Recognised certifications are vital to get your foot on the IT security ladder, and it can be well worth the effort as demand for specialists pushes up salaries
People trying to get into the booming world of IT security need to spend their time studying for some qualifications – and get a paper shredder, if those who recruit security specialists are to be believed.
“If you do not have qualifications, you are not coming in,” said Lewis Honour, security practice manager at systems company Logicalis Network Solutions. Honour describes himself as someone who “eats, sleeps, lives and breathes security”.
“If somebody tells me they are good at a specified security technology, what they say and what they can prove they can do are two different things. If someone can show they have got certification badges tattooed down their arms, that talks money to me.
“So if you want to improve your job prospects or salary, it is all about studying for exams.”
David Leyshon, managing director of technical recruitment firm CBSbutler, said, “In the security jobs market, certification is key. Most companies are looking for staff who can prove knowledge of certain technologies by having achieved specific accreditations. In particular, Cisco qualifications and Check Point firewall expert accreditations are something to aim for as soon as possible.”
This is confirmed by the latest annual survey by research group IDC for the International Information Systems Security Certification Consortium, (ISC)2. The survey found that 62% of the security specialists surveyed were seeking qualifications this year, and 73% said their employers demand them.
This is where the commitment comes in. Honour said, “You can buy authoritative books on Check Point and other qualifications, and if you work at it, study on the train and instead of watching TV, you can get the exam. You can then start quite quickly as a firewall administrator, because of the market demand.
“So it is not like the old IT jobs’ vicious circle of no experience, therefore no job: if you get the security exams you can get a junior job, and that is your start. You can then build up your experience and move up the ladder.”
Study guides are also available for the demanding but highly regarded qualifications from independent bodies, notably (ISC)2 and the SANS Institute.
Such qualifications are tied to a code of professional ethics and they demand that people holding them keep their skills up to date. People holding the (ISC)2 CISSP (certified information systems security professional) qualification, for example, are expected to commit to an average of 40 hours of continuing professional development a year.
Putting professionalism in this area on a formal footing is the aim of the Institute of Information Security Professionals, launched at the start of the year with government and industry backing.
As well as having qualifications, prospective security specialists can improve their chances by showing commitment to their personal security, said Honour. “I want to know how seriously people take security, so at interviews I ask if they have a shredder at home. Identity theft is a big thing. The best security professionals are people who are paranoid about their own data being stolen.”
Another interview tip comes from Andy Clark, a director of digital forensics specialist Inforenz. “Good candidates will have modified their own computer to do unusual things, have hobbies displaying an interest in reverse engineering, and have experimented to understand what makes something work,” he said.
“On top of that we need people who are highly ethical and work within a clear moral framework.”
People already in IT can get into the many different aspects of security from a variety of roles.
According to Honour, experience in networking is especially useful. “Junior people often come from the networking side of our business. They might have done some Cisco certifications, and to them a firewall is just another device on the network, like a router, so they are familiar with it.”
People with broader experience range from penetration testers, business continuity specialists and forensics experts to business analysts and auditors who can do risk analysis, get to grips with business regulation and legal compliance, draw up standards and policies, and lead projects aimed at achieving formal security management standards.
“Most people in information security have come in almost by accident,” said Dave Martin, a specialist in the security practice at consultancy and systems company LogicaCMG.
“There are technical staff with a deep understanding of technical security risks and solutions, and people who come at the topic from the business perspective and can help senior management understand the value of their information and how a holistic approach to protection can be implemented.
“As in other areas of IT, the really tricky bit is finding people who understand the technology and can really talk business: this is where the greatest opportunities for employment and progression exist.”
The demand and the prospects are certainly good, according to research and anecdotal evidence.
“It is a totally candidate-driven market and demand for firewall engineers, security architects and network security consultants has gone into overdrive in both the permanent and temporary sectors,” said Leyshon.
“There simply are not enough of these people to go around, which means upward pressure on salaries and contract rates, and the sort of job prospects that have not been seen since year 2000 projects. Employers range from IT outsourcing companies and consultancies to any organisation with a large IT infrastructure, especially in the financial services sector.”
Honour’s experience at Logicalis bears this out: his team has grown by 50% in the past six months. And IDC’s research for (ISC)2 suggests that growth in the number of IT security jobs will be twice that of IT jobs as a whole over the next two years.
The imbalance of supply to demand is reflected in salaries, said Nick Prescot, head of IT security recruitment at Dome Recruitment, and a member of the security group at trade body the Recruitment and Employment Confederation.
“I am working to fill lots of roles with salaries of £40,000 to £50,000, but there are openings offering up to £150,000. People on £40,000 to £50,000 would be technical hands-on security engineers or IT engineers with a security element.
“In IT security, good people are always hard to find. In some areas of IT you know lots of good people who can fill a role, but in security it is hard to find someone with the required mix of qualifications, especially for the middle-to-senior levels. This is definitely an area to be in.”
Honour agreed, but for different reasons. “Every day is different. Security priorities and issues can change three or four times a day – you are fighting a continuing battle against the latest threats,” he said.
“An organisation might face thousands of attacks via the internet every day. And whereas, in the past, hackers attacked so that they could brag about it on bulletin boards, today the message boards have gone quiet, because they are now being paid thousands of pounds to set up particular attacks. It used to be about notoriety, but now it is about criminal activity. I could not think of a more exciting job that I would want to do.”
Independent qualification bodies
Institute of Information Security Professionals
International Information Systems Security Certification Consortium
Information Systems Audit and Control Association
British Computer Society