Simply buying firewalls, intrusion detection systems and anti-virus software to prevent IT disasters is like sending money to a university and expecting a PhD by return post. It's not that easy. Without trained people, the investment in IT security may be worse than useless if it leads the enterprise into false confidence.
Kevin Henry is an instructor with the IT security certification agency (ISC)2. As he noted, "Having the right people responsible for security is not unlike any other key management or operational role in that it is always a serious and often thought-provoking decision."
Security certifications, like (ISC)2's CISSP designation (Certified Information Systems Security Professional), are designed to give managers confidence that the people they hire will make the most of the security hardware and software they oversee. But the letters after the names can mean many different things, and there are lots of letters.
Rick Bellwood, senior departmental emergency response officer with Natural Resources Canada in Ottawa said, "When I think of certification, there are two sides - technical and management." Vendor-specific certifications, like those offered by Cisco or Microsoft are technical in nature, Bellwood said, but may be restricted to the range of one product, "which is great if you want to be a firewall guru." The risk is that a security practitioner might have a blind spot in other areas covered in what's called the Common Body of Knowledge.
On the management side, he continued, "The CISSP has often been described as a certification that is a mile wide and a foot deep, because it covers a vast area and you do not go into the nuts and bolts the way a technical certification would, but you definitely touch base with each one of those 10 areas in the Common Body of Knowledge."
Randy Sutton, president of Elytra Enterprises, an Ottawa-based IT security company said, "In the federal government, the de facto certification, the one that comes out on the RFP (request for proposals), is the CISSP. That's what clients ask for." Sutton said that despite the belief that the CISSP is a technical type of certification, "It is really a management and general security knowledge certification. It means you know something about security but you can't assume that someone with a CISSP knows intrusion detection or firewalls in practice. Probably about 80 per cent of those CISSPs have never actually had their hands on any equipment."
So somebody hiring a CISSP should be aware they may need other people with more specialized certifications? "Absolutely," Sutton said. "The CISSP is just a certification that gets someone in the door."
People who gradually take on security responsibilities within an organization might not recognize they lack the skills, and the perspective, to do the job properly.
"This has often led to a very narrow view of security - based only on their own experience rather than a comprehensive understanding of the many areas related to information systems security such as business continuity planning, identity management, and incident handling techniques," Kevin Henry explained. "Since they have not had either experience or exposure to those areas they often continue in their comfort zone of competence and miss many opportunities to provide further value to their organizations. This is where a certification and its associated training can provide a real eye-opening and visionary experience to security personnel."
Within CIO organizations, Randy Sutton believes, senior managers need to know that a process to assure security is in place. "If you are going to hire a general IT security manager with no background in security, or if you are going to take an IT security manager who used to be a firewall expert, you are running some risk. The higher you go in the hierarchy, the more general IT security specialists should be," Sutton said. "A good profile for a junior to intermediate IT security specialist is CISSP, Cisco CCNA (Cisco Certified Network Associate), and one or two of the SANS (SysAdmin, Audit, Network, Security Institute) specialities, such as vulnerability assessment."
In many RFPs and supply arrangements, experience and ability are rated as equivalent to formal IT security certifications, but this does not reflect a shortage of qualified personnel, according to Kevin Henry. "The shortage is in regard to practical understanding and experience - not necessarily a shortage of people. A person that is definitely interested in working in the field will obtain the necessary qualifications. Many people pay for certification training on their own for that reason."
Henry explained that managers may want to hire applicants who have demonstrated ability and understanding, "with the understanding that the applicant will obtain the required certification within a reasonable time." The trend, however, seems to be towards mandatory certification, and some government departments in the United States have made CISSP a condition of employment.
While there are no objective performance measurements that allow managers or potential students to decide which IT security qualifications are most useful, RFPs, employment listings and ratings in security publications are all indications of how the market looks at the various certifications.
In today's fast-changing environment, IT security qualifications can 'stale-date' rapidly. As NRCan's Rick Bellwood said, "It will become worthless if you don't keep on top of things, that's for sure."
He believes an IT security certification can be considered current if obtained or refreshed within six months to a year. "I think that's an acceptable norm, because you're not going to be on top of everything. The big thing right now is wireless security, and to have everything for wireless addressed right now I think is impossible," he said. "I think it's fair to say for the CISSP that it is six to 12 months. In fact we have a new release coming out over the next couple of months, and it is updated every 12 to 15 months."
For his part, Randy Sutton believes CIO organizations should consider partial outsourcing of IT security.
"On the technical side, you can always find the experts. I would contract out the technical side, because if you don't work on it every day, you lose your skills," Sutton said. He believes that after security, business resumption is the next important challenge. "Once they've done all they can to prevent the worst from happening," he said, "a prudent manager will still ask the question, 'How do I keep my business going if these precautions are circumvented?'"