Moving Target: The Information Security Professional

Moving Target: The Information Security Professional
Moving Target: The Information Security Professional 

By Mary K. Pratt
December 04, 2006

Brian Haddock, Patricia Myers and Marjan Rajabi started their careers in 
very different places: Haddock repossessed cars, Myers worked in 
banking, and Rajabi was an electrical engineer. Now, however, they share 
a common link: Theyre all information security professionals.

Such a diversity of backgrounds might seem odd, but this emerging field 
is attracting a variety of workers who are drawing on their prior 
business experience whatever it might be to develop the kind of 
technological safeguards and corporate policies that keep companies 
information assets secure.

Through self-directed study and on-the-job learning, Haddock, Myers and 
Rajabi each earned a certification that indicates both broad knowledge 
and practical experience as an information security professional. But 
while many have taken that path in the recent past, the professions 
maturation is raising the bar on job requirements in the field. Hiring 
managers say they still want to see certification, but they also look 
for an IT degree ideally one focusing on information security as well as 
business acumen.

There are great security people who didnt come in with a degree, and I 
dont take someone out of consideration if they dont have a degree. But 
were starting to see much more emphasis on professional training and 
college, says Jim Molini, who holds a CISSP designation. Molini is 
deputy program manager for enterprise services at The Mitre Corp., a 
not-for-profit government contractor with headquarters in Bedford, 
Mass., and McLean, Va.

These changing standards dont come as a surprise to industry leaders 
such as Myers, who holds the CISSP-ISSMP certification and is 
chairperson of the (ISC)2 board of directors and the information 
security manager at a large specialty retailer.

The nonprofit (ISC)2, or International Information Systems Security 
Certification Consortium, has certified more than 42,000 information 
security professionals in 110 countries. The 17-year-old organization 
issues the CISSP and several related designations.

In 1986, Myers was working in the finance division of a bank when she 
was tapped to develop an information security program. She joined the 
Information Systems Security Association (ISSA), took security-related 
classes and reached out to colleagues doing similar work. At that time, 
there were no colleges and universities that were offering courses, 
Myers says. You learned by taking [noncollege] courses, finding a good 
support group of people who already knew the business and attending 
special conferences.

Today, however, Myers says companies are increasingly looking for 
professionals who have more formal training and experience in 
information security a trend that follows the rise of reputable training 
and academic programs such as those offered by (ISC)2 and some colleges. 
She points out that some schools are now even offering doctoral degrees 
in information assurance.

These evolving standards correspond to the broadening responsibilities 
of information security professionals, says Bill Hodge, who holds the 
CISA and CISSP certifications and is the owner of W.L. Hodge Consulting 
LLC, a Knoxville, Tenn.-based firm focusing on information systems 
governance. We define who or what has access to what information when, 
Hodge says.

Information security professionals once installed firewalls, password 
protections and encryption programs; now they manage them. But they also 
have to deal with the complex applications that help companies comply 
with a growing list of federal and state regulations aimed at protecting 
sensitive data. These regulations include the Gramm-Leach-Bliley Act, 
the Health Insurance Portability and Accountability Act and the 
Sarbanes-Oxley Act.

Thats absolutely driving the need for these professionals, says Audrey 
Pantas, chief information risk officer at Xerox Corp.

Winding Roads

Hodge got into information security through his work as an accountant, 
drawing on the IT experience he had gained as a help desk worker in 
college. He says didnt like tax work but enjoyed developing software. So 
he was happy when he landed a job at PricewaterhouseCoopers doing IT 
audits, where he examined the controls in companies information systems. 
That led to looking at systems overall, giving him experience in the 10 
domains required for CISSP certification.

Hodge says holding the certification is crucial. If you want to be in 
the industry, its great to have a level of experience. But to prove you 
have the level of knowledge, you have to have the certification, he 
says. Hodge earned his CISSP designation in 2005.

Brian Haddock, CISSP, a security engineer at Magellan Health Services 
Inc. in Avon, Conn., agrees. With so many people coming into the 
profession from other fields, certification shows that you have enough 
education and experience to do the job, he says.

Haddock repossessed cars and worked as a private investigator before 
getting into IT in 1997, when he took an entry-level technical position. 
Drawing on his prior experience as a PI, he immediately foresaw that 
companies would need security people.

At the time, many companies were coming online and using communication 
technologies for their business, Haddock says. I knew it was a matter of 
time before these businesses would have to learn to use this technology 
in a secure manner. I knew thats where my niche would be.

He educated himself, grilling colleagues for lessons on IT systems, the 
Internet and security. He practiced his emerging skills on his home 
network, and he took a CISSP certification prep course at Georgetown 

Despite all that, Haddock says he still felt he needed actual 
certification to verify all that he had learned, so he earned it in 
2003. He says he expects future information security professionals to 
have even stronger credentials.

Going forward, I dont know how youre going to get into information 
security without a college degree and an understanding of business, says 
Haddock, who adds that hes enrolling in college-level business classes 
to beef up that area of his resume.

Pantas agrees that information security experts need strong technical 
skills and business knowledge as well as degrees and certifications. She 
started her career as a programmer, moving up through the IT ranks as 
she earned a bachelors degree in organizational management and an MBA. 
She worked on Xeroxs disaster recovery plan after the Sept. 11 attacks, 
a role that helped her land her current job in 2003.

As much experience as she has, though, Pantas says she wants to earn 
CISSP certification. Certification in itself is valuable, she says, 
explaining that the CISSP designation proves that the holder has 
obtained the required experience and expertise. Plus, security 
professionals are required to continue learning in order to hold on to 
the certification, a point not lost on executives.

Despite that, Pantas says she doesnt make certification a requirement 
for job applicants though she does prefer it. If theyve got the right IT 
background and business skills, she says, its easier to teach them the 

Tougher Requirements

But some see the door closing for noncertified candidates. Companies 
that once hired information security professionals who didnt hold 
degrees or certifications are now emphasizing or even requiring 
certification. When I see a certification, I see theyve really gone a 
few steps beyond what others in the profession might have done, says 
Mitres Molini. Employers are also increasingly seeking people with 
college degrees or concentrations in information security.

In response, DeVry Universitys Keller Graduate School of Management 
offers an MBA with concentrations in security management and information 
security, as well as a graduate certificate in information security. 
Likewise, Colorado Technical University has a masters in management with 
an information systems security concentration. And Iowa State University 
offers a masters in information assurance.

Such education and training are required on top of standard IT skills to 
land a job today. Candidates must have solid IT abilities, business 
acumen and interpersonal skills, such as the ability to communicate and 

And theres more. Its a mind-set, says Rajabi, the electrical engineer 
who now holds a CISSP and is IT risk management and security service 
manager at Farmers Insurance Group of Companies. Its understanding that 
security has to be adequate and reasonable; you have to value security 
but understand your risks and not be too paranoid.

"There will be a strong demand for people who have the education, the 
experience, the certification and show true professionalism, says Dorsey 
Morrow, CISSP, ISSMP and director of legal services at (ISC)2.

Its a tall order, but the payoff is big. Several information security 
professionals confirm that salaries in the field can easily exceed 
$100,000 annually.


Pratt is a Computerworld contributing writer in Waltham, Mass. Contact 
her at marykpratt (at)

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods