Monday, June 23, 2014

Skills development for information security professionals

by Mirko Zorz - Editor in Chief - Monday, 23 June 2014.

In this interview, John Colley, MD for (ISC)2 EMEA, talks about the challenges of his job, discusses critical information security areas, and tackles the future of certification.

What's been your greatest challenge since becoming MD for (ISC)2 EMEA? How have your previous positions prepared you for this role?

I should answer this question in the context of the way information security has changed in the last 10 years. When I joined (ISC)2, information security was seen very much as a niche area, and the importance of professional qualifications wasn’t recognized widely. I suppose information security was a relatively new discipline then, which made it difficult for people to assess its potential or how much investment was required not just for technology, but also from a ‘people’ standpoint.

My biggest challenge and focus was to put the ‘people’ issue on the agenda of CISOs and CSOs; and to get their buy-in on the need to identify, nurture and develop talent in order to create a talent pool of well-rounded, qualified and skilled professionals.

I recollect a discussion at a conference in Prague in 2004 – I was talking to a very senior, internationally recognized CSO about the need for qualifications in the security profession. At the time he simply couldn’t see its importance; however, today he is a great advocate of qualifications and skills development for information security professionals.

Even today, information security is still relatively new when you compare it to IT, but the field is growing fast and qualification is being taken seriously. Today, it is difficult to find a job without a CISSP or equivalent qualification. But I think, from an education and skills development standpoint, a lot more needs to be done still.

My previous roles as Head of Risk Services at Barclays Group and Group CISO at the Royal Bank of Scotland gave me the opportunity to communicate with the security professional community on a peer-to-peer level. This experience has proved valuable and I’ve been able to draw on those relationships to further the skills development cause that is intrinsic to (ISC)2. In fact, the information security community is very well disposed to information and knowledge sharing – this kind of constructive approach benefits the profession as a whole.

Based on what your members report, what areas of information security have emerged as critical this year?

Presently there is a lot of talk about big data and the Internet of Things. In a pervasively ‘connected’ world, getting security right will be critical. This means that security will need to be embedded in products and services from the word ‘go’. Thus far, while there is recognition that more needs to be done to pre-empt insecure software (which is a major cause of security breaches), often security is tacked on at the end. This approach will almost certainly not work with the Internet of Things. In fact, already application vulnerability is a major concern of the information security profession.

In addition to application vulnerabilities, hacktivism, cyber-terrorism and hacking also feature among the list of top security concerns. Security professionals continue to highlight the ongoing skills shortage, saying that it is impacting their organizations' security incident preparedness and the ability to discover and recover from breaches.

How many people does (ISC)2 certify each year? How many of those are employed?

We are unable to provide these statistics. However, I can confidently say that our membership is growing. Today we have nearly 100,000 members globally across 135 countries. In EMEA, we are almost 16,000 strong. When I started my role as MD at (ISC)2, we had 7000 members; we have more than doubled since.
