Invest in Your Career: Pat Myers, Chair of (ISC)2
In an exclusive interview, Pat Myers, chair of (ISC)2, discusses:
An (ISC)² Board member since 1999, Myers has more than 23 years' experience in all facets of information security, working extensively in financial services for such companies as Charles Schwab, Inc., Wells Fargo Bank, American Express, and Williams-Sonoma, Inc. She was previously a Director with RedSiren and was "CyberDean" of their Information Security University. She served as Chairperson and President of the ISSA International Board of Directors and held numerous other international and chapter board positions prior to serving as ISSA's International President.
TOM FIELD: Hi. This is Tom Field, Editorial Director with Information Security Media Group. We are privileged today to be speaking with Pat Myers, Chair of (ISC)2. Pat, thanks so much for joining me today.
PAT MYERS: Thanks, Tom. I appreciate the invitation.
FIELD: Boy, there's so much to talk about, but I guess we'll start out with just some of the risks and the concerns. What would you say right now are the top risks and security concerns when you're looking at both the public and the private sectors in general, and financial services in particular? I guess that's where the headlines have been of late.
MYERS: You're right, Tom. You know, the continuum of hardware and software vulnerabilities that have been exploited by criminals to steal passwords and data is certainly a concern, especially with the most recently announced vulnerabilities of our two large software vendors, I'm sure you read about them.
The vulnerability of data also held on mobile devices is having much of the same vulnerabilities as laptops - it's a big concern. We have users downloading everything under the sun. But without the advanced defense mechanisms of the anti-spyware and the next generation of malware for the handheld and mobile devices.
FIELD: Pat, looking around, what impact do you see felt in information security because of the economic conditions we are all facing?
MYERS: Well, there's so much to be said on that front. There have been some recent surveys, some large organizations, and organizations are spending perhaps 60% less than prior years, 40% of the other survey recipients basically said that their spending is flat. So, security projects, you know, they are maybe not being cancelled altogether, but they are being delayed from quarter to quarter. On the unemployment front, you know, all we have to do is pick up The LA Times, which reported 697,000 jobs lost - of course some of those are in the security area. Every day, it seems like, the newspaper validates that companies are downsizing and that .... This isn't just happening in the banking industry, of course, or in the areas where people got bailouts. All industries that are suffering from a lack of consumer spending, that have impacted their revenues, and are being impacted by the human resource pressures, if you want to put it that way.
As a result of the high unemployment, of course, it's become a buyer's market for employers who are looking to rehire individuals who have left their companies. So, they have a huge resume pool to select from. They can pick exactly the kind of people that they want, and so, you know, security people are in the same situation as everyone else. I think what we are seeing is in some companies, the pay rates have kind of dropped, and in other areas, companies are coming up with more "work at home" positions so that they can cut back on costly facilities. Having said that, due to the regulations that banks and other companies have, compliance is still going to be something that is on their minds, they're not going to sacrifice it totally. And this is certainly a time when security needs to be strong, and in fact, companies really require more security, and not less, in tough times.
FIELD: Now, what have you found to be the impact on awareness and training? Because the fear is always that in tough times, the training budget is always the first one that people look at.
MYERS: You're absolutely right. I think what we are finding in the training area is that what is happening is that people are allowing their employees to do more local types of training, in terms of their own security employees. As far as the awareness, I think what's happening is that there is still awareness; they're just not spending as much money as they would have. You know, I worked in awareness and training almost my entire career in security, and I've gone from having no money to spend on awareness, where you had to really come up with something really creative and imaginative, to having fairly large budgets, where you had the luxury of being able to produce very high quality, attractive materials for awareness and training.
FIELD: Now, from your vantage point, Pat, what do you see as, so far, being the top risk management and security issues that really are affecting people in 2009?
MYERS: Well, you know, I think a big risk is still to the potential of compromise of a company's intellectual property, customer information, which really can be viewed as the world's gold and silver and diamonds. You know? It's the most value that a company has. So, companies really need to be cognizant, also, of employee behavior during difficult economic times. You know, actions such as layoffs and lack of bonuses and pay increases can prompt people to do things that they wouldn't ordinarily do under good economic times. So, we need to be vigilant. So, there is a risk there to the company and its data. You know, the consequences of failing to mitigate data risks and the infrastructure is everywhere. You'll see, it comes out in identity theft, theft of credit card information, and these things continue to be in the forefront of the news. You may have read the recent report that said 9.9 million U.S. residents were victims of identity theft last year. You know, that is a 22% increase. And, the average cost of such an incident is up to $6.6 million.
FIELD: I know, it's scary stuff.
MYERS: Yes, it is. And, finally, you know, we really must continually assess the business practices and processes that we depend on to secure our data. Security must continue to be an integral part of the fabric of a company, even in downtimes. You know, employees are still your first line of defense in that area. So, you talked about security awareness and training - we can't let that go - we have to continually give the message. And I think companies, even though they may cut back on that area, they are still going to be doing that, and they are required to do it.
FIELD: You're exactly right. Pat, here's a chance to sort of tout the horn of (ISC)2. Where can banking and government and security leaders, in general, turn for some guidance and some best practices, in trying to tackle some of these challenges?
MYERS: Well, you know, Tom, there are so many places, many of them free. For example, there is a code called the "Standards of Good Practice," that you can download for free on the website of the Information Security Forum, the ISF. There are a number of high level security organizations that many Fortune 500 companies belong to. There are membership organizations they can turn to for intelligence on how to best address their security threats, and advice on information assurance best practices. The I4, which is International Information Integrity Institute, is out there. But, you know, you don't have to belong to the higher level organizations, either. ISA has a forum for Chief Security Officers, and there are many bodies of standards that you can look to, the PCI data security standards are out there. COSO [ph] the [indiscernible], you know, mentioning the ISO 27001. There's just so many places you can go to look for best practices.
FIELD: Now, in terms of training and awareness, one of the big challenges has been educating board members and C-level executives, especially at banks, on risk management and security best practices. What have you found to be effective in reaching the board and senior management?
MYERS: Well, you know, Tom, what I've seen in some of the very larger companies is that they have created a security and business risk council, which is comprised of the business leaders, governance leaders, legal, human resources, and audit compliance. So, this is a high level group that essentially provides advice and input to the CEO or the CFO on company risk and best practices. Alternatively, you know, you can certainly put a Chief Security Officer in the boardroom to give advice to the EVPs. Usually, only the largest companies have high level executives in security. Usually, they reach the position of Senior Vice President. I don't quite see too many that are at the EVP level, but certainly, with the convergence of data security and physical security, that is a potential for the future.
FIELD: Now, what do you find in government? Do you find that when you get to the senior levels, that there needs to be the same effort put together to educate senior leaders in government agencies, for instance?
MYERS: Absolutely. You know, I don't think they're any different than the private sector. There are a lot of government mandates, though, that have helped kind of spread the word at the higher levels of government. For example, our new Executive Director was a CIO of the Department of Interior. So, that tells us a lot.
FIELD: Sure. Now, through our security, we talked about this being a good market for security professionals, but the employers do have sort of the pick of the litter, if they want to. What should security professionals be doing now to really invest in and protect their careers?
MYERS: Well, you know, if you're protecting your company's data, then the second part really comes automatically, because you are investing in your career. My advice is to spread the responsibility around, and that is, as I mentioned, including something like a risk council. Be sure that you essentially document all of the, either the recommendations on your company's vulnerabilities, you know, and it certainly doesn't hurt to keep your resume up to date, either.
FIELD: Sure. What do you find differentiates a candidate in times like these, when there are so many applicants for a single job, even? What really stands out on a resume?
MYERS: You will see that job requirements today are preferred or required certifications. And they usually list what they are. So, they are looking for people who have a track record, and have experience, and they also have a certification. There are so many new certifications that have come about in the last few years, and concentrations in management, architecture, engineering. So, they are looking to pigeonhole, you know, specific skill sets that individuals have in the security area.
FIELD: You know, at (ISC)2, you've offered some new certification programs of late, haven't you?
MYERS: That's correct. We have just recently launched a certification for the Software Security Lifecycle Professional, the CSFLP, and we are in the process of now reviewing individuals who already have experience in this area that wish to get this certification, and we are very excited about it, because there is a terrific response already to this certification, around the globe. It is something that has been needed. As we started out our conversation, I talked to you about software vulnerabilities, and this particular certification goes direct to that problem.
FIELD: Right. Now, one last question for you, Pat. If you were going to offer advice to professionals, either looking to start a career in information security, or maybe they're mature in a career and want to switch into information security, what would you advise them?
MYERS: Well, they are two different questions. First of all, if you're not in the profession, and you want to start looking at going into the profession, I would suggest that you, first of all, start training yourself. You can do this, there are so many free courses out there, the web is full of information, that you review something like the common body of knowledge, which the profession uses to talk to each other about security, 10 different domains, and that sort of thing. So, get yourself familiar with the lingo, the language, the concepts of security. There are many IT jobs that have, as a side security function. A part of their job is, maybe not mainly security, but includes some security. So I would start out in that area. You know that in order to get one of our (ISC)2 certifications that you do have to have experience in the field. So, the more experience you can start out with, then the easier you are going to get your credentials a little bit later. Now, if you're already in the security field, then I suggest you consider advancing your career by looking at one of the other certifications, the concentrations that we have talked about already. And if you are in the career, and you find yourself out of a job, maybe if you have the luxury, you should step back and reboot yourself, by evaluating your career goals and objectives, and determining what is the next credential that you might need to look at for getting the few jobs that you already mentioned that are out there for the highly skilled.
FIELD: Pat, that's great insight, and I do appreciate you taking time to share some of your thoughts with us today.
MYERS: Well, thank you, Tom. I certainly appreciate being with you today.
FIELD: We've been talking with Pat Myers, Chair of (ISC)2. For Information Security Media Group, I'm Tom Field. Thank you very much.