Security covers so many areas of information technology (hardware, networking, identity, access, data protection and the like) that it should come as no surprise to find that security training has as many nuances as Pandora's box.
Any CV-savvy IT professional pitching for a job in the security field knows to make sure that their knowledge and skills can be tested and demonstrated. Fully-referenceable qualifications are also a must. Nevertheless, questions persist about the direction of ongoing certification.
Nerve-racking? Yes, particularly at exam time. Costly? Almost certainly, but that can be mitigated to some extent depending on choices about self-study and pre-testing routines.
Worth it? Yes, unreservedly. Even the naysayers agree that the top jobs out there go to those who not only demonstrate in lab tests that their problem-solving skills are up to date, but also have multi-level knowledge derived from studying progressively more complex security topics.
Taking It Vertical
But which are the certifications with the greatest rewards? Ultimately, it depends where you want to direct your energies: stay with pure technology or take the business-oriented track.
IT security professionals - many of whom started as network administrators and honed their skills to become experts in Windows security, firewall maintenance or intrusion-detection and prevention systems, for example - always wonder where the next hot jobs are.
So too does David Foote, director of research firm Foote Partners, which periodically surveys thousands of technical and business managers to determine which IT jobs are in most demand - and which are on the wane. Foote says a recent survey of management opinion in 1900 companies suggests that, in the coming year, companies will be most interested in hiring security professionals with expertise in a few rising fields: incident response and forensics; wireless security; identity management and VoIP-related security.
Vendor-specific equipment certifications will also remain important, Foote says. In addition to the value of expertise in a particular product or technologies, an emerging trend that could have a significant impact on careers in IT security is industry specialization. Indicators are that companies are favouring applicants with "vertical industry" experience such as FMCG (fast moving consumer goods), retail, health-care, manufacturing, financial services, construction or other such specialist fields.
"Consider staying with a vertical industry," Foote advises. Employers and recruiters have indicated a preference for people who have gained knowledge of the patterns that relate to specific industries - technologies, problems, solutions and workflows, as well as business relationships and partnerships.
Rising Compliance
Compliance, however, spreads across all industries and, unlike some skills that fall beneath the radar, is not only not going to go away, it will intensify and spread its tentacles into many layers of business. To meet this need, auditing will grow as a component of IT security.
It was from this base that ISACA (Information Systems Audit and Control Association) grew from a collection of professional auditors into the vast organization it is today, which now conducts security training and certification courses for members from some 140 countries. ISACA has more than 170 chapters in over 60 countries worldwide. In Australia it has chapters in all mainland states and also in New Zealand and Papua New Guinea.
ISACA focuses on two credentials in information security, CISA (Certified Information Systems Auditor) and CISM (Certified Information Security Manager).
Since the Certified Information Security Manager credential was established in 2002, more than 6000 IT professionals have passed the exam, according to an ISACA spokesperson. CISA certification, on the other hand, requires candidates to submit evidence of a minimum of five years of work in information systems security and complete an exam, which is offered twice a year.
David Simpson, chairman of the CISM board, is based in Adelaide where he works with Secure Consulting. Simpson says he took the CISM exam some years ago to add more rigour to the security skills he had been developing for the previous 20 years. He says the ISACA courses that are run in Australia have been honed to reflect the "unique flavours" required for local governance and compliance laws.
Security Job Boom
An IDC study early this year reported a global workforce of more than 1.4 million IT security professionals, with predictions that the number will hit more than two million by 2010.
Kate Kaiser, an associate professor at a US university who led a Society for Information Management study of 104 CIOs to determine their skills needs for the medium term, says IT security is one of the 10 top skills that will become "newly important" to companies in the next five years.
Matt Whelan, technical director of Sydney-based ALC Training, says government and business have been increasingly looking to certifications as a way of setting standards and expectations. There has been some resistance to this from the "old school" on the basis they don't need a piece of paper to prove what they've learnt the hard way, he says.
"However, the younger generation has been quick to recognize the role of certification in validating competency and even the old guard is starting to accept the inevitable," Whelan says.
ALC Training, which runs courses in all capital cities, conducts CISSP (Certified Information Systems Security Professionals) and CISM courses which, according to an ALC spokesman, are the most requested certifications.
The training provider has recently added SABSA Institute training and certification to its offerings. The first of these courses will be held in 2007 and cover a foundation level of security strategy and planning and security service management. The next level, Practitioner, covers six security-based modules ranging from information assurance to intrusion and incident management. Master level training covers seven modules from management skills, crisis management and cryptographic techniques to digital forensics and investigations. The program can also provide courses to meet in-house needs.
According to research analyst David Foote, while competition for jobs might seem strong now, it's nothing compared to what the market will be like in 2010. Innovation, a levelled global playing field, and technology that eases many of the tasks now done manually, will turn today's hot skills into "must-haves" for competitive companies.
Certification will be a key decider in moving up the career ladder; the only really big question to answer will be which ladder: tech or business?
This article first appeared as part of Enterprise Focus: Security, a supplement, available with the August 9 2006 print edition of Computerworld.