Recognised certifications are vital to get your foot on
the IT security ladder, and the effort can be well worth it, as
demand for specialists pushes up salaries.
People trying to get into the booming world of IT security need
to spend their time studying for some qualifications – and get a
paper shredder, if those who recruit security specialists are to be
believed.
“If you do not have qualifications, you are not coming in,” said
Lewis Honour, security practice manager at systems company
Logicalis Network Solutions. Honour describes himself as someone
who “eats, sleeps, lives and breathes security”.
“If somebody tells me they are good at a specified security
technology, what they say and what they can prove they can do are
two different things. If someone can show they have got
certification badges tattooed down their arms, that talks money to
me.
“So if you want to improve your job prospects or salary, it is
all about studying for exams.”
David Leyshon, managing director of technical recruitment firm
CBSbutler, said, “In the security jobs market, certification is
key. Most companies are looking for staff who can prove knowledge
of certain technologies by having achieved specific accreditations.
In particular, Cisco qualifications and Check Point firewall expert
accreditations are something to aim for as soon as possible.”
This is confirmed by the latest annual survey by research group
IDC for the International Information Systems Security
Certification Consortium, (ISC)2. The survey found that 62% of
security specialists surveyed were seeking qualifications this year
– and 73% said their employers demand them.
This is where the commitment comes in. Honour said, “You can buy
authoritative books on Check Point and other qualifications, and if
you work at it, study on the train and instead of watching TV, you
can get the exam. You can then start quite quickly as a firewall
administrator, because of the market demand.
“So it is not like the old IT jobs’ vicious circle of no
experience, therefore no job: if you get the security exams you can
get a junior job, and that is your start. You can then build up
your experience and move up the ladder.”
Study guides are also available for the demanding but highly
regarded qualifications from independent bodies, notably (ISC)2 and
the Sans Institute.
Such qualifications are tied to a code of professional ethics
and they demand that people holding them keep their skills up to
date. People holding the (ISC)2 CISSP (certified information
systems security professional) qualification, for example, are
expected to commit to an average of 40 hours of continuing
professional development a year.
Putting professionalism in this area on a formal footing is the
aim of the Institute of Information Security Professionals,
launched at the start of the year with government and industry
backing.
As well as having qualifications, prospective security
specialists can improve their chances by showing commitment to
their personal security, said Honour. “I want to know how seriously
people take security, so at interviews I ask if they have a
shredder at home. Identity theft is a big thing. The best security
professionals are people who are paranoid about their own data
being stolen.”
Another interview tip comes from Andy Clark, a director of
digital forensics specialist Inforenz. “Good candidates will have
modified their own computer to do unusual things, have hobbies
displaying an interest in reverse engineering, and have
experimented to understand what makes something work,” he said.
“On top of that we need people who are highly ethical and work
within a clear moral framework.”
People already in IT can get into the many different aspects of
security from a variety of roles.
According to Honour, experience in networking is especially
useful. “Junior people often come from the networking side of our
business. They might have done some Cisco certifications, and to
them a firewall is just another device on the network, like a
router, so they are familiar with it.”
People with broader experience range from penetration testers,
business continuity specialists and forensics experts to business
analysts and auditors who can do risk analysis, get to grips with
business regulation and legal compliance, draw up standards and
policies, and lead projects aimed at achieving formal security
management standards.
“Most people in information security have come in almost by
accident,” said Dave Martin, a specialist in the security practice
at consultancy and systems company LogicaCMG.
“There are technical staff with a deep understanding of
technical security risks and solutions, and people who come at the
topic from the business perspective and can help senior management
understand the value of their information and how a holistic
approach to protection can be implemented.
“As in other areas of IT, the really tricky bit is finding
people who understand the technology and can really talk business:
this is where the greatest opportunities for employment and
progression exist.”
The demand and the prospects are certainly good, according to
research and anecdotal evidence.
“It is a totally candidate-driven market and demand for firewall
engineers, security architects and network security consultants has
gone into overdrive in both the permanent and temporary sectors,”
said Leyshon.
“There simply are not enough of these people to go around, which
means upward pressure on salaries and contract rates, and the sort
of job prospects that have not been seen since year 2000 projects.
Employers range from IT outsourcing companies and consultancies to
any organisation with a large IT infrastructure, especially in the
financial services sector.”
Honour’s experience at Logicalis bears this out: his team has
grown by 50% in the past six months. And IDC’s research for (ISC)2
suggests that growth in the number of IT security jobs will be
twice that of IT jobs as a whole over the next two years.
The imbalance of supply to demand is reflected in salaries, said
Nick Prescot, head of IT security recruitment at Dome Recruitment,
and a member of the security group at trade body the Recruitment
and Employment Confederation.
“I am working to fill lots of roles with salaries of £40,000 to
£50,000, but there are openings offering up to £150,000. People on
£40,000 to £50,000 would be technical hands-on security engineers
or IT engineers with a security element.
“In IT security, good people are always hard to find. In some
areas of IT you know lots of good people who can fill a role, but
in security it is hard to find someone with the required mix of
qualifications, especially for the middle-to-senior levels. This is
definitely an area to be in.”
Honour agreed, but for different reasons. “Every day is
different. Security priorities and issues can change three or four
times a day – you are fighting a continuing battle against the
latest threats,” he said.
“An organisation might face thousands of attacks via the
internet every day. And whereas, in the past, hackers attacked so
that they could brag about it on bulletin boards, today the message
boards have gone quiet, because they are now being paid thousands
of pounds to set up particular attacks. It used to be about
notoriety, but now it is about criminal activity. I could not think
of a more exciting job that I would want to do.”
Independent qualification bodies
Institute of Information Security Professionals
www.instisp.com
Sans Institute
www.sans.org/aboutsans.php
www.giac.org
International Information Systems Security Certification
Consortium
www.isc2.org
Information Systems Audit and Control Association
www.isaca.org
British Computer Society
www.bcs.org