The Growing Importance of Professional Certification in InfoSecurity, Mr Ed Zeitler, Executive Director, (ISC)2
Richard Swart: Hi, this is Richard Swart with Information Security Media Group, publishers of BankInfoSecurity.com and CUInfoSecurity.com. Today we’ll be speaking with Ed Zeitler, executive director of ISC2. Ed has extensive experience as the head of information security at Fidelity Investments, Bank of America and Security Pacific National Bank. Good morning, Ed.
Ed Zeitler: Good morning, Richard.
Swart: Well, for our listeners who might not be familiar with ISC2, could you give us a quick overview of your organization?
Zeitler: As you said, we focus on education and certification of the work force--the information security work force -- but we are global in nature and intend to support the profession throughout their career. For example, we publish a resource guide for today’s information security professional. That’s a comprehensive source of knowledge and training globally for reference for our members. We publish a career guide to the information security profession. We offer scholarships annually--over $100,000 in scholarships annually to students doing research. Currently we have a security awareness materials website where we’re collecting security awareness material from all of our members. We have advisory boards that are global in nature. We have an advisory board for the Americas, for Asia, for Europe and for the government sector here in the United States. We’ve grown from 3,000 members to more than 50,000 members in the past six years, so we’re working hard to ensure that we have support for these members for our certified folks. But then the certification is the reason we’re here to form a community of professional information security people.
Swart: Well, talking about that I understand you recently conducted a global work force information security study. Could you tell us some of the results from that study?
Zeitler: Yes, certainly. The global information security work force study is conducted annually. We have three years’ worth of data now, so what we’re looking for is trends -- not necessarily the absolute number, but we’re looking for things that are changing in the work force from year to year. Information security is a maturing profession, and it will continue to grow globally; certainly IDC [analyst], who we used in the last three years to do the actual survey, has projected that there will be 1.5 million people involved in information security globally this year, expected to grow to two million in 2010. So you can see the community is growing quickly, and we’re seeing a lot more movement into the business side of the house. That information security professionals are increasingly being required to have business understanding and communication skills is one of the main points that came out this year. I think anybody working in the industry is aware of that, but as information security becomes more critical to the executive suite, they are looking for information security people who have business in mind rather than solely technology backgrounds. Coming out of these information security studies, we have noticed that 85% of security hiring managers are looking for certified people now. That’s quite a ways up. Certain organizations have a large population of certified folks. For example, here in the United States Microsoft, Booz Allen Hamilton, EDS, Citigroup, Price Waterhouse, and so on have large staffs certified either by the [indiscernible] or the SSCP, which we can talk about later.
Swart: Let’s go ahead and talk about those now. What are those certifications you were mentioning?
Zeitler: Yeah, the gold standard, if you will, for information security certification is our CISSP, Certified Information Systems Security Professional. This is a senior person who has a broad knowledge of information security and who tends to be the CISO of a corporation or the CSO, and is responsible for setting the program and developing policies. That certification requires that you adhere to a security code of conduct and that you have a certain number of professional years in that position as an information security person. Right now it’s four years of experience; as of October 1st, we’ve increased that to five years of experience. You also need an endorsement by another certified person, another person who is credentialed, as of October 1st, so -- as you can see -- we continue to focus on the requirements, and the examinations are reviewed and updated at least annually, often more times than that, to make sure they’re all current. But what we’ve found is that there is still a need for the practitioner, if you will, the IT person who has security as part of their business, part of their responsibilities. In that case, we have what we call the SSCP, certified security practitioner, and that person is more the person implementing information security at the firewall or the network or a platform level or application level security people, and it’s much more specific to that level of person. It requires only one year of experience at this point in time in the information security field to be qualified for the SSCP. Again, there’s an examination and a code of conduct, and endorsements are required for that particular certification. The CISSP also -- going back to the CISSP -- we have two concentrations that we talk about that are enhancements, or the next step up from the CISSP. It’s for people who focus on management and are concentrated in the management area, so you can get an ISSMP -- a management professional -- added to your CISSP.
You have to have the CISSP first, and then you have the option of the management professional certification on top of that, or the architecture professional on top of that if you have experience in the architecture area. To qualify for the MP and the AP, you have to have the CISSP and then you have to be able to pass an examination in that area. There is also required experience in both of those areas that can be a part of your CISSP experience. I’m trying to not make this too complex, but there are a lot of pieces that fit together for the overall program. We have special certifications too: we worked to establish an EP, an engineering professional, on top of the CISSP that is very technical and very difficult to pass, and the NSA is asking their people to pass that certification, and that’s open to the public, too. We have non-NSA people taking that certification. So, you see -- I’m sorry -- we also have a Japanese credential that we’ve recently released, working with the Japanese government. They have asked for a specific examination, again beyond the CISSP, for their people, and it is focused on Japanese regulations and customs. The Japanese government is asking all of their CISSPs to pass the Japanese professional. In a rambling way, those are the certifications that we currently have available.
Swart: Well, you mention that you’ve gone from 6,000 to 50,000 members, and I know there’s been huge growth in the number of CISSPs recently. Is that just with your examination, or is the role of certification in the information security industry itself changing?
Zeitler: Well, yeah, I think the role of certification is changing. It is being recognized by senior management now. Like I said, 85% of the hiring managers are expecting certification of one sort or another. But quite honestly the CISSP fills a gap. We don’t address the specific technology credentials such as Microsoft or Cisco have out there, and we are the generalist … so that growth is just a recognition of the need for credentials and the fact that we’re offering the first globally accepted credential in information security. All of our credentials are also accredited under ISO standard 17024, which is the international standard for certification bodies. We’re very pleased with that. We were one of the first ones to have -- or we were the first ones to have -- an information security professional accreditation of our certifications.
Swart: How is the field of information security itself evolving? What changes do you think are coming down the pipeline or are on the horizon, and what impacts will these changes have on the training and career needs of individuals?
Zeitler: Information security has seen rapid growth in the last few years, again because of more regulation in the U.S., for example, and in Europe, but also because of the awareness in the executive circles of the damage that can be done with information of one sort or another. So, we’re riding that wave right now. All of a sudden there is recognition that these people are critical to the business, not just to the technology. I think that will continue to grow in that way. The technology is always going to be changing, always going to be introducing new threats, and potentially that needs professionals who understand that risk and understand those threats. So, if anything, it’s going to continue to grow. Wherever technology is being developed, especially, there’s going to be a need for specialists in security. So, I think we will see the information security profession grow as fast as the technology and the awareness of the information risk out there to our corporations.
Swart: If I were just getting started out in this field, where would I go to get high quality training?
Zeitler: Well, there’s certainly good high quality training available from vendors, and if you’re looking for a specific technology, a specific vendor product, that’s a really good place to go. As far as information security training in general, that’s a little more difficult. Certainly ISC Squared offers training. We’re very careful with our training program. Anybody doing any training for us has to be part of our certified staff, who are monitored very closely and are the top level professionals in the area, and the material, of course, has to be updated and current. Materials have to be updated at least annually, if not more often. That’s what you look for, if you will -- the quality of the instructors and the quality of the material that’s being taught. We, for one, do not teach the exam. Our educational programs, in fact, under the ISO rules, cannot teach the exam. Some folks advertise that they do [teach the] CISSP exam or the SSCP exam, and that’s not really possible because the exam is totally separate from our education materials, and the exam is maintained very carefully so that there aren’t copies of the exam out there somewhere. Again, under the ISO accreditation, the examinations are very closely handled. What we teach is good information security across all 10 broad domains of the certification, the CISSP for example -- there are seven domains for the SSCP that we teach -- but don’t go to somebody who says we can get you to pass the CISSP in two hours of training. Most of our training classes are in the five-day range. We have lots of training available online also, and there are a number of different ways you would find other offerings out there like it. Just again, be careful that you’re getting quality material and not someone trying to teach the test.
Swart: You mention the common body of knowledge that exists for both of those examinations, but earlier you said there was sort of a change where the business skills are becoming more and more important. Do you foresee any change in the content of the common body of knowledge?
Zeitler: The common body of knowledge is a term we’ve coined for our expectation, if you will, of the material that an information security professional should be familiar with, and that is all encompassing. So in our common body of knowledge, we have historical, you know, information. We have current stuff. We have stuff that’s coming down the pipe; that’s all part of that common body of knowledge. That is the source, if you will, both for our examinations and for our training, run by totally separate organizations, of course, so that common body of knowledge is updated several times a year and there are, again, committees that support it. That common body of knowledge is changing dramatically annually, and it’s all part of maintaining our certifications and our training as current also.
Swart: My last question for you, and then I’ll let you know; If you had a child just starting out in the field, what would you tell that child is the one thing to make sure that you learn?
Zeitler: There are a couple of things. We’ve talked about this often as part of our certification program and whatnot, and we tend to come back to the point of saying it’s the integrity of the person that makes you successful in your career as an information security person. You need technical training, of course; you need to come through and understand the underlying technologies and whatnot that you’re going to be responsible for, but it’s more important that you have a well-rounded education in information security and that you maintain that integrity, which is sometimes difficult today.
Swart: That’s good advice there, Ed. Well, thank you for your information. I’m sure our listeners will benefit greatly from it.
Zeitler: Well, thank you very much, Richard. I certainly appreciate the opportunity.
Swart: And your website is just isc2.org, if people have questions; is that correct?
Zeitler: Absolutely. Please, yes, contact us and our website has numbers and whatnot.
Swart: Very good. Well, thank you for listening. For other information on information security in the banking and finance industry or to listen to other podcasts, please visit us at www.BankInfoSecurity.com or CUInfoSecurity.com.