WITH all the things that have been going around with respect to information security, i.e. data leakage, breaches, hacking, IT laws and regulatory requirements, the information security guy has once again been thrust into the spotlight.
Gone are the times when security was just another item in the job description of programmers, network and systems administrators and the PC guy. It was simple really. The security of code and programs was expected to be taken care of by the programmer, the network security devices like firewalls were managed by the NetAds, the resiliency of the servers against attacks was added to the job of the SysAds, and anti-virus fell to the PC support people. Life was good.
Just like anything in life, nothing stays the same. Security issues, along with the technology, have only grown more sophisticated and complex. Hence, focus, specialized knowledge and talent are now required to combat this fast-emerging threat to the confidentiality, integrity, and availability of the information technology ecosystem.
We know the need, but the even bigger question is: who?
Equifax, an established credit bureau in the United States which was hit by a massive data breach a couple of weeks ago, got a lot of flak from the public because their chief information security officer (CISO) was deemed to not have any formal training in technology. She was a bachelor of arts graduate with a master’s degree in fine arts, major in music composition, from the University of Georgia.
To be fair, the public fury over this seeming lack of qualifications is misplaced. I have worked with a lot of exceptional IT professionals whose formal education ranged from nursing and accounting to agriculture. Formal education does not guarantee competency. Heck, some of the IT majors in high positions are even more clueless and just get by because of the good people under them (and their gift of gab and natural-born talent for selling themselves – giving credit where it is due). What I want to see is the continuing education and experience of the individual leading to their current position. Now, that paints a much better picture of qualification.
In my experience, the most common candidates for information security positions are the ones who moved ‘naturally’ from IT positions like systems and network administration. Familiarity with operating systems, network devices and protocols is an excellent foundation for network and systems security. Programmers and software developers, on the other hand, are perfect for application security. Although there will be generalists, and depending on the size of the organization, information security does have fields of specialization that are best filled if you really want to be serious (read: have the budget) about it.
For those venturing into this very profitable and sexy field of ‘hacking’, the training scene is replete with good courses. You must be wary about who is giving them, though; they are a dime a dozen these days, with special offers and discounts, most especially the online ones. Nothing against these, but for most people, classroom or belly-to-belly training is still more effective. The SANS Institute (www.sans.org), established in 1989, is by far and hands down the best information security training institution for me. A bit pricey, but the instructors who conduct the trainings are always good teachers with good speaking skills, and are certified industry experts and practitioners. A course could set you back an average of $2,000 but is definitely worth it. Formerly available only in the US, SANS has now ventured into Asia and conducts training programs there regularly. To start yourself in the InfoSec field, GSEC (GIAC Security Essentials) is the best entry-level training and certification. Afterwards, several tracks catering to both the technical and management career paths are available as well. Other notable certification courses include: certified incident handler (GCIH), certified network defender (CND), network penetration testing and ethical hacking (GPEN), and advanced digital forensics, incident response, and threat hunting (GCFA).
The EC-Council is also a very reputable InfoSec training and certification organization, notable for its CEH, or Certified Ethical Hacker, course. Other noteworthy tracks are the EC-Council Certified Security Analyst (ECSA) – a heavily hands-on course and certification – and the ever-popular Licensed Penetration Tester (LPT).
For information security management positions, several certifications stand out as ‘must-haves’. The ever-reliable Certified Information Systems Security Professional (CISSP) from ISC2 is still the bar for most organizations, but the Certified Information Security Manager (CISM) from ISACA is also widely popular.
For those considering a career in information security audit, the Certified Information Systems Auditor (CISA) from ISACA and the GIAC Systems and Network Auditor (GSNA) from SANS are your best bet. Also, from an international standards standpoint, taking the ISO 27001 (Information Security Management System) auditor course would be of added benefit, both talent- and career-wise.
If you’re still unsure which path to take, CompTIA (www.comptia.org) has an excellent Information Security Career Roadmap that you can refer to.
Evidently, there is no shortage of training and materials for one to become adept in the field of information security. This bodes well for individuals (regardless of what college degree they had) who want to take the leap into the world of offensive and defensive security. The sources described above are by no means complete but serve only as a ‘guide’, not just for honing your skills but for knowing what qualifications the security guy you will be hiring should possess. Of course, it goes without saying: nothing beats experience.