In common with all IT professionals, information security specialists are very aware of the importance of qualifications in demonstrating competence to their current and future employers.
Information security is a complex, multidisciplinary field, though, and choosing a learning path that will deliver qualifications to support a 30-year career can be daunting. Clearly, no such path will be completely planned, and in a demanding, ever-changing technical environment, very few of us are able to predict our career much beyond five years!
We are campaigning to raise awareness of the shortage of cyber security skills, and the opportunity of higher salaries for individuals with the right skills and qualifications.
The spirit of this campaign is encapsulated in the marvellous quote from one of our customers:
“My company needed a cyber security champion and I needed the qualifications to prove it. I have quickly moved up the management ladder and can truly describe your training as ISO 27001 management rocket fuel.”
Collin Whitworth, CTA Data Services Ltd
While we believe that an ISO 27001 qualification is something no cyber security professional should be without, it is worth considering the other key qualifications that may be required.
Do you need the technical stuff?
Training and HR managers will often ask the question, “Do you want a technical job or a career in management?” The correct answer for a prospective cyber security professional should always be that they want both, but not necessarily at the same time.
Any career in information security requires a knowledge of IT systems (hardware, software, networks), applications and the people that use them. It also requires an understanding of the bewildering array of threats and vulnerabilities that characterise the modern-day cyber attack. And, yes, it also needs an awareness of the security provided by commercial products from vendors large and small. (It’s a necessary evil.)
Start with the basics and learn your trade
I always advise those in the early stages of their careers to get as much practical experience as possible and to aim for industry-standard qualifications offered by the likes of Microsoft, Cisco and HP. I am also an advocate of the vendor-independent learning path provided by CompTIA, whose A+, Network+ and Security+ qualifications are highly valued worldwide.
And the very specialist stuff?
As experience grows, many individuals decide to specialise in ‘dark arts’ roles that include security architecture, penetration testing, digital forensics, incident management and security/compliance auditing.
It goes without saying that specialist training and qualifications will be required for these careers. I always advise that individuals choose industry-recognised qualifications awarded by independent organisations and assessed by examination. Good examples include Certified Ethical Hacker (CEH) or GIAC Certified Penetration Tester (GPEN) certificates.
Don’t leave management qualifications until later
Most senior careers (with higher salaries) involve becoming a manager or advising others about management. The role may be managing a technical team of specialists or managing all of the people, processes and technology associated with ensuring effective information security. The latter requires a thorough knowledge of asset and risk management and the controls required to mitigate the risks to an organisation. This is where the knowledge and skills associated with ISO 27001 qualifications such as ISO 27001 Foundation and ISO 27001 Lead Implementer have the greatest influence.
For the first cyber security management qualification, I always recommend that people in the UK consider obtaining the Certificate in Information Security Management Principles (CISMP). This BCS certificate is widely recognised by employers and is approved by the UK Government in the CESG Certified Professional training scheme.
With five or more years’ experience, it’s time to consider preparing to take the (ISC)² CISSP or ISACA CISM examination. These are the premier cyber security qualifications, and are usually a mandatory requirement for securing a senior management position.