Nick Langley checks out what security qualifications you need to join IT's traffic police
We may be seeing the rise of a new kind of auditor: the information security specialist. Top suppliers are talking up the market for the services of consultants who can parachute in, identify vulnerabilities, and draw up policies to make an organisation's IT systems as leakproof as rapidly evolving technologies will allow.
There is evidently a large gap between what the market says it wants and what it is willing to spend time and money on. According to the Department of Trade & Industry's Information Security Breaches Survey 2002, the number of UK businesses with a documented IT security policy has doubled since 2000, although that still represents only 27%. Yet 73% of UK businesses claim they rate security as a very high priority. Only 32% of large UK businesses have used external security consultants, but PricewaterhouseCoopers, which prepared the DTI report, expects this to increase.
One niche where external auditors are in demand is BS7799 compliance. Initially developed by the DTI to promote the use of electronic data interchange and similar technologies in inter-company trading, BS7799 has become internationally recognised as ISO17799. It provides rigorous criteria for everything from a business continuity strategy to the development, implementation and maintenance of a security policy.
According to the survey, only 15% of people responsible for security in the UK are aware of its contents. But PricewaterhouseCoopers reports that almost half the BS7799-compliant organisations have used third-party auditors to check compliance.
People able to provide a comprehensive approach to information security are in greater demand within organisations. They are employed both in drawing up security policies, and in specifying requirements for externally provided security services.
In a study for the DTI published in May 2002, independent security consultant Chris Sundt found that procurement requests often include poorly defined requirements, so providers have to spend significant amounts of time refining the requirement with the customer before being able to make a credible bid. "This is making it harder for responsible providers to agree sensible projects," the study says.
"Equally, unsophisticated buyers often accept a simple, cheap alternative without realising the risk implications. As with other consultancy disciplines, the buyer needs to have sufficient knowledge of the subject to be able to establish that the service has delivered a complete response to the requirement."
Software suppliers, too, need security services, to ensure that their products meet criteria laid down by government and other customers. Under the UK's Information Technology Security Evaluation and Certification scheme, the security features of IT systems and products are independently tested to identify vulnerabilities.
IBM Global Services provides formal, government-certified evaluations of supplier security products using its commercial evaluation facility. These services include pre-evaluation consultancy for products, help with documentation required for certification, and post-evaluation support for certificate maintenance.
How do you qualify?
So what qualifications will you need to get into the security policy and auditing business? Broadly there are two kinds, those dealing with specific products, and supplier-independent qualifications addressing a range of security issues. Sundt says MSc qualifications from Royal Holloway and University of Glamorgan are well respected. "Major organisations, including providers, use them to broaden the knowledge of their security practitioners," he says.
Keeping qualifications up to date is important, and both BCS Iseb and ISC2 have continuous professional development programmes. However, qualifications carry less weight than experience and a good CV. "Almost no one uses any qualifications or accreditations to decide the suitability of an [external] information security consultant or provider," says Sundt.
"It was disappointing to find few current qualifications or accreditation schemes mentioned by those contacted, even after prompting. Many remarked on the variable value of qualifications, from those sponsored by professional bodies (generally well regarded) to those that could be 'bought' from commercially motivated sources."
And while CISSP and the BCS/Iseb ISMB test knowledge of the principles of information security management, they do not really test the ability to apply that knowledge, Sundt says.
Intellect says that while qualifications are a useful part of the recruitment process, employers are looking for hands-on experience and a verifiable track record. Some companies are wary of qualifications, it says, as they can give little indication of the aptitude of the individual.
So you will still need to earn your spurs, after what will probably be a lengthy and demanding period of study. The likelihood is, however, that BS7799/ISO17799 will eventually become as much a requirement for trading, for government contracts in particular, as the ISO/BS 9000 quality standards.
ISBS 2002: www.security-survey.gov.uk
ITsec: Information Technology Security Evaluation and Certification scheme (UK system for testing and identifying vulnerabilities)
ISC2: International Information Systems Security Certifications Consortium offers CISSP (certified information systems security professional) and SSCP (systems security certified practitioner)
BCS Iseb: British Computer Society Information Systems Examinations Board offers an information security management certificate.
IBM Global Services: commercial evaluation facility
Checkpoint: firewalls
Cisco: networks
Symantec: anti-virus
BS7799 is a comprehensive set of information security controls
ISO 17799 is its international equivalent.
This was first published in May 2003