Full-Speed Ahead: The Demand for Security Certification by James R. Wade

Transcription

1 Full-Speed Ahead: The Demand for Security Certification by James R. Wade It s no secret that technology is creating a more connected world every day. But as new technologies are released and adopted, the threats also increase. Historically, corporate America has been slow to install new security measures around these technologies until a problem gets out of control (for example, instant messaging). Instead, most companies are in continual catch-up mode and require a significant investment to overcome the emerging threat to their intellectual property, organizational assets and customer data. These emerging threats, along with a much more demanding regulatory environment, are creating a groundswell of demand for highly qualified, certified information security professionals who possess knowledge of general principles, as well as skills in areas specific to the needs of the employer. Internal and External Threats One of the most pressing threats today is the insider, an individual who may be an employee, contractor, vendor or strategic partner that accesses a network or computer environment for non-business purposes. The annual security study from the Computer Security Institute (CSI) and the FBI has long indicated that one of the greatest threats to an enterprise is the insider, but there s little case law from investigations to support that finding, so the emphasis in most organizations is still on hackers. However, those statistics shouldn t divert us from the fact that we need to pay attention to internal resources and how they re using the network. For instance, it s estimated that insiders waste up to three hours each day on the Internet engaged in activities that deplete resources and business productivity. Most companies allow some personal use and are reluctant to establish an onerous policy. But those companies that are monitoring Internet usage by their employees and partners are discovering shocking information, such as regular access to pornographic sites or use of instant messaging (IM) to bypass regulatory requirements with financial institutions. (The Securities and Exchange Commission requires institutions to keep records of all s for two years.) Another significant threat is intellectual property theft. With today s ability to move data, individuals can walk into an environment with a thumb drive and copy large quantities of data practically undetected. Few organizations restrict access to desktop or laptop computing resources to prevent or detect the introduction of unauthorized storage media. People who have physical access to an area can gain entry to unprotected systems and perhaps get access to proprietary data much easier than before. Another threat to intellectual property is the usage of IM. In the past, information security professionals have placed so much emphasis on protecting and regulating corporate e- mail structures that few organizations have looked at IM as a security issue and don t recognize the need to regulate it as they do . Voice over Internet Protocol (VoIP) is another emerging threat. In the past, companies regulated their telecommunications bills because they found that employees abused telecommunications resources. With the speed and the ability to transfer information via voice and data over the Internet, companies need to devise a new strategy to monitor

2 the use of that resource and the data that s being transmitted outside their own environment. In addition, companies are experiencing pressure from external regulators and new corporate governance rules such as Sarbanes-Oxley, which requires publicly traded companies to adequately protect their systems and information assets that impact the financial position. Organizations are making significant investments to comply with recent regulations and must anticipate the continuing pressure from regulatory requirements to protect sensitive and critical information. To neutralize these threats and comply with new regulations, organizations are increasingly looking to highly trained information security professionals for the answer. Companies understand that they need to hire the right professionals with the right expertise. Otherwise, the potential negative impact on their business could be enormous. Security Skills Demand The demand in recent years for these specific security skill sets and capabilities has outpaced the demand for more generalized IT knowledge, and the population of IT security professionals has grown quickly. In 2004, IT research analyst group IDC conducted the first major study of the global information security workforce, sponsored by the International Information Systems Security Certification Consortium (ISC)2. IDC analyzed responses from 5,371 full-time information security professionals in more than 80 countries that had purchasing, hiring or management responsibilities, with nearly half employed by organizations with $1 billion or more in annual revenue. The goal of the study was to provide comprehensive, meaningful research data about the information security profession to professionals, corporations, government agencies, academia and others. The study estimated the number of information security professionals worldwide in 2004 to be 1.3 million, a 14.5 percent increase over The number of professionals is expected to increase to 2.1 million by 2008 at a compound annual growth rate (CAGR) of 13.7 percent from Asia-Pacific is expected to grow at a faster CAGR of 18.3 percent during the same period, while the Americas and Europe, Middle East and Africa (EMEA) are projected to grow at a 12 percent CAGR and an 11.4 CAGR, respectively. Career opportunities are abundant in the field today. People can make security their career choice but develop other areas of expertise, such as voice, data or video. Others may choose a career path that leads to a management position, ranging from business continuity to chief security officer (CSO). Another career path for security practitioners may be the measurement and control of enterprise systems to provide independent assurance to the C-suite. Yet another choice could be information security product development and sales. More than 97 percent of the survey s respondents had moderate to very high expectations for career growth. The study stated that security professionals have experienced growth in job prospects, career advancement, higher base income and salary premiums for certification at faster rates than other areas of information technology. All this for a profession that barely existed 10 years ago.

3 A Shift in Corporate Culture In addition to a highly positive outlook for career opportunities, information security professionals also will find themselves in positions of higher responsibility in coming years. The study found that while most information security professionals reported to the IT department, many others were increasingly reporting directly to C-suite executives or a separate security department. This change has been slow to come and is still developing gradually, primarily because it s a change in the mindset about what information security is and isn t. Most C-suite executives see the IT department as the caretaker of all things related to information resources within an enterprise. It is logical to assume that the security of those resources should be the responsibility of that group. However, the traditional corporate governance model has always separated duties and responsibilities in order to offer a system of checks and balances. This hasn t been true with information security. In most organizations, the information security function has been under the control of the senior official charged with the development and operation of those resources, often the CIO. As a result, the culture of many organizations has to change in order to accommodate the movement or the transition of the information security function outside of the IT organization. Another point of struggle has been over what to do with information security after it s extracted from the IT group. Most organizations have been reluctant to create another direct report that they have to oversee and assume responsibility for. It s been difficult to make that required shift to create a separate information security entity that reports to the C-suite, bringing under its control all areas of sensitivity. Security issues are often seen as conflicting with fundamental business processes and perceived need. There s an ongoing battle in organizations between the need to stay connected to help the business grow and the need to protect the organization from significant risks. Organizations are asking themselves if that decision should be in the hands of those who are charged with providing easy access and availability to corporate resources or an information security professional who knows how to balance those risks against appropriate controls. The study shows that the trend is heading toward the latter, which is good news for security professionals and organizations seeking effective security. Most professionals agree that information security should be considered as soon as new business initiatives or strategic decisions are discussed. But professionals need to be able to put security risks in terms the C-suite will understand so information security will be allocated adequate resources separate from the IT budget. The reporting relationship within the corporate structure needs to be at the highest level and must be fully and formally integrated. For example, many organizations have a function that helps manage overall business risk for the enterprise. However, this function rarely has interface with the information security function. So many organizations are making business decisions without even considering the risks those decisions create for the enterprise s information assets. Organizations also will need to shift the way they think of their information assets. A piece of paper, a fax, a telephone even rubbish can be an information asset. The Benefits of Training and Certification With a growing demand for their skills and increasing respect and responsibility in the organization, information security professionals also are required to be highly trained

4 and to validate their expertise through certification. According to the study, information security managers believe continuing education and certification are important to the profession, with strong business acumen also becoming an essential ingredient for professional success. It is said that software is only as good as its last update. A constant refresh and maintenance of the technology is necessary to ensure peak performance and operational efficiency. The same could be said of the professionals developing, integrating, managing and maintaining these systems. Their skills and knowledge base must be kept current for them to properly perform in their assigned roles and functions. Otherwise, they become obsolete, just like the technology they interact with. This is why IT training has become an important issue for organizations HR departments and employees alike. Respondents in the study received an average of 10 days of training in 2003 related to information security, a number that was expected to increase by an average of 25 percent in Respondents identified security management practices, telecommunications and network security, and business continuity and disaster recovery planning as topics necessary for additional training and certification in For organizations staffing up to address security concerns, certifications have become one of the main differentiating elements when individual qualifications are evaluated and compared, similar to medical, accounting and legal professionals. Ninety-three percent of all respondents with hiring responsibilities said certifications were important in their hiring decisions. Hiring managers desire vendor-neutral certifications, such as the Certified Information Systems Security Professional (CISSP) or Certified Information Systems Auditor (CISA) to demonstrate overall knowledge, as well as vendor-specific certifications, such as the Cisco Certified Security Professional (CCSP) or Microsoft Certified Systems Engineer: Security (MCSE: Security), to demonstrate competency in the organization s specific computing environment. Security hiring managers cited several primary reasons why they prefer security personnel to obtain and keep current certifications. First and foremost, information security certifications verify that an individual has obtained and tested to a predetermined level of knowledge or common body of knowledge in particular security domains. Certifications also extract the guesswork for an employer and afford them some degree of comfort or guarantee regarding an individual s competency or knowledge level. In addition, some security hiring managers insist on information security certifications as a matter of personal preference. Certification also can be critical in terms of legal liability or corporate due diligence. The study found that security professionals with certifications have experienced growth in job prospects, career advancement, higher base salaries and salary premiums for certification at faster rates than other areas of information technology. Future Growth: The Right IT Skills, The Right Business Skills For information security professionals who wish to rise through the ranks of management to executive status, knowledge of management best practices and business-related skill sets are crucial. Although IT skills and security knowledge are important, they must be augmented with solid business understanding of policy,

5 processes and personnel for information security professionals to obtain the title of chief security officer or its equivalent. Individuals who are just entering the field should seek a mentor who is a professional practitioner to help guide their career and provide important advice for career choices. They also should seek internship opportunities through whatever means are available to them. Some universities have work-study programs, as well as mentoring programs and career days. It s important for those interested in the information security field to understand the profession. They may assume that if they have the propensity for technology, it s the right career choice for them. They may not realize that they need to have the ability to communicate effectively in person and in writing, give presentations and verbally interact with all business departments. For example, if you re working with the CFO or his team, you need to understand their needs to be able to influence their information security behavior and adapt your message to that group. According to IDC s analysis, the information security professional s role requires an effective combination of networking experience, security knowledge and understanding of traditional business factors, such as profits, revenue generation, productivity and the growing category of risk management. Connectivity to the computing infrastructure has dramatically changed the way organizations communicate, operate and transact on a daily basis. The need for increased protection of intellectual property, organizational assets, customer data and stakeholders has become a boardroom issue and top priority. Information security staff members are seen as the frontline firefighters in the battle against cyber-crime and other malicious activity. Proper education, certification and continuous training are essential elements to the successful execution of these positions that are growing in significance for the global information economy every day.

6 James R. Wade, CISSP, is a board member and past president of (ISC)2. He has more than three decades of information security experience, including serving as chief information security officer for KeyCorp and chief security officer for the Federal Reserve System. This article originally appeared in Certification Magazine,