IT qualifications: security credentials

A guide to security qualifications for IT professionals

What is it?

Frost & Sullivan estimates that there were approximately 1.66 million information security professionals in 2007, ranging from security analysts to chief security officers. Frost and Sullivan expect this number to rise rapidly to almost 2.7 million by 2012.

Their report, commissioned by the International Information Systems Security Certification Consortium (ISC)², which provides supplier-neutral security training and qualifications, found that certified security professionals earned up to 30% more than their uncertified peers. The survey looked exclusively at ISC's qualifications, but there are plenty of others, both supplier-neutral and supplier-specific.

Among suppliers, Cisco's Certified Security Professional Certification (CCSP) and the various qualifications provided by firewall specialist Checkpoint seem most in demand.

But for people seeking a career in IT security, a broader-based generic qualification represents a better foundation. Frost and Sullivan says there are now about 40 supplier-neutral certifications worldwide, bringing confusion to the market, and threatening to dilute the value of previously highly regarded qualifications. We have room to look at two here: (ISC)²'s Certified Information Systems Security Professional (CISSP), and the British Computer Society's ISEB (Information Systems Examination Board) Certificate in Information Security Management Principles (CISMP).

Where did it originate?

ISACA, the Information Systems Audit and Control Association, launched the first IT security qualification in 1979.

What's it for?

(ISC)²'s CISSP is based on (ISC)²'s Common Body of Knowledge (CBK), which is described as "a taxonomy" which "establishes a common framework of information security terms and principles which allows information security professionals worldwide to discuss, debate, and resolve matters pertaining to the profession with a common understanding".

Full CISSPs must have five or more years' of experience in two or more of a list of ten subject areas, including access control, business continuity, information security and risk management, security architecture and design, and regulatory compliance. Without those five years' experience, you can still take the CISSP exam and become an associate of (ISC)², or with one year's experience, take the Systems Security Certified Practitioner (SSCP) qualification.

BCS/ISEB's CISMP examines understanding of concepts such as confidentiality, integrity, availability, vulnerability, threats, risks and counter-measures current legislation and regulations national and international standards and the business and technical environments in which information security management takes place. There is a year's experience requirement.

How difficult is it to master?

ISEB requires a one-week course from a recognised trainer. Intensive CCISP training is available in as little as seven (in one case, five) days CD Rom and online training is also available.

Where is it used?

Once only large organisations could afford to hire security professionals. But 58% of the respondents to Frost and Sullivan's survey came from organisations with fewer than 500 staff. More than a third of overall respondents came from IT or professional services companies.

The UK government has its own Infosec Training Paths & Competencies Scheme for information security professionals, run by the Cabinet Office, and managed by UK security authorities and universities which offer Masters-level IT security qualifications.

Rates of Pay

Security analysts and administrators from £30k CISSPs from £40k.


The BCS has a page of useful links to its own and other qualifications, and resources such as publications, professional bodies and careers sites

There is more information about CISSP available online. CISSP courses are available from many UK training companies.

See also the SANS Institute, and ISACA, for IT governance professionals.

Read more on IT jobs and recruitment