Information Security News mailing list archives

Training Security Foot Soldiers


From: InfoSec News <isn () c4i org>
Date: Wed, 25 Sep 2002 02:31:40 -0500 (CDT)

http://www.eweek.com/article2/0,3959,548801,00.asp

By Stephanie Wilkinson 
September 23, 2002

Security managers worth their salt are arming their companies with
arsenals of technology such as firewalls and encryption. But it's the
wise ones like Matthew Speare who know that it also takes well-trained
foot soldiers to fight the constant information security battle.

That's why Speare, IT risk management director at the $10 billion Ohio
Savings Bank, recently fired off a memo to his security administrator
strongly recommending that the bank steer as many IT staffers as
possible to a new entry-level security certification called Security+.

"I'm a strong believer in certification," said Speare, in Cleveland.  
"If there's one now that covers the basics, our guys need to know
about it."

Security+, from the Computing Technology Industry Association, is the
latest among several security skills certification programs that are
increasingly popular with enterprises. However, unlike many
certifications, including CISSP (Certified Information Systems
Security Professional), Security+ is targeted at entry-level IT
security professionals. As such, say experts, it represents an
attractive opportunity for IT pros seeking to find new opportunities
in today's difficult job market.

"There's a huge information security job boom ahead. There's going to
be a land rush for talent starting in the first half of 2004," said
David Foote, president of Foote Partners LLC, an IT work force
research company based in New Canaan, Conn., and an eWeek online
columnist.

Driving that demand, said Foote, will be heightened awareness of
security issues nationwide, accelerating e-business development and an
overdue loosening of IT budgets.

Security+ has been under development since the beginning of the year
by CompTIA, a global computing industry trade association based in
Oakbrook Terrace, Ill. According to Kris Madura, program manager for
Security+, CompTIA recruited 24 people from industry, government and
academia to form a steering council.

The goal was to create a vendor-neutral certification that set a
baseline for security skills required by enterprises. Security+ is aimed
at people who have at least two years of experience in networking and
TCP/IP and who have gained a modicum of experience with security
tasks. The certification lays down a core body of knowledge in five
domains: general security concerns, communications, infrastructure,
basic cryptography, and operational and organizational security.

Security+ will also help organizations ensure that IT staffers already
working as security experts don't have big holes in their knowledge
and experience.

"I've met many computer 'experts' in a given area—security, for
example—who know the intricacies of computer software security yet
lack fundamental and essential security skills," said Tivoli Software
Project Manager Susan Farago, in Austin, Texas, a Security+
cornerstone committee member. "This cert will bridge that gap and
enable candidates to demonstrate they possess the fundamental skills
that serve as a solid foundation to build more technical or
vendor-specific skills on."

Following final refinements, the test will go live by the end of the
year. The cost to take the test will be $149 for CompTIA members and
$200 for nonmembers. (For more information, go to www.comptia.org.)

That may be one of the wisest $200 investments a budding security
professional could make, industry experts say.

As it stands, security is already a pretty solid job bet. According to
Foote Partners' survey of 30,000 IT professionals, security salaries
have outperformed overall IT salaries for the last two years. Salaries
and bonuses for corporate security positions increased by an average
3.1 percent and 9.5 percent, respectively, from the second quarter of
last year to the second quarter of this year.

Bob Johnston, manager of credentialing services for the International
Information Systems Security Certification Consortium, in Kingston,
N.H., the organization that administers the CISSP certification
targeting advanced security experts, said the Security+ certification
will help develop a much-needed road map for someone just getting into
the field.

"The traditional job path for a security person is to start as a
network administrator monitoring logs or handling passwords. But the
job is quickly becoming a lot more demanding and dynamic," said
Johnston. "This kind of a certification will better prepare an
entry-level person for advancing more quickly."

In addition, by defining the field in terms of the basic skills and
knowledge it requires, Security+ may help those who are curious about
a security career decide if it's right for them, said Jeff Recor,
Security+ cornerstone committee member and president of Olympus
Security Group Inc., a security consultancy based in Rochester, Mich.

"In my opinion, not enough of the right people are going into security
these days," Recor said. "There's this persistent perception that
being in security means you're an uber-hacker. So we get people who
want to break networks. But security touches a lot of basic,
day-to-day operations in all parts of the business, not just IT."

So, will possessing the Security+ certification help you land a job?  
It can't hurt, said Speare at Ohio Savings. Speare fills five to 10 IT
security positions each year. He said that while a certification such
as Security+ might not automatically prompt him to pay more, it would
be a tiebreaker when he's choosing between two equally experienced job
candidates.

In the end, say experts, Security+ may be one factor helping to make
the IT security profession more, well, professional. "The state of
security hasn't improved in process or technology over the last five
to 10 years. We're still crawling. It's still an art, not a science,"  
said Recor. "The goal is to get this base level of knowledge into most
people's hands and start to make the profession more mature."

Stephanie Wilkinson is a free-lance writer and can be reached at
stephw () cfw com.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

