[ISN] Training Security Foot Soldiers

From: InfoSec News (isnat_private)
Date: Wed Sep 25 2002 - 00:31:40 PDT

    http://www.eweek.com/article2/0,3959,548801,00.asp
    
    By Stephanie Wilkinson 
    September 23, 2002
    
    Security managers worth their salt are arming their companies with
    arsenals of technology such as firewalls and encryption. But it's the
    wise ones like Matthew Speare who know that it also takes well-trained
    foot soldiers to fight the constant information security battle.
    
    That's why Speare, IT risk management director at the $10 billion Ohio
    Savings Bank, recently fired off a memo to his security administrator
    strongly recommending that the bank steer as many IT staffers as
    possible to a new entry-level security certification called Security+.
    
    "I'm a strong believer in certification," said Speare, in Cleveland.  
    "If there's one now that covers the basics, our guys need to know
    about it."
    
    Security+, from the Computing Technology Industry Association, is the
    latest among several security skills certification programs that are
    increasingly popular with enterprises. However, unlike many
    certifications, including CISSP (Certified Information Systems
    Security Professional), Security+ is targeted at entry-level IT
    security professionals. As such, say experts, it represents an
    attractive opportunity for IT pros seeking to find new opportunities
    in today's difficult job market.
    
    "There's a huge information security job boom ahead. There's going to
    be a land rush for talent starting in the first half of 2004," said
    David Foote, president of Foote Partners LLC, an IT work force
    research company based in New Canaan, Conn., and an eWeek online
    columnist.
    
    Driving that demand, said Foote, will be heightened awareness of
    security issues nationwide, accelerating e-business development and an
    overdue loosening of IT budgets.
    
    Security+ has been under development since the beginning of the year
    by CompTIA, a global computing industry trade association based in
    Oakbrook Terrace, Ill. According to Kris Madura, program manager for
    Security+, CompTIA recruited 24 people from industry, government and
    academia to form a steering council.
    
    The goal was to create a vendor-neutral certification that set a
    baseline for security skills required by enterprises. Security+ is aimed
    at people who have at least two years of experience in networking and
    TCP/IP and who have gained a modicum of experience with security
    tasks. The certification lays down a core body of knowledge in five
    domains: general security concerns, communications, infrastructure,
    basic cryptography, and operational and organizational security.
    
    Security+ will also help organizations ensure that IT staffers already
    working as security experts don't have big holes in their knowledge
    and experience.
    
    "I've met many computer 'experts' in a given area—security, for
    example—who know the intricacies of computer software security yet
    lack fundamental and essential security skills," said Tivoli Software
    Project Manager Susan Farago, in Austin, Texas, a Security+
    cornerstone committee member. "This cert will bridge that gap and
    enable candidates to demonstrate they possess the fundamental skills
    that serve as a solid foundation to build more technical or
    vendor-specific skills on."
    
    Following final refinements, the test will go live by the end of the
    year. The cost to take the test will be $149 for CompTIA members and
    $200 for nonmembers. (For more information, go to www.comptia.org.)
    
    That may be one of the wisest $200 investments a budding security
    professional could make, industry experts say.
    
    As it stands, security is already a pretty solid job bet. According to
    Foote Partners' survey of 30,000 IT professionals, security salaries
    have outperformed overall IT salaries for the last two years. Salaries
    and bonuses for corporate security positions increased by an average
    3.1 percent and 9.5 percent, respectively, from the second quarter of
    last year to the second quarter of this year.
    
    Bob Johnston, manager of credentialing services for the International
    Information Systems Security Certification Consortium, in Kingston,
    N.H., the organization that administers the CISSP certification
    targeting advanced security experts, said the Security+ certification
    will help develop a much-needed road map for someone just getting into
    the field.
    
    "The traditional job path for a security person is to start as a
    network administrator monitoring logs or handling passwords. But the
    job is quickly becoming a lot more demanding and dynamic," said
    Johnston. "This kind of a certification will better prepare an
    entry-level person for advancing more quickly."
    
    In addition, by defining the field in terms of the basic skills and
    knowledge it requires, Security+ may help those who are curious about
    a security career decide if it's right for them, said Jeff Recor,
    Security+ cornerstone committee member and president of Olympus
    Security Group Inc., a security consultancy based in Rochester, Mich.
    
    "In my opinion, not enough of the right people are going into security
    these days," Recor said. "There's this persistent perception that
    being in security means you're an uber-hacker. So we get people who
    want to break networks. But security touches a lot of basic,
    day-to-day operations in all parts of the business, not just IT."
    
    So, will possessing the Security+ certification help you land a job?  
    It can't hurt, said Speare at Ohio Savings. Speare fills five to 10 IT
    security positions each year. He said that while a certification such
    as Security+ might not automatically prompt him to pay more, it would
    be a tiebreaker when he's choosing between two equally experienced job
    candidates.
    
    In the end, say experts, Security+ may be one factor helping to make
    the IT security profession more, well, professional. "The state of
    security hasn't improved in process or technology over the last five
    to 10 years. We're still crawling. It's still an art, not a science,"  
    said Recor. "The goal is to get this base level of knowledge into most
    people's hands and start to make the profession more mature."
    
    Stephanie Wilkinson is a free-lance writer and can be reached at
    stephwat_private
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


