What is it?
Frost & Sullivan estimates that there were approximately 1.66 million information security professionals in 2007, ranging from security analysts to chief security officers. Frost & Sullivan expects this number to rise rapidly to almost 2.7 million by 2012.
Their report, commissioned by the International Information Systems Security Certification Consortium (ISC)², which provides supplier-neutral security training and qualifications, found that certified security professionals earned up to 30% more than their uncertified peers. The survey looked exclusively at (ISC)²'s qualifications, but there are plenty of others, both supplier-neutral and supplier-specific. Among suppliers, Cisco's Certified Security Professional Certification (CCSP) and the various qualifications provided by firewall specialist Check Point seem most in demand.
But for people seeking a career in IT security, a broader-based generic qualification represents a better foundation. Frost & Sullivan says there are now about 40 supplier-neutral certifications worldwide, bringing confusion to the market and threatening to dilute the value of previously highly regarded qualifications. We have room to look at two here: (ISC)²'s Certified Information Systems Security Professional (CISSP), and the British Computer Society's ISEB (Information Systems Examination Board) Certificate in Information Security Management Principles (CISMP).
Where did it originate?
ISACA, the Information Systems Audit and Control Association, launched the first IT security qualification in 1979.
What's it for?
(ISC)²'s CISSP is based on (ISC)²'s Common Body of Knowledge (CBK), which is described as "a taxonomy" which "establishes a common framework of information security terms and principles which allows information security professionals worldwide to discuss, debate, and resolve matters pertaining to the profession with a common understanding".
Full CISSPs must have five or more years of experience in two or more of a list of ten subject areas, including access control, business continuity, information security and risk management, security architecture and design, and regulatory compliance. Without those five years' experience, you can still take the CISSP exam and become an associate of (ISC)², or, with one year's experience, take the Systems Security Certified Practitioner (SSCP) qualification.
BCS/ISEB's CISMP examines understanding of concepts such as confidentiality, integrity, availability, vulnerability, threats, risks and counter-measures; current legislation and regulations; national and international standards; and the business and technical environments in which information security management takes place. There is a year's experience requirement.
How difficult is it to master?
ISEB requires a one-week course from a recognised trainer. Intensive CISSP training is available in as little as seven (in one case, five) days; CD-ROM and online training is also available.
Where is it used?
Once only large organisations could afford to hire security professionals. But 58% of the respondents to Frost & Sullivan's survey came from organisations with fewer than 500 staff. More than a third of overall respondents came from IT or professional services companies.
The UK government has its own Infosec Training Paths & Competencies Scheme for information security professionals, run by the Cabinet Office, and managed by UK security authorities and universities which offer Masters-level IT security qualifications.
Rates of Pay
Security analysts and administrators from £30k; CISSPs from £40k.
Training
The BCS has a page of useful links to its own and other qualifications, and resources such as publications, professional bodies and careers sites.
There is more information about CISSP available online. CISSP courses are available from many UK training companies. See also the SANS Institute, and ISACA, for IT governance professionals.