By Avinash W Kadam
16 May 2006
Security professionals are expected to be proficient with a range of
security techniques, but which qualifications do you need to progress
Knowing which qualifications you need to progress your career is a
dilemma faced by every information security professional. With a
myriad of certificates to choose from which one will help you prove
that you can do your job better? Which one will be valued by
A security professional has to be proficient with a range of security
techniques. These include operating system security, network security,
application security, penetration testing and incident management
Many suppliers offer certificates that are restricted to specific
products. These are appropriate when IT security professionals need to
be familiar with specific infrastructure or systems. But you should
also consider acquiring certificates that are product independent. The
Sans Institute, for example, offers some excellent certificates under
the name "global information assurance certification".
Information security management is a fast growing discipline, and
security professionals are expected to have good exposure to various
security management approaches. Many organisations are planning to
have their information security management system certified to the ISO
27001 standard. Such organisations look for information security
officers with security management qualifications such as the CISSP
(certified information systems security professional), offered by the
International Information Systems Security Certification Consortium
Organisations also look for business continuity management
certification, and the Disaster Recovery Institute offers the CBCP
(certified business continuity professional) certificate.
Information security governance is another focus area for
organisations. This ensures that the efforts and direction of
information security programmes are in line with the business goals of
the organisation. To this end, it is worth considering the CISM
(certified information security manager) certificate from the
Information Systems Audit and Control Association (Isaca).
Security auditing is another qualification much sought-after by
employers. Possessing a good understanding of security audit
principles is a prerequisite to ensure that systems comply with audit
requirements. Isaca offers the CISA (certified information systems
auditor) for security auditors.
The different types of certificates complement each other, and IT
professionals need to have adequate knowledge of each of the domains
if they are to perform a full security role.
An IT manager may be required to perform many security-related
functions, so acquiring certificates in security management and
security governance will definitely be valuable. A security audit
certificate will prepare the IT manager to face security audits with
more confidence. Certified knowledge of security techniques will
improve confidence in technical matters.
An information security auditor may start their career with the CISA
qualification, but to gain deeper insight, they will have to acquire
sufficient experience in security techniques, security management and
Getting the certificate should be a by-product of gaining knowledge
and experience. Preparing for the certification examination makes one
focus on improving understanding of the subject. All the examinations
have objective-type questions that test a candidate on basic
understanding of the subject. Since the certificates are independent
of any products, testing is for conceptual clarity.
So does this mean that information security professionals need to get
all the certificates?
The fact is that security professionals have to perform all these
roles in their career. They will be using various security techniques,
be responsible for security management and security governance, and
may even be performing security audits. An information security
professional needs to acquire adequate knowledge, understanding and
experience in each of these areas. Getting this knowledge certified is
the best way to convey your expertise to the employer and gain
credibility in the workplace.
CV: AVINASH W KADAM
Avinash W Kadam holds a CISA, CISM, CISSP, CBCP and GSEC. He has been
president of the Mumbai Chapter of the Information Systems Audit and
Control Association, lead instructor at (ISC)2, mentor for the Sans
Institute and is director of MIEL e-Security.
=A9 2006 Reed Business Information Limited. All Rights Reserved.
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.