Threats of sabotage and a heightened awareness of vulnerabilities have motivated companies to move quickly to find ways to protect their digital assets, as well as their physical ones. I am not the only one taking note of this trend. Gartner predicts that by 2004, some 50 percent of the Global 2000 companies will hire executive staff to help take care of the company’s security needs. Gartner also asserts that within the next two years, many companies will require their Chief Information Security Officers (CISOs) and staff to be qualified by information security certifications.

Further, security is going to be one of the few areas in IT where there will be a demand for qualified applicants. Recently, I had a discussion with Katherine Spencer Lee about certifications and related topics. Lee is the executive director of Robert Half Technology, an IT placement firm. During the course of the conversation, I asked her about the “hot jobs.” Her response: “Anything having to do with security.”

I think that within the next year, companies are going to want their IT security staff members to earn certifications because such credentials give the president and CIO a sense of comfort. Network administrators without security certifications—and I do mean multiple certifications—are going to have to work very hard to convince companies that they have what it takes to move into a security management role.

All of this boils down to the simple fact that if you want to have a career in IT security, you’re going to have to get some certifications under your belt without delay. This is especially true for anyone who wants to work in middle to senior IT security management. Even if you are not the CISO, you’ll need to know something about IT security. It’s that important to the organization.

Certification programs
IT pros seeking security certifications should start their search by looking at the programs offered by the International Information Systems Security Certification Consortium, Inc.—(ISC)2. This nonprofit organization has certified thousands of information security professionals since 1989. It offers two certification programs: the Certified Information Systems Security Professional (CISSP) and the Systems Security Certified Practitioner (SSCP).

The CISSP requires four years of experience in IT security, or three if you have a bachelor’s degree. The SSCP requires one year of experience. Recertification requirements for both include continuing education and ongoing experience in the field.

New certification

(ISC)2 recently announced a five-year contract with the National Security Agency (NSA) to develop and administer a new certification program. The Information Systems Security Engineering Professional (ISSEP) will be for information security professionals who want to work for NSA, either as employees or outside contractors. The NSA will provide the subject matter experts to help develop the exam questions.

General vs. vendor-specific certifications
I like the fact that (ISC)2 requires experience for the certifications; doing so helps make these particular certifications worth more than the paper they’re printed on. You can’t learn all you need to know about IT security from reading a book or sitting in a classroom. You have to have field experience, the more the better.

I also like the fact that these certification programs are general in nature and not tied to a specific product. Don’t get me wrong: Someone in the company needs to know the nitty-gritty details of the security loopholes in a particular product, such as an operating system. I would argue, though, that the person for the job is not a security professional.

Security pros need to have a broader, more comprehensive view of the company’s data vulnerabilities and possible solutions. Lynn McNulty, a CISSP and government liaison for (ISC)2, explained why the organization feels a broader range of security knowledge is important.

“The field of information security is a very dynamic one,” McNulty said. “An information security professional is likely responsible for the policy development and the program management aspects of security.”

McNulty said it is much more important to have mastered the fundamental principles of information security than to have specific knowledge of the security-related settings of a vendor-specific operating system because that knowledge may quickly become obsolete. For example, McNulty said, “How many different operating systems has Microsoft released in the past seven or eight years?”

Choose carefully: Other certification options
You’re going to see a lot of training companies offering security programs for computer professionals. The number of schools offering these programs may well top the number that sprang up overnight a few years ago to offer network certification training. So before you put your money down, make sure that you are opting for a quality, well-known program with a track record of several years or more.

I like the (ISC)2 because it meets the selection criteria. However, I want to mention a few others so you will be able to do some research and choose the program that best fits your specific career plans and that takes advantage of your experience. All of the following programs are suitable for middle or senior-level IT managers or those aspiring to be security managers.

The Information Systems Audit and Control Association
The Information Systems Audit and Control Association has a new certification designed specifically for IT managers. The Certified Information Security Manager (CISM) covers several strategic areas of IT security, including risk and response management. The first CISM exam will be given in June 2003.

The National Defense University
The National Defense University, which is part of the Department of Defense, has several training programs for security professionals, including the National Security Executive Education program. This program offers certificates of completion in National Security Studies and is working on several other programs, including Homeland Security. Although the courses are not deeply technical, they would be a good background for anyone planning a long-term career in IT security consulting.

CompTIA, the organization that created the A+ and Net+ certification programs, has a cert for security. The Security+ is an entry-level certification that is vendor neutral. It is, however, a requirement for the more sophisticated security certification programs offered by Ascendant Learning LLC.

My take
I remember the cold feeling in the pit of my stomach when I read Clifford Stoll’s bookThe Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage back in 1990 when the first edition was released. The book was my first inkling that the computers we were creating to help us could also be used against us.

I firmly believe that we need IT security that goes beyond anything we ever thought we’d require. Companies must make IT security a top priority and will need a well-trained, ethical staff to help do that. Requiring IT security certifications is an integral part of developing such a staff.