Security skills: aptly qualified or merely mollified?
IT security specialists want recognition and acclaim from their managers – but gaining the proper qualifications to endorse their status is not clear-cut.
Information security is gaining recognition as a critical business function, increasingly represented at senior management and director-level in many organisations. However, the route to the top is not completely addressed by the existing body of training and certification, nor is it well sign-posted.
Aspirants to the higher levels of the profession have to pick their way through a forest of academic qualifications, certification programmes and training courses to find the most appropriate path. What are the right qualifications to go for? Conversely, an employer may well ask: How can I find someone with the right skills?
The situation has made some progress since Information Professional last featured IT security skills in its February/March 2005 edition. A 2005 IDC survey of European employers ranked information security as the most urgent IT recruitment priority of all, with 70% of respondents ranking it highest in their hiring plans for the coming 12-24 months. But the question of who to hire can be a vexing one.
There is still much uncertainty on the issue of what kind of credentials to look for in a practitioner, a situation that, traditionally, has resulted in many firms assigning this role to an IT generalist. In 2000, Steven Northcott, founder of the GIAC certification programme, conducted a survey from which he noted that less than one in 20 security professionals had the competence and knowledge required to completely secure a system.
Such a state of affairs highlights the need for trustworthy forms of skills certification. In recent years, a number of popular programmes have emerged, including the vendor-specific Cisco-Certified Network Associate (CCNA) and Microsoft-Certified System Engineer (MCSE) schemes. Both awards certify practitioners in their ability to perform relatively routine tasks such as installing firewall or antivirus software.
There are also many certification schemes available that recognise higher-level technical or managerial skills (see ‘Security certification at a glance’, p44). The most general programme is the CISSP award, while others, such as CISM and CISA address the requirements of security managers and auditors, respectively. In the technical domain, the most rigorous programme is the GIAC award.
The popularity of these schemes varies, for reasons that are not clear, according to Steven Furnell of the University of Plymouth’s School of Computing: “It is difficult to tell if the popularity of one over another is down to good marketing, or if there is a perception that some are generally better than others”, he said.
The CISSP programme, for example, is the most well-established, and the most often cited, in recruitment advertising. At present, there is little data demonstrating a link between these awards and professional advancement or salary (see ‘More money and status?’, p45).
The professional certification schemes are administered by a handful of industry bodies and tend to be viewed as largely complementary to each other. However, the fragmentary nature of the effort has its drawbacks. Some of the programmes overlap in their content and aims, for example.
In January 2006, the Institute for Information Security Professionals (IISP) launched with a mission to offer a more unified standardisation effort. Among other aims, the IISP is intended to support a simple and consistent framework of training and certification, working in close co-operation with the existing standards bodies.
The initiative is UK-based and funded, backed by the Department of Trade and Industry and the Cabinet Office, with sponsorship from firms such as BP and the Royal Bank of Scotland, and the involvement of the IEE. However, there is also a lot of support for the effort in the US and Australia, according to David Lacey, director of information security with Royal Mail, and one of those overseeing the formation of the institute.
What employers really think
There are many different specialisms within information security, and the requirements of employers differ depending on the area. John Butters, a management consultant and security specialist with Ernst and Young’s Information Systems Assurance Advisory Services (ISAAS), suggested that many still rely on closed networks of personal familiarity or word of mouth.
“A lot of banks like to get people who have worked in the security services,” he said. Less than half of the information security staff at ISAAS, for example, hold a qualification like CISSP, CISA, or CISM. “I would say it is useful but not essential,” Butters commented.
In the field of penetration testing, where the requirement is to identify vulnerabilities within a system, many employers, particularly the government, require practitioners to be qualified to carry out a set of tests known as IT Health Check (also known as simply CHECK), developed by the CESG. For individuals to gain CHECK-compliant certification, they have to demonstrate a few years of relevant experience, and sit a practical exam.
Academic courses offer practitioners, or those who would like to enter the field, an opportunity to gain a theoretical grounding in key concepts; and, in some cases, to pick up or acquire points towards certification. At time of writing, around 12 UK universities offer MSc or degree-level courses in information security and associated areas.
Pick a course, any course...
The focus of these courses varies. Those who attend the University of East London, for example, can do an MSc in Information Security and Computer Forensics. Students at Royal Holloway in London, on the other hand, can do an MSc in either Information Security or Secure E-commerce. There are also a number of MSc courses available in Network Security.
Steven Furnell recently investigated the relative value of academic qualifications and professional certification in the information security field. In one analysis, he looked at 30 IT security jobs advertised on the website www.totaljobs.com, in August 2005.
Judging by the frequency with which they appeared in the wording of the adverts, the qualities most sought by employers were relevant experience (22 mentions), followed by professional certification (18 mentions) and academic qualifications (four mentions). Only one advertisement asked specifically for an academic qualification in information security.
The lesser perceived value of academic qualifications compared to professional certification could be attributed to a number of factors, Furnell suggested. Such courses are more general in their coverage and perhaps say less about an individual’s ability to perform in a particular professional role. However, many of the courses dovetail with the skills and learning objectives specified for professional exams and forms of certification, such as CISSP.
“It depends how well the course is designed,” according to Andrew Blyth, course director for the University of Glamorgan’s MSc programme.
For example, his own department’s course on penetration testing has been designed to prepare students for the CESG’s CHECK examinations. Similarly, students on some of the MSc programmes in network security have the opportunity to pick up CCNA certification as part of the course.
Another issue employers might have with such academic courses is a perceived inconsistency in their quality. There is no easy way of knowing if one institution offers a more rigorous course than another. In addition, there seems to be no clear agreement on the core skills and competencies.
Most would agree that a security manager who has to make business decisions should have a grounding in risk management, according to Furnell. However, this is an area that many courses do not cover.
One of the initiatives underway with the IISP is to encourage the sector to move towards a consensus on a ‘common body of knowledge’, which could define the scope of information security. This would make it easier to understand how different courses fit into an overall learning framework, and how they map onto particular job functions. An additional aim is to assess and certify the quality of the various academic courses available, validating them against a common standard.
The requirement for experience above all else becomes more acute at the senior levels of the profession. Practitioners at this level are distinguished by a range of ‘softer’ skills and their ability to apply technical and managerial concepts effectively, and to exercise good judgement, according to Barry Wise of the CESG, who is also involved in the formation of the IISP.
Such qualities are, obviously, difficult to acquire through formal, exam-based training and one of the additional aims of the IISP is to try to support this kind of personal development. This might be achieved by running relevant master classes and mentoring programmes, suggested Wise. “There is definitely a gap here, at present,” he said.
One overall factor that has slowed the effort to secure professional status for practitioners in this field is a lack of agreement on the different job functions and what they should be called. According to Kent Anderson, a member of the CISM certification board, many companies have been prone to over-inflating the prestige of lesser roles to attract interest.
“Many use the title ‘information security manager’ to refer to someone who simply manages a firewall,” he said. However, the CISM certification effort is attempting to popularise the use of this title to refer exclusively to more senior managers (see ‘Security certification at a glance’, opposite).
Organisations have been slow to appreciate the range of specialist skills required to support information security. The profusion of academic courses, certification programmes and training courses in this field can also be confusing, for employers and practitioners.
It is possible that these problems can be resolved with the presence of a single authoritative voice in the industry. The IISP is attempting to address this requirement and a major announcement of the initiatives it will support is expected in the third quarter of 2006.
With the challenges that lie ahead, the need to address information security proactively is becoming ever more urgent. Technology is becoming more complex and difficult to manage, while the regulatory environment increasingly mandates that firms adhere to strict codes of practice.
The quantity of electronic intrusions and attacks on information systems is unlikely to decrease year-on-year, and neither is the level of damage they cause. Pondering this state of affairs – which has persisted in the face of significant increases in investment in information security over the last five to 10 years – leads to the suspicion that something, somewhere is awry.
Does being better qualified mean more money and status?
Few studies appear to have been conducted into the links between professional certification and career advancement. However, in January 2005 the SANS Institute released the results of a survey which, among other things, attempted to investigate the correlation between GIAC-accreditation and salary. These drew on the responses of 4250 globally-distributed participants, although a large proportion of these (42%) were technical specialists. The results reported a salary advantage of between 7% and 12.5% for those with GIAC certification compared to those without.
Last October, a survey by iProfileStats/ATSCo (Association of Technology Staffing Companies) suggested that IT security consultants’ pay had gone up by 22% on average over the previous 12 months and salaries for full-timers could top £45k before the end of 2005.
The survey said that rates for contract staff with security skills rose from £40 per hour in 2004 to £50 per hour in 2005. Full-time security consultants’ salaries increased by £7000, from £37,000 last year to £45,000 this year.
ATSCo chief executive Ann Swain said the survey’s findings prove organisations are taking action to address data security: “Data security is now a boardroom issue. Institutions need to address stakeholder and customer concerns about data integrity,” she said.
“Security consultants are wielding ever more influence and commanding larger pay packets. As more core business processes become dependent on IT demand for security, experts will rise,” predicted Swain.
Publicised security breaches involving theft of customer data have provided an additional spur to action, compelling organisations to re-evaluate their security, the survey found.
Yet despite the rewards, Swain warned that the short supply of IT consultants with security skills is “potentially problematic”.
IProfile/ATSCo cited recent incidents, where companies such as LexisNexis and ChoicePoint admitted that personal data held on hundreds of thousands of consumers had been stolen. NGS Consulting’s Chris Anley suspected that news of security breaches is forcing more organisations to tackle the issue.
TOP security certifications at a glance
The award of Certified Information Systems Security Professional (CISSP) first became available in 1989. It is administered by the US-based International Information Systems Security Certification Consortium, often abbreviated to (ISC)², and is the most popular and well-known scheme. The recommended study programme gives a broad overview of the field, with a multiple-choice exam that covers 10 subject domains, including ‘Cryptography’ and ‘Law, Investigation and Ethics’.
Members have to maintain the qualification on an ongoing basis through the acquisition of at least 120 Continuing Professional Education credits every three years. More information at www.cissps.com.
The Certified Information Security Manager (CISM) programme is intended to afford recognition to those with the technical and managerial abilities to oversee an enterprise-wide system. Such a role requires an understanding of business goals and IT strategies, as well as the ability to define sensible security policies, from deciding what firewalls should do to the company’s code of practice for employee use of email and the Internet. The award is administered by the US-based Information Systems Audit and Control Association (ISACA) – www.isaca.org.
The Certified Information Security Auditor (CISA) award recognises practitioners who can audit an organisation’s security policies and practices. It is also administered by ISACA – www.isaca.org.
Founded in 1999, the Global Information Assurance Certification (GIAC) programme operates in conjunction with training courses taught by the SANS Institute. It addresses the skills required by technical specialists at all levels. The study programme includes topics such as Intrusion Detection, Incident Handling, Firewalls and Perimeter Protection, Forensics and Hacker Techniques. The exams must be re-taken every two to four years, depending on the type of certification. More details at www.giac.org.