Cybersecurity and IT governance professionals who are knowledgeable in their core field, but perhaps unsure how best to apply their skills to AI, blockchain, cloud and IoT now have a new certification course that can teach them the fundamentals of these emerging tech spaces.
ISACA today has announced the launch of its Certified in Emerging Technologies (CET) program, which allows participants to earn individual certificates in any of the four above areas of expertise and then collect all four for a full-fledged program certificate.
“It really depends on what your goals are and where you want your career to go,” said Dustin Brewer, senior director of emerging technologies and innovation at ISACA. Some career paths, like cloud computing, might require knowledge in all four disciplines, he noted, because it’s “one of those technologies that enables all those other technologies.”
This new course is a response to increasing demand for training that will allow professionals to upskill in key emerging technology spaces, helping them open up new career paths. In particular that’s true for cloud training, said Brewer. “It makes sense that that's what they want to look towards. Since the COVID-19 pandemic, the demand has only increased, as “we've seen cloud adoption just skyrocket,” he continued.
The goal of the certification program, said Brewer, is for candidates to gain a “fundamental grasp on the technology itself.” With that basic understanding of the technology, its applications and its inherent risks, the trainees then can take further steps in their education to learn how to more properly secure it.
The course includes self-led training aided by a study guide, virtual instructor-led training, exams and online labs “where we throw you into a live environment where you're actually interacting with some AI tools or you're actually interacting with IoT devices on a network,” said Brewer.
Each of the four disciplines requires its own unique set of skills and knowhow that can help bolster a résumé.
“Simply put, cloud has become the dominant IT system and the pandemic has accelerated cloud transition project timeline,” said Jim Reavis, CEO of the Cloud Security Alliance, which is partnering with ISACA on a separate Certificate of Cloud Auditing Knowledge (CCAK) training and examination program, designed to help professionals demonstrate expertise in auditing the security of cloud systems. “Managers and executives tell us they are looking for more employees with both technical cloud security and cloud assurance skills.”
But knowledge is often is short supply, and there’s a reason for that: “Education tends to trail innovation leading to an inevitable knowledge gap with emerging technologies,” Reavis explained. “Part of the issue with cybersecurity expertise as it relates to cloud computing is scope . Virtually all businesses are either providing or consuming cloud services. However, many technology professionals do not understand the security responsibilities that accrue to customers of cloud.”
Fortunately, the CET program will expose ISACA clients with limited cloud experience to key lessons revealing the advantages and challenges of running a cloud-based infrastructure. On one hand, you will reduce cost and transfer some of your risk to a third party. On the other hand, third-party cloud providers often won’t just let you assess and audit their digital assets the same way you would audit your own internal organization.
“Because you are utilizing infrastructure or software on somebody else’s server that you don't have physical access to, what does that mean for the IT audit community?” said Brewer, in describing the course’s key takeaways. “What does that mean for your cybersecurity and audit departments within your organization? How can they get into those devices? Is that in the service level agreements with the cloud vendor?
Additionally, the coursework reviews four key categories of cloud-based services: software-as-a-service, infrastructure-as-a-service, platform-as-a-service and security-as-a-service, and it also delves into the topic of cloud configuration management, including the importance of responsibly securing data stored online.
John Moor, managing director of the IoT Security Foundation, told SC Media that the IoT product industry suffers from a deficiency in cybersecurity expertise, “and this is backed up by the number of IoT press headlines, which identify a spectrum of issues from poorly designed systems lacking basic security features to more advanced vulnerability issues such as side-channel attacks.”
The world of IoT is a vast one to learn for infosec practitioners, but ultimately it comes down to seeing them tiny computers, said Brewer. “Some of them have outdated software, some of them have outdated drivers, which is why we have this cybersecurity issue that we're all looking at right now,” he said.
With that in mind, the CET course seeks to dissect various IoT devices into key components, including their hardware and processors IoT devices, their communications protocols, and their software, middleware and drivers.
“If you break down an IoT device, which is what we do, these are these are all possible attack vectors for somebody,” said Brewer. “If it's a physical attack, then we're talking about what's going on with chipset, or what's going on with the proximal access or physical access to the device. If it's remote access, how does it connect to the internet? Is it through 5G, is it through Wi-Fi?”
Additionally, “We go into how it how [IoT] integrates with the cloud and how it integrates with big data, and all the datasets that are from IoT – the different actuators and sensors that are you built into an IoT device to make it do whatever it needs to do in the real world, while also monitoring the real world as well,” Brewer noted.
Meanwhile, CET course’s AI offering will look at the ability to train a machine to recognize patterns and make decisions after feeding it large data sets.
“We're not really going to have anybody get in there and build an AI algorithm because we're talking about several semesters of college,” clarified Brewer. “But… if someone did take this and then they went to go take a college course on it to actually build their own algorithm, they'd be a lot more prepared to do that because they know a lot more of the vocabulary and understand a lot more of the fundamentals behind it.”
They will also be better informed as to the cybersecurity and privacy implications of AI. First, “there are the concerns that come along with utilizing AI when it comes to customer data or anything like that. Are you using it ethically?” said Brewer. “And then there's the part where we're utilizing AI to conduct cybersecurity operations. So you're using AI to detect heuristic anomalies within a network, you're using AI to ensure that you know it's not a false positive on your IDS.”
Finally, the CET blockchain training content teaches professionals about the technology’s growing array of business applications beyond mere cryptocurrency transactions.
“We've seen it in the physical supply chain, and we've seen it in some other case studies where companies are actually utilizing blockchain to track patients, or to track supplies or to track various types of information, not just financial transactions,” said Brewer.
“one of the things that brought it to our attention was just the fact that all there were all these kind of big name companies [and government agencies]… that were playing around the idea of implementing blockchain into their current infrastructure,” Brewer continued.
From a cybersecurity perspective, blockchain has the potential to solve the perennial challenge of preserving data integrity, because “we have this decentralized authority idea where the data is verified, and can never be changed it's immutable,” Brewer explained. At the same time, however, cybercriminals have attempted attacks on public and private blockchains, because “even though we're running this great new capability or system within our current infrastructure, it still is using our old infrastructure,” and that leaves users exposed to potential vulnerabilities.
Last month, ISACA also announced yet another certification program in which students, recent graduates and IT beginners can earn Information Technology Certified Associate (ITCA) certification by earning modular certificates through lessons in five different fundamental areas: computing, networks and infrastructure, cybersecurity, software development and data science.