Beyond ACORN: Cracking the infosec skills nut


[Blog post] Could the Government's cybercrime focus be a catalyst for change?

The federal government is working hard to convince us it is doing everything it can to prepare Australia against the persistent threat of cybercrime.

But just as important as overt displays of this new-found infosec focus is building and recognising the skilled professionals that will be critical to our future cyber defences.

Last month Minister for Justice Michael Keenan announced a new national policing initiative, dubbed ACORN (the Australian Cybercrime Online Reporting Network).

The network allows members of the public to report cyber crimes that may have affected them or their businesses, while also acting as a shop front for the federal government to proffer advice and guidance to the public on dealing with and defending against cybercrimes.

ACORN is the latest initiative to emerge from last year’s National Plan to Combat Cybercrime, published by the Attorney-General’s Department, which also identified the need to push cyber security awareness to the general public via three useful websites:, and

Later in November, Prime Minister Tony Abbott used the official opening of the Australian Cyber Security Centre in Canberra to announce another review of Australia’s cyber security strategy (the last one was in 2008), setting expectations that Canberra will soon lay down a strategy to raise the national cyber security readiness level to be equivalent to that of the UK, US, France and New Zealand.

All this strategic planning by the federal government comes as music to the ears of information security professionals.

But to make this security stance work, the professional community needs to respond to demand for quality services. These kinds of government initiatives should become the catalyst for change that the security profession in Australia needs.

Britain has already set a stellar model that Australia’s industry groups could adopt to work together and a certification framework that will reward skills and experience in the sector.

In the UK, the Institute for Information Security Professionals (IISP) works closely with the British Computer Society (BCS) and has established role definitions for the security profession that apply both in government and private sectors.

These roles are aligned with the Skills for the Information Age (SFIA) framework, which means that professional information security roles should be transferrable between any countries that also adopt SFIA (like we do here in Australia).

The IISP skills framework has actually extended SFIA to be completely information security focused, which allows experience and qualifications (academic and professional) to align with these defined roles so the IISP can then attest to an individual’s capability through a tiered approach to membership.

To become a full member, security professionals have to submit a detailed application, including references and a CV, and even sit an interview. The IISP is therefore adding a lot of value to security professionals’ careers, because employers know for a fact that when they hire an IISP-accredited lead security architect, their quality is assured.

The BCS acts as a certification body for training vendors providing courses against their plethora of information security syllabus materials, and these qualifications are recognised by both IISP and the UK government’s national technical authority for information security, the division of GCHQ called CESG.

Security professionals can choose with whom they align and what certifications suit them, but if they claim to be a lead security architect, they need to prove it through their number of years of working in the field, a certain mixture of experience and training, and they need to convince the panel of peers they are fit to do the job.

BCS acts as the certification body for information security examinations, as well as the accreditation body for training companies that provide courses to match their syllabi. This gives security professionals a level of assurance that their investment in certification is of value in both the private and public sectors, and is relevant to their professional membership of the IISP.

To become a government-accredited security professional, both BCS and IISP serve as conduits to entering CESG’s CCP scheme.

In Australia, we have equivalents for all of these organisations, but we don’t have the joined-up approach that has emerged in the UK.

The Australian Computer Society could act as the certification authority for information security exams. It would also be possible for the ACS to offer a certification path that leads into an Australian Signals Directorate (ASD) security career.

The Australian Information Security Association (AISA) is Australia’s closest equivalent to the IISP.

As the professional body for security professionals in Australia, having AISA assume a more proactive role in helping manage the careers of information security professionals would do a great deal to nurture the quality of this profession.

Providing a consolidated set of role definitions for industry - especially hiring managers in companies - would be the logical next step.

Joining up with ACS, AISA could do great things like promoting the industry, career paths and creating competition in the training market, which will ultimately make Australia a safer and more secure place to be in cyberspace.

Many countries around the world are in a much better position than Australia to provide support for the information security professional in today’s threat environment.

The Prime Minister’s announcement of the review of cybersecurity strategy is a good first step, but we need the rest of the security community to break down the walls, join forces and help underpin any government strategy.

Maybe in three years’ time we’ll be connected using the same frameworks used in other nations, so that we can hire from France, New Zealand, the UK or US, knowing that the lead security architect flying in from overseas has exactly the same levels of skills and experience as if we hired locally. This may be a pipedream but it’s not beyond the realm of possibility.

Tony Campbell is a security professional and a trainer and course author in information security architecture principles. He has worked for the British Computer Society in the past and is a current member of AISA.

Tony Campbell
Tony Campbell has been a technology and security professional for over two decades, during which time he has worked on dozens of large-scale enterprise security projects, published technical books and worked as a technical editor for Apress Inc.

He was the co-founder of Digital Forensics Magazine prior to developing security training courses for infosec skills.

He now lives and works in Perth, where he maintains a security consulting role with Kinetic IT while continuing to develop training material and working on fiction in his limited spare time.

Read more from this blog: Unpatched
