As security becomes ever more important, firms are keen to ensure that the people responsible for guarding their data have the right skills.
Many firms that manage security in-house have appointed a chief security officer (CSO) to oversee strategy. But even firms that outsource most of their security management have found it is useful for an in-house manager to co-ordinate security processes across their organisations.
Demand for security managers is therefore growing, but there is a shortage of experts in this field. This shortfall has caused salaries for security professionals to rise. Research firm Giga Information Group reports the example of a chief security officer at a US media firm being paid $225,000 (£154,000) plus up to 40 percent in annual bonuses, and a manufacturer paying its head of security $185,000 (£127,000) plus 25 percent in bonuses.
To justify such salaries, companies want to ensure that security managers have the right skills. This may be a question of assessing an individual's practical experience of security systems and processes, but there is a growing emphasis on professional qualifications. There are a number of certification programmes available, including the Certified Information Systems Security Professional (CISSP) course, the Security Certified Network Professional (SCNP) course, and the Global Information Assurance Certification (GIAC) course.
These courses cover IT security issues including hacking techniques, firewalls and intrusion detection, along with more advanced and business-related elements such as forensics, law, ethics and business continuity.
The Computing Technology Industry Association (CompTIA) is developing its own vendor-neutral certification standard. CompTIA is working with industry and government bodies and hopes the standard will become a globally accepted validation of security knowledge.
Certification can help employers find the right skills. John Holland, chief executive of business solutions provider Qinetiq's Trusted Information Management Division, which offers security services and training, said, "If two people with equal experience apply for the same position and one can demonstrate some form of certification, that stands them in good stead."
Jim Duffy, managing director at security training provider ISC2, which offers the CISSP course, says professional certification can reassure employers. But the type of certification they require will depend on the security expert they want, said Duffy. For positions such as network security engineer, some vendor-specific certificates might be sufficient. "[On the other hand] a broad professional qualification like CISSP might be seen as essential for a head of information security role, or a policy-writing information security consultant," he said.
Although certification can be valuable for a security professional, practical experience is crucial for the top jobs. "You would never not hire someone with years of experience because they didn't have that [certification] tick on their CV," argued Bob Ayers, director of security architecture at security firm @Stake. He added that certification may give a candidate an advantage, but without practical experience it would be unlikely to clinch a job.
Recruiting an inexperienced security manager could prove costly in the long term, warned Omar Kheir, senior trainer at Tech-Connect, which offers SCNP courses at its UK centres. "Those with vast experience and certification may cost more, and someone with limited experience and certification may initially cost less," he said. "But inexperienced staff will ultimately cost more, due to expenditure caused by mistakes or poor productivity."