Interview with David Shearer, CEO of (ISC)²


david-shearerName: David Shearer
Bio: David Shearer is the CEO of international cybersecurity certification organisation, (ISC)².

ASM: It’s been an interesting year in terms of cybersecurity – what have been the highlights for (ISC)²?

DS: It’s also been an interesting year for (ISC)². In 2016, cybersecurity has been increasingly regarded as a strategic international issue affecting all levels of society. By the year 2020, the number of networked devices (the internet of things) will outnumber people by six to one, transforming current conceptions of the internet. (Source: UN, ―Comprehensive study on cybercrime, UNODC, Vienna, 2013.) As mobile data usage and traffic has been increasing rapidly and substantially, faster than prevention technology – cybersecurity measures and policies, countries worldwide are at a higher risk of facing information security challenges more than ever before. Talent capacity building has been one of the most discussed topics in the global arena. No matter where I travelled this year—the Americas, Europe, Asia—I heard the term ‘talent capacity building’ in almost all discussion forums.

(ISC)² members remain at the forefront of cybersecurity, and since 2004, our Global Information Security Workforce Study continues to validate this significant talent shortage. Our members are overworked based on the limited number of qualified people in the workforce and consequently, many are falling behind in their duties. This is compounded by the lack of new people entering the profession. In addition, our members are increasingly involved in a range of audits that consume significant amounts of time, at the expense of operational cybersecurity requirements and responsibilities.

In 2016, we have tried to address the workforce shortage by speaking with various government agencies about how (ISC)² can collaborate with them to enhance the quality of the cybersecurity workforce and increase the numbers in the professional pipeline. Our recent signing of a memorandum of understanding (MOU) with Cyber Security Agency of Singapore (CSA) is one of those moves. The MOU allows CSA and (ISC)² to increase public cybersecurity awareness, and complement existing efforts in the development and maintenance of the cybersecurity competency framework in Singapore.

Details: &

At the same time, we asked our global regional offices to expand our International Academic Program (IAP) to a network of university partners, to provide them with access to the professional knowledge maintained by (ISC)²’s Common Body of Knowledge (CBK®) so that their graduates will be equipped with much-needed cybersecurity skills. We also advise the course designers and course accreditors to help them embed cybersecurity into degree modules and associated syllabi.

The Associate of (ISC)² program has been instrumental in helping over 15,000 people become full members since 2009. Our associate program provides a career path for individuals that do not have the requisite experience requirements, but are able to pass one of our rigorous exams. For example, the CISSP requires 5 years of experience, but an Associate of (ISC)² has six years to get the required experience. By using the (ISC)² digital badge, our Associates can validate that they passed our exam, and are progressing toward certification. Employers can look to Associates of (ISC)² as a way of building talent capacity by giving our Associates a chance to get the required experience while growing with their organizations.

At (ISC)² we believe that when it comes to cybersecurity, we need to look after the most vulnerable members of society – children and seniors – and do everything we can to ensure their safety. We’re trying to reach young hearts and minds through our Safe and Secure Online program, and we have engaged Garfield as our ‘spokes-cat’ to leverage the awareness programs to show young children that cybersecurity is an exciting field. Garfield and Friends brings international recognition to (ISC)²’s program for cyber security education for children.

ASM: How have the new services that have come online this year been received by your members?

DS: In 2016 we focused on increasing member benefits, including forming strategic partnerships with industry to help position our members for success.

We recognize that many of our members struggle to have the right level of staff, and they seldom have all the tools they need, like Security Information and Event Management (SIEM) technologies. Some of our members tell us they spend more time chasing vulnerability information and normalizing all the data, instead of actually patching and remediating vulnerabilities. For these members, we teamed up with Cytenna to bring Vulnerability Central to our members at no cost. Vulnerability Central empowers members to spend less time researching and normalizing vulnerability data and more time on targeted vulnerability remediation.

In addition, we partnered with the Institute for Applied Network Security (IANS), providing members access to their CISO Impact Diagnostics. We have a partnership with UCF and their Common Controls Hub, which helps our members make sense of more than 90,000 individual mandates from 800-plus laws and standards around the globe. We also are trying to help our members have more business-based discussion about the value of cyber, information, software and infrastructure security through partnerships with PivotPoint and their CyVar product that focuses on cyber risk valuation. We also have a partnership with RiskLens for discounted FAIR training and discounts on their tools that are based on the open FAIR standard.

We want the customer experience from candidate to member to be outstanding and continually improving. An endorsement process that is too convoluted and takes too long to complete does not provide a candidate on the path to membership with a great experience. We have just deployed a new online endorsement process that has cut the processing time by 49%, and we’re going to continue to look at other ways to improve our business processes to the betterment of our members.

Earlier this year we issued digital badges to our members. Digital badges make it convenient for employers and recruiters to validate the status of our members. It also helps members promote their competencies and capabilities to current and potential employers.

ASM: The cyber security skills gap seems to be in the news every week. What measures need to be taken in government and industry to address this?

DS: At (ISC)² our position has always been that cybersecurity is a global problem that requires a global response. Governments can absolutely play a key role in cybersecurity initiatives, such as security intelligence sharing and technology innovation transfers to the private sector. Governments have the ability to become security innovation centres and help move industry to new levels, but their role in their own intelligence-gathering efforts hold back the good it can do for its citizens. Legislative branches also wield the power to compel organizations to meet standards and set mandates for incident response and consumer protections. While indirectly affecting security, these actions help organizations quantify and address security risks lest they incur direct government intervention.

From a talent perspective, governments are struggling more than most because private industry is recruiting heavily and poaching government security staff faster than they can be replaced. Thus, governments have a large stake in developing methods to expand pipelines for security talent through academic partnerships and public-private ventures.

ASM: In some countries around the world, the idea of establishing information security as a regulated and governed profession has been mooted; what’s going on in the US and what are the views of (ISC)²?

DS: While cybersecurity is an international issue affecting all levels of society, we do not see a move towards licensure in the United States. However, we see there is a trend for compilation of a national competency framework and organizations are mapping towards that framework. For example, the DOD 8570 directive is mapped against the National Cybersecurity Workforce Framework (aka the NICE Framework) by NIST.

In the U.S., Department of Defense (DoD) 8570 directive was published in 2005 to address the concern of unqualified personnel performing very critical cyber functions. DoD 8570 directive requires its information assurance (IA) workers to obtain a commercial certification that has been accredited by ANSI or equivalent authorized body under the global ISO/IEC 17024 standard. This DoD-wide policy was made official in August 2004 and approved for implementation in December 2005. ISO/IEC 17024 establishes a global benchmark for the certification of personnel.

(ISC)2 was the first organization within the information technology sector to earn ISO/IEC 17024 accreditation for personnel certification for the CISSP. Now the SSCP, CAP, CSSLP, CISSP-ISSAP, ISSEP, ISSMP certifications have also been approved to the ISO/IEC Standard 17024.

In Asia, the National Infocomm Competency Framework (NICF), developed by IMDA and SkillsFuture in Singapore in close collaboration with the infocomm industry, is a national infocomm roadmap that articulates the competency requirements of key Infocomm professionals. Infocomm professionals and employers can leverage the NICF to determine the types of skills and competencies required for various infocomm jobs and to develop training strategies for the professionals to acquire these skills through accredited training providers. The NICF is an open system which allows international certifications and which also promotes knowledge exchange. CISSP, CSSLP and CCSP mapping to NICF has been approved.

Over the years we have witnessed many efforts by governments to create local standards or certifications for security professionals. We have advocated against this because while there may be good intentions, carrying the burden of maintaining these types of programs can be a drag on the government and programs can quickly become out-of-date or take a myopic approach to be valuable. (ISC)² spends a great deal of time and energy maintaining the body of knowledge on which our certifications are based, and we maintain an international cadre of experts to help keep them up-to-date. The body of knowledge we create transcends borders and is a great place to build from when it is applied to our certifications or even academic security curriculum.

ASM: Looking forward, what are your tactical and strategic aims for the next 12 months and the next 3 years?

DS:(ISC)² has begun a modernization initiative called the Digital End-to-End (DETE) program. In the next 12 months, the DETE program will be transforming the way (ISC)² does business. DETE will provide (ISC)² a single pane of glass and cross-functional business information to leverage analytics for comprehensive customer insights to provide more meaningful experiences and uncover new opportunities. I don’t want to give too much away about the program, as we will be announcing it next year.

Over the course of the next three years, you will see marked changes in (ISC)² as our DETE Program provides the business enablement we’ve needed to better serve our members and the profession. This will be in the form of better CPE opportunities, with immersion training focused on specific topics critical to keeping our members at the top of their game. (ISC)² will be better able to leverage one of our most valuable assets, the brain trust of our membership, that’s constantly gaining more experience and innovating solutions to handle the seemingly ever-expanding threat landscape. As our membership continues to grow, (ISC)² needs to find new ways to deliver value to our members. We’ll continue to explore business partnerships that can help advance the profession and best serve our hardworking members.

ASM: If you had one minute to tell kids about the information security industry as a career option, what would you say?

DS: I want to encourage more young people, especially young women, to join our profession. Women are fantastic performers in this profession. I have seen it first-hand. The industry needs young people from both genders and from all walks of life, races and backgrounds. Problems are best solved with diverse teams. Cybersecurity is going to continue to grow in importance. Books like Ted Koppel’s “Lights Out” that highlight the risks related to major cyberattacks will continue to raise awareness. Let’s just hope the global cybersecurity workforce can thwart such an attack. We need bright minds to join the team of good guys and gals trying to counter the growing number of bad actors.