By Kris Madura, MBA, certification program manager CompTIA Security+

From the employer’s perspective, the process of filling IT security positions and developing career paths for these employees can be difficult. Organizations are scrambling to put together accurate job descriptions and finding it hard to identify job task needs. Further, IT managers and HR staffers are often unsure how to accurately match the experience, education, and certification of job candidates to openings.

This situation leads to unrealistic and unmet expectations by employers and is equally unsettling for job seekers. Acquiring the correct mix of experience, education, and certification to qualify for security jobs is tough when there are conflicting opinions on what constitutes the correct mix. One gauge managers and would-be security pros can use to measure expertise is a comparison to CompTIA’sSecurity+ Exam Objectives. These objectives can be used to write job descriptions, effectively evaluate candidates, or to create career paths for pros looking to move into a security role.

History of CompTIA
Two years ago, the Computing Technology Industry Association (CompTIA) began a collaborative effort with security organizations, U.S. government agencies, and suppliers—twenty-six organizations in all. (See Figure A.)
Figure A

CompTIA Security

Advisory Committee
VeriSign National Institute of Standards and Technology (NIST)
Symantec Argonne National Laboratory
RSA Security U.S. Secret Service
Entrust Federal Bureau of Investigation
Microsoft Cybersmuggling Center—U.S. Customs
Sun Microsystems Ascendant Learning
IBM/Tivoli Software Group Course Technology
Novell ElementK
Olympus Security Group Intense School
Motorola Marcraft International
Information Systems Security Association (ISSA) New Horizons Computer Learning Centers
Information Systems Audit and Control Association (ISACA) Sybex
VCCS—Institute of Excellence for Information Technology Tech-Connect

The central discussion concerned the issue of what constitutes the minimum acceptable level of IT security knowledge for a person to effectively perform an information security role. The consensus of these leaders from the public and private sector was that individuals demonstrating foundational-security capabilities would understand communications security, infrastructure security, operational/organizational security, basics of cryptography, and have a well rounded knowledge of general security concepts—access control, authentication, attack and malicious code risk reduction, auditing, logging, and system scanning, as well as the nuances of social engineering and the risks associated with it. The group concluded that foundational-security knowledge required, on average, either two years of on-the-job networking experience with some emphasis on security or equivalent classroom and laboratory work.

As the committee steered the development and launch of a new security certification, CompTIA Security+, each of the above subject areas was fleshed out, detailing what constituted foundational knowledge mastery. These details were published and are available today on the CompTIA Web site.

Employers and job seekers now have a public document that lays out the knowledge required to perform foundation-level work in security. This de facto standard is available to everyone—from employers developing job descriptions, to employees preparing themselves for their first or next job in security, to educators developing course objectives.

Building on the foundation
There are two general career paths in security, after the foundational knowledge is mastered: one for security managers and another for technical administrators. There are, however, overlapping skills that people on either path must have. Those in security management are managers first, but must ultimately have a strong technical background. Those on the technology career path must understand the business and social ramifications of security in addition to their technical expertise.�

The technical administrator’s general career path builds on the foundation level with both vendor-neutral and vendor-specific expertise. Organizations such as Information Systems Audit and Control Association, Information Systems Security Association, and Information Systems Forensics Association offer guidelines for technical knowledge mastery, including senior positions. These and other associations in security offer a look at concepts that span the industry. The guidelines serve as reliable indicators to both employer and job seeker of what to look for and what to prepare for.

Hardware and software companies have moved aggressively to create security certifications linked to their product and service offerings. Symantec, Microsoft, IBM, Sun Microsystems, Cisco, and others have detailed the required knowledge to support their products at various levels of expertise.

Vendor-neutral vs. vendor-specific
There is a constant debate among employers and job seekers alike about the value of an industry association vendor-neutral certification vs. the vendor-specific certification. The best advice is to include both as appropriate to the seniority of the job. Vendor-neutral certifications emphasize the “whys” while vendor-specific certifications emphasize the “hows.” People with both demonstrate their flexibility and problem-solving capabilities. We are seeing today a growing integration between vendor-neutral and vendor-specific certifications, which will help reduce this tug-of-war.

Management track
The International Information Systems Security Certification Consortium, Inc. (ISC2) has developed guidelines that are recognized for appropriateness in the general managerial track for security. Those wishing to be managers and those employers writing job descriptions for managers can research the ISC2 guidelines and clarify for themselves the expected areas of competency. Security managers should be able to prepare plan, implement, execute, and evaluate security programs.

Resources for security standards
Academia and commercial training organizations are developing curricula that incorporate some of the best thinking to date on preparing IT workers for managerial and technological career paths in security. Employers and job seekers have a ready source of information from these organizations as well. Continuing education credits, degrees, and certifications earned during these programs are guideposts for employers and credibility statements from job seekers.

Preparing security job descriptions or building capabilities for the next job requires clear information and a little research. That information is available now, from foundation-level requirements on up to the multiple layers of experience and education required for the senior-level manager and technologist.

The security infrastructure, including industry associations, suppliers, and academic and training organizations is deepening by the week. Use the resources and tips in this article and find order rather than chaos in the pursuit of information security.