
Security professionals are expected to be proficient
with a range of security techniques, but which qualifications do
you need to progress your career?
Knowing which qualifications you need to progress your career is
a dilemma faced by every information security professional. With a
myriad of certificates to choose from, which one will help you
prove that you can do your job better? Which one will be valued by
employers?
A security professional has to be proficient with a range of
security techniques. These include operating system security,
network security, application security, penetration testing and
incident management techniques.
Many suppliers offer certificates that are restricted to
specific products. These are appropriate when IT security
professionals need to be familiar with specific infrastructure or
systems, but you should also consider acquiring certificates that
are product independent. The Sans Institute, for example, offers
some excellent vendor-neutral certificates under its Global
Information Assurance Certification (GIAC) programme.
Information security management is a fast-growing discipline,
and security professionals are expected to have good exposure to
the various security management approaches. Many organisations are
planning to have their information security management system
certified to the ISO 27001 standard. Such organisations look for
information security officers with security management
qualifications such as the CISSP (certified information systems
security professional), offered by the International Information
Systems Security Certification Consortium (ISC)2.
Organisations also look for business continuity management
certification, and the Disaster Recovery Institute offers the CBCP
(certified business continuity professional) certificate.
Information security governance is another focus area for
organisations. Governance ensures that the efforts and direction of
information security programmes are in line with the business goals
of the organisation. To this end, it is worth considering the CISM
(certified information security manager) certificate from the
Information Systems Audit and Control Association (Isaca).
Security auditing is another skill much sought after by
employers. A good understanding of security audit principles is a
prerequisite for ensuring that systems comply with audit
requirements. Isaca offers the CISA (certified information
systems auditor) for security auditors.
The different types of certificates complement each other, and
IT professionals need to have adequate knowledge of each of the
domains if they are to perform a full security role.
An IT manager may be required to perform many security-related
functions, so acquiring certificates in security management and
security governance will definitely be valuable. A security audit
certificate will prepare the IT manager to face security audits
with more confidence. Certified knowledge of security techniques
will improve confidence in technical matters.
An information security auditor may start their career with the
CISA qualification, but to gain deeper insight, they will have to
acquire sufficient experience in security techniques, security
management and security governance.
Getting the certificate should be a by-product of gaining
knowledge and experience. Preparing for the certification
examination makes you focus on improving your understanding of the
subject. All these examinations use objective (multiple-choice)
questions that test a candidate's basic understanding of the
subject. Because the certificates are independent of any product,
they test conceptual clarity rather than familiarity with a
particular tool.
So does this mean that information security professionals need
to get all the certificates?
The fact is that security professionals will perform all of
these roles at some point in their career. They will be using
various security techniques, will be responsible for security
management and security governance, and may even be performing
security audits. An information security professional therefore
needs adequate knowledge, understanding and experience in each of
these areas. Getting this knowledge certified is the best way to
convey your expertise to an employer and gain credibility in the
workplace.
CV: AVINASH W KADAM
Avinash W Kadam holds a CISA, CISM, CISSP, CBCP and GSEC. He has
been president of the Mumbai Chapter of the Information Systems
Audit and Control Association, lead instructor at (ISC)2, mentor
for the Sans Institute and is director of MIEL e-Security.