With a strong concept of learning at this year’s Infosecurity Europe in London, Infosecurity took the opportunity to meet with the Institute of Information Security Professionals (IISP) general manager Amanda Finch to discuss its intentions on educating and training cybersecurity professionals.
Finch told Infosecurity that IISP began as a group of people who saw a need to accredit people for the profession and to represent the industry's people. While there are certifications, she said, they do not prove that you could do the job.
“We work with individuals to help them with their career development and work with organizations to help them create teams and improve their ability. We also work with academia to bring people into the community and link them up in the community, we accredit training and we work with government as well,” she said.
At the heart of this is the IISP skills framework, which saw a recent revision to include new skills groups for threat intelligence and assessment, threat modelling, cyber resilience, penetration testing and intrusion detection and analysis, as well as incident management, investigation and response, while also expanding the roles of enterprise and technical security architecture and redefining the skills profile for audit, compliance and testing.
Finch said that the original version was created ten years ago, and as well as new technologies, it has also simplified accreditation. “We use it to accredit people and we accredit people so they can evidence their capability and what we are interested in is competency; we like people to have CISSPs and Masters and training in courses, but until people have used that in action you can’t really call yourself a security professional,” she said.
“So what we get people to do is show evidence that they have applied that knowledge and those skills in the workplace and display evidence in ten areas which is reviewed by someone who has gone through the process at a senior level, so it is done through peer review. If it is junior level, it is done by associates but if it is a full member or fellow, then there is an interview process which is then overseen by a committee, so it's really robust.”
The new IISP framework also puts more focus on management, leadership and influence, business skills and communication and knowledge sharing. The four defined competency levels have also been expanded to six – two based on knowledge and four on measuring practical experience.
Finch, who previously ran the security team at M&S said that she learned on the job. Considering the relatively immature status of the cybersecurity professional, Finch said that is why new skills accreditation is needed. “We put a lot of thought into the framework as we wanted to have something that represented all of the varieties and disciplines as we need to have a lexicon of terms and something we can all adhere,” she said.
Finch said that the skills framework allows the various disciplines to be seen, and ‘it goes through the logical life-cycle of security’, particularly as people get deep-dive sets of skills. “This will form part of the IISP Knowledge Framework that will sit alongside the skills framework and define what knowledge people should have at the lower end of capabilities. We are not building a body of knowledge like the NCSC are, ours is a framework that will help employers and individuals know what is needed at what level.”
The skills and frameworks are there, but Infosecurity asked if there is enough opportunity to learn in this industry as people are looking for answers. Finch said that in terms of learning, it is really tough as there is a lot of material out there and it is hard to know where attention is being focused. So the IISP is approving training courses and it is referred back to the framework.
She said: “It is like any market, there is a lot of stuff out there and a lot of rubbish training. I believe that in this role you have to be continually learning, have an open mind as to where you get your information and have a clear idea of what you are wanting to learn about. I think a lot of people are getting more sophisticated about demonstrating what they know about their area.
“We say to people to point to where they think they are on the skills framework now and where they want to be in four years’ time, and what appropriate courses they need to look at to get on that journey and keep an eye on the reports and surveys on skills shortages. Really it is your career, and you’ve got to think about where you want to be and what makes you happy and you need to work out your career route and how you’re going to get there.”
Version 2.1 is now published and available free through the IISP website to members and to non-members on application.