After nearly 30 years in the IT industry in a career spanning from teenage hacker innocently taking systems apart to trainer, seminar lecturer, published author and consultant, Les Bell decided to get a Certified Information Systems Security Professional (CISSP), his first certification.
Bell, who trains IT professionals in large multinational organisations and consults independently, noticed that the unifying thread that ran through his networking courses was security.
"I was teaching courses on networking and I was getting more and more questions on security application of protocols. I spent more time answering these questions and this led me naturally into teaching security and getting involved into security consulting. I got the CISSP credential as a consequence of this and developed a series of security courses" he said.
"I was interested in looking at management aspects of security, computer forensics and legal implications of what we're doing," he said.
It took Bell only a few weeks to get the CISSP.
"I'd been doing security for quite some time and it just took a few weeks to look at a couple of text books. It was not too difficult for me, almost a no brainer," Bell said.
Bell said the training helps him talk to his clients and gives weight to his advice.
"The piece of paper says that I'm not just experienced in one area, but I've got a broad knowledge base and understand why we're doing this. Why these things are going the way they are. It's important for an educator."
A CISSP is a high-level, vendor-neutral security certification administered by the International Information Systems Security Certification Consortium, otherwise known as (ISC)2, and consists of 250 multiple-choice questions, covering topics such as access control systems, cryptography and security management practices. The exam takes six hours to complete.
The handbook for the course covers everything from physical security or required high defence training of guard dogs to disaster recovery planning.
"The knowledge for CISSP is three inches deep and a mile wide. You've got to have knowledge on various backgrounds," Bell said.
While the primary market for this type of qualification is the security consultant, Bell said the CIO or IT manager can benefit from this qualification.
"It's really for security professionals and corporate CIOs. Information owners should be aware of it," he said.
"At the CIO level of a large enterprise, you would benefit from general knowledge of these areas; security should be part of your general portfolio," he said. "The information protection manager should have this type of qualification. Information is the lifeblood of most enterprises these days. Everyone has a need for security, but at large outfits like the military, government or banking and finance it's even more important."
ICS2 will not run a course in Australia unless there is a guaranteed demand.
"If, for example, one of the big accounting firms had enough students that want training, they bring out a CISSP qualified instructor from the US to do a one-week intensive course preparation for the CISSP exam," Bell said.
Iain Waters, chief technology officer for eSign, said the CISSP qualification is fairly insular to America.
"It wouldn't give a huge impact to the amount you can earn, but would make a difference in the success of the application."
While the CISSP is one of the only vendor-neutral security certifications, Waters said other security certifications that carry weight are from vendors whose products are used extensively in the enterprise.
Waters listed the Check Point network security certification, the ISS (Internet Security Systems) certification on VPN FireWalls and Cisco's various security specialist certifications such as CCIE Security.
However, Waters said the problem with vendor certification is the constant need to keep up to date. While Waters says the need for security certified professionals has taken off, those who have attained certifications face a constant battle to keep up to date with emerging technologies.
"Security certifications can increase marketability and asking price for graduates, but there is a point where they are not worth the paper they're written on. As products are upgraded, you have to keep up to date, or you fall behind," he said.
Waters said it is hard to pinpoint a salary for security professionals, saying it can range from a low $60K to more than $200K a year, depending on the market they work in.
Just as there had been a marked increase in demand for those that protect our information, so there has been an increase in demand for those that store it. Analysts predict an increasing need for storage management in the enterprise, likewise the growth of storage certifications in Australia is starting to develop.
Store up on certifications
Terry James, technical specialist and regional training manager for storage specialist Quantum, has been learning about storage for about two and a half years.
"I've been on training courses since I started [with Quantum]. It's never ending," he said.
"I have attained several certificates during my time in this position. I'm not sure of an exact number. At an estimate I would say about six," James said.
To round out his skills and stay current, James has attained certifications for performing support and maintenance, training people how to maintain hardware, application usage, and support and maintenance for various industry-related vendor products other than Quantum's, including storage competitors Network Appliance, Veritas and Brocade.
"In my training on how to support the product I get as much detail about the products as possible. It helps me in my support role to isolate [storage] issues. You've got to have an overall understanding to put the customer's system in place," he said.
"These training course are pretty extensive, not just anybody would do them. It's for people working on [storage products] on a daily basis," he said, adding this sort of specialisation would suit the value-added SAN reseller, rather than the IT manager.
"Most [IT managers] would turn to outsource support. It's getting too much for them. I can't see end users paying out huge amounts in getting certification in all that hardware equipment. A lot of trainers will not support end users doing the courses."
James said he "fell into" storage when he came over from New Zealand in 1999 during the Y2K hysteria and needed a job.
"I didn't want to get involved in that, so I applied for this position and I got it. I haven't looked back," he said.
Since then, he said, the storage market has hotted up and his skills are increasingly in demand.
"I have been offered a few positions since starting this role, and that in itself I believe is a huge confidence boost. It's an indication that I'm heading in the right direction career-wise, and that my efforts don't go unnoticed," he said.
However, in terms of salary, he added, "It hasn't yet yielded the remuneration that I would have liked to see.
"I like to think it puts you in a higher salary bracket, but until you go looking for other jobs it's hard to say. I was told categorically when I completed the Brocade training that it would add another $20K to my salary. It hasn't happened, but that's what they stated. Until I approach Brocade or Veritas and negotiate it's hard to say."
James's employer covered the cost of all courses and training.
He said all the courses have been useful in their own right, although some training doesn't get used as often.
"Unfortunately, if you don't use it you lose it".
To broaden his skills mix even further, James is interested in attaining numerous other application certifications, including certification on operating systems and other industry related hardware products as well.
To get to a management level position in IT, a certification is a bonus but not critical compared to management training. IT managers and CIOs that spoke to Computerworld said they had been in the IT game too long to get a certification now, but see the value in training their staff.
A CIO from a construction material supplier, who requested anonymity, said he was "too long in the tooth" to hold a certification, but his company invests heavily in training its troops.
For instance the entire IT shop, which consists of 110 people, are expected to work towards an Oracle certification.
"We run an Oracle shop so we expect Oracle DBA certification. If they don't have it when they start, we expect them to have it by the time they leave," he said.
The company is also keen on MCSE NT certification training for staff on its helpdesk.
As an incentive, those that decide to get the MCSE certification can move from helpdesk to join the 20-strong, dedicated NT team. The CIO said two had made this move in the past seven months.
When employing staff, the CIO said chances are higher for those that have a certification than for those that don't.
The company helps its staff undertake training with paid study leave and financial contributions to courses, but the CIO said he expects the staff to "have skin in the game as well".
"They must put their own time in it as well, and some of the money. Not a lot, but it should be enough that they'll want to [complete their studies]."
But when it comes to management level, he believes that a CIO needs an MBA nowadays, rather than certification training.
"Certification allows you to become a strong performer in your chosen field. You can use certification to go into management level. But for management level you need to get different skills which we also help with," he said.
Among his colleagues in IT management he found that many had only received one certification, if at all, to get into IT.
"When hiring management, we make management skills a priority, not technical skills," he said.
The supplier offers training to its 15,000 staff in Australia, not just in IT certification, but executive and management training as well as computer training across the entire team.
"We tend to train people to go elsewhere. The philosophy is push an organisation forward by giving people ability so they're attractive [as employees] to other organisations. We continually have people come through the organisation. As long as we are continually [training people], we are seen as high-quality employers and we tend to attract university graduates," he said.
One such student to undertake training to attain an MCSE 2000 certification is now an NT desktop server engineer. He said the company has supported him in his training.
"It pays for exams as long as you pass, which gives you a bit of an incentive," he said.
The NT support engineer said that opportunities for MCSE professionals have declined.
"A few years ago you'd see jobs advertised for $60K to $70K. Nowadays they are offering $45K to $60K, you need to know about other things like Notes and you need on-the-job experience. I don't know if it's because it has standardised, or because there is a slump." To further his career, the engineer plans to enrol in a Networking Technologies Diploma course offered by Dimension Data.
"I've been working here for a while, but eventually plan to move on to a higher and more challenging role. I want to go into design and move away from support to get a bit of joy," he said.
Australia's most wanted
While 2001 was the year of the big ticket IT implementations, 2002 is the year of security in this post September 11 world.
The Federal Government earlier attempted to encourage a migration of computer security professionals to our shores to increase the local security skill base. Yet Australia is in the middle of a job shortage with the number of jobs listed falling; the Federal Government has now moved to slow the flow of IT-based work visas.
In the 2002 migration occupations in-demand list (MODL), published annually by the departments of Immigration and Employment and Workplace Relations, a third of the IT related jobs listed are in the security field.
For the first time, the Certified Information Systems Security Professional (CISSP) is listed alongside firewall and Internet security, Java security, and e-commerce security specialties.
On top of their certification, these computing professionals would be expected to have at least 12 months experience working in this field.
Yet despite the lack of CISSPs in Australia, security experts say there is currently little demand for CISSP certification in Australia.
While this certification has been available for more than a decade, it has been more popular in North America with little demand here. In fact there are "only a handful" of experts that hold this certification employed in Australia. along with the shortage of certified security professionals there is also a shortage of job categories. The list of jobs on the MODL has shrunk to a dozen, from a high of 26 last year, and is expected to fall again to just a handful in the next few weeks.
Skills that have been removed from the high-demand list include: Oracle, MS SQL Server, Powerbuilder, Java, Java Script, Delphi, Visual Basic, Lotus Notes, Advanced Web Design, ASP, Data Warehousing, Unix, Solaris, Linux, Project Management, Systems Analysis, Broad Commercial Business Understanding, and Overall e-commerce.
Skills that have been added to the MODL include: Java security and e-commerce, Progress, Satellite Design, e-commerce security (non-programming skills), and CISSP.
Since 1999, when only five specialties were listed, C++ programming, SAP and Java have proved most in demand, making it on to the list each year.
PeopleSoft, Java and SQL Server have been stalwarts each of the past three years. However, Visual Basic, Lotus Notes (often used in government), advanced Web design and Linux have fallen out of favour.