Security Training and Certification: Confusion?
Lately there has been a lot of talk about security training and certification. The challenge when looking at this segment is that the marketplace for the security professional has yet to be clearly defined.
Depending on the responsibilities and functions of a security position and the infrastructure of the organization, someone in this role at one company can have a drastically different skill set from someone in a similar role at another company. Where are the standards we need to provide a more thorough definition for the role? And more importantly, how will these standards help ensure the security of our information and our technical systems?
In our current situation, everything surrounding the position can vary greatly, including the actual titles of the individuals performing the security functions for the organization. One study produced by the SANS Institute did an inventory of security titles and came up with 584 varieties—ranging from security analyst to network security engineer to security architect to data security manager. This obviously causes confusion for someone trying to enter IT security or branch into this space. So why is there so much variance and so little structure?
The reality is that security is more of a category than the clearly defined set of technologies and tasks that have historically underpinned all successful certifications. It is important to understand what is going on right now within security training and certification to identify how best to proceed. The industry itself, along with federal and state government agencies and corporations, is rallying to find a solution to define the security professional.
I believe that when all is said and done, security certification will fall into two broad categories, not unlike what we have seen in networking technologies, with the distinction of network administration versus network engineering. The network administrator maintains the system, whereas the engineer is responsible for installation, configuration and troubleshooting. I believe there will be core foundational skills that every security professional will require. These skills will largely be managed and certified by industry or professional associations in both the profit and not-for-profit sectors. Examples include CompTIA’s Security+ certification and the Security Certified Program (SCP) certifications from Ascendant Learning.
The secondary area of focus for security certification will be vendor-specific. These programs will layer upon the foundational skills taught in the vendor-neutral programs to ensure that IT professionals have the skill sets to manage specific security technologies. Examples include Check Point, Cisco and Microsoft.
The reality of security certification today is that there is no clearly defined, guaranteed path to becoming a holistic, well-recognized security professional. The good news is that with every month that passes, the framework for the security professional becomes clearer. As the roles are more clearly defined, the distinction of the skills and certifications required to fill these roles will also become more apparent.
With security being such a sensitive and demanding focus of the IT industry, certifications in this arena will more often be required as a prerequisite for the job. This will largely be driven by hiring managers’ need to identify the specific skills and knowledge needed to keep their networks, systems and information secure.
You should start with the foundational skills that will most likely be required of anyone who wants to be successful as an IT security professional. These are the basics, such as the principles surrounding general security concepts, communication security, infrastructure security, the basics of cryptography, and operational and organizational security. Then, based on your greatest area of interest or perceived market or corporate need, begin specializing in security technologies.
Fear not, security is here to stay. Any way you look at it, security training and certification is a positive attribute for an IT career path. It provides proof of professional achievement, increases your marketability, provides opportunity for advancement, fulfills training requirements and raises customer confidence. The opportunities for security professionals will continue to develop and grow, and any IT professionals who have a good understanding of security concepts and technologies have without a doubt strengthened their job mobility and earning potential.
Martin Bean is the chief operating officer for New Horizons Computer Learning Centers Inc., the world’s largest computer training company.