Come in with plenty of experience and be prepared for tough tests if you want security certification.
If you want a hot IT career that I promise will never be boring, think about a career in IT security. Now that more and more companies are developing Web sites and depending upon those sites for significant revenue or customer support, the need for IT security is greater than ever. Last year, cyber attacks cost businesses billions of dollars. The I Love You worm did more than $8 billion in damage alone, according to reports from the Carlsbad, Calif.-based research firm Computer Economics. Security experts around the world expect the number and severity of attacks to increase sharply in the next few years, only increasing the need for competent and resourceful IT security professionals.
I wanted to spend this column talking about security certifications because I believe that to be a true professional in the IT security field, you must consider some type of certification, and possibly multiple certifications. Certifications in security prove to your potential or current employers that you have the depth and breadth of knowledge needed to fend off sophisticated acts of cyber violence. Certifications also ensure that you have the training and experience needed to help your employers or clients make their way safely in the IT world.
Two major and widely recognized general-knowledge certifications are available in IT security, both created by industry groups. These are the certifications that pop up most often in help-wanted ads and company wish lists for IT security personnel. The International Information Systems Certification Consortium, known as (ISC)2, is a nonprofit organization created several years ago by government agencies, several IT firms, and Idaho State University. These groups have cooperated to create and maintain the Certified Information Systems Security Professional (CISSP) program.
You can find out about the CISSP program, and even download a study guide with sample questions, by visiting the (ISC)2 Web site www.isc2.org. I’ll warn you, though, that if you are just starting out in the security field or are looking for a quick way to enter the field, CISSP certification won’t help you. To sit for the certification exam, you must first prove that you have worked in the IT security field for three or more years. The exam is a tough one that really tests your security experience.
You should know about it, though, if you’re just starting out or getting ready to enter the field. (If you’re already an IT security professional, you should have already heard about the CISSP or have obtained certification). If you’re new to IT security and want to know what kind of knowledge and jobs to pursue, you can get a good idea by reading through the study guide and study resources (also on the Web site). You’ll be able to put yourself in the best position to obtain this certification–or the one I’ll talk about next–as soon as you can.
The Information Systems Audit and Control Association (ISACA) offers the Certified Information Systems Auditor (CISA) certification. To take this exam, you have to demonstrate a minimum of five years of IT security experience. You can take the exam and pass it before you have the full five years, but you can’t use the designation until you have the experience. To find out more about the exam and the requirements, go to the organization’s Web site www.isaca.org.
Once again, this is a certification that requires you to have significant experience–a few weeks in a classroom won’t help you. Think about it for a minute and you’ll understand why the organizations that created the certifications require so much experience. In IT security, education is no substitute for hands-on, nitty-gritty experience. So years of experience and training really are necessary to be an experienced, dedicated IT security professional.
Both organizations require continuing education and recertification exams periodically in order to keep the certification current once you’ve earned it. They do this because as quickly as the guys in the white hats can work and learn, the guys in the black hats have figured out some other way to search, seize, and destroy IT assets. If you enter the field as a professional, understand that continuing education and recertification will be a way of life.
In addition to these general-knowledge IT security certifications, there are a number of specialized IT security certifications that focus on specific areas of IT infrastructure, such as firewalls. Even disaster recovery, which you wouldn’t ordinarily associate with security, is one of the areas of specialized IT security.
The SANS Institute www.sans.org has developed a number of specialized security certifications, including ones for Unix and NT environments. The High Tech Crimes Network www.htcn.org has developed several certifications, including the Certified Network Security Professional and the Certified Computer Forensic Technician.
To learn more about other specialty certifications, you can visit the Web site of the Information Systems Security Association Inc. www.issa-intl.org. On the site is a list of professional certifications related to security, with links to the Web sites of the various organizations. Here is a brief description of a few of the certifications described on the ISSA Web site:
Certified Business Continuity Professional (CBCP), offered by DRI International, is for professionals who have at least two years’ experience in business continuity/disaster recovery planning. DRI also offers the Associate Business Continuity Planner (ABCP) for people who don’t have at least two years of experience or who work in IT areas related to disaster recovery.
The Institute of Internal Auditors (IIA) offers several certifications related to IT security. The one that caught my eye is the CIA designation (Certified Internal Auditor). This certification exam tests the candidate’s knowledge of IT security risks, effective ways to control the risks, and how to ward off attacks. Don’t worry, you won’t have to know anything about international espionage.
The Association of Certified Fraud Examiners is a professional organization whose members are auditors, accountants, fraud investigators, and criminologists, among others. A few years ago the association put together the Certified Fraud Examiner program for members interested in demonstrating their knowledge of fraud detection and prevention–including ways of doing this in the IT world.
The American Society for Industrial Security (ASIS) developed the Certified Protection Professional (CPP) certification for IT security professionals who want to demonstrate their ability to create and manage complex security systems for medium and large businesses and organizations.
Shine up that badge
If all this talk about security certifications has you wanting to get involved, I’m glad; the IT world desperately needs more people to get involved in IT security careers. To date, there are only about 3,000 people who have sat for and obtained the CISSP designation. I estimate from my research that the number of certified IT security professionals totals only tens of thousands. That’s simply not enough people to handle today’s and tomorrow’s IT security load. That’s good news if you’re interested in (or already involved in) the field, because it means there’s plenty of room for new people. It’s a very real concern if your company needs IT security.
So if you’re interested in this field, it’s time to learn more about the profession of IT security. Do your research by visiting the Web sites mentioned in this article, read some of the books on the subject and check out the training opportunities. Plan to work toward, and obtain, the relevant certifications as soon as possible. Remember: We, the citizens of the IT world, really do need more people like you.
Contributing Editor Molly W. Joss also writes Ask Molly, a daily careers column on ComputerUser.com. Ask her an IT career-related question at [email protected]