The Quest for the IT Security Professional
It has been more than a year since I last wrote about what continues to be one of the hottest occupations in the IT industry—the IT security professional. In some ways, much has happened in the security field in the past 12 months, and in other ways, nothing has happened at all. To get us all up to speed in this high-growth area, I thought it would be useful to provide an update on the most popular security certifications first, and then discuss what I believe are the areas that still require some attention if we are going to succeed in building the perfect IT security professional.
- The Cisco Certified Security Professional (CCSP) track validates advanced knowledge of securing Cisco networks. The content emphasizes topics such as perimeter security, virtual private networks and intrusion protection, as well as how to combine these technologies in a single, integrated network security solution.
- CompTIA’s Security+ is geared toward IT professionals who want a one-exam certification covering a wide range of top-level security knowledge. The certification covers topics that every network administrator and engineer should know. This is a fast-growing certification, with about 10,000 CompTIA Security+ certified professionals worldwide.
- The Certified Information Systems Security Professional (CISSP) was created by the International Information Systems Security Certification Consortium (ISC)² to be the “gold standard” for information security. The certification focuses on 10 bodies of knowledge, ranging from law, investigation and ethics to telecommunications, network and Internet security. Work experience is key for this certification, which requires candidates to have at least four years of direct full-time security professional work experience in one or more of the 10 bodies of knowledge.
- Microsoft has created a security specialization for its popular Microsoft Certified Systems Engineer (MCSE) and Microsoft Certified Systems Administrator (MCSA) certifications. To become certified as an MCSE: Security or an MCSA: Security, candidates take exams that are focused on specific security-related topics. If you are already an MCSE or MCSA, you must simply pass a few additional exams to add the security specialization to your credential. This has been a common path for many IT security professionals, with 3,100 MCSEs obtaining the security specialization as of July 2004.
- The International Council of E-Commerce Consultants (EC-Council) takes an offensive approach to prevent breaches with its Ethical Hacker certification. The motto is, “If you want to stop hackers from invading your network, first you’ve got to invade their minds.” This certification has gained popularity over the past year as organizations look to security professionals who can identify and fix vulnerabilities.
All of these certifications have experienced growth in the past year, and these are just a fraction of the security certifications available to IT professionals. However, one area of information security that is often neglected is security awareness training for the end user or non-IT knowledge worker. Two reasons for this may be the lack of standardized resources that organizations can turn to for training employees on security awareness and the fear of the costs of such a training program, due to the geographical diversity of knowledge workers.
Another area that has not been fully addressed within the past 12 months is identifying what a true security professional looks like. Last year, I made the observation, “Depending on the responsibilities and functions of a security position and the infrastructure of the organization, someone in this role at one company can have a drastically different skill set than someone in a similar role at another company.” Despite all of the rhetoric surrounding the need to develop a common set of standards to define the role, little progress has been made to agree upon a set of skills or competencies that all of these certifications map to. Common standards become even more important as the intersection between regulations, such as HIPAA, Sarbanes-Oxley and others, drives corporations to spend more time and attention on securing their information and infrastructure.
Let’s hope that over the next 12 months, some progress is actually made so all of you have a clearer understanding of how to build not just a one-time shot for certification in security but, if you choose to do so, a career as a security professional. No matter what, this area remains one of the hottest in terms of job growth. As you think about your career in IT and the certifications you should pursue, security offers enormous opportunities. That is definitely something you will not see change in the next 12 months.
Martin Bean is the chief operating officer for New Horizons Computer Learning Centers, the world’s largest independent IT training company.