Hot skills: Security
What is it?
Europe will need another 680,000 information security
professionals by 2008, according to a survey by IDC on behalf of
the International Information Systems Security Certification
Consortium (ISC2). The survey found that most hiring managers (93%)
preferred candidates with security qualifications. ISC2 offers
certificates for systems security practitioners (SSCP) and
professionals (CISSP), and is one of several bodies to provide such
qualifications. The survey found that security specialists are also
expected to understand business processes, to help minimise risks
as new systems are developed.
Where did it originate?
Isaca, the Information Systems Audit and Control Association,
launched the first qualification in 1979, followed by the Sans
(SysAdmin, Audit, Network, Security) Institute in 1989. ISC2 was
established in 1996.
What is it for?
ISC2's CISSP is for people responsible for developing
information security policies, standards and procedures, and
managing their implementation. SSCP certifies network and systems
administrators.
Isaca has certificates for information security auditors and
their managers (CISA and CISM). The Sans Institute's Giac (global
information assurance certification) covers many roles and
levels.
The British Computer Society has a certificate in information
security management principles, intended both for those already
doing it, and those who want to move into it.
What makes it special?
To quote ISC2, "certification establishes a consistent method
for assessing the skills and competence of individual
practitioners, and holds them to a high standard of ethical
behaviour."
But there are many competing standards - a host of other
industry and national qualifications, not to mention
supplier-specific programmes - to confuse the employer and the
candidate. CISSP and CISA are probably the most in demand, but
research employers' requirements in your field before committing
time and money.
How difficult is it to master?
The degree of testable knowledge and the length of practical
experience required vary. CISA requires a minimum of five years of
professional information systems auditing, control or security work
experience; academic study or time in other IT roles can be
substituted for a year or two of this.
Some industry commentators complain the requirement for
experience is being lowered to meet the demand, undermining the
qualifications. On average, respondents to the IDC/ISC2 survey had
13 years' work experience in IT, and seven years' specialised
security experience.
Where is it used?
IT security professionals work within organisations, for IT
services companies and management consultancies.
There is a growing requirement for independent practitioners to
help organisations meet the BS7799/ISO17799 standard.
What is coming up?
In 2004, the DTI estimated that only one in 10 UK companies
employed staff with proper security qualifications - a gap that
will have to be closed.
Rates of pay
From £30,000 for network administrators with SSCP to
£65,000-plus for experienced consultants and auditors with CISA and
CISSP.
Training
Most certification organisations use networks of approved
training organisations, and also endorse online and disc-based
courses.
For SSCP and CISSP
www.ISC2.org.
For Giac
www.giac.org.
For CISA and CISM
www.isaca.org.
For the BCS
www.bcs.org/BCS/Products/Qualifications/ISEB/Areas/InfoSecurity
The International ISO 17799 Community Forum
For information on becoming a BS7799 auditor
www.17799.com