
Date: Mon, 31 Aug 1998 22:41:03 -0600 (MDT)
From: mea culpa <jericho@dimensional.com>
To: InfoSec News <isn@sekurity.org>
Subject: [ISN] Certification Next Wave for Security Professionals


Forwarded From: bluesky@rcia.com

Internetweek
Monday, August 31, 1998, 11:45 a.m. ET. 

Certification Next Wave for Security Professionals

By RUTRELL YASIN 

Accountants are certified. Engineers are certified. Why not security
professionals? 

As more security companies launch professional services divisions, IT
managers could require their security consultants to have some
industry-approved credentials that prove they have a high level of
technical proficiency and adhere to an ethical code of behavior. 

Secure Computing Corp. wants to be ahead of this wave. The network
security vendor, which established a services division in April, this week
will announce that 17 of its professional services consultants have been
certified by the International Information Systems Security Certification
Consortium (ISC2). 

ISC2 awards the Certified Information Systems Security Professional
(CISSP) designation to security experts who have passed a rigorous
examination. The exam consists of all the major elements of the
information systems security Common Body of Knowledge, ranging from access
control to law, investigations and ethics. 

Security administrators familiar with the CISSP exam said the ISC2 stamp
of approval would definitely carry weight in their decision of whether to
bring in consultants. But they stopped short of saying it is a necessary
requirement. 

"Would it be important for me [to hire a CISSP-certified consultant]?"
asked John Patterson, a security administrator at Oppenheimer Funds Inc.,
a stock-trading company with $75 billion in assets.

"I don't know right now if I would make it a requirement. But if two
consultants [are bidding for a project] and one had CISSP after his name,
that would definitely weigh in his favor,"  Patterson said. But since
there is a shortage of skilled experts in the industry, "we are not in the
position to mandate that every security consultant should be certified." 

According to Linda Erickson, who earned her CISSP this summer, "There's a
growing emphasis on professional certification for technology
professionals across the board."  Erickson is an administrator with the
Minnesota Department of Human Services. "Industrywide certification helps
set the baseline for professional relationships with our trusted business
partners," she said. 

But to be effective, certification has to be relevant to what users are
trying to do, said Aberdeen Group analyst Eric Hemmendinger. 

If a security company is doing penetration testing of an organization's
infrastructure, then the consultant should know the different ways to
break into networks. That knowledge is not product-specific. 

On the other hand, if the consultant is deploying a specific product,
"what you want is some confidence that he is knowledgeable about the
solution," Hemmendinger said. For example, a consultant may know a lot
about firewalls but very little about how to integrate them with other
security tools, he added. 

Officials at Secure Computing view certifications as a way for its
consultants to differentiate their expertise--at least on paper.  Once
they are in the door, their work speaks for itself, said John Sekevitch,
vice president of professional services at Secure. 

The company wants all of its 35-member staff to be certified. With 17
consultants certified, Secure claims it has more certified professionals
than any other IT company including AT&T and IBM. 

"Certification is the wave of the future,"  Sekevitch said. Currently, of
the 20,000 security professionals--in government, commercial and
international sectors--about 700 are certified.  And 300 of those were
"grandfathered in,"  receiving their credentials prior to the
establishment of ISC2 in 1989, he added. 

Sekevitch also lauds ISC2 for demanding that certified security experts
adhere to a strict code of ethics, a fact that is important due to the
knowledge these experts hold. 


-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]