You’re a Canadian IT security professional and you want to implement a new system that will offer incredible security features for every employee at your workplace. Do you fully understand the business implications of what you’re trying to do? If so, are you able to explain your initiative in a way that will spur your managers or executives to get on board?
According to Steven Johnston, who is on the staff of the Office of the Privacy Commissioner of Canada and also a member of the Advisory Board of the Americas for IT security accreditation firm (ISC)2, this is often where existing university and college training falls down.
Johnston says that while the IT security education programs he’s aware of — and there aren’t all that many options — certainly address the technology aspects of IT security, they don’t generally address the business side.
“One of the common complaints that I hear is that the IT security practitioners can’t relate that well to the business side of the organization so they tend not to speak the same language as the CEO or the CFO. That presents problems for them when they’re trying to put forward a case for additional funding or additional people,” says Johnston.
Gareth Hughes, a director at TRM Technologies Inc., an Ottawa-based information technology, systems engineering and consulting firm, agrees it’s an issue, but argues that there are generic certifications out there in the area of security that are mostly product-independent.
However, since TRM is a consulting company, by definition its services involve the provision of expert advice. It is looking for people with a lot of work experience in addition to whatever academic qualifications and certifications they might hold.
“Somebody who came out of school with a university degree and (acquired a CISSP-like designation) might not be sufficient for our needs, but I’m sure there would be positions open to people like that. CISSP is respectable. It’s a lot of material knowledge.”
Sarah Bohne is director of communications at (ISC)2. Her organization issues the credentials to those meeting the necessary competency requirements of the Certified Information Systems Security Professional (CISSP) and its related concentrations, including the Systems Security Certified Practitioner (SSCP). There are about 2,200 certified members in Canada holding one of the organization’s credentials.
Bohne says (ISC)2 offers a lot of education choices for credential holders and those who are interested in pursuing credentials. It introduced and published a career guide last year for students who are interested in IT security but unsure where to start.
Students who want to assess their level of knowledge in the domains that (ISC)2’s credentials cover can also take e-learning courses. “We have a partnership with a group called VCampus Corp., so that’s certainly a convenient option for most people. It really depends on what kind of learning mode works best for them.”
For those who have the education and who wish to become more qualified at problem-solving in the workplace, Bohne recommends another approach. The Associate of (ISC)2 program lets students who do not yet have the number of years of work experience required to become certified sit for the CISSP or SSCP exam anyway. If they pass, they have five years to acquire their required work experience. Then, as long as they are endorsed by someone already certified, they can apply for the certification. “It’s a great way for them to assess their knowledge and figure out where their strengths and weaknesses are, and also to make sure that it’s the career that they want,” says Bohne.
But more importantly, Bohne says that, based on the results of the recent (ISC)2 annual global workforce study, the organization has realized that information security professionals’ roles are becoming more complex. “It’s no longer sufficient for them to just have technical acumen. They also need to have business savvy.” To that end, it is augmenting its (ISC)2 events, “which are pretty information security focused now,” and adding topics such as “How to make a presentation to the board.” Bohne says, “We’re looking to provide some resources for professionals to augment their softer skills and business knowledge.”