Thirty years ago, information security was in its infancy. Many companies did not take threats to their infrastructure seriously. For those companies that did, the majority of people responsible for protecting information assets did not have a formal background or education in the field — they obtained their experience in information technology or related disciplines, transferring into information security only as the need arose. Information security professionals frequently reported to someone in IT and did not carry much weight with upper-management.
With today’s ever-growing advances in technology and the resulting increases in threats to information, the importance of and need for qualified information security professionals never has been higher. Organizations increasingly rely on information security professionals to protect not only their information assets but also their brand reputation, stock value and to meet compliance regulations.
In the “2006 Global Information Security Workforce Study” conducted by IDC and sponsored by International Information Systems Security Certification Consortium [(ISC)2], a majority of the 4,000 information security professionals who responded think technology alone cannot protect an organization’s information assets. People are the key to a secure organization, and employers are demanding qualified information security staff to effectively secure their infrastructure.
With the high value now placed on having qualified personnel, it is clear information security professionals have become an integral part of an organization’s business model.
Information security has grown to reflect a diverse community of individuals with varying strengths and aspirations, with an increasing number creating policy and reporting directly to executive management.
To have a successful career progression in information security, one must now go beyond IT skills and technical know-how to gaining management and communications skills, as well as an understanding of policy, processes and personnel.
Information security has evolved into a profession with recognized best practices, one in which people working at many levels can understand one another and have confidence in one another’s level of knowledge and competency.
For this reason, certification of knowledge, skills and abilities is becoming a necessity for professionals who want to advance their careers. As highlighted in the IDC study, the importance of certifications as a hiring criterion was ranked high by 85 percent of hiring managers.
(ISC)2, founded in 1989, was the first information security certification body and maintains some of the most rigorous standards in the industry.
Today, there are more than 50,000 (ISC)2 members in more than 129 countries who are recognized as the world’s premier information security professionals in private industry, government and education.
(ISC)2 certifications are based on the CBK, a continually updated taxonomy of information security topics developed and maintained by (ISC)2.
The CBK establishes a common framework of information security terms and principles that allows information security professionals worldwide to discuss, debate and resolve matters pertaining to the profession with a common understanding.
(ISC)2 credentials are vendor-neutral, and their differentiation from other security certifications lies in the breadth of knowledge and experience required before taking the certification examination. To maintain certification, the candidate also must be endorsed by another credential holder, abide by the (ISC)2 Code of Ethics and obtain audited CPEs.
To assist information security practitioners and professionals in meeting the ever-changing demands of their careers, (ISC)2 also offers numerous education opportunities such as CBK review seminars led by veteran certified information security professionals, as well as the (ISC)2 Security Leadership Series, which offers seminars and conferences on a variety of security topics to help its members meet their continuing professional education requirements. Using top thought leaders who discuss cutting-edge topics, (ISC)2 enables its members to stay abreast of the latest threats and solutions.
Below is a summary of the certifications offered by (ISC)2 and how they can assist information security professionals in advancing their careers.
Associate of (ISC)2
Although not a certification, the Associate of (ISC)2 program is designed for students or others at the beginning of their careers who have chosen a career path in information security and acquired knowledge of key information security concepts but do not yet have the work experience required for full accreditation. The program introduces associates to the rigors and ethics of the profession, and it gives them access to a vast network of security professionals and resources.
Associates must subscribe to the (ISC)2 Code of Ethics and maintain their status in good standing with (ISC)2. After passing one of the (ISC)2 examinations, associates have five years and two years, respectively, to acquire the necessary work experience to qualify for full Certified Information Systems Security Professional (CISSP) or Systems Security Certified Practitioner (SSCP) certification.
The SSCP is open to individuals with at least one year of relevant practical experience. It is the primary systems security administration credential for those who manage, monitor and enforce implementation of information security requirements and policies.
The SSCP certifies a depth of technical knowledge within these domains of the (ISC)2 CBK: access control, administration, audit and monitoring, cryptography, data communications, malicious code/malware, and risk, response and recovery.
The SSCP is designed to validate mastery of the technical implementation side of information security systems, as well as the ability to collaborate with information security managers and executives who write policy. It is complementary to vendor-specific certifications that validate detailed knowledge of a particular product.
For individuals with at least four years of validated work experience in designated areas of information security (or three years of experience, plus a bachelor’s or master’s degree in information security), the CISSP certification is recognized as the gold standard for management-level information security professionals worldwide.
The CISSP brings professional excellence, as well as the assurance the credential holder possesses the integrity, leadership and skills necessary to develop, implement and manage a program across all levels of the organization. It was also the first information security credential to be accredited under ANSI/ISO/IEC Standard 17024, a global benchmark for assessing and certifying personnel.
Those obtaining the CISSP often develop information security strategy, write information security policy, manage information security and personnel and ensure security policy is complying with industry regulations.
To obtain the CISSP, candidates are required to pass an examination that demonstrates a base level of knowledge in security best practices, policies and technologies across 10 domains of the CISSP CBK: information security and risk management, access control, cryptography, physical (environmental) security, security architecture and design, business-continuity (BCP) and disaster-recovery planning (DRP), telecommunications and network security, application security, operations security, and legal, regulations, compliance and investigation. The candidate also must be endorsed by a CISSP credential holder, abide by the (ISC)2 Code of Ethics and obtain audited CPEs to maintain certification.
Concentrations of the CISSP
As the security industry grows in size, complexity and speci