http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=271851
By Mary K. Pratt
December 04, 2006
Computerworld

Brian Haddock, Patricia Myers and Marjan Rajabi started their careers in very different places: Haddock repossessed cars, Myers worked in banking, and Rajabi was an electrical engineer. Now, however, they share a common link: They're all information security professionals.

Such a diversity of backgrounds might seem odd, but this emerging field is attracting a variety of workers who are drawing on their prior business experience, whatever it might be, to develop the kind of technological safeguards and corporate policies that keep companies' information assets secure.

Through self-directed study and on-the-job learning, Haddock, Myers and Rajabi each earned a certification that indicates both broad knowledge and practical experience as an information security professional. But while many have taken that path in the recent past, the profession's maturation is raising the bar on job requirements in the field. Hiring managers say they still want to see certification, but they also look for an IT degree, ideally one focusing on information security, as well as business acumen.

"There are great security people who didn't come in with a degree, and I don't take someone out of consideration if they don't have a degree. But we're starting to see much more emphasis on professional training and college," says Jim Molini, who holds a CISSP designation. Molini is deputy program manager for enterprise services at The Mitre Corp., a not-for-profit government contractor with headquarters in Bedford, Mass., and McLean, Va.

These changing standards don't come as a surprise to industry leaders such as Myers, who holds the CISSP-ISSMP certification and is chairperson of the (ISC)2 board of directors and the information security manager at a large specialty retailer.

The nonprofit (ISC)2, or International Information Systems Security Certification Consortium, has certified more than 42,000 information security professionals in 110 countries. The 17-year-old organization issues the CISSP and several related designations.

In 1986, Myers was working in the finance division of a bank when she was tapped to develop an information security program. She joined the Information Systems Security Association (ISSA), took security-related classes and reached out to colleagues doing similar work.

"At that time, there were no colleges and universities that were offering courses," Myers says. "You learned by taking [noncollege] courses, finding a good support group of people who already knew the business and attending special conferences."

Today, however, Myers says companies are increasingly looking for professionals who have more formal training and experience in information security, a trend that follows the rise of reputable training and academic programs such as those offered by (ISC)2 and some colleges. She points out that some schools are now even offering doctoral degrees in information assurance.

These evolving standards correspond to the broadening responsibilities of information security professionals, says Bill Hodge, who holds the CISA and CISSP certifications and is the owner of W.L. Hodge Consulting LLC, a Knoxville, Tenn.-based firm focusing on information systems governance.

"We define who or what has access to what information when," Hodge says. Information security professionals once installed firewalls, password protections and encryption programs; now they manage them. But they also have to deal with the complex applications that help companies comply with a growing list of federal and state regulations aimed at protecting sensitive data. These regulations include the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act.

"That's absolutely driving the need for these professionals," says Audrey Pantas, chief information risk officer at Xerox Corp.

Winding Roads

Hodge got into information security through his work as an accountant, drawing on the IT experience he had gained as a help desk worker in college. He says he didn't like tax work but enjoyed developing software. So he was happy when he landed a job at PricewaterhouseCoopers doing IT audits, where he examined the controls in companies' information systems. That led to looking at systems overall, giving him experience in the 10 domains required for CISSP certification.

Hodge says holding the certification is crucial. "If you want to be in the industry, it's great to have a level of experience. But to prove you have the level of knowledge, you have to have the certification," he says. Hodge earned his CISSP designation in 2005.

Brian Haddock, CISSP, a security engineer at Magellan Health Services Inc. in Avon, Conn., agrees. With so many people coming into the profession from other fields, certification shows that you have enough education and experience to do the job, he says.

Haddock repossessed cars and worked as a private investigator before getting into IT in 1997, when he took an entry-level technical position. Drawing on his prior experience as a PI, he immediately foresaw that companies would need security people.

"At the time, many companies were coming online and using communication technologies for their business," Haddock says. "I knew it was a matter of time before these businesses would have to learn to use this technology in a secure manner. I knew that's where my niche would be."

He educated himself, grilling colleagues for lessons on IT systems, the Internet and security. He practiced his emerging skills on his home network, and he took a CISSP certification prep course at Georgetown University.

Despite all that, Haddock says he still felt he needed actual certification to verify all that he had learned, so he earned it in 2003. He says he expects future information security professionals to have even stronger credentials.

"Going forward, I don't know how you're going to get into information security without a college degree and an understanding of business," says Haddock, who adds that he's enrolling in college-level business classes to beef up that area of his resume.

Pantas agrees that information security experts need strong technical skills and business knowledge as well as degrees and certifications. She started her career as a programmer, moving up through the IT ranks as she earned a bachelor's degree in organizational management and an MBA. She worked on Xerox's disaster recovery plan after the Sept. 11 attacks, a role that helped her land her current job in 2003.

As much experience as she has, though, Pantas says she wants to earn CISSP certification. "Certification in itself is valuable," she says, explaining that the CISSP designation proves that the holder has obtained the required experience and expertise. Plus, security professionals are required to continue learning in order to hold on to the certification, a point not lost on executives.

Despite that, Pantas says she doesn't make certification a requirement for job applicants, though she does prefer it. "If they've got the right IT background and business skills," she says, "it's easier to teach them the security."

Tougher Requirements

But some see the door closing for noncertified candidates. Companies that once hired information security professionals who didn't hold degrees or certifications are now emphasizing or even requiring certification.

"When I see a certification, I see they've really gone a few steps beyond what others in the profession might have done," says Mitre's Molini.

Employers are also increasingly seeking people with college degrees or concentrations in information security.

In response, DeVry University's Keller Graduate School of Management offers an MBA with concentrations in security management and information security, as well as a graduate certificate in information security. Likewise, Colorado Technical University has a master's in management with an information systems security concentration. And Iowa State University offers a master's in information assurance.

Such education and training are required on top of standard IT skills to land a job today. Candidates must have solid IT abilities, business acumen and interpersonal skills, such as the ability to communicate and negotiate.

And there's more. "It's a mind-set," says Rajabi, the electrical engineer who now holds a CISSP and is IT risk management and security service manager at Farmers Insurance Group of Companies. "It's understanding that security has to be adequate and reasonable; you have to value security but understand your risks and not be too paranoid."

"There will be a strong demand for people who have the education, the experience, the certification and show true professionalism," says Dorsey Morrow, CISSP, ISSMP and director of legal services at (ISC)2.

It's a tall order, but the payoff is big. Several information security professionals confirm that salaries in the field can easily exceed $100,000 annually.

Pratt is a Computerworld contributing writer in Waltham, Mass. Contact her at marykpratt (at) verizon.net.