By Mary K. Pratt
December 04, 2006
Brian Haddock, Patricia Myers and Marjan Rajabi started their careers in
very different places: Haddock repossessed cars, Myers worked in
banking, and Rajabi was an electrical engineer. Now, however, they share
a common link: They're all information security professionals.
Such a diversity of backgrounds might seem odd, but this emerging field
is attracting a variety of workers who are drawing on their prior
business experience, whatever it might be, to develop the kind of
technological safeguards and corporate policies that keep companies'
information assets secure.
Through self-directed study and on-the-job learning, Haddock, Myers and
Rajabi each earned a certification that indicates both broad knowledge
and practical experience as an information security professional. But
while many have taken that path in the recent past, the profession's
maturation is raising the bar on job requirements in the field. Hiring
managers say they still want to see certification, but they also look
for an IT degree, ideally one focusing on information security, as well as
"There are great security people who didn't come in with a degree, and I
don't take someone out of consideration if they don't have a degree. But
we're starting to see much more emphasis on professional training and
college," says Jim Molini, who holds a CISSP designation. Molini is
deputy program manager for enterprise services at The Mitre Corp., a
not-for-profit government contractor with headquarters in Bedford,
Mass., and McLean, Va.
These changing standards don't come as a surprise to industry leaders
such as Myers, who holds the CISSP-ISSMP certification and is
chairperson of the (ISC)2 board of directors and the information
security manager at a large specialty retailer.
The nonprofit (ISC)2, or International Information Systems Security
Certification Consortium, has certified more than 42,000 information
security professionals in 110 countries. The 17-year-old organization
issues the CISSP and several related designations.
In 1986, Myers was working in the finance division of a bank when she
was tapped to develop an information security program. She joined the
Information Systems Security Association (ISSA), took security-related
classes and reached out to colleagues doing similar work. "At that time,
there were no colleges and universities that were offering courses,"
Myers says. "You learned by taking [noncollege] courses, finding a good
support group of people who already knew the business and attending
Today, however, Myers says companies are increasingly looking for
professionals who have more formal training and experience in
information security, a trend that follows the rise of reputable training
and academic programs such as those offered by (ISC)2 and some colleges.
She points out that some schools are now even offering doctoral degrees
in information assurance.
These evolving standards correspond to the broadening responsibilities
of information security professionals, says Bill Hodge, who holds the
CISA and CISSP certifications and is the owner of W.L. Hodge Consulting
LLC, a Knoxville, Tenn.-based firm focusing on information systems
governance. "We define who or what has access to what information when,
Information security professionals once installed firewalls, password
protections and encryption programs; now they manage them. But they also
have to deal with the complex applications that help companies comply
with a growing list of federal and state regulations aimed at protecting
sensitive data. These regulations include the Gramm-Leach-Bliley Act,
the Health Insurance Portability and Accountability Act and the
"That's absolutely driving the need for these professionals," says Audrey
Pantas, chief information risk officer at Xerox Corp.
Hodge got into information security through his work as an accountant,
drawing on the IT experience he had gained as a help desk worker in
college. He says he didn't like tax work but enjoyed developing software. So
he was happy when he landed a job at PricewaterhouseCoopers doing IT
audits, where he examined the controls in companies' information systems.
That led to looking at systems overall, giving him experience in the 10
domains required for CISSP certification.
Hodge says holding the certification is crucial. "If you want to be in
the industry, it's great to have a level of experience. But to prove you
have the level of knowledge, you have to have the certification," he
says. Hodge earned his CISSP designation in 2005.
Brian Haddock, CISSP, a security engineer at Magellan Health Services
Inc. in Avon, Conn., agrees. With so many people coming into the
profession from other fields, certification shows that you have enough
education and experience to do the job, he says.
Haddock repossessed cars and worked as a private investigator before
getting into IT in 1997, when he took an entry-level technical position.
Drawing on his prior experience as a PI, he immediately foresaw that
companies would need security people.
"At the time, many companies were coming online and using communication
technologies for their business," Haddock says. "I knew it was a matter of
time before these businesses would have to learn to use this technology
in a secure manner. I knew that's where my niche would be."
He educated himself, grilling colleagues for lessons on IT systems, the
Internet and security. He practiced his emerging skills on his home
network, and he took a CISSP certification prep course at Georgetown
Despite all that, Haddock says he still felt he needed actual
certification to verify all that he had learned, so he earned it in
2003. He says he expects future information security professionals to
have even stronger credentials.
"Going forward, I don't know how you're going to get into information
security without a college degree and an understanding of business," says
Haddock, who adds that he's enrolling in college-level business classes
to beef up that area of his resume.
Pantas agrees that information security experts need strong technical
skills and business knowledge as well as degrees and certifications. She
started her career as a programmer, moving up through the IT ranks as
she earned a bachelor's degree in organizational management and an MBA.
She worked on Xerox's disaster recovery plan after the Sept. 11 attacks,
a role that helped her land her current job in 2003.
As much experience as she has, though, Pantas says she wants to earn
CISSP certification. "Certification in itself is valuable," she says,
explaining that the CISSP designation proves that the holder has
obtained the required experience and expertise. Plus, security
professionals are required to continue learning in order to hold on to
the certification, a point not lost on executives.
Despite that, Pantas says she doesn't make certification a requirement
for job applicants, though she does prefer it. "If they've got the right IT
background and business skills," she says, "it's easier to teach them the
But some see the door closing for noncertified candidates. Companies
that once hired information security professionals who didn't hold
degrees or certifications are now emphasizing or even requiring
certification. "When I see a certification, I see they've really gone a
few steps beyond what others in the profession might have done," says
Mitre's Molini. Employers are also increasingly seeking people with
college degrees or concentrations in information security.
In response, DeVry University's Keller Graduate School of Management
offers an MBA with concentrations in security management and information
security, as well as a graduate certificate in information security.
Likewise, Colorado Technical University has a master's in management with
an information systems security concentration. And Iowa State University
offers a master's in information assurance.
Such education and training are required on top of standard IT skills to
land a job today. Candidates must have solid IT abilities, business
acumen and interpersonal skills, such as the ability to communicate and
And there's more. "It's a mind-set," says Rajabi, the electrical engineer
who now holds a CISSP and is IT risk management and security service
manager at Farmers Insurance Group of Companies. "It's understanding that
security has to be adequate and reasonable; you have to value security
but understand your risks and not be too paranoid."
"There will be a strong demand for people who have the education, the
experience, the certification and show true professionalism," says Dorsey
Morrow, CISSP, ISSMP and director of legal services at (ISC)2.
It's a tall order, but the payoff is big. Several information security
professionals confirm that salaries in the field can easily exceed
Pratt is a Computerworld contributing writer in Waltham, Mass. Contact
her at marykpratt (at) verizon.net.