http://www.eweek.com/article2/0,3959,548801,00.asp

By Stephanie Wilkinson
September 23, 2002

Security managers worth their salt are arming their companies with arsenals of technology such as firewalls and encryption. But it's the wise ones like Matthew Speare who know that it also takes well-trained foot soldiers to fight the constant information security battle.

That's why Speare, IT risk management director at the $10 billion Ohio Savings Bank, recently fired off a memo to his security administrator strongly recommending that the bank steer as many IT staffers as possible to a new entry-level security certification called Security+.

"I'm a strong believer in certification," said Speare, in Cleveland. "If there's one now that covers the basics, our guys need to know about it."

Security+, from the Computing Technology Industry Association, is the latest among several security skills certification programs that are increasingly popular with enterprises. However, unlike many certifications, including CISSP (Certified Information Systems Security Professional), Security+ is targeted at entry-level IT security professionals. As such, say experts, it represents an attractive opportunity for IT pros seeking to find new opportunities in today's difficult job market.

"There's a huge information security job boom ahead. There's going to be a land rush for talent starting in the first half of 2004," said David Foote, president of Foote Partners LLC, an IT work force research company based in New Canaan, Conn., and an eWeek online columnist.

Driving that demand, said Foote, will be heightened awareness of security issues nationwide, accelerating e-business development and an overdue loosening of IT budgets.

Security+ has been under development since the beginning of the year by CompTIA, a global computing industry trade association based in Oakbrook Terrace, Ill.
According to Kris Madura, program manager for Security+, CompTIA recruited 24 people from industry, government and academia to form a steering council. The goal was to create a vendor-neutral certification that set a base line for security skills required by enterprises.

Security+ is aimed at people who have at least two years of experience in networking and TCP/IP and who have gained a modicum of experience with security tasks. The certification lays down a core body of knowledge in five domains: general security concerns, communications, infrastructure, basic cryptography, and operational and organizational security.

Security+ will also help organizations ensure that IT staffers already working as security experts don't have big holes in their knowledge and experience.

"I've met many computer 'experts' in a given area—security, for example—who know the intricacies of computer software security yet lack fundamental and essential security skills," said Tivoli Software Project Manager Susan Farago, in Austin, Texas, a Security+ cornerstone committee member. "This cert will bridge that gap and enable candidates to demonstrate they possess the fundamental skills that serve as a solid foundation to build more technical or vendor-specific skills on."

Following final refinements, the test will go live by the end of the year. The cost to take the test will be $149 for CompTIA members and $200 for nonmembers. (For more information, go to www.comptia.org.)

That may be one of the wisest $200 investments a budding security professional could make, industry experts say. As it stands, security is already a pretty solid job bet. According to Foote Partners' survey of 30,000 IT professionals, security salaries have outperformed overall IT salaries for the last two years. Salaries and bonuses for corporate security positions increased by an average 3.1 percent and 9.5 percent, respectively, from the second quarter of last year to the second quarter of this year.

Bob Johnston, manager of credentialing services for the International Information Systems Security Certification Consortium, in Kingston, N.H., the organization that administers the CISSP certification targeting advanced security experts, said the Security+ certification will help develop a much-needed road map for someone just getting into the field.

"The traditional job path for a security person is to start as a network administrator monitoring logs or handling passwords. But the job is quickly becoming a lot more demanding and dynamic," said Johnston. "This kind of a certification will better prepare an entry-level person for advancing more quickly."

In addition, by defining the field in terms of the basic skills and knowledge it requires, Security+ may help those who are curious about a security career decide if it's right for them, said Jeff Recor, Security+ cornerstone committee member and president of Olympus Security Group Inc., a security consultancy based in Rochester, Mich.

"In my opinion, not enough of the right people are going into security these days," Recor said. "There's this persistent perception that being in security means you're an uber-hacker. So we get people who want to break networks. But security touches a lot of basic, day-to-day operations in all parts of the business, not just IT."

So, will possessing the Security+ certification help you land a job? It can't hurt, said Speare at Ohio Savings. Speare fills five to 10 IT security positions each year. He said that while a certification such as Security+ might not automatically prompt him to pay more, it would be a tiebreaker when he's choosing between two equally experienced job candidates.

In the end, say experts, Security+ may be one factor helping to make the IT security profession more, well, professional.

"The state of security hasn't improved in process or technology over the last five to 10 years. We're still crawling. It's still an art, not a science," said Recor. "The goal is to get this base level of knowledge into most people's hands and start to make the profession more mature."

Stephanie Wilkinson is a free-lance writer and can be reached at stephwat_private