The Security Interviews: ISC2’s Clar Rosso on cyber diversity and policy
Computer Weekly catches up with ISC2 CEO Clar Rosso to talk about diversifying the cyber workforce and supporting cyber pros as they keep up with growing compliance and security policy demands
A little over a year after expanding a successful UK-based cyber professional certification pilot globally, with the goal of creating a million new security professionals, security training and certification specialist ISC2 says it is beginning to see some early impacts, and CEO Clar Rosso is hopeful of going further still.
The One Million Certified in Cyber Security programme offers free access to ISC2’s online, self-guided, entry-level course and the subsequent exam, which covers the basic principles of security including business continuity, disaster recovery and incident response, access control concepts, network security and security operations practice.
It is open to anybody wishing to expand their skills – and opportunities – in cyber, and focuses particularly on those working in, or who wish to work in, the small to medium-sized enterprise (SME) sector.
According to Rosso, ISC2 – which was known as (ISC)² until a few months ago – believes organisations that focus on developing entry-level security professionals will ultimately be better placed to accelerate the invaluable hands-on training those staff need to kickstart their careers.
And, incidentally, the decision to change the name by dropping the parentheses and upscaling the 2 may be helping elevate the profile of the organisation’s programme, she says.
Sitting down with Computer Weekly at an ISC2 seminar in London, Rosso says the rebrand came down to several factors, including a desire to change the focus of the now 35-year-old organisation, but also to enhance its accessibility in certain markets in the global south, where the extra punctuation was proving somewhat problematic.
A boost to cyber diversity
Indeed, at the time of writing, those working in markets in the global south have been the most eager to avail themselves of the One Million Certified programme. The US and UK are the first and third largest markets, respectively, and in between them sits India.
“One thing that has been interesting is that in emerging markets, this has been a big door-opener,” she says. “People have been saying it’s helping them get their feet in the door, and save money for whatever comes next.”
The scheme has so far seen 300,000 people begin their learning journey, about 75,000 of whom have sat their exams and 32,000 have become certified. Rosso is clearly pleased with the impact she has observed so far.
Right now, the ISC2 team is in the process of a data discovery exercise to find out more about who these individuals are and what they are doing after becoming certified. Rosso has already discovered that in developed markets such as the UK, there has been a significant increase in the percentage of people of colour taking its courses.
“In emerging markets, [the One Million Certified in Cyber Security programme] has been a big door-opener. It’s helping [people] get their feet in the door, and save money for whatever comes next”
Clar Rosso, ISC2
But in other areas, there is still work to be done. “On the gender side, compared to our overall membership it’s good, but we’re still not getting past some barriers,” says Rosso. “Approximately 12% of ISC2 members are women, and it’s getting closer to 25% on the programme, but that’s not good enough.
“There are barriers that we know about – among them being individuals without access to mentors from their peer group. And qualitatively we know that because of the rigour of ISC2 exams, people can be nervous about taking them, which seems to be the case no matter what, but seems to be more the case with women,” she says.
What can be done to tackle this nervousness? Rosso sat the entry-level exam herself and says she was confident in her abilities, having passed similar tests before, but confesses herself “amazed” at how worried the other candidates she met at the Pearson VUE test centre were.
“The stress is real, so we’ve introduced, to test this theory, an exam peace of mind package, where you can buy one exam and, for a lower price, get a retake, which has been massively successful. There are people who understand they may fail the first time, but if they’re not on the hook for $700-plus on the second go, they’re more inclined to stick with it,” she says.
“There are also exam readiness webinars, where people can ask last-minute questions, [and] we’re looking at starting a series of virtual mentoring groups to help. We [also] see in our chapters mutual aid networks of exam support developing too.”
“We are going to work with employers to implement best practices for recruiting, advancement and retention, but probably most specifically creating an inclusive environment in the workplace that will make women want to stay”
Clar Rosso, ISC2
Where have all the women gone?
Rosso – a former journalist and educator who transitioned into the world of accountancy before taking the reins at ISC2 in 2020 – acknowledges that more work needs to be done on getting women through the door by helping them to feel comfortable and confident in their abilities, but she is also concerned that not enough is being done to get them to stay in cyber.
Security initiatives targeting girls, teenagers and young women are all well and good, she says, “but generally, by the age of 35, most women have left the field”.
And no, she adds in response to the sadly obvious follow-on question, it’s not simply a case of people taking parental leave, because they’re not coming back.
“It doesn’t seem to be kid-related. Parenthood is not a factor,” she observes. “Those who do stay often talk about the cultural environment, so we’re looking at tackling that directly.
“We are going to work with employers to implement best practices within their organisations for recruiting, advancement and retention, but probably most specifically creating an inclusive environment in the workplace that will make women want to stay.”
Rosso says she was surprised by elements of both sets of regulations, notably very tight incident reporting timeframes mandated by the SEC, which have been the subject of much debate across the Atlantic. Similar concerns have been raised around the CRA, to which UK-based organisations will have to submit if they wish to work in the EU, regardless of Brexit.
“We need a more global set of standards and harmonisation,” says Rosso. “Different regulators do look to each other, and they try to follow one another’s leads, but as a professional association with over 500,000 members, we have to help provide the voice of the professional.”
“We are moving from a model where the consumer or the user bears the burden of security to those who best have the ability to handle it, which means the developers and the companies that are selling the software”
Clar Rosso, ISC2
One of the things Rosso believes all organisations would find valuable is if their C-suites and boards had a better understanding of cyber risk and how to evaluate that to begin with. She cites recent ISC2 research – conducted in the US only but likely of global relevance – which found that 88% of directors in the US were essentially illiterate when it came to cyber security.
“This could make a real difference,” she says. “I know from my time in financial services that board members with financial expertise are beneficial because they execute at a totally different level. It’s exactly the same for cyber.”
A second theme she picks out, which again relates to compliance, is the growing complexity of third-party risk management, supply chain security and security-by-design, all of which interrelate in some way as a risk magnifier for organisations. This is being thought about and tackled in both the UK – which has done world-leading work on this topic – and the EU, but, says Rosso, “nobody has an answer”.
“The overall theme that resonates everywhere is we are moving from a model where the consumer or the user bears the burden of security to those who best have the ability to handle it bearing the burden, which means the developers and the companies that are selling the software,” she says.
Rosso believes the next couple of years will be pivotal for such cyber policymaking, driven by the high-profile nature of threats and the near inevitability of experiencing some form of cyber attack, whether successful or not.
“I would pull that up a level and say it’s actually simple awareness that cyber is a national security and an economic security issue, and that’s why it can’t be ignored anymore,” she says.
Read more Computer Weekly Security Interviews
In a world of information sharing and 24-hour news cycles, the Defence and Security Media Advisory Committee has to balance national security and data privacy with freedom of the press.
There is growing demand for offensive security testing, but it needs a multi-layered skillset that can be hard to quantify. Bishop Fox’s CEO and co-founder explains why and shares some potential mitigation strategies.
