Human Resources Development in the Field of Cyber Security

Human Resources Development in the

Field of Cyber Security

October 2014

Masayuki KOIKE

Director, Local Informatization and Human

Resource Development Office,

Information Service Industry Division,

Commerce and Information Policy Bureau,

Ministry of Economy, Trade and Industry (METI)

○ Many information systems in Japan are closely connected with practical

business in enterprises and organizations. It is often the case that

construction and operation of these information systems, including

security measures, are entrusted to specialists (IT vendors).

○ In principle, engagement of personnel of enterprises- IT users with

thorough knowledge on the details of their practical business is

indispensable on occasion of the construction and operation of its

information system with reflection on the details of practical businesses.

○ According to an estimation by the Information-technology Promotion

Agency (IPA), there are around 265 thousand people working in the

information security field in Japan and only 105 thousand people

among them has necessary skills. Hence, it is necessary to organize

certain education programs and trainings for the other 160 thousand

people.

○ Besides, there are around 80 thousand human resources in potential

shortage. It is an urgent challenge in light of information security policy

of Japan to take necessary measures toward solution of this problem.

1

Source: New Information Security Human Resource Development Program (the

decision of Information Security Policy Meeting on May 19, 2014)

The Challenge in Cyber Security Human resources (1):

for Practical Business Players as Enterprises

･･･applicable both in spring

and in autumn ･･･available in spring ･･･available in autumn

On Information Technology Engineers Examination in Japan

○Reflecting on the lack of Information Technology Engineers and the demand for establishment of Programmer

certifying examination,

the Information Technology Engineers Examination (ITEE)

started in 1969. Now

around 500 thousand examinees participate every year and it is utilized by a number of enterprises and

educational institutes.

○17.53 million people applied and 2.17 million participants passed in the period of 45 years by the end of 2013

FY. The ITEE plays an important role in IT human resources development in Japan.

2

For all the

business people

For IT Engineers (Vender side/ User side)

Ba

s

ic

k

n

owl

ed

ge

requ

est

ed

to

every

bu

s

in

es

s

pers

on

wh

o

u

ti

lizes

IT

IT

P

a

s

s

p

or

t

E

x

a

m

in

a

ti

o

n

A

dv

a

n

ce

d

K

n

owl

ed

ge/

Ski

ll

Applied knowledge/S kill Fundamental knowledge/S kill

IT

Stra

tegis

t

Exami

n

a

ti

on

Sys

te

m

s

A

rch

it

ect

Exami

n

a

ti

on

Project

ma

n

a

g

er

Exami

n

a

ti

on

Network

Specia

lis

t

E

xami

na

tion

D atab as e Spe cia lis t E x ami nati on E mb ed d ed S ys te ms Spe cia lis t E x ami nati on Inf orm a ti on S ecuri ty Spe cia lis t E x ami nati on IT Serv ice Manag er E x ami nati on

Syst

ems

A

u

di

tor

Exami

n

a

ti

on

Applied Information Technology Engineer Examination (AP)

Fundamental Information Technology Engineer Examination (FE)

(IP)

(ST) _{(SA) (PM) (NW) (DB) (ES)} (SC) (SM) (AU)

2013 FY

2012 FY

2011 FY

No. of applicants

56,452

57,944

57,243

No. of participants

36,905

39,092

37,198

No. of the successful

5,147

5,407

5,110

（% of the no. of SC

applicants to all） (12.0%) （11.9%） (9.9%)

% of pass

13.9%

13.8%

13.7%

【the statistical data of the Information Security Specialist

Examination (for the last 3 years)】

【Where located in the whole map of Information

technology Engineers Examination】

【The Targeted People】

Those who has established specialties as advanced IT engineer, supports realization of security functions in plannig, requirements-defining, developing, operating and maintaining information system in accordance with information security policy, or equip information system basis, and supports information security management as a specialist of information security technology.

・Increase in the targeted cyber attack ・New type of unauthorized access ・appearance of new type viruses

The threat of theft of secrets and stop of devices

（The Threat of increase in loss of enterprises） THREAT Appropriate Security Management by Specialists is Necessary Evaluation through national examination

National Examination to evaluate Security Specialists

【The scope of questions 】

○Planning, requirements-defining, development, operation and maintenance of information security system （such as secure-programming)

○Operation of information security (such as countermeasures against unauthorized access)

○Information security technology (countermeasures against viruses) ○Management of development（such as Information security

management of development environment)

○Information security-related legal requirements (such as Copyright Act, Personal Information Protection Act)

The Information Security Specialist Examination is…

3

(reference) the overview of the Information Security Specialist Examination (SC)

For All the

Business people For IT Engineer (Vender Side / User side)

Ba

s

ic

k

n

owl

ed

ge

IT

Pas

spor

t

Ex

am

ina

tion

A

d

v

a

n

ce

d

Applied Funda mental

S

T

S

A

P

M

D

B

E

S

N

W

S

C

S

M

A

U

AP

FE

For IT Passport Examination adopted the Computer-Based Test

(CBT) for the first time as a national examination in Japan.

☑You can choose the data/time of test in accordance with your schedule !!

→ At any time all year round!

【How to Apply】 through internet （at the official website）

【the Fee】 5,100 JP Yen (tax included)

【Test Schedule】 Application and Exmination available all year round

How to Apply

Examination is available at any time, anywhere, any times

you want.

Boucher Ticket system for group application available!

【For more details on the Web site 】 Official Website (in Japanese)

(

https://www3.jitec.ipa.go.jp/JitesCbt/)

Official Character of IT Pass Exam.

ｉパス SEARCH

☑Approximately 120 test centers all over Japan

→ Available wherever you want !

（※Exam schedule differs according to the test center）

☑You can check not only the result but also the score !

（Able to check out the score after the exam at once.

→ Able to check the score divided by sphere. Always new technologies are

reflected. You can try any times you want to make sure your level-up !

4

The score divided by sphere

available(strategy, management,

technology). Useful for ability measurement.

>Background>○Sharp Increase in Importance of Information Security

○The shortage of Information Security Human Resources both in quantity and quality

 Necessary to improve IT literacy among the whole nationals including knowledge of Information Security.

 Necessary to excavate, foster and make use of Information Security Human Resources.

Increased the frequency of Information Security- related questions in all of the types

of Information Technology Engineers Exams, including IT Passport Exam.

IT Passport Exam.

 Sharp Increase in the Percentage of Information

_{Security –related Questions (by twice)}

Fundamental IT

Engineer Examination

（FE） Applied IT

Engineer Exam.（AP）

 In the morning exam increased the percentage of

Security related questions

 In the afternoon exam the status of Information

Security sphere has been changed from selective

to obligatory.

Advanced Exam.

 In the morning exam.Ⅰand Ⅱ increased the percentage of Security related questions

 In IT Strategist Exam.(ST) and Project Manager Exam. (PM) added Security-related questions to the scope of morning exam.Ⅱ.

（Security questions appear in all the category of advanced exam）

※ Source: IPA Press Release http://www.ipa.go.jp/about/press/20131029.html

（Note） IT Pass exam changed from May 7th_2014.

The rest of exams changed from the spring exam in 2014.

5

METI Activity No.1: Strengthening the frequency of Information Security-related

6

 The globalization of software technology and market has led to the increase in necessity of securing trans-border

high-quality IT human resources and enhancing their liquidity. Therefore, METI is arranging coordination with the related

institutions towards mutual recognition of IT Engineers Examination and enlargement of similar examination to ITEE.

 To enlarge these arrangements in Asian region etc. for the sake of securing advanced human resources oversees and

enhancing their liquidity.

The results achieved：

Mutual Recognition with 12 Asian countries/regions

(Bangladesh, China, India, Korea, Malaysia, Mongolia, Myanmar, Philippine, Singapore, Thailand. Taiwan, Vietnam)

Arrangement of Common Examination through assistance in Asia: 7 countries

（Bangladesh, Malaysia, Mongolia, Myanmar, Philippine, Thailand, Vietnam）

Information Technology Engineers Examination in Asia

Special Measuresfor

Immigration Control on the base of Mutual Recognition

 To the passers and holders of the examination and the qualifications listed in Public Notice of the Ministry of Justice, a preferential immigration

treatment is applied. It is about the criteria pertaining to the status of residence, which is required to work in Japan as Engineer or for Designated Activities.

 Every examination and

qualification listed in the Public Notice of the Ministry of Justice can be counted as the points in “ Points-based preferential immigration treatment for highly skilled foreign

＜Background＞

○The rapid spread of portable devices such as

smart-phones and use of cloud services has lead

to mutual connection of systems and devices

inside and outside enterprises.

○The period of “Internet of Things” is coming up.

→Taking into account the complicatedness and

development in cyber attack techniques, it is

necessary for all the enterprises, including

manufacturing industry and critical infrastructure

industry, to design items/service and business

plan with care for external threats.

＜The shortage of information security human resources

＞

○

In Japan there is shortage of around 80 thousand information security human resources. Among 260 thousand engineers involved in

information security measures 160 thousand perople have limited capability (Estimation by IPA)

＜Challenge＞

○Proactive measures should be taken not only by IT vendors

but also IT users.

○In light of spread of mobile devices, it is urgent task

especially for companies- IT users to develop human

resources who are capable of educating general users

inside the company and taking security measures in

cooperation with IT engineers.

＜Countermeasures forward＞

○

To create “information security management examination”

category which will evaluate the necessary knowledge and

capability of human resources in charge of security in

enterprises, within the framework of Informaton technology

Engineers Examination as a national examination

･･･

i7

○

To create a new category “Information Security Management Examination” with scope of

necessary knowledge for operation of security policy of organization, in order to solve the

problem of shortage of information security human resources in companies- IT users.

（Aiming at its start from 2016 FY.)

METI Actibity No.2： To consider the creation of a new examination

towards solution of Shortage of Human Rsources Issues

○ Information security sphere keeps changing rapidly. To handle the

everyday-occuring new incidents and advaced incidents, it is not enough only to improve

the quality of the general ability of personnel in charge of information security and

solve the HR shortage. It is necessary to secure the cutting-edge human

resources with advanced speciality who are capable of creating new solutions in

accordance with environment change.

○ The human resources with advanced specialty can lead the engineers in charge

of telecommunication sector. They can also contribute to improvement of ability of

next generation of Information security human resources, and to protection from

global attacks and to creation of new industry.

8

[Source: New Information Security Human Resource Development Program (the

decision of Information Security Policy Meeting on May 19, 2014)]

The Challenge for security Human Resources No.2

9

○To expand the range of young security human resources scouting and to create global top-level resources

are necessary to appropriately deal with cyber attacks with high complexity.

○To hold training camp for youth (under 22 years old) by private companies and IPA and to transfer security

technology, including the ethical aspect, and leading-edge know-how by front-line engineers. So far 480

students participated (in 2004FY- 2014FY).

○To arrange security camps in regional areas and to expand the skirt of security human resources through

exchange programs.

※Security Camp Organization Conference

Established to organize spread and enlarge “Security-Camp” with distinguished lecturers in Business and Education sectors to scout and foster young security human resources. The conference consists of 30 members-companies- organizations(as of Feb. 2014）.

Enlarge skirt and circle of young cutting-edge human resources hunting

Regional Contests

Local

Lectures exchanges caravans

Security Camp National Contest

（training camp-style lecture）

Lecturers The selected cutting-edge

human resources participate in security camp (general meeting)

2014 Security Camp : Main Results

To promote scouting and fostering young security human resources through

Public-Private Partnership

Security Camp Organization Conference

Exchange with companis-conference members Top-level engineers Total participants：

４３８ students （in 2004-2013 FY)

＜National Contest＞ Period： August 12-16

place：pref. Chiba Participants：４２ ＜Regional Contest＞

Period： May 31st - June 1st_.

Place: pref. Aichi

Participants：101(the first day), 19(the second day) Period ：August 29 - 31

Place： pref. Fukuoka

Participants：1０６(the first day), １９ (the second day) Period ：September 13 - 14

Place：pref. Fukushima Participants ：２０ ※ To be organized in Hokkaido, Okinawa

10

○In 2012 FY the first contest was organized as METI’s commissioned project to research

feasibility and effectiveness of the CTF contest as a platform for practical training.

○From 2013 FY through Private- public Partnership.

○In 2013 FY more than 1300 people participated

※ＣＴＦ（Capture The Flag） is a contest in which participants struggle to get the flag- information stored in the system. It is practical training with assumption of occurrence of information security attack.

Private

Sponsor

Japan Network security Association

_{（ＮＰＯ）Implementation Committee}

CTF Contest Organizer

National Contest

Regional Regional Regional Regional

Targeted Participants

Private

Company

,

organization

Gov organization

_Students

support 2012 FY (research） 2013 FY～ （Private-Public Partnership） support

entrust

Operated by NRI Secure Technologies and so on Targeted Patticipants Business person no younger than 23 ※Other CTF Contest for

students were also organzed

Information Security Policy meeting Gov. bodies／organizations

Regardless of

position, age

and

nationality

To organize Regional

Contest from

August. In March

2014 National

Contest in Tokyo.