All IT staff need security certification, says (ISC)2

Businesses have been urged to offer all IT professionals formal training in IT security, even if security forms only a part of their work.

Security certification body (ISC)2 said that all IT professionals need formal training in security principles if security policies are to be implemented properly.

"Information security people converse in their own language, just as IT people converse in their own language. We need a common language and a common understanding," said Tony Baratta, director of professional programmes at (ISC)2.

"If people in IT are doing information security type work, they need to understand security because they are going to be implementing it. And they need to implement it in accordance with the security policy of the organisation."

The certification body is concerned that organisations are neglecting security training for general IT professionals, as more organisations form dedicated IT security departments.

Research by (ISC)2 found that reporting lines for security increasingly sit outside the IT department, with only 29% of chief information officers having ultimate responsibility for security in their organisation.

"What we are seeing is that there are people who will never pursue [security certification] or a dedicated information security career who have significant responsibility for information security. As much of the information security function moves out of IT, there is a risk that these people will not receive any training or certification," said Baratta.

(ISC)2 is encouraging IT professionals who do not have formal security qualifications to study for its SSCP (systems security certified practitioner) certificate.

The qualification is designed to validate IT professionals' mastery of the technical implementation of systems security and their ability to collaborate with information security managers and executives responsible for security policy.

(ISC)2 said that taking a formal qualification in security could give IT professionals more flexibility in their career options, providing a foothold to move into security.

"As time goes on, people might have a change of interest and decide they might not want to continue down the technical path. They may decide they want to get involved in security directly. If they have an SSCP, it gives them that option," said Baratta.

The SSCP qualification is open to IT professionals with at least one year's experience in one of seven areas: access controls; analysis and monitoring; cryptography; networks; malicious code; risk, response and recovery; and security operations and administration. The examination costs about £200.
