Microsoft......................... 214 & 216
MNJ Technologies ....................106
Nexum Inc. ..................................317
ObservIt .......................................116
OpenDNS........................ 105 & 107
PhishLine ........................ 204 & 206
PKWARE........................................222
Pulse Secure ...............................205
Qualys ...........................................223
SANS....................................Corner C
Secunia .........................................319
Sergeant Laboratories ............201
Skybox ..........................................316
Spikes............................... 113 & 212
Sunera...........................................104
Symantec ........................ 109 & 208
Tenable .........................................308
Corner A Corner B The Security Awareness
Company .....................................122
ThreatTrack .................................100
Venafi ............................... 213 & 215
Exhibit Hall Entrance Veracode ......................................322

Diamond Sponsors Platinum Sponsors

Gold Sponsors Silver Sponsors

Partner Sponsor
www.ISSAEF.org

ISSA 2015 International Conference 7

 Advancing the Culture of Security

ISSA Conference Tracks: ISSA Career Counseling and

Networking Center
Mobile Security: Wireless, Mobile Apps, Tablets and Smartphones Career counseling by appointment;
Employers: bring and post your job
Application Security: Application Security, Security Development Life Cycle openings here.
Huron Room, 10th Floor
Infrastructure: Endpoint Security, Network Security, Data Loss Prevention,
Pen/Vulnerability Testing, Security Intelligence, Data Protection, Architecture

Incident Response

Laws and Regulations: Legal Updates, GRC, Standards

Business Skills for the Information Security Professional: Presenting the business case for Information Security, Career
Paths for Information Security Professionals, Privacy

Securing the End User: Security Awareness Training, Social Media, Access Control

Monday, October 12
International Conference Registration Open: 7:00 am 4:30 pm, 7th Floor Registration
Breakfast: 7:15 am 8:15 am, Salon 3

Opening Keynote Address Vinton G. Cerf: 8:15 am - 9:45 am, Salon 3

Break in Exhibit Hall: 9:45 am 10:00 am, Salon 1 & 2

Session Information Follows the Session Grids

Breakout Session One: 10:00 am 10:45 am
Mobile Security App. Security Infrastructure Incident Response Laws & Regs. Business Skills The End User
The Value Featured Speaker Sponsored Session Pathways to
Proposition for Embracing and Harnessing Empowered
Federated Digital Securing the Innovation Security
Identity Services Internet of Things to Address Leadership
Kane/McHenry (IoT) Emerging Northwestern/Ohio State
Salon 3 Security
Challenges Silver Bullet
SELinux Integrity Indiana/Iowa for Identifying
Instrumentation Hacking
Lincolnshire 1&2 and Session
Information Theft
Sponsored Session
in ERP Systems
Malvertising, Purdue/Wisconsin
Drive-by
Downloads, and
Web Exploits:
Stop Them All
with Browser
Isolation
Michigan/Michigan State

8 ISSA 2015 International Conference

 ISSA International Conference October 1213, 2015 Chicago, Illinois, USA

Monday, October 12

Breakout Session Two: 11:00 am 11:45 am

Mobile Security App. Security Infrastructure Incident Response Laws & Regs. Business Skills The End User
Cisco Annual Understanding Mainframe Patient Portal Making the Sponsored Session
Security Report & Defending Security: Security: Business Case The Fight
Kane/McHenry against Data A Practical Ensuring Security for Session Against Phishing:
Breaches as Part Overview & Enhancing Information Defining Metrics
of a Custom Lincolnshire 1&2 Patient Privacy Security That Matter
Software Northwestern/Ohio State Purdue/Wisconsin Michigan/Michigan State
Development
Featured Speaker
Process
Indiana/Iowa Information
Security Needs a
Reboot
Salon 3

CISO Panel Luncheon: 12:00 pm 1:30 pm, Salon 3

Seasoned CISOs and C-level security professionals share their thoughts and insights on how to advance the Sponsored by
culture of security in your company from the corner office and beyond.
Moderator: Tim Stanley: Risk Management Consultant, Cummins Inc.
Panelists: Mary Ann Davidson: Chief Security Officer, Oracle Corporation; Tim Rains: Chief Security Advisor, Microsoft Worldwide Cybersecurity Business Unit; Deborah Snyder: Acting Chief
Information Security Officer, New York State Office of Information Technology Services; Tim Virtue: Chief Information Security Officer, Texas.gov

Breakout Session Three: 1:45 pm 2:30 pm

Mobile Security App. Security Infrastructure Incident Response Laws & Regs. Business Skills The End User
Why Traditional Its Not a Preparing for the Cybersecurity ISSA Women Striking the Right
Perimeter Cyberwar, Its a Big One Due Diligence of in Security SIG Balance between
Security Lifestyle Lincolnshire 1&2 a Vendor: Legal Presentation: Security and User
Approaches Salon 3 Requirements TAP Into Your Enablement in
Sponsored Session
Leave Your APIs and Beyond Potential Cloud Platforms
The New Security Northwestern/Ohio State
Exposed to OHare Purdue/Wisconsin
Stack 2015
Threats
Indiana/Iowa 2020 Architecting
Michigan/Michigan State Your
InfoSecurity/
Cybersecurity
Organization,
Teams, and
Careers
Kane/McHenry

Refreshment Break in Exhibit Hall: 2:30 pm 3:00 pm, Salon 1 & 2

Breakout Session Four: 3:00 pm 3:45 pm

Mobile Security App. Security Infrastructure Incident Response Laws & Regs. Business Skills The End User
The Permissions Infosec in the Preventing, Diversified IT: Security & the
Gap Hot Seat: How Insuring, and Why the Security Internet of Things
Indiana/Iowa to Accomplish Surviving Fund Workforce Purdue/Wisconsin
Breach Response Transfer Fraud Needs Qualified
Readiness Northwestern/Ohio State Women...and
Lincolnshire 1&2 Men
Kane/McHenry
Sponsored Session
House of Lies
Michigan/Michigan State

Sponsor Prize Drawings: 3:45 pm 4:00 pm, Salon 1 & 2

Cyber Defense Center, 6th floor Diamond Sponsors: 4:00 pm 5:00 pm

Bomgar Microsoft Spikes Security Symantec Venafi
Indiana/Iowa Lincolnshire 1&2 Northwestern/Ohio State Purdue/Wisconsin Michigan/Michigan State

ISSA 2015 International Conference 9

 Advancing the Culture of Security

Tuesday, October 13
International Conference Registration Open: 7:00 am 12:00 pm, 7th Floor Registration
Women in Security Breakfast: Networking For Success: 7:30 - 8:30 am, Room Kane/McHenry
Join us for a WIS SIG breakfast filled with cybersecurity fun-facts, networking oppo rtunities, and plenty of ways to earn some great SWAG.
Interact with peers and women luminaries in the field whom are working to bring information, opportunity, and success to each of you. Celebrate
with and recognize those leaders whom have made the past five years of WIS SIG possible.
Breakfast: 8:00 am 9:00 am, Salon 3
Keynote Address Dan Geer, 9:00 am - 10:00 am, Salon 3
Exhibit Hall Open: 10:00 am 2:00 pm, Salon 1 & 2
Break in Exhibit Hall: 10:00 am 10:15 am, Salon 1 & 2

Breakout Session Five: 10:15 am 11:00 am

Mobile Security App. Security Infrastructure Incident Response Laws & Regs. Business Skills The End User
The Future of Practical N-Gram Embedded Like Data
Mobile App Application Analysis in a Tick Cyber Classification
Security Security for the Suspect Author Intelligence Discovery
Kane/McHenry Real World Identification Northwestern/Ohio State and Response
Indiana/Iowa of Anonymous Prioritization
Email Purdue/Wisconsin
Lincolnshire 1&2

ISSA Women
in Security SIG
Presentation:
Looking to 2020
Are we too late?
OHare

Breakout Session Six: 11:15 am 12:00 pm

Mobile Security App. Security Infrastructure Incident Response Laws & Regs. Business Skills The End User
Applied Privacy Medical Device Taking Control Stake Your Cyber Security How to Be a Sponsored Session
Engineering: Safety and of Control Reputation Liability Highly Effective Build an Adaptive
User-Controlled, Security (MeDSS): Addressing on Your Cyber Insurance: Need CISO Top 10 Awareness
User-Monetized Assessing and Cybersecurity in Security Incident It or Leave It Performance Program Based
Mobile Managing Industrial Control Response OHare Success Factors on NISTs
Advertising Product Security Systems Program CSIRT Purdue/Wisconsin Cybersecurity
Kane/McHenry Risk Lincolnshire 1&2 Northwestern/Ohio State Framework
Indiana/Iowa Michican/Michigan State

Awards Luncheon, 12:00 pm 1:30 pm, Salon 3 SPONSORED BY

Party in the Sky Work Hard

1,000 Feet above the Town!
MONDAY NIGHT 6:009:00PM
Play Hard
Sponsored by

Party with the stars in the sky and the stars of cybersecurity in
Tilt!
the 360 Chicago Observatory. Take advantage of ISSAs private
use of 360 Chicagos 30-degree, all-glass, tilt-out stations for a
new angle on Chicago and the Magnificent Mile!
See page 4 of this guide for directions.

10 ISSA 2015 International Conference

 ISSA International Conference October 1213, 2015 Chicago, Illinois, USA

Tuesday, October 13

Sponsor Prize Drawings, 1:30 pm 1:45 pm, Salon 1 & 2

Breakout Session Seven: 1:45 pm 2:30 pm

Mobile Security App. Security Infrastructure Incident Response Laws & Regs. Business Skills The End User
Security or Lets Hack a Featured Speaker Current Trends Sponsored Session Computer
Convenience? House 2015 Verizon and Our Methods Preventing the Security for SMB/
Enabling a Lincolnshire 1&2 Data Breach for Defense Inevitable Government
Collaborative Investigation Northwestern/Ohio State Safeguarding Purdue/Wisconsin
Work Report Critical Assets in
Sponsored Session
Environment Salon 3 the Age of the
Information
Kane/McHenry Mega-Breach
Michigan/Michigan State Security Beyond
Tools and Toys:
How Do We
Advance the
Culture Side of It?
Indiana/Iowa

ISSA Cyber Security Career Lifecyle Program Sessions: 3:00 pm 3:45 pm

Join ISSA for our first Cybersecurity Career Lifecyle(TM symbol) (CSCL) Working Group Sessions. The CSCL program exists to enable professionals to steer their individual career paths by
providing guidance and resources needed to achieve their long-term career goals. These working groups will divide conference attendees into the five stages of the lifecycle. Please join the
working group that best fits your current place in the lifecycle to learn about ISSAs offerings to your specific CSCL level, give you advice for advancing to the next level, and provide feedback on
what services ISSA can provide to grow this program.
Pre-Professional Working Entry Level Working Group Mid-Career Working Group Senior Level Working Security Leader Working
Group Group Group
Lincolnshire 1&2 Indiana/Iowa Northwestern/Ohio State Kane/McHenry Purdue/Wisconsin

Sponsored Session
Securing our Future: Lessons From the Human Immune System
Jeff Hudson: CEO, Venafi
Michigan/Michigan State

Cyber Defense Center, 6th floor Diamond Sponsors: 4:00 pm 5:00 pm

Bomgar Microsoft Spikes Security Symantec Venafi
Indiana/Iowa Lincolnshire 1&2 Northwestern/Ohio State Purdue/Wisconsin Michigan/Michigan State

Cyber Security Career Lifecycle Levels and Descriptions

PRE-PROFESSIONAL: any individual who has not yet obtained a position working in the cybersecurity field. This may in-
clude anyone who has interest in working in this area with or without formal training and education in the field. Examples
of individuals and or situations who may be part of this phase are those who are switching careers (former military, IT, retail,
law enforcement, etc.), and students (high school or university).

ENTRY LEVEL: An individual who has yet to master general cybersecurity methodologies/principles. Individuals in this
phase of the life cycle may have job titles such as associate cybersecurity analyst, associate network security analyst, or
cybersecurity risk analyst, for example.

MID-CAREER: An individual who has mastered general security methodologies/principles and has determined area of
focus or specialty. Individuals in this phase of the life cycle may have job titles such as network security analyst, cybersecu-
rity forensics analyst, application security engineer, and network security engineer. Individuals who are nearing the senior
level may begin to hold job titles such as senior network security engineer or senior cybersecurity analyst, for example.

SENIOR LEVEL: An individual who has extensive experience in cybersecurity and has been in the profession for 10+ years.
These individuals have job titles such as senior cybersecurity risk analysis, principal application security engineer, or director
of cybersecurity, etc.

SECURITY LEADER: An individual who has extensive security experience, ability to direct and integrate security into an
organization. These individuals have job titles such as Chief Information Security Officer, Chief Cybersecurity Architect, etc.
After extensive periods of leadership, some become recognized industry leaders.
Note: if the session fits multiple levels, the lower and higher levels will be displayed.

ISSA 2015 International Conference 11

 Advancing the Culture of Security
Breakout Sessions
Monday, October 12, 2015
Breakout Session One: 10:00 am 10:45 am
Featured Speaker
Embracing and Securing the Internet of Things (IoT)
Demetrios Lazarikos: CISO, vArmour
Track: Infrastructure
10/12/2015, 10:00 am - 10:45 am
Salon 3
Smarter, connected products offer increasing
amounts of opportunities and capabilities that span
across multiple boundaries. The IoT space is the new norm. The use
of these smarter, connected products will force businesses to raise
a new set of strategic choices related to how information security
is integrated into these complex IoT ecosystems. Veteran CISO
Demetrios Lazarikos (Laz) will review how IoT has been adopted as
the fastest disruptive technology in recent years, the information
security considerations that come with it, and what can be expected
for future integration.
Sponsored Session
Harnessing Innovation to Address Emerging Security
Challenges
Moderator: Dr. Michael C. Redmond, PhD
Panelists: Gautam Aggarwal: Chief Marketing Officer, Bay Dynamics;
Sean Blenkhorn: Senior Director of Solutions Engineering, eSentire, Inc.;
Jack Daniel: Tenable Network Security, Inc.; Kevin Sapp: Vice President,
Strategy,
Track: Incident Response
10/12/2015, 10:00 am - 10:45 am
Indiana/Iowa
2015 is a year in cybersecurity like we have never seen before. The
year is not even completed and we have seen numerous cyber
attacks showing themselves in the form of breaches, denial of
service, ransomware, and many more. These are just a few of the
threats that keep many CISOs up at night. They say two types of
companies exist in the United States: those that have been hacked
and those who dont know they have been hacked. You know the
risks; now find out the solutions in this invigorating session made up
of a panel of experts.
Pathways to Empowered Security Leadership
Moderator: Marci McCarthy: President & CEO, T.E.N.
Panelists: Todd Fitzgerald, Global Director Information Security, Grant
Thornton International, Ltd.; Larry Lidz, CISO, CNA Insurance; Jeff Reich,
CSO, Barricade; Richard Rushing, CISO, Motorola
Track: Business Skills for the Information Security Professional
10/12/2015, 10:00 am - 10:45 am
Northwestern/Ohio State
The evolving security leader can seamlessly blend technical
knowledge with business acumen to serve as a trusted partner to
the board and the businessbut no one starts at the top. During
this invaluable panel discussion, top CISOs and information security
leaders will share personal stories about when and where their
12 ISSA 2015 International Conference
careers began, what pivotal events launched them into leadership,
and what has empowered them to grow stronger in the field.
Security professionals at any level of experience will benefit from
hearing the advice, knowledge, and personal challenges these
leaders have faced on their pathways to empowered leadership.
The Value Proposition for Federated Digital
Identity Services
Stu Vaeth: Senior Vice President, Business Development,
SecureKey
Track: Mobile Security
10/12/2015, 10:00 am - 10:45 am
Kane/McHenry
Mobile devices are becoming the defacto method
for marketing, retail, payments, and social activities. However, as
consumers hop from channel to channel, keeping their personal
information both accessible and secure is a huge challenge. In
this session, SecureKey SVP of Business Development Stu Vaeth
will showcase the government of Canadas award-winning
implementation of a federated digital identity service and discuss
how it is enabling Canadian consumers to simply and securely access
government services with the credential of their choice.
SELinux Integrity Instrumentation (SII)
Dr. Mike Libassi: Adjunct Professor and Sr. Performance
Engineer, Colorado Technical university
Track: Infrastructure
10/12/2015, 10:00 am - 10:45 am
Lincolnshire 1&2
As a security reference monitor SELinux configuration
integrity is critical. SELinux users battle complexity of the
configuration and have few methods to verity its setup. There is
a lack of methods to ensure SELinux configuration compliance.
This doctorate dissertation research created a set of algorithms to
monitor the configuration of SELinux and alert to changes. SII also
offers the ability to see relationships between service and SELinux
policies based on type/domain. The panel will cover the research and
offer a live demo of the framework used during research.
Sponsored Session
Malvertising, Drive-by Downloads, and Web Exploits:
Stop Them All with Browser Isolation
Ben Strother: Director of Business Development, Spikes
Security
Track: Infrastructure
10/12/2015, 10:00 am - 10:45 am
Michigan/Michigan State
All businesses rely on web applications, but connecting to the
Internet introduces the risk of running untrustworthy code from
servers outside your organizations control. Effectively defending
against web malware threats requires isolating web content in
disposable virtual machines run on hardened appliances in your
organizations demilitarized zone. Isolation effectively shields your
endpoints from web-based malware while allowing them to browse
the web safely and protects your network.
Silver Bullet for Identifying Hacking and
Information Theft in ERP Systems
Moshe Panzer: CEO, Xpandion
Track: Business Skills for the Information Security
Professional
10/12/2015, 10:00 am - 10:45 am
Purdue/Wisconsin
The modern hacker to ERP systems knows the current technologies
and is well prepared for them. The only unbreakable method for
identifying hacking attempts and information theft is monitoring
ISSA International Conference October 1213, 2015 Chicago, Illinois, USA

ISSA 2015 International Conference 13

 Advancing the Culture of Security

Monday, October 12 Session Two

user activity and identifying suspicious behavior. This session will software project is complete and bolting security on through the
focus on identifying irregular user activity from different angles, use of security software or network security countermeasures is not
activity in multiple systems environments, static and dynamic effective enough. To have a chance to build a secure system, a team
controls over user activity, and more. Real-life examples about requires the active support of developers and for the organization to
identifying hackers and internal frauds using these methods will be adopt a written information security policy that influences business-
shown. model decisions and the requirements-gathering process.
Breakout Session Two: 11:00 am 11:45 am Sponsored Session
The Fight Against Phishing: Defining Metrics That
Cisco Annual Security Report Matter
James Natoli: Systems Engineering Manager, Cisco Systems Inc. Mark Chapman: President and CEO, Phishline
Track: Mobile Security Track: Securing the End Users
10/12/2015, 11:00 am - 11:45 am 10/12/2015, 11:00 am - 11:45 am
Kane/McHenry Michigan/Michigan State
Discussion of the results of a study that Cisco does every year. 1700 Phishing and social engineering attacks are at the heart of most
customers in nine different countries were followed and studied. significant data breaches. Threats targeting the human layer
The 2015 Cisco Annual Security Report is a look into the attackers and continue to evolve beyond the obvious. In this session, explore
the practices of the defenders. This is an industry product-agnostic how a risk-based approach applied at the human layer improves
presentation; no vendors products are discussed. If you want to take organizational resilience and user-level resistance to these threats.
a look at the report check it out free here.
Understanding and Defending against Data Mainframe Security: A Practical Overview
Breaches as Part of a Custom Software Joe Sturonas: Chief Technology Officer, PKWARE, Inc.
Development Process Track: Infrastructure
Frank S. Rietta, MSIS: Senior Developer, Rietta Inc. 10/12/2015, 11:00 am - 11:45 am
Track: Application Security Lincolnshire 1&2
10/12/2015, 11:00 am - 11:45 am Whether you started on mainframes, still working
Indiana/Iowa with them, or have never seen a mainframe, this is a practical view
Security incidents that lead to data breaches have into the security capabilities of todays z/OS systems. Mainframes
been happening a lot, from the latest Anthem Blue Cross breach started out in the glass house and host much of an enterprises
to Target to Home Depot to breaches including the MongoHQ critical sensitive data, but they are not in the glass house anymore.
incident that lead to the BufferApp compromise. Waiting until a They are just a node on a TCP/IP network and look like any other

Securing
YOUR WORLD
Secure Your Critical Business Assets
at Every Network Entry Point from the Inside Out.
As many as 93% of U.S. businesses believe they are vulnerable to internal network
threats. In todays dynamic and dangerous cyber threat environment, a perimeter-only
defense strategy is no longer enough. Jobs, brands and reputations are at risk.

Built for security and performance, only Fortinet can easily handle the protection of
the internal network, as well as protect every other entry-point to corporate data.

Join the 225,000 organizations worldwide that choose Fortinet

to secure their most critical business assets.

www.fortinet.com
Copyright 2015 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered
trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet.

14 ISSA 2015 International Conference

 ISSA International Conference October 1213, 2015 Chicago, Illinois, USA

Monday, October 12 Session Two

server. But is it being protected like the other servers on the network?
This is a survey of the ways z/OS mainframes are being protected
today and will include some demonstrations to illustrate some of the
common security capabilities.
Patient Portal Security: Ensuring Security and
Enhancing Patient Privacy
George Bailey: Senior Security Advisor, Purdue
Healthcare Advisors
Track: Laws and Regulations
10/12/2015, 11:00 am - 11:45 am
Northwestern/Ohio State
The US national health IT strategy is calling for the deployment of
patient portals and expanded patient engagement. This session is
will introduce some application, network, and security operation
best practices to ensure a secure and privacy-preserving patient
portal. The session will close with a discussion on identity and access
management recommendations for establishing a robust and secure
patient enrollment process.
Making the Business Case for Information
Security
William Perry: Chief Information Security Officer,
California State University Office of the Chancellor
Track: Business Skills for the Information Security
Professional
10/12/2015, 11:00 am - 11:45 am
Purdue/Wisconsin
Often ill-equipped with outdated defenses, education is a prime
target for cybercriminals. In fact, a recent cybersecurity threat
report names education as the sixth most targeted industry in the
world. Between budget restraints, security policies, and often a
misperception about the risk, higher education security professionals
and business executives undoubtedly face a significant challenge.
Please join California State University CISO William Perry to learn
how the California university system is protecting its most sensitive
information against todays advanced cybercrime. Mr. Perry will
share his security road map as it relates to several key elements of
developing an effective strategy and business case.
Featured Speaker
Information Security Needs a Reboot
Arlan McMillan: CISO IT Security, Risk, and
Compliance, United Airlines
Track: Business Skills for the Information Security
Professional
10/12/2015, 11:00 am - 11:45 am
Salon 3
Breaches are increasing in both size and frequency, but most
information security teams means and methods remain unchanged.
As financial and reputational losses continue to mount, boards are
demanding that the same rigor and discipline used in measuring
their financial and business risks be applied to how cyber risk is
evaluated. To achieve this, the existing information security paradigm
must be broken. The professions continued focus on tools and
technology to protect complex organizations doesnt and wont
work. While a core function of an information security team will
always be cyber response, the profession must pivot away from
acting as the sole team that protects the enterprise to the team
that evaluates risk and directs coordinated action from across the
enterprise. This talk will discuss the changing role of the information
security team and its leadership and introduce a formalized
methodology to measure and communicate cyber risk. Attendees
will come away with over 300 metrics, KPIs, and KRIs to use in their

InteliSecure introduces
CRITICAL ASSET PROTECTION
I SSA I n tern ati on al Its time to elevate security initiatives above traditional, Visit our booth
Co n feren ce protect everything thinking. The cyber defenses
companies are using can no longer reliably keep 115/117
critical data safe.

RISE ABOVE
for a chance
InteliSecure has pioneered a new perspective on to rise above
protecting those critical data assets that directly impact

THE NOISE
the noise
an organizations bottom line and reputational integrity.
Using expert human intelligence and cutting-edge
and win a
technologies, we develop Critical Asset Protection drone of
ProgramsTM (CAPPs) specifically tailored to protect your own.
your organizations most valuable data.
Learn more about Critical Assets and innovative ways
to protect them by attending InteliSecure CEO,
Robert Eggebrechts presentation.

Preventing the Inevitable: Safeguarding Critical

And get a whole Assets in the Age of the Mega-Breach

NEW ANGLE DATE: 10/13/15 TIME: 1:45 pm 2:30 pm EST

on cybersecurity. LOCATION: Michigan State Room

at the ISSA International Conference

ISSA 2015 International Conference 15

 Advancing the Culture of Security
Monday, October 12 Session Three
organization and a framework to measure their gaps and successes.
Once implemented, youll be able to confidently answer the five key
questions that board-level executives are asking: How do I know
when the security program is working? Is my security program
aligned to the organizations desired risk profile? Can I report to
the board our current risk posture and quantify potential impact of
threats to the business? Is my organization more or less secure than
last year? Am I spending the right amount of money?
Breakout Session Three: 1:45 pm 2:30 pm
Striking the Right Balance between Security and
User Enablement in Cloud Platforms
Ron Zalkind: CTO and Co Founder, CloudLock
Track: Securing the End Users
10/12/2015, 1:45pm - 2:30pm
Purdue/Wisconsin
With the consumerization of IT, employees are self-
selecting and enabling third-party apps independently, blurring the
lines between sanctioned and unsanctioned IT. The security concerns
are understandable. However, many of these apps offer compelling
productivity and efficiency-enhancing benefits. When companies
deny access to certain applications, they get between their
employees and how they want to work. In organizations where this is
the case, it is clear that companies and policies are not keeping pace
with technology adoption and are failing their workers. This session
will reveal how organizations can strike the right balance between
security and user enablement in cloud platforms.
Sponsored Session
The New Security Stack: 20152020
James Brown: Product Manager, OpenDNS
Track: Incident Response
10/12/2015, 1:45 pm 2:30 pm
Michigan/Michigan State
What does it mean when we say the perimeter is
dead? We know that we now live in a world with myriad devices
with Wi-Fi and cellular connections, employees working outside the
office, and applications and data moving to the cloud. Its a brand
new IT landscape, with a boundless surface to protect from entirely
new threats, in a world filled with more sophisticated attackers. What
are we going to do? What should the new security stack look like?
Lets talk about how to re-establish the benefits of a secure network
perimeter in a world where one no longer exists. Join this session and
learn how to: Extend threat protection from your existing security
stack, beyond the traditional network perimeter; Leverage how
the Internet already works to enforce always-on security and gain
global visibility into emerging threats; Watch as attacks are staged by
observing changes in the Internets infrastructure.
Architecting Your InfoSecurity/Cybersecurity
Organization, Teams, and Careers
David Foote, Co-founder, Chief Analyst and Chief
Research Officer, Foote Partners LLC
Track: Business Skills for the Information Security
Professional
10/12/2015, 1:45 pm - 2:30 pm
Kane/McHenry
Information technology as an engine of enterprise innovation and
competitiveness has caught many IT leaders and professionals
unprepared. For years theyve been slow to address persistent
human-capital problems ranging from IT skill deficits, hiring/
retention issues, and pay inequalities to murky promotion paths
and ineffective professional development programs. Coming to
the rescue: applying traditional architecture principles to infosec/
cybersecurity human capital and workforce management. Known
as people architecture, it is now the most dominant strategy for
executing mission-critical IT-business initiatives effectively and
16 ISSA 2015 International Conference
predictably. In this session industry analyst David Foote will define
the pillars of infosec/cybersecurity people architecture, describe its
components, and reveal whos doing it and how theyre doing it.
Why Traditional Perimeter Security Approaches
Leave Your APIs Exposed to Threats
Sachin Agarwal: Vice President, Product Marketing and
Strategy, Akana
Track: Application Security
10/12/2015, 1:45pm - 2:30pm
Indiana/Iowa
More and more enterprises today are doing business by opening up
their data and applications through APIs. Though forward-thinking
and strategic, exposing APIs also increases the surface area for
potential attack by hackers. To benefit from APIs while staying secure,
enterprises and security architects need to continue to develop
a deep understanding about API security and how it differs from
traditional web-application security or mobile-application security.
Cybersecurity Due Diligence of a Vendor:
Legal Requirements and Beyond
Marilyn Hanzal: Associate General Counsel, University
of Chicago Medical Center; Rich Skinner: Executive
Advisor, S3 Venture Group
Track: Laws and Regulations
10/12/2015, 1:45 pm - 2:30 pm
Northwestern/Ohio State
The objective of this panel discussion is to review the legal
requirements that form the foundation of an entitys compliant
cybersecurity-vendor due-diligence model, understand why
exceeding the legal requirements can cause legal liability, appreciate
the value of certain vendor contract terms including insurance
requirements, and discuss challenges with static versus ongoing
due-diligence activities. The conversation will look at these issues in
all industries, but will include particular focus on highly regulated
industries, including healthcare.
ISSA Women in Security SIG Presentation: TAP into Your
Potential
Jyothi Charyulu: Senior Principal Application Architect,
Sabre Inc.
Track: Business Skills for the Information Security
Professional
10/12/2015, 1:45 pm 2:30 pm
OHare
TAP into your potential helps you create an effective road map that
identifies your #1 goal, an action plan and a sustainable program to
make your #1 goal a reality. You will understand the success factors
that got you at your current level of mastery. You will then work
on identifying your top 10 goals, prioritize your topmost goal, and
create an action plan for it. Finally, you will create a program plan,
complete with risk analysis/mitigation plans/back up action plans.
The TAP workshop will train you to generate immense success in
every endeavor.
Its Not a Cyberwar; Its a Lifestyle
Jeff Reich: Chief Security Officer, Barricade
Track: Infrastructure
10/12/2015, 1:45pm 2:30pm
Salon 3
How much does security cost? Probably too much.
The key to success in protection, defense, and offense in the non-
kinetic world is having the right people do the right thing. With the
proliferation of attacks, breaches, disclosures, and malware one could
make the case that we are at war continuously. Rather, we need to
view this as normal and adapt accordingly. Walking down the street
does not engage you into a war on crime, just as being online does
not place you into cyberwar. The discussion during this session will
 ISSA International Conference October 1213, 2015 Chicago, Illinois, USA
Monday, October 12 Sessions Three and Four
point out opportunities to improve security by not training and
hiring more security professionals. Contrary opinions are welcome.
Preparing for the Big One
David Phillips: Managing Director, Cybersecurity
Consulting, Berkeley Research Group
Track: Incident Response
10/12/2015, 1:45 pm - 2:30 pm
Lincolnshire 1&2
The board cannot wait for the Big One. From the Securities and
Exchange Commission to the American Bar Association to the White
House, regulatory and oversight bodies are foreshadowing the
liability event. CxO, board members, shareholders, and insurance
companies are going to feel the punch as negligence suits become
the norm. Preparing for a major privacy data breach requires a board-
level approach to coordination across general council, CISO, finance,
HR, IT operations, and partners. The session will focus on a five-step
process for developing an effective executive cybersecurity program
that demonstrates due diligence.
Breakout Session Four: 3:00 pm 3:45 pm
Diversified IT: Why the Security Workforce Needs
Qualified Women...and Men
Tammy Moskites: CIO and CISO, Venafi
Track: Business Skills for the Information Security
Professional
10/12/2015, 3:00 pm - 3:45 pm
Kane/McHenry
Theres long been a need for more diverse slate of candidates
in information technology, but lately the need is growing much
stronger for simply finding qualified security professionals
men and women aliketo enter the workforce and grow long
and rewarding careers in cybersecurity. A recent 2015 Frost &
Sullivan report said that the global workforce shortage of security
professionals will reach 1.5 million within five years, and the need
for a wider skill set and strong communications skills has never been
greater. So how do we build the next generation of cyber warriors
and also ensure that more females get interested at an early age
in joining the workforce? This presentation will discuss firsthand
lessons learned from Tammy Moskites, Venafis CIO/CISO, who has
enjoyed a 30-year career span in IT and security. Tammy will discuss
the challenges of entering the workforce as a woman and how shes
built and grown her career over the years. Shell also discuss how
shes built and mentored great teams and where she sees the need
for skills to evolve as the threatscape has changed.
Sponsored Session
House of Lies
Aamir Lakhani: Senior Security Strategist, Fortinet
Track: Incident Response
10/12/2015, 3:00 pm - 3:45 pm
Michigan/Michigan State
Social engineering tactics from attackers are not new,
and have been used for decades. Social engineering attacks have
had some of the most devastating consequences in the most recent
data breaches. Their scope goes beyond phishing links and fake
profiles. Modern social engineering tactics have been used to stage
complex modern attacks. This talk will look at case studies of modern
data breaches, taking in-depth look at the social engineering tactics,
and examine how complex attacks were launched and bypassed
traditional cyber security defensive devices. Lastly, we will conclude
by examining what these organizations could have done to mitigate
ISSA 2015 International Conference 17
 Advancing the Culture of Security
Monday, October 12 Session Four
these attacks and how they could have protected themselves. We will
look at policies, procedures, and next-generation security devices
that may help combat this risk.
Security and the Internet of Things
Nick Percoco: Vice President, Strategic Services, Rapid7
Track: Securing the End Users
10/12/2015, 3:00 pm - 3:45 pm
Purdue/Wisconsin
Wearables. Smart homes. Connected cars. As
technology becomes more pervasive, attackers are growing more
sophisticated, cyberespionage is becoming a real-world concern, and
breaches are skyrocketing. For security professionals, the challenge
of contending with shadow IT while still finding the time to stay
abreast of external threats can feel like a perfect storm designed
to derail security programs. In this talk, Nick Percoco will 1) Address
how the Internet of things impacts security, 2) Forecast where the
industry will go in 5, 10, and 15 years, and 3) Provide a road map for
how organizations can position their security program for success
amidst an uncertain future.
Infosec in the Hot Seat: How to Accomplish
Breach Response Readiness
Peter Sloan: Partner, Husch Blackwell
LLP;
Rob Rudloff: Partner, RubinBrown LLP
Track: Incident Response
10/12/2015, 3:00 pm - 3:45 pm
Lincolnshire 1&2
In many organizations, executive management has off-loaded
preparedness for data breach response to the CISO. But the subset
of security incidents that are significant data breaches will require
TAKE YOUR SECURITY
FURTHER.
Predictive, cloud-delivered network security.
Threat protection for off-network users
Predict attacks before they happen
Worldwide coverage in minutes
18 ISSA 2015 International Conference
coordinated execution of interrelated activity channels: Security,
legal, forensic, law enforcement, regulatory, insurance coverage,
public relations, stakeholders, , and personnel management. IT
security response preparedness is necessary, but not sufficient.
Many of these activities may be beyond the CISOs reach, creating
a dangerous mismatch of authority vs. accountability. This session
will explore how CISOs can help their organizations move beyond
incident preparedness to effective breach response readiness.
Preventing, Insuring, and Surviving Fund
Transfer Fraud
Nick Merker, CISSP, CIPT: Attorney, Ice Miller LLP; Nick Reuhs: Attorney, Ice
Miller LLP; Stephen Reynolds, CIPP/US Partner Ice Miller LLP
Track: Laws and Regulations
10/12/2015, 3:00 pm - 3:45 pm
Northwestern/Ohio State
It usually isnt sexy from a technical perspective, but more and more
businesses are feeling the effects of fund transfer fraud. Whether it is
a spear phishing attack, social engineering, or malware specifically
tailored to obtain online banking credentials, hundreds of thousands
of dollars are at risk to these attacks. If your business is not prepared
for and properly insured against these items, you could be left
holding the bag. Overseas organized crime is using increasingly
sophisticated methods to gain temporary control of commercial
accounts and to initiate fraudulent wire transfers. Over the past year,
new fraud techniques have proven increasingly effective, and US
companies are becoming victims of these attacks at an alarming rate.
 ISSA International Conference October 1213, 2015 Chicago, Illinois, USA

Monday, October 12 Session Four and Cyber Defence Center Tuesday, October 13 Session Five

The Permissions Gap

Lee V. Mangold: Managing Security Engineer,
GuidePoint Security
Track: Infrastructure
10/12/2015, 3:00 pm - 3:45 pm
Indiana/Iowa
In this presentation, Lee Mangold will discuss how excessive
permissions in operating system and application architectures
have been the primary contributing factor in the majority of data
breaches. Lee will show how best practices are not filling this
permissions gap and offer actionable discovery and remediation
techniques.
Cyber Defense Center Diamond Sponsors
October 12, 4:00 pm - 5:00 pm, 6th floor
BomgarIndiana/Iowa
MicrosoftLincolnshire 1&2
Spikes SecurityNorthwestern/Ohio State
SymantecPurdue/Wisconsin
VenafiMichigan/Michigan State
See pages 23 and 24 for session descriptions.
Tuesday, October 13, 2015
Breakout Session Five: 10:15 am 11:00 am
Featured Speaker
James C. Trainor, Jr., Assistant Director, Cyber Division, FBI
10/13/15, 10:15 am - 11 am
Salon 3
ISSA Women in Security SIG Presentation: Looking to
2020Are we too late?
Jill Rhodes: Vice President and Chief Information Security Officer,
Trustmark Companies
Track: Incident Response
10/13/2015, 10:15 am 11:00 am
OHare
Everyday, we work to protect our companies, organizations,
government from the information security threats around us. Our
focus is on controls, educating our associates, determining how best
to fund our efforts, engaging our senior leadership, and keeping
our organizations names off Krebs Online. That said, we somehow
are missing the big picture related to where we, as a nation, are in
terms of protecting ourselves. The public sector and private sector
are starting to work together, but there are so many constraints
that even this leaves much to be desired. In this presentation, the
presenter applies the often used Capability Maturity Model to our
nation to see how secure we are as a nation and then presents
ideas for how to think strategically in order to move our nation
forward over the next several years. Her current assessment is that
we are somewhere in the ad hoc to repeatable phase and that
to effectively address global information security threats over the
coming years, our nation will need to define a multi-tier, integrated
approach. This approach will be discussed during the session.

Are your people walking a tightrope?

GAIN KNOWLEDGE
CHANGE BEHAVIOR
BUILD A RISK-AWARE CULTURE

Creating Adaptive Learning Experiences in

Security, Privacy, and Compliance

(800) 726-6951
Security Awareness Privacy Awareness Compliance Training
awareness@mediapro.com

ISSA 2015 International Conference 19

 Advancing the Culture of Security
Tuesday, October 13 Session Five
The Future of Mobile App Security
Vincent Sritapan: Program Manager for Mobile Security
R&D, Department of Homeland Security, S&T - Cyber
Security Division
Track: Mobile Security
10/13/2015, 10:15 am 11:00 am
Kane/McHenry
Do you know what your mobile app is doing? Are you relying on
app markets to protect you? Todays mobile apps are riddled with
defects that hackers can exploit. Vincent Sritapan, a Cyber Security
Division program manager at the Department of Homeland Security
S&T, will discuss ongoing research for securing mobile technology.
He will present a current project in mobile app archiving that can
continuously inventory apps from mobile app markets like iTunes,
Google Play, Windows Phone Store, and includes over 83 global app
marketplaces. He will discuss the future of mobile app security and
where R&D is taking us.
Practical Application Security for the Real World
Andrew Leeth: Product Security Engineer, Salesforce
Track: Application Security
10/13/2015, 10:15 am 11:00 am
Indiana/Iowa
Web applications are undoubtedly our future for
interacting with businesses and data. Companies trust their data
and reputations with applications, which most times provide
Internet-accessible avenues inside the firewall. This presentation will
demonstrate web-based attacks through live demos and touch upon
mitigation strategies. Tools for application testing will be discussed
and tested against our vulnerable applications. Further, we will
discuss the effort needed to fix these vulnerabilities. As a security
Plan
Train
Test
Measure
Take
Action
phishline.com | 262.546.1867
20 ISSA 2015 International Conference
professional, you will be able to give the proper fixes and understand
the level of effort needed by developers.
Embedded Like a Tick Cyber Intelligence
Jeff Bardin: Chief Intel Officer, Treadstone 71
Track: Laws and Regulations
10/13/2015, 10:15 am 11:00 am,
Northwestern/Ohio State
Most intelligence collection in IT shops is driven
exclusively by technology and technical information. This provides
only a fraction of the necessary data, information, and potential
actionable intelligence needed. Creating online personas helps
round out the collection efforts and serves to establish a beach head
in target communities of interest. Know your adversaries as they
know you, gathering information about their intent before execution
of that intent.
N-Gram Analysis in Suspect Author Identification of
Anonymous Email
Paul Herrmann, CISSP, EnCE, CISA, CPP: President,
eVestigations Inc.
Track: Incident Response
10/13/2015, 10:15 am 11:00 am
Lincolnshire 1&2
In late 2010, a Fortune 100 companys executives were being
threatened via anonymous email. Multiple anonymous remailers
prevented standard IP-tracing techniques. eVestigations Inc.
developed a system and protocol utilizing current linguistic
techniques to successfully identify the perpetrator. Empirical
authorship analysis has a long history, primarily as it relates to literary
works of unknown or disputed authors. One such technique known
PhishLine is an enterprise
software-as-a-service solution
that combats phishing
through a combination of
social engineering,
phishing simulations,
security awareness training,
and metrics.
| sales@phishline.com
 ISSA International Conference October 1213, 2015 Chicago, Illinois, USA
Tuesday, October 13 Sessions Five and Six
as N-Gram Analysis has shown promise in identifying the most likely
author of known texts when presented with candidate authors
having predefined text samples of undisputed authorship.
Data Classification Discovery and Response
Prioritization
Tim Plona: Business Solution Architect, Freeport-
McMoRan
Track: Securing the End Users
10/13/2015, 10:15 am 11:00 am
Purdue/Wisconsin
Data classification and secure handling are something companies
desire to do. This presentation will demonstrate how a company
can attack the topic. It shares the methodology for how sensitive
data sets can be identified, risk qualified, and quantified. Through
use of this model measurements can be made on risk and progress
towards remediating the risk issues a company faces. Lastly, through
measurement and reporting, senior management can be made
aware of data risks and progress towards improving the secure
handling of sensitive data.
Breakout Session Six: 11:15 am 12:00 pm
Sponsored Session
Build an Adaptive Awareness Program Based on NISTs
Cybersecurity Framework
Tom Pendergast: Director of Awareness
Solutions, Instructional Design
Manager, MediaPro; Steven Conrad:
Managing Director, MediaPro
Track: Securing the End Users
10/13/2015, 11:15 am 12:00 pm
Michican/Michigan State
NISTs Cybersecurity Framework describes a Tier 4: Adaptive program
as one that uses a process of continuous improvement incorporating
advanced cybersecurity technologies and practices to respond to
evolving and sophisticated threats in a timely manner. The question
is, how? In this presentation, well discuss the range of options you
have to plan, measure, train, analyze, and continually adapt your
program to shifting risks. Youll come away armed with options for
raising the bar on your end user awareness efforts.
Applied Privacy Engineering: User-Controlled,
User-Monetized Mobile Advertising
Kevin ONeil: CISSP, CYVA Research Corporation
Track: Mobile Security
10/13/2015, 11:15 am 12:00 pm
Kane/McHenry
Observation: primitive data objects cannot protect
or govern self. CYVA Research has designed a self-protecting, self-
governing mobile object, a self-determining digital persona that
enforces privacy and empowers the right of persons to be secure in
their human-digital existence. These technologies are being built in
accordance with our guiding architecture principles: human-digital
dignity and human-digital integrity. Human-digital integrity: never
separate peoples data from their policies, and the capability for them
to enforce governance over the use of their human-digital identity
wherever they exist.
Stake Your Reputation on Your Cyber Security
Incident Response Program CSIRT
Dr. Michael C. Redmond: CEO and Lead Consultant,
Redmond Worldwide
Track: Incident Response
10/13/2015, 11:15 am 12:00 pm
Northwestern/Ohio State
Learn best practices for CSIRT programs, plans, playbooks, and
testing. A cybersecurity incident response program is a must for
any organization using the Internet. It must be robust yet flexible.
Unfortunately in spite of all of the cyber events, many companies
are taking a long time to respond. Teams must be trained and
have written procedures. Time is critical. Every incident costs the
organization money and reputation.
Cyber Security Liability Insurance: Need It or Leave It
Moderator: Andrea Hoy: President, ISSA
Panelists: Ronald Raether: Partner - Troutman Sanders; Brian Thornton:
President, ProWriters
Track: Laws and Regulations
10/13/2015, 11:15 am 12:00 pm
OHare
This session will feature three speakers perspectives on a new type of
insurance, cyber-insurance. It will cover what cyber-insurance is, how
organizations are using it, and how it can be used in an organizations
IT security/ risk program, including how it plays a role in a sound
data governance model. Attendees will also learn what they need
to know in evaluating different cyber-insurance options, whether it
makes sense for their company, and how to present their information
security program to the cyber-insurance market.
Taking Control of Control Addressing
Cybersecurity in Industrial Control Systems
Daniel Ziesmer: ISSO, Bechtel Corporation
Track: Infrastructure
10/13/2015, 11:15 am 12:00 pm
Lincolnshire 1&2
Industrial control systems (ICS) have become
something of a third rail in cybersecurity circles. Managing
everything from light dimmers to elevators to the electricity we all
rely upon, ICS automates many aspects of our everyday physical
environments, but its historically insecure architecture represents
growing and significant security risk that is difficult to manage using
traditional security approaches. Even worse, it has become a nearly
irresistible target for those seeking to wreak havoc by jumping the
gap from information disruption to real-world destruction. This
presentation highlights how the failures to secure ICS are presenting
real threats to everyday business operations. More importantly,
however, this presentation attempts to present a series of ideas
for real change to combat these threats, ideas that can be used by
security professionals in their respective environments to start fixing
the more immediate problems, mitigate the current and near future
risks, and provide leadership to effect change into the future.
Medical Device Safety and Security (MeDSS):
Assessing and Managing Product Security Risk
John Lu: Principal, Cyber Risk Services,
Life Sciences and Healthcare Industry,
Deloitte & Touche LLP; Muhammad
Kashif: Manager, Cyber Risk Services,
Life Sciences and Healthcare Industry,
Deloitte & Touche LLP
Track: Application Security
10/13/2015, 11:15 am 12:00 pm
Indiana/Iowa
The US Food and Drug Administration (FDA) has recently signaled a
significant shift in a paradigm that is relevant for many stakeholders
in the networked medical-device arena by pointing out that as
medical devices are increasingly interconnected via the Internet,
hospital networks, other medical devices, smart phones, electronic
health records, and third-party cloud solutions, there is an increased
ISSA 2015 International Conference 21
 Advancing the Culture of Security
Tuesday, October 13 Sessions Six and Seven
risk of cybersecurity attack. Such an attack could affect how a
medical device operates and ultimately endanger human health
or worse, human life. This session will explore the cybersecurity
risks related to networked medical devices including the types of
vulnerabilities currently observed in both wired and wireless
medical devices in hospitals and large health systems. This session
will also highlight Deloittes framework for addressing the evolving
recommended practices and standards for assessing, designing,
testing, and manufacturing more secure networked medical devices.
How to Be a Highly Effective CISO Top 10
Performance Success Factors
Brian Schultz, CISSP, ISSMP, ISSAP, CISM, CISA: Technical Director, Cyber
Architecture and Advisory Services, Battelle; Bob Bigman: President,
2BSecure; Dave Cullinane: Co-founder, TruSTAR
Track: Business Skills for the Information Security Professional
10/13/2015, 11:15 am 12:00 pm
Purdue/Wisconsin
Join Brian Schultz, who has served as an advisor to many CISOs,
for a CISO panel discussion to explore the top 10 performance
success factors of highly effective CISOs. Topics will include
identifying your adversaries, marking your enterprise crown jewels,
optimizing security posture based on ROI, performance beyond
compliance, meaningful benchmarking in your industry, dealing
with inappropriate reporting structures, effective C-suite and
board communications, recruiting and retaining exceptional talent,
building and maintaining a collaborative CISO mentor network, and
contributing industry thought leadership.
Breakout Session Seven: 1:45 pm - 2:30 pm
Sponsored Session
Information Security beyond Tools and Toys: How Do
We Advance the Culture Side of IT?
Moderator: Sali Osman: Security & Risk Management
Advisor, ARAMCO.
Track: Securing the End Users
10/13/2015, 1:45 pm - 2:30 pm
Indiana/Iowa
Companies spend a big chunk of the IT budget in security tools
testing, deployment, and maintenance. Mature companies realized
(early on) the importance of processes and methodologies around
these tools. What companies and the industry as a whole are still
struggling with is advancing the institutional culture, (i.e., the
attitude of employees, clients, suppliers, and partners). This session
will share some organizational initiatives (global) to overcome the
flat learning curve.
Current Trends and Our Methods for Defense
Adam Keown: Security Consultant / Solutions Architect,
TEKsytems
Track: Laws and Regulations
10/13/2015, 1:45 pm - 2:30 pm
Northwestern/Ohio State
In the past several years a growing list of computer breaches has
scarred numerous US entities from financial industries, healthcare
providers, and the entertainment industry. Adam Keown will provide
direct experience about the impact of these breaches from his time
in the FBI and more recently as a private consultant at TEKsystems.
He will discuss methods of attack, defensive measures for reducing
risk, and briefly look into a crystal ball.
22 ISSA 2015 International Conference
Lets Hack a House
Tony Gambacorta: Vice President, Operations, Synack
Track: Infrastructure
10/13/2015, 1:45 pm - 2:30 pm
Lincolnshire 1&2
When we bring cameras, automation controllers, and
other Internet of things devices into lives, what risks do they bring
with them? You may see a camera, but an adversary sees a feature-
rich platform to attack your network infrastructure. In this session
well provide an introduction to device hacking with no engineering
background required.
Security or Convenience? Enabling a
Collaborative Work Environment
Guy Bunker: Senior Vice President of Products, Clearswift
Track: Application Security
10/13/2015, 1:45 pm - 2:30 pm
Kane/McHenry
We live in a highly connected world, and we have
become dependent upon the convenience of email, the cloud, and
other collaboration tools; but in this effort to increase productivity,
security has been compromised. However, organizations do not need
to choose between security and convenience. In this presentation,
Dr. Guy Bunker will explore the full scope of vulnerabilities presented
by email and collaboration tools, as well as new information-borne
threats, critical information hidden in metadata and document
revision history, and advanced persistent threats (APTs) within active
content. Dr. Bunker will share how to enable collaboration without
compromising security.
Sponsored Session
Preventing the Inevitable Safeguarding
Critical Assets in the Age of the Mega-Breach
Robert Eggebrecht: Co-Founder, President, and Chief
Executive Officer, InteliSecure
Track: Business Skills for the Information Security
Professional
10/13/2015, 1:45 pm - 2:30 pm
Michigan/Michigan State
Data security is top-of-mind for organizationsfrom board members
to front-line employees and their customers. Organizations are
on guard, and rightly so: 2014 was an unprecedented year. Are data
breaches now ubiquitous, a virtual certainty? Join InteliSecures
president and CEO, Robert Eggebrecht, as he discusses how to build
a critical asset protection program (CAPP) that prevents data loss and
protects critical assets. Highlights include:
Prioritizing your organizations crown jewels based on revenue,
income, reputation, and core operational impact
Aligning your security risk and the corresponding plan
Recognizing and responding to external and internal threats
Featured Speaker
2015 Verizon Data Breach Investigation Report
Dave Ostertag: Global Investigations Manager, Risk Team, Verizon
Track: Incident Response
10/13/2015, 1:45 pm - 2:30 pm
Salon 3
The 2015 Data Breach Investigations Report (DBIR) is out and marks
the eighth consecutive year that Verizon has published this highly
regarded report. The 2015 DBIR provides a detailed analysis of almost
80,000 incidents, including 2,122 confirmed data breaches. The key
findings in the report are:
The methods of attack are becoming increasingly sophisticated
often involving a combination of phishing, hacking, or malware.
We found that in the last year, 23 percent of recipients opened
 ISSA International Conference October 1213, 2015 Chicago, Illinois, USA
Tuesday, October 13 Session Seven, CSCL Program Sessions, Cyber Defense Center
phishing messages and 11 percent clicked on attachments.
Nine patterns still cover the vast majority of incidents (96 percent)
of the breaches in this years dataset.
We found that company size has no effect on the cost of a breach.
Computer Security for SMB/Government
Marv Stein: Sr. Security Consultant, TDAmeritrade
Track: Securing the End Users
10/13/2015, 1:45 pm - 2:30 pm
Purdue/Wisconsin
What makes an effective information security
program for a small organization? This educational presentation is
intended to promote awareness of the importance of need for IT
security, understanding of IT security vulnerabilities, and corrective
measures.
CSCL Program Sessions: 3:00 pm 3:45 pm
Sponsored Session
Securing Our Future: Lessons from the Human Immune
System
Jeff Hudson: CEO, Venafi
Track: Threats and Responses
10/13/2015, 3:00 pm 3:45 pm
Michigan/Michigan State
All signs point to a future world of more complex,
harder-to-detect cyber threats. Our adversaries are exploiting
what seems to be our strengths. Intel predicts the next big hacker
marketplace to be in the sale of digital certificatesalready selling
for more than $1000 each on Russian marketplaces. Gartner expects
50% of network attacks to use encrypted SSL/TLS in less than two
years. Whats to do? The human immune system has evolved to
defend and destroy complex and oftentimes overwhelming attacks.
What can we learn from it? How can we create a future thats more
resistant as we use more software, more clouds, more apps, and
more connected devices.
Cyber Defense Center Diamond Sponsors
October 13, 4:00 pm - 5:00 pm, 6th floor
BomgarIndiana/Iowa
MicrosoftLincolnshire 1&2
Spikes SecurityNorthwestern/Ohio State
SymantecPurdue/Wisconsin
VenafiMichigan/Michigan State
Bomgar
Close the Door to Cyber Attacks with Secure Vendor Access. This
session will feature:
LIVE! Cyber Attack & Defense. Watch a cyber-attack unfold live
to show you how your vendors can unwittingly leave the door
open to your network and understand how to prevent these by
managing, controlling and auditing all vendor access
Best practice recommendations on how to secure vendor access
to your organization. Hear top tips to protect your company and
customer data, infrastructure and assets from cyber-attacks by
securing vendor access while improving productivity.
Spikes Security
All businesses are now reliant on web applications. But how can
you protect your organization from web malware when browsers
are connected directly to the Internet and can run untrusted code
ISSA 2015 International Conference 23
 Advancing the Culture of Security

Monday, October 12 and Tuesday, October 13 Cyber Defense Center

from servers outside your control? This interactive session will cover
how isolation technology can prevent browser-borne malware from
entering your corporate network and infecting endpoint devices.
Youre invited to learn the basics of isolation technology:
How its implemented outside your network
How it prevents users from connecting directly to the Internet
How its different from detection-based technology
Microsoft Monday
Exploitation Trends: From Potential Risk to Actual Risk.
Microsoft researchers have studied some of the exploits discovered
over the past several years and the vulnerabilities they targeted.
Understanding which vulnerabilities get exploited, who exploits
them, the timing of exploitation, and the root causes, all help
security professionals more accurately assess risk. Development
practices that help minimize vulnerabilities will be discussed.
Microsoft Tuesday
Moving to the cloud in a Compliance-driven World. As cloud
adoption skyrockets, you might find it complex to deploy innovative
services while simultaneously trying to meet demanding compliance
requirements. This is because many IT regulations and standards
were not designed for the cloud, and frequently fail to address its
unique qualities. In this session you will learn what it takes to deploy
a Microsoft Azure cloud solution that addresses the requirements
of regulatory standards such as ISO 27001 / 27018, FedRAMP, PCI,
and HIPAA. The presentation will look at a shared responsibility
model where deploying good security principals can facilitate
a successful adoption of a cloud service, while meeting your
compliance regulatory requirements. What you will learn: How kicks off at the conference.
Azure can help you meet global compliance requirements such as
ISO 27001 / 27018, FedRAMP, PCI, and HIPAA How security controls
such as at-rest data encryption, key management, virtual machine
protection, logging and monitoring, anti-malware services, identity
management, and access controls, can help protect your solution
and advance your compliance posture.
Venafi
Evolving Public Key Infrastructure. Critical updates needed to
keep up with our changing world Several industry trends are forcing
organizations to take a strong look at their PKI. Factors such as the
need to encrypt more data, the expanding network perimeter, the
viewpoint that digital keys should be rotated more frequently and
unplanned events such as Heart Bleed all put significant pressure
on an organization to modernize their PKI environment to keep
pace with change. This one hour workshop will walk through the
history of PKI, why it is long overdue for a comprehensive upgrade
and the factors that are driving this sea change within our industry.
Topics such as automated life-cycle management, security controls
and policy considerations, centralization strategies and enterprise
adoption will be addressed. Participants will take away a broader
awareness of the challenges they face as well as actionable strategies
that can be used for subsequent planning steps within their own
organization.
You Can Help the Next Generation of
Cybersecurity Professionals!
Partner with the ISSA Educational Foundation
Stop by our booth and learn how. Our annual fund-raiser
www.issaef.org
www.ISSAEF.org

MOBILITY AND BYOD CREATE

SECURITY CHALLENGES:
Pulse Secure gives IT the tools
to manage them.

Schedule Your Demo Today!

Call 844-807-8573

24 ISSA 2015 International Conference

 DEVELOPING AND CONNECTING
ISSA CYBERSECURITY LEADERS GLOBALLY

Planning for a Career in

the Department of Defense
Cybersecurity Workforce
By John Gray ISSA member, Rainier Chapter

The author discusses how the Department of Defense cybersecurity workforce is organized, how
to prepare for a cybersecurity position, and the appropriate combination of education, training,
and experience in which to progress into advanced responsibilities.

Abstract ployer of choice for cybersecurity workers, including in the

positions of military, federal or civil service, and defense con-
Career opportunities in the Department of Defense cyberse-
tractor personnel.4 The intent is to provide challenging and
curity workforce are at an all-time high, with thousands of
rewarding professional opportunities that will inspire cyber-
additional cybersecurity experts projected to be hired in the
security workers to remain in the government workforce for
near future. Details are presented on how the workforce is or-
their entire career. They advocate that an individuals career
ganized, how to prepare for a cybersecurity position, and on
progression should consist of a variety of challenging roles,
the appropriate combination of education, training, and ex-
responsibilities, and opportunities including those in techni-
perience in which to progress into advanced responsibilities.
cal, non-technical, and managerial positions.
Needs and opportunities Skill-set requirements

A
ccording to the US Bureau of Labor Statistics,1 em-
ployment for information systems security special-
ists will grow by almost 40 percent by 2022, mak-
ing it one of the nations fastest growing careers. Numerous
studies and reports find that there is a nationwide shortage
of qualified information systems security professionals, and
nowhere is this felt more than in the Department of Defense
(DoD). According to a 2011 Government Accounting Office
report, the number of full-time employees in the DOD with
significant information system security responsibilities ex-
ceeds 87,000; while the Office of Personnel Management re-
ports that the DoD cybersecurity workforce numbers 19,000
personnel.2 In addition to covering losses due to transfers,
retirement, and terminations in this sizable workforce, the
DoD is planning to hire 4,000 more people with cybersecu-
rity skills over the next two years.3 To address the problem
of retention, the DoD is endeavoring to make itself the em-
1 http://www.bls.gov/ooh/computer-and-information-technology/information-
security-analysts.htm.
2 http://www.gao.gov/new.items/d128.pdf.
3 http://www.bloomberg.com/bw/articles/2014-04-15/uncle-sam-wants-cyber-
warriors-but-can-he-compete.
Government mandates drive the demand for security spe-
cialists, with the DoD 8570.01M Information Assurance
Workforce Improvement Program5 manual requiring that
DoD civil service employees, military personnel, and defense
contractors with elevated privileges to government informa-
tion systems be trained and certified in information security
depending upon their role and level of access.6
Government information systems security specialist posi-
tions generally require a bachelors degree in information
security, computer information systems, network security,
computer science, or a related field of study; however, because
skilled security professionals are in demand, an associate de-
gree or a combination of education, professional security cer-
tifications, and relevant experience will likely result in close
consideration. An applicants resume should detail any spe-
cialized experience that demonstrates his or her knowledge
of security measures in protecting information, information
4 http://dodcio.defense.gov/Portals/0/Documents/DOD Cyberspace Workforce
Strategy_signed(final).pdf.
5 http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf.
6 http://www.itcareerfinder.com/it-careers/it-security-specialist.html.

October 2015 | ISSA Journal 21

 Planning for a Career in the Department of Defense Cybersecurity Workforce | John Gray
systems, or networks from threats; skill in ensuring that an
information system is compliant with applicable information
assurance policies, procedures, and best practices; ability to
provide guidance to personnel on how to secure a system; and
knowledge and application of information assurance princi-
ples and test and assessment methods.
Many universities and community colleges have comput-
er engineering, computer science, and information security
programs. When considering an education geared towards
cybersecurity, considering the aca-
demic institutions listed on the Na-
Certs serve to filter tional Security Associations list of
out unqualified National Centers of Academic Ex-
cellence in Information Assurance
personnel as (IA)/Cyber Defense (CD) will en-
most DoD cyber sure that the curriculum has been
vetted for strength in specific IA
workforce positions and CD focus areas.7 Computer se-
specify a specific curity education programs should
professional include courses in various operat-
ing systems administration, net-
certification as a working, network security, host-
requirement. based security, intrusion detection,
hardware and software configu-
ration, and computer forensics.
Security professionals should also develop their communi-
cation skills as they are typically responsible for educating
and recommending solutions to technical and non-technical
employees regarding information security issues.
Professional information technology (IT) and security certi-
fications provide an employer with an indication of an indi-
viduals skill, knowledge, and aptitude and usually command
increased earning power. They also serve to filter out unqual-
7 https://www.nsa.gov/ia/academic_outreach/nat_cae/.
Security of IOTOne and One Makes Zero
2-Hour Event Recorded Live: Tuesday, September, 22, 2015
Biometrics & Identity Technology Status Review
2-Hour Event Recorded Live: Tuesday, August 25, 2015
Network Security Testing Are There Really Different Types
of Testing?
2-Hour Event Recorded Live: Tuesday, July 28, 2015
Global Cybersecurity Outlook: Legislative, Regulatory and
Policy Landscapes
2-Hour Event Recorded Live: Tuesday, June 23, 2015
Breach Report: How Do You Utilize It?
2-Hour Event Recorded Live: Tuesday, May 26, 2015
Open Software and Trust--Better Than Free?
2-Hour Event Recorded Live: Tuesday, April 28, 2015
A Wealth of Resources for the Information Security Professional www.ISSA.org
22 ISSA Journal | October 2015
ified personnel as most DoD cyber workforce positions spec-
ify a specific professional certification as a requirement. Can-
didates must either hold or obtain the particular certification
within a certain period of time after being placed in the posi-
tion. Vendor-neutral certifications provide employers with an
indication of an individuals general IT and cyber skills, while
specific operating system, network, or security certifications
serve to establish more advanced or focused skills.
Individuals with prior military service and/or possessing a
security clearance generally have a competitive advantage in
the hiring process. Employers recognize that job candidates
with prior military service typically have a reliable work eth-
ic, good communication skills, are loyal to their employers,
and overall are productive workers. While it does not guar-
antee being selected, veterans preference laws give eligible
veterans an advantage over many other applicants. A security
clearance assures government employers that the applicant is
familiar with safeguarding national security information and
that they do not have a criminal background. Cyber positions
requiring elevated privileges, including having the ability to
modify security settings, typically must be filled by an indi-
vidual having a security clearance; therefore the demand for
IT professionals with a security clearance is high.8
The cybersecurity workforce management guidance, DoD
Directive 8140.01,9 advocates that qualified government ci-
vilian and military personnel, augmented where appropriate
by contracted services support, be employed as an integrated
workforce in order to provide an agile, flexible response to
constantly changing cybersecurity requirements. Policy re-
quires IA practitioners and managers be trained and quali-
fied to an approved baseline requirement, depending on the
position they fill. The Information Assurance Workforce Im-
8 https://news.clearancejobs.com/2015/06/23/benefits-security-clearance/.
9 http://www.dtic.mil/whs/directives/corres/pdf/814001_2015_dodd.pdf.
Click here for On-Demand Conferences
www.issa.org/?OnDemandWebConf
Continuous Forensic Analytics Issues and Answers
2-Hour Event Recorded Live: April 14, 2015
Secure Development Life Cycle for Your Infrastructure
2-Hour Event Recorded Live: Tuesday, March 24, 2015
What? You Didnt Know Computers Control You? / ICS and
SCADA
2-Hour Event Recorded Live: March 2, 2015
Cybersecurity New Frontier
2-Hour Event Recorded Live: February 24, 2015
Security Reflections of 2014 & Predictions for 2015
2-Hour Event Recorded Live: January 27, 2015
Dorian Grey & The Net: Social Media Monitoring
2-Hour Event Recorded Live: Tuesday, November 18, 2014
Planning for a Career in the Department of Defense Cybersecurity Workforce | John Gray
Figure 1 Cybersecurity workforce structure
provement Program manual details the specific qualifications
and certifications on which to train, qualify, and manage
the IA workforce. The ultimate vision of the guidance is to
have a workforce of IA professionals who have the knowledge
and skills to effectively prevent and respond to cyber attacks
against government information, information systems, and
information systems infrastructures.
Career progression
The DoD cybersecurity workforce (CW) is divided into four
categories: information assurance technical (IAT), manage-
ment (IAM), system architecture and engineering (IASAE),
and computer network defense service provider (CND-SP).
Each category has levels based on where the position is lo-
cated within the overall cybersecurity workforce and infor-
mation system environment as detailed in figure 1. The IAT
category is represented by the pyramid on the left side; the
pyramid on the right represents the IAM and IASAE catego-
ries. Each pyramid has lines dividing it into three functional
levels which are related to the system architecture, not to an
individuals grade or experience.
Immediately above the base of both pyramids is the com-
puting environment, functional level 1. This level is expected
to be made up of the largest number of cybersecurity pro-
fessionals. The second level of the pyramids is the network
environment with the population of workers projected to be
somewhat smaller than that of level 1. Level 3, the smallest
level, represents the enclave, containing advanced network
and information system IA professionals. CND-SP positions
are not tied to the environment or IA functional levels, but to
specific job roles on a computer network defense team. The
specialties are Analyst, Infrastructure Support, Incident Re-
sponder, Auditor, and Manager. The arrow pointing upward
between the two pyramids depicts a requirement for more ad-
vanced certifications as the professional level increases.
IA technical
IAT level 1 personnel are tasked with making their comput-
ing environment (CE) less vulnerable by correcting flaws
and implementing security in the hardware or software in-
stalled in their various operational systems or devices. IAT
level 2 personnel provide network environment (NE) and ad-
vanced-level CE support. They focus on intrusion detection,
finding and fixing unprotected vulnerabilities, and improv-
ing security on a systems network infrastructure. They also
are qualified to perform numerous functions of IAT level 1.
The personnel in IAT level 3 focus on support of the enclave
environment; monitoring, testing, and troubleshooting hard-
ware and software security issues on the numerous systems
which may be in it. In general they have mastery of the func-
tions of both the IAT level 1 and level 2 positions.
IA management
IA management level 1 and 2 personnel are responsible for
managing the operation of an information system within
their CE or network, ensuring that it is functional, secure,
and in compliance with all security requirements. Personnel
in these positions perform a variety of security-related tasks,
including the development and implementation of system
information security standards and procedures, generating
compliance reports, and overseeing certification and accred-
itation efforts. IAM level 3 personnel are responsible for en-
suring that all information systems in an enclave are func-
tional and secure. They determine the enclaves long-term IA
needs and acquisition requirements in order to accomplish
operational objectives. They also develop and implement in-
formation security standards and procedures through the
certification and accreditation process.
IA system architecture and engineering
IASAE level 1 personnel apply knowledge of security policies,
procedures, and structure to design, develop, and implement
an information system, system components, or system archi-
tectures. IASAE level 2 personnel apply their knowledge of
security policies, procedures, and workforce structure to de-
sign, develop, and implement a secure network environment.
Finally, persons filling an IASAE level 3 position are respon-
sible for the design, development, implementation, and/or in-
Donns Corner
By Donn Parker
ISSA Distinguished Fellow
Silicon Valley, USA Chapter
Over and Out
I HAVE RUN OUT OF MAXIMS TO AMUSE, educate, and chal-
lenge you. More of them would carry tedious detail that I have
tried to avoid. At this stage in retirement from my career, I am
always the generalist.
A collection of all of my maxims may be found here.
Donn Parker, CISSP, retired, and information security
pioneer, donnlorna@aol.com.
October 2015 | ISSA Journal 23
Planning for a Career in the Department of Defense Cybersecurity Workforce | John Gray
Figure 2 Approved baseline certifications
tegration of a security architecture, system, or system compo-
nent for use within the entire range of environments.
IA computer network defense service provider
CND-SP analyst personnel use the data collected from a va-
riety of CND tools, such as intrusion detection system alerts,
firewall and network traffic logs, and host system logs, in
order to analyze events that occur on their assigned system.
CND-SP infrastructure support personnel test, implement,
deploy, maintain, and administer the infrastructure systems
that are required to effectively manage a network and its re-
sources. This includes routers, firewalls, intrusion detection
and prevention systems, and other devices and tools as de-
ployed within the network environment or enclave. CND-
SP incident responder personnel investigate and analyze re-
sponse activities related to cyber incidents, including creating
and maintaining incident tracking information; planning,
coordinating, and directing recovery activities; and incident
analysis tasks such as examining information and supporting
evidence related to an incident. CND-SP auditor personnel
perform assessments of systems and networks within the net-
work environment or enclave and identify where they deviate
from acceptable configurations or polices. They achieve this
through compliance audits, penetration tests, or vulnerabil-
ity assessments. A CND-SP manager oversees the computer
network defense and is responsible for producing guidance
for the network environment or enclave, assisting with risk
assessments and risk management, and for managing and su-
pervising the CND technicians within the organization.
Certifications
Professional certifications map to the different IA categories,
specialties, and levels to which they apply. An individual
needs to obtain only one of the approved certifications for
the IA category or specialty and level to meet the minimum
requirement. Higher-level IAT and IAM certifications satisfy
lower-level requirements; however, higher-level CND-SP and
IASAE certifications do not. Each position has one or more
qualifying certifications as detailed in figure 2. The baseline
24 ISSA Journal | October 2015
certification usually must be obtained within six months of
an employee being placed in the particular IA role. Contrac-
tors should have the appropriate certification when entering
the contract. Employees need to maintain their certification
status by completing continuous learning requirements as
defined by the respective certification provider (e.g., (ISC),
ISACA, CompTIA, etc.). IATs are also required to obtain an
appropriate operating system or computing environment
certification in addition to the IA or security certification re-
quirements.
DoD employees should register their certifications in the De-
fense Workforce Certification Application. This is the author-
itative database for all DoD military, civilian, and contractor
personnel who hold 8570-related certifications. Registering
their certifications in the database ensures that the DoD is
aware of an individuals certification status and that the in-
formation is validated by the certification provider.
There has been controversy about how the DoD 8570 manu-
al focuses too much on certifications rather than taking into
account an individuals experience or degree. Its replacement
is the DoD 8140 Cyberspace Workforce Management Policy
manual, a document that amplifies the requirements of DoD
Directive 8140.01. It is projected to be issued within the next
year and supposedly addresses this issue.
Moving through the various cybersecurity workforce levels
is a process of acquiring skills and experience. Personal de-
velopment for information assurance employees is generally
divided into three levels as well. Entry-level or apprentice po-
sition skills and experience should include having an under-
standing of and being able to perform basic operating system
administration, networking, security principles, and security
review processes. Depending on the type of position being
filled, other areas of familiarity may include public key infra-
structure procedures, network monitoring applications, and
network device or database configuration, management, and
administration. While not a prerequisite for employment,
individuals are encouraged to develop an understanding of
financial management, contract management, and technical
writing.
In addition to a more in-depth knowledge of their particular
computer or networking specialty, mid-grade infosec pro-
fessionals are expected to demonstrate knowledge and skills
regarding DoD security policy requirements, certification
and accreditation processes, information system monitoring,
vulnerability management and reporting, incident response
investigation, and business continuity procedures. Acquiring
additional skills in the areas of team leadership, negotiating,
mentoring, project management, business process develop-
ment, and cost modeling further demonstrates their profes-
sional growth.
Senior-level personnel are expected to also have knowledge
of systems and network architectures, strategic planning, IA
metrics development and analysis, risk assessment and man-
agement, configuration control management, verification
and validation processes, contingency planning, and infos-
 Planning for a Career in the Department of Defense Cybersecurity Workforce | John Gray
ec policy interpretation and development. Other skills may
include management and leadership; conflict, project, and
financial management; quality and continuous improvement
processes; and strategic planning.
All employees are encouraged to develop interpersonal skills
in the areas of teamwork, ethics, writing, communication,
and problem solving in order to become a more well-rounded
employee.
Conclusion
Job security, excellent benefits, competitive pay including lo-
cality pay, vacation and sick leave, and a retirement system
that is exceptional compared to much of the private sector
are just a few of the reasons people seek federal employment.
Some people consider government careers because of desir-
able travel opportunities, availability of training, and the
ability to locate jobs nationwide or even overseas. Following
the guidelines listed above to develop ones cybersecurity
skill set establishes a solid foundation for career growth. Ca-
reer opportunities in the DoD cybersecurity workforce are at
The Curmudgeon There are two types of people on the Internet
THIS MONTHS TOPIC: THE INFOSEC CAREER PATH. Where to be-
gin? How about with reality?
There are two types of people on the Internet: Those who know
theyve been hacked, and those who dont yet know theyve been
hacked. Yes, I plagiarized. Its part of my job.
What I have observed over decades (I am a curmudgeon) are two pop-
ulations entering the field.
First is people who grew up with information security: categorizing,
marking, stamping, storing, adhering to various standards, etc. It was
all about paper, or files, or filing systems; then it was about retention;
legal requirements; and other governances. (Thats a whole other top-
ic.) They have systems, requirements, rules, and demand that every-
one strictly adhere to them.
The second is we who came up from the systems and computing
environment. We understood the effects on the systems, how intrud-
ers progressed, where intruders could go from there, but might not be
able to express the ultimate effects to the business-droids in charge.
For us, the situation is obvious. We then fall victim to a common bias:
assuming other people have the same knowledge and understand-
ing.
Then, sometimes, theres a really strange third group. The transla-
tors. They often have gray beards and irascible attitudes. They proba-
bly arent in the trenches, dealing with trouble tickets AND intrusions,
invasions, phishing, spearphishing, whaling, or the specific attacks on
that organization.
They really do not want to adhere to the absolute rules imposed by
the first group, when those rules damage the business or mission. But
they know things need done legally and properly. They can speak
geek and speak business-droid, ROI, etc.
Treasure them.
They translate to the business-speak of: OK, its known by this
name; what it means to us is: It will expose you to these legal actions
an all-time high, and even if an individuals career spans only
a few years, it can provide opportunities for gaining valuable
training and experience and fulfill a desire for serving the
public good. The experience gained can be a stepping stone to
expanded opportunities and higher wages and compensation
in the public sector.
And while the career progression detailed in this article is
focused on service in the United States Department of De-
fense, the basic tenants are applicable to government service
in other nations, and can also be a template for developing
ones information security skills in general.
About the Author
John Gray, CISSP-ISSEP, PMP, is an infor-
mation systems security analyst with over 15
years experience in information security and
IT. He is employed by the Department of De-
fense, focusing on certification and accredi-
tation, cross-domain solutions, and informa-
tion security management. John may be reached at jgraydiss@
wavecale.com.
that are likely to cost you <amount> in the courts, lost goodwill, lost
profits. You should have done these things in the past. Now, you need
to do those things and fight this public action, to defend your busi-
ness and protect your revenue stream. If you do not, you are likely to
suffer <damages>. Its your decision. (Keep a copy of your memo for
record somewhere other than work!)
Translators also work the other way: The CxOs are interested in these
threats. We have to treat these threats because theyre the bosses. We
might approach this problem by doing <actions>. We might be able
to treat practical things by including these circumstances and explor-
ing some alternatives. How may we do this at least quasi-legally with-
out changing real operations? Theyve taken the bosses interests
and sought ways to leverage them to what needs to be done.
Please believe me, from personal experience: if you can meet this
sweet spot, you have lifetime employment. Organizations will com-
pete for you. Co-workers will claw you back.
This, Grasshopper, should be your path. You should consider this
deeply.
You should study many things, such as CxOs motivations (read Snakes
in Suits); your corporate infrastructure and core strengths; your com-
petitors, their motivations, their legal limitations (or lack thereof); and
most especially, your personal strengths. Find coping techniques for
your weak areas.
When the CxOs get caught out, they hunt up someone to noisily
blame and fire. Sometimes, that is your acknowledged
and accepted position; charge them for it, until they
squeak and then some. They have deep pockets and
you might be a while finding work. Remember the
two types of people....
Welcome. To the Real World.
Your local, grumpy, tie-wearing,
un-impressed, and suspicious Curmudgeon
October 2015 | ISSA Journal 25
 DEVELOPING AND CONNECTING
ISSA CYBERSECURITY LEADERS GLOBALLY
Information Security Career
Path
By Yuri Diogenes ISSA member, Fort Worth Chapter
The author discusses key decision points regarding an information security career, the options
available, and how to succeed in this field.
Abstract
Nowadays access to information is not a problem; everyone
can find answers for a wide variety of topics and learn about
them without many requirements. At the same pace the in-
formation lands in every device across the planet, the num-
ber of vulnerabilities discovered on a daily basis also grows,
which is causing a higher demand for qualified security pro-
fessionals across the industry. How these security profession-
als will learn and continuously develop themselves to handle
this demand will vary. This article will go over key decision
points regarding an information security career, the options
available, and how to succeed in this field.
A
ccording to an analysis performed by Peninsula Press
using numbers from the Bureau of Labor Statistics,1
the demand for information security professionals is
expected to grow by 53 percent by 2018. While this might not
look like a big number across three years, the real alarming
number comes in the same analysis when they state: it was
found that 209,000 cybersecurity jobs in the US are unfilled.
The struggle to fulfill these positions is a reality not only in
the private sector but in government as well. The government
is aware of this shortage, and in July 2014 the Homeland Se-
curity Cybersecurity Boots-on-the-Ground Act2 passed the
House with the intent of helping the Department of Home-
land Security (DHS) to recruit and retain cybersecurity pro-
fessionals.
Recently the National Security Agency (NSA) started a pro-
gram for middle and high school students, to teach them
1 Ariha Setalvad, Demand to Fill Cybersecurity Jobs Booming, March 31, 2015 -
http://peninsulapress.com/2015/03/31/cybersecurity-jobs-growth/.
2 Eric Chabrow, Senate Passes Cybersecurity Skills Shortage Bill: Measure Aims
to Boost IT Security Employment at DHS, September 20, 2014 http://www.
bankinfosecurity.com/senate-passes-cybersecurity-skills-shortage-bill-a-7340/op-1
26 ISSA Journal | October 2015
ethical hacking skills.3 This initiative is just another fact that
shows the government recognizes the need to expand the
skills of young students and ensure that they learn about in-
formation security. Adding information security-related dis-
ciplines into the core school curriculum can have a great ben-
efit for the future generation that will grow way more aware of
what needs to be done to stay secure. This goes beyond secu-
rity awareness because it can also lead students to learn more
about secure coding, which is the real root of the problem.
But while this is not happening, what should be done for the
current generation and how should you improve your skills?
What path should I take?
The information security career has many ramifications,
from a very specialized Pentester to a more generalized Se-
curity Analyst who needs to know a variety of topics about
security. This means that the first step you should take is to
perform a self-assessment and decide where you want to go
in your career, what you like to do, and how to advance in
that particular field. This is an important point because many
times people decide what they will do based solely on market
demand. Blindly following this rationale can be dangerous
because you might end up working in a field that you dont
like and one which may have a negative impact on how you
grow in your position. As a result you will not evolve and
soon or later will start looking for another job. Regardless of
what pays more, you must be passionate about what you are
going to embrace in your next career move. Some security
professionals are already in this situation, having to work
in a branch of this field where they dont feel passionate; the
rationale is the same: find your next career move by doing
this self-assessment and discovering what motivates you in
3 Hanna Sanchez, National Security Agency Teaches Students Ethical
Hacking, Cybersecurity, Jul 20, 2015 http://www.ischoolguide.com/
articles/18948/20150720/national-security-agency-students-ethical-hacking-
cybersecurity.htm.
Information Security Career Path | Yuri Diogenes

this area. Nowadays everyone talks about hacking, ethi- fulfill that particular position you need a Masters in Cyber-
cal hacking, cybersecurity, and other terms. Dont let the security, make it happen and go after it.
buzz distract you; understand deeply what you want to do
and pursue the right path to your next move. Specialist or generalist?
Once you decide which path you will take, evaluate what you Ten years ago the demand to have very specialized profes-
already have to offer. In general, there are three core compo- sionals was greater than today. If you knew one specific fea-
nents that you must assess regarding the field that you are ture within a product, you were of extreme value to the com-
going to work: pany. I remember when companies were hiring Exchange 5.5
professionals that were specialized in
Experience: do you have the required experience on that
troubleshooting mail flow. Those pro-
field?
Professional certification: do you have the profession-
fessionals needed to know deeply how
to debug the protocol and know deep-
Regardless of
al certifications that are required for the job that you are ly how to troubleshoot connectors what pays more,
looking for? between Exchange and Lotus Notes, you must be
Degree: do you have a degree that can be helpful in that among other specific features. They
field? didnt need to know how to restore an passionate about
This self-assessment is very important as it allows you to un-
Exchange database; they didnt even what you are
derstand your strengths and weaknesses. The goal is to en-
need to know how to create an user
account; as long as they were level 400
going to embrace
sure that once you detect your weakness, you start working
in mail-flow troubleshooting, they in your next
on a plan to fulfill the gap. If the result of this self-assessment
shows that you need a specific certification in order to be
had the job. Not anymore! career move.
more competitive, than you already know what to do: study With cloud computing everything
and obtain the certification. changed. Broad knowledge is now
more important for all IT segments and especially for infor-
A survey performed by SANS in 20144 shows that experience
mation security professionals. With cloud computing grow-
is a key factor for a better salary in the information security
ing in such a fast pace, it becomes extremely important that
field. The same survey also reveals that certification is a criti-
security professionals are aware of the essential characteris-
cal component for career success in the information security
tics defined by NIST6 and how the threat landscape is going
arena. What should we conclude with this? Having both is the
best scenario for a security professional. While experience is 6 The NIST Definition of Cloud Computing http://csrc.nist.gov/publications/
for the most part directly related to the jobs that you have nistpubs/800-145/SP800-145.pdf.
had in the field, you can also obtain experience by attending
trainings and conferences and helping your community. Ini-
Career Opportunities

V
tiatives like Security BSides5 are available in many locations
in the world. You can propose a presentation or volunteer to isit the Career Center to look for a new op-
work in their meetings. By engaging yourself in communities portunity. These are among the current job
like this you will gain knowledgeand you will also expand listings you will find [as of 9/21//15]:
your network. Project Control/Project Scheduler MD
Pursing a Masters or PhD degree in information assurance, Advanced Analytics Manager CA
cybersecurity, or any other field related to information secu- Information Technology Security Analyst FL
rity is definitely a choice to consider. However, in this case
IT Security Analyst Threats and Vulnerabilities
you must analyze the return on investment and ask yourself: Monitoring NY
will it be worth it in the long term? The investment is not only
Architect - Security Information OH
financial; it is also the time that you put to obtain these high-
er degree. As part of your career plan in security you must Identity Access Manager MA
establish your vision; as part of this vision, ask yourself: what Instructor of IT/Cybersecurity HI
do I want to achieve in this field? If you want to work in the Program Director, Cybersecurity/Information
academic field or research, pursuing a Masters or PhD should Technology VA
definitely be in your plans. The other scenario that can lead Director, Information Security CA
you to go after these degrees is job requirements; if you want IS Policy Administrator TX
to work for a specific company and you know that in order to Chief Information Security Officer WI
Manager Information Security MA
Information Security Analyst MO
4 Cybersecurity Professional Trends: A SANS Survey https://www.sans.org/reading-
room/whitepapers/analyst/cybersecurity-professional-trends-survey-34615.
5 Welcome to the Security BSides Community Wiki http://www.securitybsides.
Visit www.issa.org/?CareerCenter
com/w/page/12194156/FrontPage.

October 2015 | ISSA Journal 27

Information Security Career Path | Yuri Diogenes

to look like in this scenario. In other words,

Job Duties:
understand the threat landscape for each
Planning and implementing security
one of the essential characteristics below: measures to protect computer systems,
On-demand self-service networks and data
Responsible for preventing data loss and
Broad network access service interruptions
Job Title: Security Analyst
Resource pooling Create, test, and implement network disaster
Past experience: recovery plans
Rapid elasticity Perform risk assessments
Firewall Expert
Measured service (Certified Professional) Install and configure firewalls and other
security measures
Security certifications in cloud computing Train staff on network and information
will reflect this by covering a variety of sub- security procedures (Security Awareness
jects in different areas. The domains included Training)
in the Certificate of Cloud Security Knowledge
The company
(CCSK)7 for example, will cover the following
needs someone with Broad knowledge in many areas
subjects: deep knowledge
Cloud Architecture of firewalls to Deep knowledge in one area
troubleshoot and
Governance and Enterprise Risk manage them!
Legal and Electronic Discovery Figure 1 Generalist and specialist in one area

Compliance and Audit

In this scenario we have a classic example of a job that re-
Information Life Cycle Management quires a broad knowledge in many areas, but on top of that it
Portability and Interoperability needs also someone with deep knowledge in one specific area.
In this scenario your previous experience, or even the experi-
Traditional Security, BCM, D/R
ence that you accumulated over time, can have a big impact.
Data Center Operations This is also a competitive advantage if you are competing for
Incident Response a position with other candidates because your previous certi-
fications and experience will be considered by the employer.
Application Security
Security is very dynamic; your specialty today might not be
Encryption and Key Management so relevant in a few years. However, the knowledge that you
Identity and Access Management accumulate with each project and certification and by per-
forming the daily tasks are very valuable over time. The key
Virtualization
to staying relevant is to stay up to date and be flexible while
Security-as-a-Service focusing on performing your work in the field that you feel
ENISA Document passionate.
You need to know the security capabilities of a variety of Core skills for information security professionals
technologies and how these security capabilities will inte-
grate with each other. The scope of what needs to be covered Now that you understand the general considerations regard-
is broad and it can be deep in some circumstances, which ing which path you can take, how do you resolve the gener-
means you might be a generalist in one area and a specialist alist/specialist dilemma? This is important for building your
in another area. It is fair to say that a CCSK-certified profes- security foundation. If you are new in this area, and you want
sional will have a very broad knowledge of each one of those to know what you should learn about security, the best advice
domains, and at the same time it is possible to have another is to obtain a vendor-neutral certification such as CompTIA
security professionals specialized in one single domain, such Security+. The current exam (SY0-4018) is very broad as you
as Incident Response. can see in the core domains of this exam:

Another very common scenario is you are the generalist but Network Security
you are also the specialist for one area. For example, you are Compliance and Operational Security
a security professional working in the incident response field; Threats and Vulnerabilities
you know your process and what needs to be done to investi-
gate an incident. However, you are also the guy who knows Application, Data, and Host Security
more about computer forensics on your team. Figure 1 shows Access Control and Identity Management
an example of how this usually looks like and why it happens. Cryptography

7 Certificate of Cloud Security Knowledge https://cloudsecurityalliance.org/ 8 See the entire exam objectives here http://certification.comptia.org/docs/default-
education/ccsk/. source/exam-objectives/comptia-security-sy0-401.pdf

28 ISSA Journal | October 2015

 SECUREWORLD
See Globally. Defend Locally.
Distilling the global complexities of cybersecurity down to
your city, your network, your shot at a decent nights sleep

2015 Conferences: Cincinnati - October 6

Register for a conference near you with Denver - October 15
these discount codes: ISSA, ISSASWP,
ISSAEO and save up to $200 Dallas - October 28 & 29
For our complete schedule, visit
Bay Area - November 4
www.secureworldexpo.com Seattle - November 11 & 12

Featured Keynotes:

Carl Herberger Colonel Cedric Leighton Christopher Pierson Demetrios Lazarikos James Beeson Larry Ponemon
Vice President of Security USAF (ret.) and CEO, Cedric General Counsel & Chief IT Security Researcher CISO Chairman and Founder of
Solutions, Radware Leighton Associates Security Officer, EVP and Strategist GE Capital Americas the Ponemon Institute
Viewpost

The 2015 SecureWorld Expo conference theme is the Secret Service. We partnered with one of our
countrys most valuable organizations to bring you stories about the electronic crimes task force.

SecureWorld Digital:

Connecting you to larger forums, articles and gatherings to shape the conversation. Visit us today
at www.secureworldexpo.com to sign up for exclusive web conferences and subscribe to the
SecureWorld Post.

Web Conferences: SecureWorld Post:

Shaping the Conversation

www.secureworldexpo.com
 Information Security Career Path | Yuri Diogenes

This is a very broad scope because it covers subjects like Certified, CompTIA Network+, CompTIA Cloud+, CompTIA
BYOD, SCADA, Incident Response, and other topics that are Mobility+, MCSE, MCTS and MBA. Currently Yuri works for
relevant for anyone who wants to either start working in se- Microsoft as Senior Content Developer for the Enterprise Mo-
curity or boost his or her security career by obtaining a more bility Team and as Professor for the Master of Security Science
general certification. One of the course from EC-Council University. Yuri is co-author of Win-
advantages of starting with a broad dows Server 2012 Security, Forefront TMG Administrators
As anything you do certification in the security field is Companion, and a Security+ book (in Portuguese). You can
that you can decide which area you follow him on Twitter @yuridiogenes or reach him at yurid@
in life, progressing want to focus on in case you want microsoft.com.
in this field to specialize. For example, after ob-
becomes easier if taining this certification you might
conclude that you want to invest
you are passionate, more time and effort to become
self-driven, and a Computer Forensics Analyst. If
thats your choice, you can start
have the discipline with GIAC Certified Forensic An-
to pursue the vision alyst (GCFA)9 or EC-Council C|H-
of what you want FI (Computer Hacking Forensics
Investigator).10 The reasons that
ISSA Journal 2015 Calendar
for your career. lead you to choose one certification Past Issues click the download link:
over another can vary: job require-
ment, financial restrictions, etc. It
JANUARY
Legal and Regulatory Issues
is important to research and verify what certification will ag-
gregate more value not only for your resume but also your FEBRUARY
own knowledge. What you are going to learn throughout the The State of Cybersecurity
preparation phase is vital; if you are going to spend hours and
hours studying for an exam, you better like the subject and be MARCH
Physical Security
very passionate about what you are about to embrace.
APRIL
Conclusion Security Architecture / Security Management
If information technology is already a very dynamic field, MAY
information security is even more challenging because it Infosec Tools
changes on a daily basis, and one change can have collateral
damage in different areas. Be aware that these challenges can JUNE
be overwhelming, but they are also full of opportunities to The Internet of Things
highlight the quality of your work. As anything you do in life, JULY
progressing in this field becomes easier if you are passion- Malware and How to Deal with It?
ate, self-driven, and have the discipline to pursue the vision
of what you want for your career. Make sure to participate AUGUST
and network with other professionals, because this will help Privacy
to identify areas that you can explore more, and it gives you
real-world scenarios that you might not be exposed to if you
SEPTEMBER
Academia and Research
are working on your own.
Last but not least, follow this simple advice and stay hungry OCTOBER
for knowledge: The more I learn, the more I realize how Infosec Career Path
much I dont know. Albert Einstein NOVEMBER
Social Media and Security
About the Author Editorial Deadline 9/22/15
Yuri Diogenes, MS in Cybersecurity Intelli-
gence & Forensics Investigation (UTICA Col- DECEMBER
lege), CISSP, CASP, E|CEH, E|CSA, Comp-
Best of 2015
TIA, Security+, CompTIA Cloud Essentials You are invited to share your expertise with the association and submit an
article. Published authors are eligible for CPE credits.
9 GIAC Certified Forensic Analyst (GCFA) http://www.giac.org/certification/ For theme descriptions, visit www.issa.org/?CallforArticles.
certified-forensic-analyst-gcfa.
10 C|HFI Certification http://www.eccouncil.org/certification/computer-hacking- EDITOR@ISSA.ORG WWW.ISSA.ORG
forensics-investigator.

30 ISSA Journal | October 2015

 DEVELOPING AND CONNECTING
ISSA CYBERSECURITY LEADERS GLOBALLY
Career Paths: How I Got Here
Three ISSA members answered our call to know what career path they took, how it served them,
and what path they would recommend for future generations of information security professionals.
My Unexpected Infosec
Career Path
By Ashley Schwartau ISSA member, Middle
Tennessee Chapter
T
here is not a specific career path that lands you in the
infosec industry. Everyone has a different journey
and must be open to the opportunities that present
themselves, especially the unexpected ones!
I never expected to work in this industry. Yet here I am. A
woman working in infosec.
I did not go to school for IT, and I had no interest in pursuing
a security-related career. Yet, here I am.
Somehow, completely by accident, I have spent the last ten
years of my life preaching infosec ideals and becoming an in-
formation security professional. How did this even happen?
I blame it on my dad, really.
He has been in this industry and run his business out of the
house for my entire life, so my childhood was full of securi-
ty software, consulting calls with clients, and swag brought
back from security conferences. I even learned the alphabet
on a keyboard at 18-months old. He started taking me to Def-
Con when I was 16, and one of my chores in high school
was compiling a list of security-relevant news to be used in
a weekly newsletter sent out to clients. (I got paid and it sure
beat scrubbing toilets like my friends were doing for spending
money!) Concepts like social engineering, white hat hacking,
Wi-Fi sniffing, and the importance of backup were common-
place for me, and it was not until high school that I realized
maybe not everyone knew Kevin Mitnicks name or was as
paranoid about downloading a virus on Napster as I was.
While my dad gave me odd jobs to do for the company here
and there, and I learned from my mom as she did design work
in CorelDraw, neither of them ever pushed me to join the
family business. They urged me to pursue my dreams, which
ranged from becoming the art director of an entertainment
magazine in New York to editing movie trailers in Los An-
geles.
I transferred colleges a few times, my major switching from
multimedia (with a fine arts focus) to digital media (a com-
bination of comp sci, web development, and graphic design).
I interned at the college TV station and in my fifth (and fi-
nal) year of school set out to create a documentary in order to
teach myself how to edit video. What was the documentary
about, you ask. Hackers. I filmed Hackers Are People Too at a
few conferences and premiered it at DefCon 16 on 08/08/08.
Even for a personal project, I could not get away from infosec.
I may not have known it then, but making that movie only
cemented my future in this industry.
After graduating college, I moved home to get my bearings
and figure out where I was going. Would I really venture to
the City of Angels to pursue film, or head into the Big Apple
to join the failing publishing industry? After working a lame
retail job, and not finding any other leads, I felt lost. But then
my dad offered me something I had never seen as an option:
join his company full time. They were ready to expand their
services and jump into e-learning, and I knew enough about
the subject matter to develop content and savvy enough with
software to figure out how to do what he needed.
I took the job willingly but with every intention of finding
something better down the line. Then our client base expand-
ed. I started coming up with new ideas for teaching the same
old security lessons, and I found myself in a full-time position
in an industry I had spent most of my life trying to avoid. And
I was actually having fun! Pretty soon we needed more help,
and we hired my first assistant. Not long after that we need-
ed to hire another team member and another and another
and another. Here we are in 2015; the company with an entire
production staff and me, fully invested in an industry I now
have no intention of leaving.
As Creative Director of The Security Awareness Company, I
work hands-on with all of our clients, building and launching
information security awareness campaigns. I develop train-
ing materials to teach users how to protect company data and
the importance of following security policy. I have seen secu-
rity initiatives of all shapes and sizes both succeed and fail,
and have learned what the security teams must do in order to
get buy-in from users and C-levels.
On the surface, to many of my friends, my job may not seem
like an obvious infosec career. I run the creative depart-
ment, after all. But the work my team and I produce is en-
trenched in security, focused on re-imagining and teach-
ing age-old problems such as passwords, compliance, data
breaches, and phishing. It is impossible to work on awareness
materials without becoming somewhat of a subject matter
October 2015 | ISSA Journal 31
Career Paths: How I Got Here | Ashley Schwartau, Dora Baldwin, and Roza Winston
expert yourself. So while my skills might serve me in other
industriesmarketing, advertising, publishingmy knowl-
edge base and experience with clients awareness programs
make me a infosec professional.
So what advice would I give to future infosec
professionals?
Throw away preconceptions about what infosec is
The infosec industry calls on a wide variety of people with
myriad skills, everything from sysadmins and pentesters
to the people who design simulated phishing attacks. Look
around the vendor floor of any conference and you will see
the kind of variety I am talking about. Software developers,
phishing companies, awareness training, cloud services,
MDM, VPNs, hardware developers...and each of those com-
panies has a need for programmers, designers, marketers, ad-
ministrators...a range of people with a range of skills that are
not all deeply technical. Infosec is not just a technical field,
and you can thrive in this industry as long as you have a base
understanding of the issues and passion for the subject mat-
ter.
Widen your focus
One of the mistakes I see students make in all industries is
choosing a career path and never veering off road. Many of
the people I went to school with wanted to be graphic design-
Easy and
Convenient!
www.issa.org/store
Weve stocked our shelves with ISSA merchandise
featuring our logo. Visit our online store today its
easy and convenient to securely place your order and
receive great ISSA-branded items.
Computer Bags Short-Sleeve Shirt Long-Sleeve Shirt
Padfolio Travel Mug Baseball Cap Fleece Blanket perfect your craftthat proves more than sitting through
Proud Member Ribbon Sticky Note Pads (12 pk.)
Place Your Order Today: ISSA Store!
32 ISSA Journal | October 2015
ers, so they took graphic design classes and scoffed at those
of us who ventured into other areascomputer networking,
film editing, PHP, creative writing, theme park design, inter-
active performance. They saw no need for any skills that were
not in the basic job description of a designer. But as someone
who now leads a production department, having an under-
standing of all those others areas has only made me better at
my job. And the same goes for any job in the infosec field. You
should know more than just what your dream job expects of
you. You should understand the roles of the people you work
with and for. Learn everything you can about everything
networking, programming, designing, managing. Coding
was never my forte, but I understand it enough to talk to our
programmers and web development team with confidence
and savvy. And while I am not a CISO myself, I understand
the problems they face on a daily basis and constantly educate
myself about new threats so that I can better serve the people
I work for. You will be an asset to your team if you can ex-
pand your knowledge base beyond the limited scope of your
specific job title.
Be open to opportunities
This relates to my point above. Lets say you are headed to-
wards being a pentester, and the job market is kind of scarce
in your city. But a position opens up for the help desk at a lo-
cal healthcare company. Take it. Is it exactly what you want to
do? Not at all. But being at the help desk puts you on the front
lines of defense, receiving calls from users who dont know
what to do or cant login to the company network. You will
see many weaknesses that Future Pentester You will be able
to exploit. Help Desk You can keep track of the most com-
mon mistakes made by users and help the security team build
targeted awareness training. Look for learning opportunities
in any job, and think about how it can help you reach your
dream job. Remember, I wanted to be the art director of a
major magazine, and now I oversee the production depart-
ment of a company that creates videos, e-learning modules,
and magazine-like newsletters, so in reality, I have my dream
job. Or something better.
School is important but not the most important
Its been a long-held misconception that a college degree is
necessary to be a successful member of a workforce. Atti-
tudes toward this are changing, and I am of the firm belief
that college is not for everyone nor does it mean you know
everything thing about your field. Our companys first intern
was a graphic design college graduate with a minor in comp
sci and a 4.0 GPA. He interviewed really well, but when he
came to work for us proved he knew zilch about anything we
needed him to do. Now, when we hire people we do not even
ask about college because a degree proves nothing. But work
experience, and lots of it, does. Going out and taking the ini-
tiative to learn more, getting certified and working hard to
four (or five!) years of college and coming out with a piece of
paper. Frankly, I do not even know where my piece of paper
is, nor do I care. My degree did not prepare me for this job
Career Paths: How I Got Here | Ashley Schwartau, Dora Baldwin, and Roza Winston

or this industry. The things that truly prepared me were at- One final piece of advice for the ladies
tending conferences, joining the ISSA, staying up to date on Have confidence in yourself and your abilities. Do not let a
security news, talking to our clients, and putting in a lot of male-dominated industry intimidate you away from it. I wish
long hours working to get better. You can learn a lot in school, that the stigmas surrounding STEM industries would just
yes, but there are just so many things that can not be taught in fade away because I think they scare off smart people who
a classroom and must be learned from real experience. In my would have a lot to contribute. Like I said, infosec is not any
opinion, the infosec field is a prime example of one in which a one thing or meant only for one
degree is not entirely necessary to becoming a well-educated, type of person. As a woman in
knowledgeable, and skilled professional. this industry, which has been a As a woman, it is
boys club for a long time, you
Be willing to say I dont know
will face adversity and discrim- even more important
Technologies change so rapidly and new threats pop up so
often, we all must be in constant learning mode. None of us
ination and eye-rolling. You to know your subject
can ever say, Yup, I know everything about security! While
will be spoken down to and
many will assume that you do
matter and become
many of the issues and lessons have not changed over the last
not know what you are talking knowledgeable about
twenty years (passwords! breaches! malware! Oh my!) the
technical specifics and speed at which bad things can hap-
about. As a woman, it is even everything that
more important to know your
pen are only ramping up. Our daily news feeds overflow with
subject matter and become touches your area of
criminal hacks and APTs and data breaches galore, and as
industry professionals we must all maintain a current knowl-
knowledgeable about every- expertise.
thing that touches your area
edge of these issues and an understanding of new technolo-
of expertise. You must develop
gies. But there is a lot to keep up with. It can be overwhelming.
a thick skin and confidence to keep your head raised high.
So ask for help. Talk with your colleagues, join professional
Keep learning, keep pushing, keep bettering yourself. The
development groups, ask your company for additional train-
women I meet in this field impress me on many levels, with
ing (even if it is not directly related to your role), subscribe
skill sets ranging from over-my-head technical expertise to
to journals like this one, and attend conferences. Never stop
master-level, geek-wrangling management skills. So, if you
learning. This is not an industry in which you can afford to
can hurdle the gender divide and the few detractors you will
stagnate, because if you do, you will be left behind.
meet along the way, you will be rewarded with a fascinating

October 2015 | ISSA Journal 33

Career Paths: How I Got Here | Ashley Schwartau, Dora Baldwin, and Roza Winston
industry full of passionate, hard-working, smart people who
you can teach you a lot and want to hear your ideas.
Like I said, it was never my intention to become an informa-
tion security professional, but despite my best efforts, here I
am. And I love it. I love this industry. Infosec is full of inter-
esting challenges. As we become more reliant on technology
and as the Internet of things becomes more ubiquitous, this
industry is only going to grow and become more mainstream.
Infosec is not just for the nerds. It is not just for the techies. It
is an industry for anyone who is passionate about technolo-
gy and making it more secure. It is for anyone who wants to
make the Internet a safer place and secure the information of
the people who use it. So go forth, educate yourselves, and do
not lock yourself in a box. You never know where your career
path may lead you, but if it brings you to infosec, there is defi-
nitely a place for you. It just may not be the one you expected.
About the Author
Ashley Schwartau is the Creative Director at
The Security Awareness Company and has
worked in this industry pretty much her en-
tire life. Whether its working with the LMS
team, developing e-learning modules, or help-
ing our designers on a big project, she loves
the unique challenge of creating a compelling
awareness program from the ground up. Shes the creator of the
2008 documentary, Hackers Are People Too, and often writes
blog content for blog.thesecurityawarenesscompany.com. You
can reach her at ashley@thesecurityawarenesscompany.com.
A Transition into Tech
By Dora Baldwin ISSA member, Inland Empire
Chapter
A
s an undergraduate I had aspirations of becoming
a top-performance track and field athlete. The ma-
jority of my time was spent on the field priming for
competition and breaking records, while my time off the field
was spent changing my academic focus every semester: I tra-
versed from English to Psychology, to Africana Studies, to Pi-
ano, to Photography, to Spanish, and finally to Marketing. By
the end of 4.5 years, I managed to walk away with a degree in
Business Administration: Entrepreneurship.
After graduation I spent a year living abroad before decid-
ing to return to pursue my masters degree. I had just decid-
ed upon studying public administration when cybersecurity
caught my attention during the new-student orientation. The
thought of a cyber war between the black hats versus white
hats was intriguing enough to pull my interest away from
red tape and bureaucracy. After all, my recent retirement as a
track and field sprinter had left my competitive spirit feeling
a bit malnourished. What began as an interest quickly trans-
formed into an appetite for more knowledge. Although I did
34 ISSA Journal | October 2015
The thought of a cyber war between the
black hats versus white hats was intriguing
enough to pull my interest away from red
tape and bureaucracy.
not come from a traditional computer science background,
my competitive spirit and passion for knowledge propelled
me to learn more about security and technology.
Shortly afterwards, I joined the CyberCorps: Scholarship for
Service1 (SFS)program as a supplement to my public adminis-
tration degree. Finding a program that provided mentorship
and aligned with my objectives was paramount to establish-
ing a strong foundation in cybersecurity. The SFS program
in particular provided mentorship in academic coursework,
extracurricular activities, student teaching, and internships
as they related to cybersecurity and the public sector.
Within time, I began following several security associa-
tions(ISC), ISSA, and ISACAto stay abreast with current
news and events. I joined several local community groups
to expose myself as much as possible. My involvement with
communities outside of the academia helped me cultivate
new relationships with professionals and experienced hobby-
ists.
Additionally, I tracked down a calendar of security confer-
ences to see which of them I could benefit from attending.
DefCon 23 left a memorable impression of what it means
to live in constant paranoia that the stranger sitting next to
you is inconspicuously trying to capture data from your cell-
phone, laptop, or wallet (I will forever hold a heart-throbbing,
adrenaline-rushing soft spot in my heart for you, DefCon).
Furthermore, attending the National Science Foundation
(NSF) Cyber Security Summit2 was monumental in helping
me transition from a non-techie to techie-in-training.
Attending the NSF Cyber Security Summit dramatically
changed my mind-set by allowing me to interact with leaders
in information security. When they inquired about my per-
sonal career goals, I realized the error of my ways: I admitted
to them that I had limited technical skills, and as a result I
would better serve management or policy. In the back of my
mind, however, I was looking to get my hands a little more
dirty; the challenge of learning something new and explor-
ing technology was what had attracted me to the field, but
yet, I was referring to my management background out of
fear of looking incompetent. Fortunately, the speakers I met
offered me guidance that helped to broaden my perspective.
Susan Ramsey, from the University Corporation for Atmo-
spheric Research, assured me that there was still time for me
to explore new interests. She encouraged me to stay focused
and whatever I aspired to do would become a reality with de-
termination and time. This brief exchange of dialogue was
critical in helping me realize that industry leaders did not
1 https://www.sfs.opm.gov.
2 Center for TrustworthyScientific Cyberinfrastructure http://trustedci.org.
Career Paths: How I Got Here | Ashley Schwartau, Dora Baldwin, and Roza Winston
succumb to limiting beliefs; perhaps they had already gotten
over them or they never had them to begin witheither way,
I understood that if I wanted to grow, I would have to repro-
gram my way of thinking.
As a student, I offer a perspective of someone who has merely
begun studying information security. I find it important to
divulge my experiences thus far to inspire those who are in-
terested in transitioning from a non-tech to tech background.
I cannot promise it will be an easy transition, but I believe
it will be rewarding for those who commit to it. When fac-
ing any lingering doubts, my remedy has been to return to a
child-like state where curiosity is foremost and possibilities
are unlimited. I advise all new techies to explore whatever
topics interest them. It is important that the questions you
ask are not geared towards seeking validation or permission
to pursue (Should I? Can I? Do you think I?). Instead, physical and social sciences, composition, and the like. Grate-
questions should be indicative of a mind already made up
with a simple inquiry of Where do I get started?
About the Author
Dora Baldwin is a graduate student of Cal-
ifornia State University, San Bernardino,
where she is pursuing her Masters of Public
Administration with an emphasis in cyberse-
curity. She is a recipient of the CyberCorps:
Scholarship for Service, which is an academ-
ic program funded by the National Science
Foundation and co-sponsored by the Department of Home-
land Security. After graduation, she aspires to work in the
public sector and specialize in network and computer systems
security. She may be reached at baldwindora@gmail.com.
Outside Looking In
By Roza Winston ISSA member, Central Ohio
Chapter
T
his is an article detailing the journey of a willing but
inexperienced and unskilled worker attempting to
break into the infosec field.
The road of life twists and turns and no two directions are
ever the same. Yet, our lessons come from the journey, not the
destination. Don Williams, Jr.
Career paths are but journeys, mostly direct ones (i.e., with
the exception of information security, which heretofore was
not a linear path, but one of winding and unfolding byways).
Ask any chief information security officer or any over-worked
infosec practitioner and you will find this to be truemost
arrived in this profession via allied or indirect channels. Some
were industrial engineers or communications specialist, oth-
ers occupied various technology slots, and most learned on
the job.
That, however, is no longer the case. As the field of infor-
mation security matured, and regulations and standards
evolved, formal curricula sprang up to train the masses of as-
piring cyber warriors, as they have been dubbed by higher ed.
Where once those interested in pursuing this field only found
computer science programs, now interested parties can find
specialized degrees in cybersecurity/information security/cy-
ber defense in a number of universities. Here in Ohio alone
there are a number of accredited four-year universities offer-
ing bachelors and masters degrees in information security:
Franklin University in Columbus, Ohio; Wright State in Day-
ton; and Tiffin University in Tiffin, Ohio, no less! Some may
argue the merit of such programs, for they liken the curricula
to be more akin to trade school fare; yet, such grumblings
do not account for the non-traditional student who might be
changing careers, or the accredited liberal arts program in-
corporating the traditional core of requirements: humanities,
fully these programs proliferate, and logically so, if the gap
between supply and demand is to be remedied.
Short of formal education, someone interested in information
security, but either unable or uninterested in pursuing high-
er education, can still amass quite a bit of knowledge, if not
experience, from an abundance of alternative sources: pro-
fessional associations, MOOCS, podcasts, vendors webcasts,
industry journals, white papers, government and consumer
websites, think tanks such as the Brookings Institute3 and
Pew Research,4 YouTube channels, blogs, and the websites of
educational organizations and institutions.
My own introduction to this field and subsequent quest for
knowledge began one day while listening to an NPR show
broadcasting daily out of the American University called the
Kojo Nnamdi Show,5 which is a two-hour magazine show fea-
turing news, politics, and social issues. Yet, it was his lively
Tech Tuesday program, which he hosts on the first Tuesday
of the month, that grabbed my attention. Like many workers
in sedentary occupations looking for an opportunity to break
up the monotony, I happened upon this show quite unexpect-
edly and found it not only informative, but entertaining as
well. With his regular panel of guests from the surrounding
areaChief Futurist Allison Druin from the University of
Maryland; hardware and software consultant Bill Harlow
from Mid Atlantic Consulting; and John Gilroy, Director of
Marketing and Business Development at BLT Global Ven-
turesexploring the myriad ways that technology touches
every aspect of lives, they take what can be a dull topic and of-
ten turn it into shtick, making for a truly engaging show. This
show whetted my appetite for information on this fascinating
field of information security and acted as the launching pad
for further exploration.
Once sparked, my curiosity lead me on a unique journey
where I would pick up, sort out, and assemble bits and often
bytes (had to include that pun) of information from varied
3 www.Brookings.edu.
4 www.pewresearch.org.
5 https://thekojonnamdishow.org.
October 2015 | ISSA Journal 35
Career Paths: How I Got Here | Ashley Schwartau, Dora Baldwin, and Roza Winston
sources: at the SANS Institutes website6 I learned of the 20
Critical Security Controls and worked to memorize as many
as I could. I downloaded security policies and procedures as
a blueprint for any that I might find myself drafting, comb-
ing through their white papers and vendor webcasts. I culled
information about intrusion detections systems such as Snort
and discovered how SEIMs are designed to work. At the US
Cert website,7 I read security bulletins and signed up for
alerts, and at a related government website, OnGuard On-
line,8 I learned the definition of malware, how to secure my
computer, and other cyber safety tips together with the im-
portance of doing so. The National Institute of Standards and
Technology 9 site offered best practices and information relat-
ing to efforts to improve critical infrastructure. The Brook-
ings Institute10 offered up panel discussions on information
security. Open Web Application Security Project11 (OWASP),
Build Security In,12 and the Software Engineering Institute at
Carnegie Mellon University13 all provided training and infor-
mation on secure programming and software assurance. Def-
Con placed videos of their conference on YouTube for view-
ers to learn about forensic detection strategies such as RAM
analysis, and I learned of something called RAM Scraping.
Eli the Computer Guy14 and Professor Messers15 YouTube
channels expanded my knowledge on application ports and
protocols and exfiltration techniques like keylogging. Blog-
gers and journalists at Dark Reading16 discussed the latest
threats and merits of various breach remedies. A number of
states placed their training videos online, most notably those
geared toward Attorney Generals. MOOCS, such as those at
Coursera,17 offered free online learning in disciplines such as
risk management, information security, programming, cryp-
tography, etc.. Finally, ISSA Central Ohio Chapter,18 in its of-
fering of certification classes, provided detailed learning on
each of the ten domains of information security, combined
with monthly meetings and an annual summit that treats
each topic in depth. Representatives from each modality
train, teach, and speak at these events and freely post infor-
mation at their social media sites as well.
I could elaborate more about the enormous about of free
training and education online, in certification books and
classes, and at seminars and workshops, but I have already
provided enough of a cross sampling for you to get the pic-
ture. At each venue, I learned of shady characters (threat ac-
tors) looking to exploit vulnerabilities in networks and sys-
6 https://www.sans.org/.
7 https://www.us-cert.gov/.
8 https://www.onguardonline.gov/.
9 http://www.nist.gov/.
10 http://www.brookings.edu/.
11 https://www.owasp.org.
12 https://buildsecurityin.us-cert.gov/.
13 http://www.sei.cmu.edu/.
14 https://www.youtube.com/user/elithecomputerguy.
15 https://www.youtube.com/user/professormesser.
16 http://www.darkreading.com/.
17 https://www.coursera.org/.
18 http://www.centralohioissa.org/.
36 ISSA Journal | October 2015
tems (threat landscape) and the varied means by which they
do so (threat vectors), but of greater importance I learned the
precautions that I could take, and teach others in my circle to
take, to prevent, or at least lessen the chance of, a breach to my
personal network and of the enterprise system where I work.
Formal training, though decidedly important to human re-
source departments at major corporations and perhaps a ne-
cessity for a comprehensive understanding of the field, need
not be the only avenue toward gaining entry into this field. As
has been demonstrated here, there are untold channels from
which to gain training. With a bit of ingenuity and fortitude
individuals desiring to do so can build a considerable body
of knowledge in the field, which they can then use to gain a
foothold in the door; perhaps not at large established corpo-
rations, but given the severe shortage of skilled workers and
the projection of an ever-widening gap in talentas set forth
in the 2015 (ISC)2 Global Information Security Workforce
Study released by Frost & Sullivan, stating that globally it
is expected that the information security workforce short-
age will reach 1.5 million in five years19surely such an
individual can either find or create an opportunity for one-
self as a consultant, a contractor to very small businesses, a
security software salesperson, or by partnering with a start-
up, or interning with a managed services company, and/or,
alas, volunteering with a non-profit or social service agency
to gain experience. These opportunities abound. My own
such experience to date has been limited to participation in
a few programming projects geared toward children in mid-
dle school, which is an annual event organized by one of the
professional associations to which I belong; the other two in-
stances have been with a small podiatry office that needed ev-
erything from written policies to a vulnerability assessment
and a small communications/tech company.
My paralegal background, combined with the former expe-
rience of working under directors in the heavily-regulated
medical industry, served me well in these circumstances and
underscores the idea that by bringing together past work ex-
perience, particularly if that experience has been in an allied
profession, with newfound knowledge, the aspiring infosec
practitioner can launch a career in cybersecurity, keeping in
mind that technology is no panacea, that information securi-
ty is holistic in nature and requires a myriad of approaches as
well as ongoing training.
Chiefly what I have learned is that the more I learn, the more
there is to know and there are new discoveries and adventures
around the corner.
About the Author
A former paralegal and administrative assis-
tant (an end user personified), Rosa Winston
is an aspiring infosec practitioner. She may be
reached at rzw122@gmail.com.
19 Frost and Sullivan, The 2015 (ISC)2 Global Information Security Workforce Study.
Mountain View, CA: Booz Allen Hamilton, 2015 https://www.isc2cares.org/
uploadedFiles/wwwisc2caresorg/Content/GISWS/FrostSullivan-(ISC)-Global-
Information-Security-Workforce-Study-2015.pdf.
 ISSA Membership Application
Return completed form with payment. * Required Entries

* Name _____________________________________________________ Certifications ___________________________________

* Employer ___________________________________________________ * Email ________________________________________
Job Title ___________________________________________________ * Preferred phone number for receiving calls: (choose one)
* Preferred address for receiving mailing (choose one): n Home n Professional n Home n Mobile n Professional
* Address 1 __________________________________________________ * Phone ________________________________________
Address 2 __________________________________________________ Fax _________________________________________
* City ________________________________ State/Province ___________ * Country ____________ * Zip/Postal Code _____________

In order to obtain personal information and account access over the phone, ISSA Member services will ask your provided security question.
* Security Question:_____________________________________________ * Security Answer: ________________________________
* Only Online Journal: n Yes n No Annual general membership dues of $95 per year include $28 for a one-year subscription to the ISSA Journal.

ISSA Privacy Statement: The ISSA privacy statement is included in the Organization Manual, and is provided for your review at www.issa.org/?PrivacyNotice.

To enable us to better serve your needs, please complete the following

information:
Membership Fees
Your Industry (Select only ONE number from below and enter here) _______________________________
Membership Categories (descriptions on back)
A. Advertising/Marketing J. Engineering/Construction/Architecture S. Manufacturing/Chemical
B. Aerospace K. Financial/Banking/Accounting T. Medicine/Healthcare/Pharm. General Membership: $95 (USD) plus chapter dues
C. Communications L. Government/Military U. Real Estate 2-Year: $185 (USD); 3-Year: $275 (USD); 5-Year: $440 (USD)
D. Computer Services M. Hospitality/Entertainment/Travel V. Retail/Wholesale/Distribution
E. Security N. Information Technologies W. Transportation/Automobiles Government Organizational: $90 (USD) plus chapter dues
F. Consulting O. Insurance X. Energy/Utility/Gas/Electric/Water Student Membership: $30 (USD) plus chapter dues
G. Education P. Internet/ISP/Web
H. Computer Tech-hard/software Q. Media/Publishing Y. Other ___________________ CISO Executive Membership: $995 (USD) plus chapter dues
I. Electronics R. Legal

Your Primary Job Title (Select only ONE number from below and enter here) _________________________ *Membership Category _______________________________
1. Corporate Manager/CIO/CSO/CISO 9. Operations Manager 17. Engineer (See above)
2. IS Manager/Director 10. Operations Specialist 18. Auditor
*Chapter(s) _______________________________________
3. Database Manager, DBA 11. LAN/Network Manager 19. President/Owner/Partner
(Required within 50 miles of local chapter - list on reverse)
4. Database Specialist, Data Administrator 12. LAN/Network Specialist 21. Financial Manager
5. Application Manager 13. Security Specialist 22. Administrator Referring Member & Chapter __________________________
6. Applications Specialist 14. Contingency Planner 23. Educator
ISSA Member Dues (on reverse) $ _______________
7. Systems/Tech Support Manager 15. Sales/Marketing Specialist
24. Other________________
8. Systems Programmer/Tech Support 16. Independent Consultant
Chapter Dues x Years of Membership $ _______________
Your Areas of Expertise (List all that apply) ______________________________________ (on reverse)
A. Security Mgmt Practices E. Security Architecture I. Operations Security Additional Chapter Dues $ _______________
B. Business Continuity/Disaster Recovery F. Applications/Systems Development J. Physical Security (if joining multiple chapters - optional)
C Network Security G. Law/Investigations/Ethics K. Telecommunications Security
D. Access Control Systems/Methods H. Encryption L. Computer Forensics Total Membership Dues $ _______________
ISSA Foundation Donation $ _______________
ISSA Code of Ethics A tax-deductible contribution, as allowed by US tax code, can be
The primary goal of the Information Systems Security Association, Inc. (ISSA) is to promote practices that made in addition to your ISSA Membership Payment. For more infor-
mation on the foundation and its programs, visit www.issaef.org.
will ensure the confidentiality, integrity, and availability of organizational information resources. To achieve
www.ISSAEF.org

this goal, members of the Association must reflect the highest standards of ethical conduct. Therefore, ISSA
Total (dues + ISSA Foundation) $ _______________
has established the following Code of Ethics and requires its observance as a prerequisite for continued
membership and affiliation with the Association. As an applicant for membership and as a member of ISSA, I
have in the past and will in the future: Print out and mail or fax form to:
Perform all professional activities and duties in accordance with all applicable laws and the highest ISSA Headquarters
ethical principles; 12100 Sunset Hills Road, Suite 130, Reston, VA 20190
Promote generally accepted information security current best practices and standards; Fax +1 (703) 435-4390
Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the
Phone +1 (866) 349-5818 www.issa.org
course of professional activities;
Discharge professional responsibilities with diligence and honesty;
Refrain from any activities which might constitute a conflict of interest or otherwise damage the
reputation of employers, the information security profession, or the Association; and You may fill out the form and submit it electronically as an email
Not intentionally injure or impugn the professional reputation of practice of colleagues, clients, or attachment. You will need an email account to send it.
employers.
Submit by EMAIL to: member@issa.org
Signature __________________________________________ Date ______________
ISSA Member Application 01/15
 Risk Radar: Real-World Rogue AV | Ken Dunham
Please check the following:
Membership Categories and Annual Dues Where would you place yourself in your career lifecycle?
General Membership: $95 (USD) plus chapter dues n Executive: CISO, senior scientist, principal or highest level in respective field
Professionals who have as their primary responsibility information systems security in the private n Senior: department manager or 7+ years in respective field
or public sector, or professionals who supply information systems security consulting services to n Mid-Career: 5-7 years with an identified field of security specialty
the private or public sector; or IS Auditors, or IS professionals who have as one of their primary n Entry Level: 1-5 years, generalist
responsibilities information systems security in the private or public sector; Educators, attorneys n Pre-Professional: Student or newcomer exploring the field
and law enforcement officers having a vested interest in information security; or Professionals with
primary responsibility for marketing or supplying security equipment or products. Multi-year mem- The most important aspects of my membership for the current membership
term are:
berships for General Members, are as follows (plus chapter dues each year): 2-Year: $185; 3-Year:
$275; 5-Year: $440. n Build or maintain professional relationships with peers
n Keep up on developments and solutions in cybersecurity, risk or privacy
Government Organizational: $90 (USD) plus chapter dues n Establish a professional development strategy to achieve my individual career goals
This membership offers government agencies the opportunity to purchase membership for an em- n Increase my personal visibility and stature within the profession
ployee. This membership category belongs to the employer and can be transferred as reassign- n Share my knowledge and expertise to advance the field
ments occur. When an employee is assigned to this membership, he or she has all of the rights and n Develop the next generation of cybersecurity professionals
privileges of a General Member.
n Earn CPEs/CPUs to maintain certifications or credentials
Student Membership: $30 (USD) plus chapter dues n Access to products, resources and learning opportunities to enhance job performance
Student members are full-time students in an accredited institution of higher learning. This mem- n Problem solving or unbiased recommendations for products and services from peers
bership class carries the same privileges as that of a General Member except that Student Members n Gain leadership experience
may not vote on Association matters or hold an office on the ISSA International Board. There is no n All n None
restriction against students forming a student chapter.
Most challenging information security issue?
CISO Executive Membership: $995 (USD) plus chapter dues n Governance, risk and compliance
The role of information security executives continues to be defined and redefined as the integration n Securing the mobile workforce and addressing consumerization
of business and technology evolves. While these new positions gain more authority and respon- n Data protection n Application security
sibility, peers must form a collaborative environment to foster knowledge and influence that will n Security and third party vendors n Security awareness
help shape the profession. ISSA recognizes this need and has created the exclusive CISO Execu- n Threat updates n Legal and regulatory trends
tive Membership program to give executives an environment to achieve mutual success. For more
n Endpoint security n Incident response
information about CISO Executive Membership and required membership criteria, please visit the
n Strategy and architecture
CISO website http://ciso.issa.org.
n All n None
Which business skills would be most valuable for your professional growth?
Credit Card Information n Presenting the business case for information security
n Psychology behind effective security awareness training
Choose one: n Visa n MasterCard n American Express n Budgeting and financial management n Business forecasting and planning
n Management and supervisory skills n Legal knowledge
Card # ___________________________________ Exp. Date ____________
n Presentation skills n Negotiation skills
Signature ________________________________ CVV code _____________ n Written and verbal communications
n All n None

ISSA Chapters & Annual Dues Changes/additions visit our website www.issa.org

At-Large ............................ 25
Asia Pacific
Chennai............................... 0
Hong Kong .......................... 0
Philippines ........................ 20
Singapore.......................... 10
Sri Lanka ........................... 10
Sydney ................................ 0
Tokyo ................................ 30
Victorian.............................. 0
Europe, Middle East
& Africa
Brussels European ............ 40
Egypt ................................... 0
France ............................... 00
Irish................................. 155
Israel ................................... 0
Italy ................................... 65
Netherlands ....................... 30
Nordic ................................. 0
Poland................................. 0
Romania .............................. 0
Saudi Arabia........................ 0
Germany............................ 30
Spain................................. 60
Switzerland........................ 80
Turkey ............................... 30
UK ..................................... 0
Latin America
Argentina............................. 0
Barbados ........................... 25
Brasil................................... 5
Chile ................................. 30
Colombia ............................ 5
Ecuador ............................... 0
Lima, Per........................... 5
Puerto Rico ....................... 35
Uruguay .............................. 0
North America
Alamo................................ 20
Alberta............................... 25
Amarillo ............................ 25
ArkLaTex ............................. 0
Baltimore........................... 20
Baton Rouge...................... 25
Blue Ridge......................... 25
Boise ................................. 25
Buffalo Niagara.................. 25
Capitol Of Texas ................ 35
Central Alabama .................. 0
Central Florida .................. 25
Central Indiana .................. 25
Central New York................. 0
Central Ohio ...................... 20
Central Pennsylvania......... 20
Central Plains.................... 30
Central Virginia ................. 25
Charleston......................... 25
Charlotte Metro ................. 30
Chicago............................. 30
Colorado Springs .............. 25
Connecticut ....................... 20
Dayton............................... 25
Delaware Valley ................. 20
Denver............................... 25
Des Moines ....................... 30
East Tennessee .................. 15
Eastern Idaho ...................... 0
Eastern Iowa ........................ 0
Fort Worth ......................... 20
Grand Rapids ...................... 0
Greater Augusta................. 25
Greater Cincinnati ............. 10
Greater Spokane ................ 20
Hampton Roads................. 30
Hawaii ............................... 20
Inland Empire .................... 20
Kansas City ....................... 20
Kentuckiana....................... 35
Kern County ...................... 25
Lansing ............................. 20
Las Vegas.......................... 30
Los Angeles ...................... 20
Madison ............................ 15
Mankato ............................ 20
Melbourne, FL................... 25
Memphis ........................... 30
Metro Atlanta..................... 30
Middle Tennessee ............. 35
Milwaukee ......................... 30
Minnesota ......................... 20
Montana ............................ 25
Montreal.............................. 0
Motor City ......................... 25
Mountaineer ...................... 25
National Capital................. 25
New England ..................... 20
New Hampshire ................. 20
New Jersey ........................ 20
New York Metro................. 55
North Alabama .................. 15
North Dakota ..................... 25
North Oakland ................... 25
North Texas ....................... 20
Northeast Florida............... 30
Northeast Indiana .............. 10
Northeast Ohio .................. 20
Northern New Mexico........ 20
Northern Virginia............... 25
Northwest Arkansas........... 15
Oklahoma .......................... 30
Oklahoma City................... 25
Omaha................................. 0
Orange County .................. 20
Ottawa ............................... 10
Palouse Area ..................... 30
Phoenix ............................. 30
Pittsburgh ......................... 30
Portland ............................ 30
Puget Sound ..................... 20
Quebec City......................... 0
Rainier............................... 20
Raleigh .............................. 25
Rochester .......................... 15
Sacramento Valley............. 20
San Diego ......................... 30
San Francisco ................... 20
SC Midlands ..................... 25
Silicon Valley .................... 30
South Bend, IN (Michiana) .. 25
South Florida .................... 20
South Texas....................... 30
Southeast Arizona ............. 20
Southern Indiana ............... 20
Southern Maine................. 20
Southern Tier of NY............. 0
St. Louis............................ 20
Tampa Bay......................... 20
Tech Valley Of New York.... 35
Texas Gulf Coast ............... 30
Toronto.............................. 20
Tri-Cities ........................... 20
Triad of NC ........................ 25
Tucson, AZ ........................ 10
Upstate SC .......................... 0
Utah .................................. 15
Vancouver ......................... 20
Ventura, CA ....................... 30
West Texas ........................ 30
Yorktown ........................... 30
ISSA Member Application 01/15
 HIDE OR

SEEKTRACK, PURSUE, AND NEUTRALIZE THREATS.

The longer threats remain undetected, the more damaging they become.
Take control of your information and fight threats on your terms. Its time
to start advancing security. Take the next step at symantec.com

Copyright 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or
its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

October 2015 | ISSA Journal 39