Human Resources Development in the

Field of Cyber Security

October 2014

Masayuki KOIKE

Director, Local Informatization and Human

Resource Development Office,

Information Service Industry Division,

Commerce and Information Policy Bureau,

Ministry of Economy, Trade and Industry (METI)

○ Many information systems in Japan are closely connected with practical business in enterprises and organizations. It is often the case that construction and operation of these information systems, including security measures, are entrusted to specialists (IT vendors).

○ In principle, engagement of personnel of enterprises- IT users with thorough knowledge on the details of their practical business is indispensable on occasion of the construction and operation of its information system with reflection on the details of practical businesses.

○ According to an estimation by the Information-technology Promotion Agency (IPA), there are around 265 thousand people working in the information security field in Japan and only 105 thousand people among them has necessary skills. Hence, it is necessary to organize certain education programs and trainings for the other 160 thousand people.

○ Besides, there are around 80 thousand human resources in potential shortage. It is an urgent challenge in light of information security policy of Japan to take necessary measures toward solution of this problem.

1

Source: New Information Security Human Resource Development Program (the

decision of Information Security Policy Meeting on May 19, 2014)

The Challenge in Cyber Security Human resources (1):

for Practical Business Players as Enterprises

･･･applicable both in springand in autumn ･･･available in spring ･･･available in autumn

On Information Technology Engineers Examination in Japan

○Reflecting on the lack of Information Technology Engineers and the demand for establishment of Programmer certifying examination, the Information Technology Engineers Examination (ITEE) started in 1969. Now around 500 thousand examinees participate every year and it is utilized by a number of enterprises and educational institutes.

○17.53 million people applied and 2.17 million participants passed in the period of 45 years by the end of 2013 FY. The ITEE plays an important role in IT human resources development in Japan.

2

For all the business people For IT Engineers (Vender side/ User side)

Basic

kn

ow

ledge r

equ

este

d t

o

every

bu

sin

ess p

ers

on

wh

o

utiliz

es IT

IT P

assp

ort

E

xam

ination

Advan

ced

Kn

ow

ledge/

Skill

Applied knowledge/S

kill

Fundamental knowledge/S

kill

IT S

trate

gis

t E

xam

ination

Sys

tem

s A

rch

itect

Exam

ination

Pro

ject

man

ager

Exam

ination

Netw

ork

Specia

list

Exam

ination

Data

base S

pecia

list

Exam

ination

Em

bedded S

yste

ms

Sp

ecia

list

Exam

ination

Info

rmation

Secu

rity

S

pecia

list

Exam

ination

IT S

erv

ice M

an

ager

Exam

ination

Sys

tem

s A

uditor

Exam

ination

Applied Information Technology Engineer Examination (AP)

Fundamental Information Technology Engineer Examination (FE)(IP)

(ST) (SA) (PM) (NW) (DB) (ES) (SC) (SM) (AU)

･･･available all year round

2013 FY 2012 FY 2011 FY

No. of applicants 56,452 57,944 57,243

No. of participants 36,905 39,092 37,198

No. of the successful 5,147 5,407 5,110

（% of the no. of SC

applicants to all）(12.0%) （11.9%） (9.9%)

% of pass 13.9% 13.8% 13.7%

【the statistical data of the Information Security Specialist

Examination (for the last 3 years)】

【Where located in the whole map of Information

technology Engineers Examination】

【The Targeted People】

Those who has established specialties as advanced IT engineer,

supports realization of security functions in plannig, requirements-

defining, developing, operating and maintaining information system

in accordance with information security policy, or equip information

system basis, and supports information security management as a

specialist of information security technology.

・Increase in the targeted cyber attack

・New type of unauthorized access・appearance of new type viruses

The threat of theft of secrets and stop of devices（The Threat of increase in loss of enterprises）

THREAT

Appropriate Security Management by Specialists is Necessary

Evaluation through national examination

National Examination to evaluate Security Specialists

【The scope of questions 】

○Planning, requirements-defining, development, operation and

maintenance of information security system （such as secure-

programming)

○Operation of information security (such as countermeasures

against unauthorized access)

○Information security technology (countermeasures against viruses)

○Management of development（such as Information security

management of development environment)

○Information security-related legal requirements (such as Copyright

Act, Personal Information Protection Act)

The Information Security Specialist Examination is…

3

(reference) the overview of the Information Security Specialist Examination (SC)

For All the Business people

For IT Engineer (Vender Side / User side)

Basic

kn

ow

ledge

IT P

assport

E

xam

ination

Ad

van

ced

Applied

Fundamental

ST

SA

PM

DB

ES

NW

SC

SM

AU

AP

FE

For IT Passport Examination adopted the Computer-Based Test (CBT) for the first time as a national examination in Japan.

☑You can choose the data/time of test in accordance with your schedule !!→ At any time all year round!

【How to Apply】 through internet （at the official website）【the Fee】 5,100 JP Yen (tax included)

【Test Schedule】 Application and Exmination available all year round

How to Apply

Examination is available at any time, anywhere, any times

you want.

Boucher Ticket system for group application available!【For more details on the Web site 】 Official Website (in Japanese)(https://www3.jitec.ipa.go.jp/JitesCbt/)

Official

Character of

IT Pass Exam.

ｉパス SEARCH

☑Approximately 120 test centers all over Japan→ Available wherever you want !

（※Exam schedule differs according to the test center）

☑You can check not only the result but also the score !（Able to check out the score after the exam at once.→ Able to check the score divided by sphere. Always new technologies are

reflected. You can try any times you want to make sure your level-up !

4

The score divided by

sphere

available(strategy,

management,

technology). Useful for

ability measurement.

Reference: The overview of IT Passport Examination (IP)

>Background>○Sharp Increase in Importance of Information Security

○The shortage of Information Security Human Resources both in quantity and quality

Necessary to improve IT literacy among the whole nationals including knowledge of Information Security. Necessary to excavate, foster and make use of Information Security Human Resources.

Increased the frequency of Information Security- related questions in all of the types of Information Technology Engineers Exams, including IT Passport Exam.

IT Passport Exam. Sharp Increase in the Percentage of Information

Security –related Questions (by twice)

Fundamental ITEngineer Examination（FE） Applied ITEngineer Exam.（AP）

In the morning exam increased the percentage ofSecurity related questions

In the afternoon exam the status of Information Security sphere has been changed from selective to obligatory.

Advanced Exam.

In the morning exam.Ⅰand Ⅱ increased the percentage of Security related questions

In IT Strategist Exam.(ST) and Project Manager Exam. (PM) added Security-related questions to the scope of morning exam.Ⅱ.

（Security questions appear in all the category of advanced exam）

※ Source: IPA Press Release http://www.ipa.go.jp/about/press/20131029.html （Note） IT Pass exam changed from May 7th 2014.The rest of exams changed from the spring exam in 2014.

5

METI Activity No.1: Strengthening the frequency of Information Security-related

questions in Information Technology Engineers Examination

6

The globalization of software technology and market has led to the increase in necessity of securing trans-border high-quality IT human resources and enhancing their liquidity. Therefore, METI is arranging coordination with the related institutions towards mutual recognition of IT Engineers Examination and enlargement of similar examination to ITEE.

To enlarge these arrangements in Asian region etc. for the sake of securing advanced human resources oversees and enhancing their liquidity.

The results achieved：

Mutual Recognition with 12 Asian countries/regions (Bangladesh, China, India, Korea, Malaysia, Mongolia, Myanmar, Philippine,Singapore, Thailand. Taiwan, Vietnam)

Arrangement of Common Examination through assistance in Asia: 7 countries （Bangladesh, Malaysia, Mongolia, Myanmar, Philippine, Thailand, Vietnam）

Information Technology Engineers Examination in Asia

Special MeasuresforImmigration Control on the base of Mutual Recognition To the passers and holders of

the examination and the

qualifications listed in Public

Notice of the Ministry of Justice,

a preferential immigration

treatment is applied. It is about

the criteria pertaining to the

status of residence, which is

required to work in Japan as

Engineer or for Designated

Activities.

Every examination and

qualification listed in the Public

Notice of the Ministry of Justice

can be counted as the points in

“ Points-based preferential

immigration treatment for highly

skilled foreign

professionals“ system.

＜Background＞○The rapid spread of portable devices such as

smart-phones and use of cloud services has lead

to mutual connection of systems and devices

inside and outside enterprises.

○The period of “Internet of Things” is coming up.

→Taking into account the complicatedness and

development in cyber attack techniques, it is

necessary for all the enterprises, including

manufacturing industry and critical infrastructure

industry, to design items/service and business

plan with care for external threats.

＜The shortage of information security human resources

＞○In Japan there is shortage of around 80 thousand information security

human resources. Among 260 thousand engineers involved in

information security measures 160 thousand perople have limited

capability (Estimation by IPA)

＜Challenge＞○Proactive measures should be taken not only by IT vendors

but also IT users.

○In light of spread of mobile devices, it is urgent task

especially for companies- IT users to develop human

resources who are capable of educating general users

inside the company and taking security measures in

cooperation with IT engineers.

＜Countermeasures forward＞○To create “information security management examination”

category which will evaluate the necessary knowledge and

capability of human resources in charge of security in

enterprises, within the framework of Informaton technology

Engineers Examination as a national examination

･･･

i7

○ To create a new category “Information Security Management Examination” with scope of

necessary knowledge for operation of security policy of organization, in order to solve the

problem of shortage of information security human resources in companies- IT users.

（Aiming at its start from 2016 FY.)

METI Actibity No.2： To consider the creation of a new examination

towards solution of Shortage of Human Rsources Issues

○ Information security sphere keeps changing rapidly. To handle the everyday-occuring new incidents and advaced incidents, it is not enough only to improve the quality of the general ability of personnel in charge of information security and solve the HR shortage. It is necessary to secure the cutting-edge human resources with advanced speciality who are capable of creating new solutions in accordance with environment change.

○ The human resources with advanced specialty can lead the engineers in charge of telecommunication sector. They can also contribute to improvement of ability of next generation of Information security human resources, and to protection from global attacks and to creation of new industry.

8

[Source: New Information Security Human Resource Development Program (the

decision of Information Security Policy Meeting on May 19, 2014)]

The Challenge for security Human Resources No.2

Need for the human resources with advanced specialty and cutting-edge ability

9

○To expand the range of young security human resources scouting and to create global top-level resources are necessary to appropriately deal with cyber attacks with high complexity.

○To hold training camp for youth (under 22 years old) by private companies and IPA and to transfer security technology, including the ethical aspect, and leading-edge know-how by front-line engineers. So far 480 students participated (in 2004FY- 2014FY).

○To arrange security camps in regional areas and to expand the skirt of security human resources through exchange programs.

※Security Camp Organization ConferenceEstablished to organize spread and enlarge “Security-Camp” with distinguished lecturers in Business and Education sectors to scout and foster young security human resources. The conference consists of 30 members-companies- organizations(as of Feb. 2014）.

Enlarge skirt and circle of young cutting-edge human resources hunting

Regional Contests

Local Lectures

exchanges caravans

Security Camp National Contest（training camp-style lecture）Lecturers The selected cutting-edge

human resources participate in security camp (general meeting)

2014 Security Camp : Main Results

To promote scouting and fostering young security human resources through Public-

Private Partnership

Security Camp Organization Conference

Exchange with

companis-conference members

Top-level engineers

Total participants：４３８ students （in 2004-2013 FY)

＜National Contest＞Period： August 12-16place：pref. Chiba Participants：４２

＜Regional Contest＞Period： May 31st - June 1st.Place: pref. AichiParticipants：101(the first day), 19(the second day)

Period ：August 29 - 31Place： pref. FukuokaParticipants：1０６(the first day), １９ (the second day)

Period ：September 13 - 14Place：pref. Fukushima Participants ：２０

※ To be organized in Hokkaido, Okinawa

METI activity No.3 : Overview of Security Camp

10

○In 2012 FY the first contest was organized as METI’s commissioned project to research feasibility and effectiveness of the CTF contest as a platform for practical training.

○From 2013 FY through Private- public Partnership.○In 2013 FY more than 1300 people participated※ＣＴＦ（Capture The Flag） is a contest in which participants struggle to get the flag- information stored in the system. It is practical training with

assumption of occurrence of information security attack.

PrivateSponsor

Japan Network security Association（ＮＰＯ）Implementation Committee

CTF Contest Organizer

National Contest

Regional Regional Regional Regional

Targeted Participants

Private Company,organization

Gov organization Students

support

2012 FY(research）

2013 FY～（Private- Public

Partnership）

supportentrust

Operated by NRI Secure Technologies and so on

Targeted Patticipants

Business person no younger than 23

※Other CTF Contest for students were also organzed

Information Security Policy meeting

Gov. bodies／organizations

Regardless of position, age and nationality

To organize Regional Contest from August. In March 2014 National Contest in Tokyo.

METI Activity No.4 ：CTF(Capture the Flag) Contest through Private- Public Partnership