The four domains of data security

Security professionals are expected to be proficient with a range of security techniques, but which qualifications do you need to progress your career?

Knowing which qualifications you need to progress your career is a dilemma faced by every information security professional. With a myriad of certificates to choose from, which one will help you prove that you can do your job better? Which one will be valued by employers?

A security professional has to be proficient with a range of security techniques. These include operating system security, network security, application security, penetration testing and incident management techniques.

Many suppliers offer certificates that are restricted to specific products. These are appropriate when IT security professionals need to be familiar with specific infrastructure or systems. But you should also consider acquiring certificates that are product independent. The SANS Institute, for example, offers some excellent certificates under the name “global information assurance certification” (GIAC).

Information security management is a fast-growing discipline, and security professionals are expected to have good exposure to various security management approaches. Many organisations are planning to have their information security management system certified to the ISO 27001 standard. Such organisations look for information security officers with security management qualifications such as the CISSP (certified information systems security professional), offered by the International Information Systems Security Certification Consortium (ISC)2.

Organisations also look for business continuity management certification, and the Disaster Recovery Institute offers the CBCP (certified business continuity professional) certificate.

Information security governance is another focus area for organisations. It ensures that the efforts and direction of information security programmes are in line with the business goals of the organisation. To this end, it is worth considering the CISM (certified information security manager) certificate from the Information Systems Audit and Control Association (Isaca).

Security auditing is another qualification much sought-after by employers. Possessing a good understanding of security audit principles is a prerequisite to ensure that systems comply with audit requirements. Isaca offers the CISA (certified information systems auditor) for security auditors.

The different types of certificates complement each other, and IT professionals need to have adequate knowledge of each of the domains if they are to perform a full security role.

An IT manager may be required to perform many security-related functions, so acquiring certificates in security management and security governance will definitely be valuable. A security audit certificate will prepare the IT manager to face security audits with more confidence. Certified knowledge of security techniques will improve confidence in technical matters.

An information security auditor may start their career with the CISA qualification, but to gain deeper insight, they will have to acquire sufficient experience in security techniques, security management and security governance.

Getting the certificate should be a by-product of gaining knowledge and experience. Preparing for the certification examination makes one focus on improving understanding of the subject. All the examinations have objective-type questions that test a candidate on basic understanding of the subject. Since the certificates are independent of any products, testing is for conceptual clarity.

So does this mean that information security professionals need to get all the certificates?

The fact is that security professionals have to perform all these roles in their career. They will be using various security techniques, be responsible for security management and security governance, and may even be performing security audits. An information security professional needs to acquire adequate knowledge, understanding and experience in each of these areas. Getting this knowledge certified is the best way to convey your expertise to the employer and gain credibility in the workplace.


Avinash W Kadam holds the CISA, CISM, CISSP, CBCP and GSEC certifications. He has been president of the Mumbai Chapter of the Information Systems Audit and Control Association, lead instructor at (ISC)2, mentor for the SANS Institute and is director of MIEL e-Security.



Read more on Privacy and data protection