A security qualification is a must but make sure it fits your field

Hot skills: Security

What is it?

Europe will need another 680,000 information security professionals by 2008, according to a survey by IDC on behalf of the International Information Systems Security Certification Consortium (ISC2). The survey found that most hiring managers (93%) preferred candidates with security qualifications. ISC2 offers certificates for systems security practitioners (SSCP) and professionals (CISSP), and is one of several bodies to provide such qualifications. The survey found that security specialists are also expected to understand business processes, to help minimise risks as new systems are developed.

Where did it originate?

Isaca, the Information Systems Audit and Control Association, launched the first qualification in 1979, followed by the Sans (SysAdmin, Audit, Network, Security) Institute in 1989. ISC2 was established in 1996.

What is it for?

ISC2's CISSP is for people responsible for developing information security policies, standards and procedures, and managing their implementation. SSCP certifies network and systems administrators.

Isaca has certificates for information security auditors and their managers (CISA and CISM). The Sans Institute's Giac (global information assurance certification) covers many roles and levels.

The British Computer Society has a certificate in information security management principles, intended both for those already doing it, and those who want to move into it.

What makes it special?

To quote ISC2, "certification establishes a consistent method for assessing the skills and competence of individual practitioners, and holds them to a high standard of ethical behaviour."

But there are many competing standards - a host of other industry and national qualifications, not to mention supplier-specific programmes - to confuse the employer and the candidate. CISSP and CISA are probably the most in demand, but research employers' requirements in your field before committing time and money.

How difficult is it to master?

The amount of testable knowledge and the length of practical experience required vary. CISA requires a minimum of five years of professional information systems auditing, control or security work experience; academic study or time in other IT roles can be substituted for a year or two of this.

Some industry commentators complain that the experience requirement is being lowered to meet demand, undermining the qualifications. On average, respondents to the IDC/ISC2 survey had 13 years' work experience in IT, and seven years' specialised security experience.

Where is it used?

IT security professionals work within organisations, for IT services companies and management consultancies.

There is a growing requirement for independent practitioners to help organisations meet the BS7799/ISO17799 standard.

What is coming up?

In 2004, the DTI estimated that only one in 10 UK companies employed staff with proper security qualifications - a gap that will have to be closed.

Rates of pay

From £30,000 for network administrators with SSCP to £65,000-plus for experienced consultants and auditors with CISA and CISSP.


Most certification organisations use networks of approved training organisations, and also endorse online and disc-based courses.

For Giac

For the BCS: www.bcs.org/BCS/Products/Qualifications/ISEB/Areas/InfoSecurity

The International ISO 17799 Community Forum, for information on becoming a BS7799 auditor