Businesses have been urged to offer all IT professionals
formal training in IT security, even if security forms only a part
of their work.
Security certification body (ISC)2 said that all
IT professionals need formal training in
security principles if security policies are to be implemented
properly.
"Information security people converse in their own language,
just as IT people converse in their own language. We need a common
language and a common understanding," said Tony Baratta, director
of professional programmes at (ISC)2.
"If people in IT are doing information security type work, they
need to understand security because they are going to be
implementing it. And they need to implement it in accordance with
the security policy of the organisation."
The certification body is concerned that organisations are
neglecting security training for general IT professionals, as more
organisations form dedicated IT security departments.
Research by (ISC)2 found that reporting lines for security
increasingly sit outside the IT department, with only 29% of chief
information officers having ultimate responsibility for security in
their organisation.
"What we are seeing is that there are people who will never
pursue [security certification] or a dedicated information security
career who have significant responsibility for information
security. As much of the information security function moves out of
IT, there is a risk that these people will not receive any training
or certification," said Baratta.
(ISC)2 is encouraging IT professionals who do not have formal
security qualifications to study for its
SSCP (systems security certified practitioner)
certificate.
The qualification is designed to validate IT professionals'
mastery of the technical implementation of systems security and
their ability to collaborate with information security managers and
executives responsible for security policy.
(ISC)2 said that taking a formal qualification in security could
give IT professionals more flexibility in their career options,
providing a foothold to move into security.
"As time goes on, people might have a change of interest and
decide they might not want to continue down the technical path.
They may decide they want to get involved in security directly. If
they have an SSCP, it gives them that option," said Baratta.
The SSCP qualification is open to IT professionals with at least
one year's experience in one of seven areas: access controls;
analysis and monitoring; cryptography; networks; malicious code;
risk, response and recovery; and security operations and
administration. The examination costs about £200.