(ISC)2 publishes career guide for the security profession

* Career guide details certifications on offer from (ISC)2

"You wouldn't give an untrained person cheese and eggs and expect a perfect soufflé. But many companies seem to think that security is something you get by throwing a lot of money at hardware and software vendors, unpacking cardboard boxes and plugging in appliances." So writes Joel Snyder, a Network World Test Alliance partner and a senior partner at Opus One, in a training story that's part of "The six worst security mistakes ... And how to avoid making them," a series of articles in the Guide to IT Security in this week's Network World.

In his article, Snyder explains why training matters for IT professionals who want to build secure environments, and discusses the different kinds of training they should consider. Also on the subject of security training, I want to draw your attention to a career guide published last month by (ISC)2, the organization that maintains and administers the Certified Information Systems Security Professional (CISSP) certification exam. The CISSP is often cited in Foote Partners' IT skills pay index among the best-performing certified skills, that is, the certifications that command a bump in base salary (see "Skills that help bump up your salary").

Although the career guide, entitled "Decoding the Information Security Profession," is aimed at school leavers, it could also be useful to IT pros considering a move into the security discipline. The guide clearly describes the certifications available to security professionals and the different security job roles, shows the typical salary increases after certification, and lays out the career path of a security expert.

(ISC)2 describes its CISSP certification as a "broad scope of knowledge [that] is not tied to any specific technology vendor or product." It adds: "Vendor-specific certifications, such as the Microsoft Certified Systems Engineer (MCSE): Security, are offered by technology vendors covering knowledge and content specific to their products... Both kinds ... play an extremely important role in the market ..." (I guess (ISC)2 has to say that as the guide is sponsored by Microsoft.)

The roster of (ISC)2 designations begins with Associate of (ISC)2, which "recognizes students or others at the beginning of their careers who have acquired knowledge of key information security concepts but do not yet have the work experience," according to the guide.

For working professionals, there is the Systems Security Certified Practitioner (SSCP), aimed at those working toward, or who have already attained, positions as senior network security engineers, senior security systems analysts or senior security administrators. The Certification and Accreditation Professional (CAP) was developed with the Department of State's Office of Information Assurance, and validates knowledge of the formalized process used to assess the risks and security requirements of an information system.

The CISSP certification is aimed at mid- and senior-level managers in roles such as chief information security officer, chief security officer or senior security engineer. The CISSP credential demonstrates competence in the 10 domains of (ISC)2's CISSP Common Body of Knowledge (CBK), which the organization describes as "a common framework of information security terms and principles which allows information security professionals worldwide to discuss, debate, and resolve matters pertaining to the profession with a common understanding."

CISSP has three concentrations:

* Information Systems Security Management Professional (CISSP-ISSMP), for advanced information security managers who have a deeper management emphasis.

* Information Systems Security Engineering Professional (CISSP-ISSEP), for the advanced information security risk management professional "who demonstrates mastery" of system security engineering, technical management, certification and accreditation, and information assurance regulations.

* Information Systems Security Architecture Professional (CISSP-ISSAP), for security architecture pros who focus on high-level security for enterprise-wide systems and infrastructure.

In its guide, (ISC)2 notes the typical job path and salary expectations as follows:

* University graduate - information security administrator (salary of $45,000 to $55,000), eligible for Associate of (ISC)2 program.

* 1-plus years work experience - information security administrator ($75,000), eligible for SSCP certification.

* 4-plus years work experience - information security analyst/engineer ($80,000), eligible for CISSP certification.

* 7-plus years work experience - information security manager ($100,000).

* 9-plus years work experience - director of IT or information security, chief security officer, or chief information security officer ($150,000-plus).

The full career guide can be downloaded here (PDF).

* Following on from the recent newsletter about updates to Cisco's CCNP exams, Cisco Press said it too has updated its training materials to support the changes. Cisco Press will publish 12 new titles by the end of the year, with books on all of the exams to be available by March 2007. For more information about the new materials Cisco Press will have to support the new CCNP exams, go here.

Copyright © 2006 IDG Communications, Inc.
