Challenges ahead for security managers

Companies want security chiefs to understand business as well as technology. So what qualifications do security experts need?

Information security professionals are struggling to meet the increasing demands of prospective employers, and the proliferation of competing certification schemes is compounding the problem, according to industry experts.

At a roundtable event hosted by IT security certification body ISC2, attendees said the spread of IT across business has increased the demand for security experts.

Iain Sutherland, founder of specialist recruitment agency Information Security Solutions, added that firms want IT security professionals with a strong business knowledge as well as a good technical grounding.

"The only way to get this sort of person is to [hire] someone who has come up through the information security ranks but has found time to go out and do an MBA," argued Sutherland. "IT security staff [make up] the highest proportion of [IT staff] taking MBAs, because firms are raising the bar all the time."

But Paul Dorey, chief information security officer for BP, argued that business judgement can be taught to IT security staff without requiring them to have an MBA. He added that the newly formed Institute of Information Security Professionals (IISP), which he chairs, could play a role here with its mentoring schemes and career development assistance.

"When graduates turn up to my company they don't have business judgement and we have to work hard to teach them," said Dorey. "The IISP [should be able] to help people achieve that level of business credibility."

But others raised concerns that the IISP would struggle to gain recognition in an already crowded marketplace, until it can prove its value to members.

"It's very important that certification bodies offer more than just a string of letters," said Chris Rodgerson, a student currently taking an MSc in information security. "I gave up my British Computer Society membership because I felt they had nothing to offer me – education is the most important [service that organisations can offer]."

Rodgerson added that the large number of certifications currently on offer makes it hard to decide which qualifications are required for particular jobs. "What I'm worried about is spending six months getting a CISSP [qualification] only to find out I don't need it for the job I'm going for," he said.

John Colley, chairman of ISC2, said that although the ideal would be fewer, more specific qualifications, in practice there are often overlaps between certifications.

BP's Dorey said the IISP was set up not to duplicate the services and certifications already offered by other organisations, so it will complement rather than compete with them. "Knowledge qualifications struggle most on providing [up-to-date] education," he said. "The IISP will provide a structured programme around continuing knowledge, but we won't address that initial fill-up of knowledge, which is why we need other [courses and qualifications like the CISSP]."