Evolution of Information Security 29
that other options exist, such as outsourcing the security function. Some companies
have recognized the importance of security and decided that they do not have the
staff to do it, so they outsource some portion of the security responsibilities to experts
in the area for a reasonable price.
SECURITY CERTIFICATIONS
One of the major forces in the evolution of information security is that a “body of
knowledge” is slowly being carved out. This is being driven by a number of factors
including industry certifications such as the CISSP (Certified Information Systems
Security Professional) and CISA (Certified Information Systems Auditor), which
have defined a body of knowledge that someone needs proficiency in to become
certified, and employers who are trying to fill security-related positions and
advertising for these skill sets. The information security profession itself has, to some
extent, led the way in defining what information security is. International
organizations have played a role. For example, the International Information Systems
Security Certification Consortium, Inc. (ISC)², the body that administers the CISSP
certification, has defined a common body of knowledge that security personnel are
tested on before they can receive the CISSP certification. This body of knowledge
includes operational, management, and technical concepts related to information security.
As the body of knowledge has become more defined, there has been a
proliferation of certifications in the information security profession. The certifications have,
to some extent, established standards of knowledge for the profession similar to
those of other professions such as accounting and IT. As some of the certifications
have gained in popularity, the demand for them has also risen. Some employers now
either require a certification or a commitment to obtain a certification within a
specified period of time as a condition of employment. Employers are having their
own employees with security responsibility obtain relevant security certifications to
help them in their jobs. These certifications are establishing minimum standards of
knowledge for information security professionals. Although certifications today are
differentiators or “nice to haves” for security professionals, they will become
requirements in the future.
As more security professionals become certified, certification should be kept in
perspective. For the information security profession, security certifications establish
minimum standards of knowledge that security professionals should have. Like other
certifications, security certifications are mostly based on examinations. Candidates
must be able to take a test reasonably well. A certification does not necessarily mean
that a person has mastered the subject material. Conversely, someone without a
certification can be an expert.
From a security assessment perspective, certifications show a certain level of
competence in information security or a specialty area of security, depending on the
certification. In addition, some of the certifications have minimum experience
requirements, which can give an indication of the level and type of expertise a
security professional has. It must be stressed, however, that a certification does not
take the place of real-world experience, as is true in other professions.