Infosec certifications are now a standard trade requirement, but they only prove your security credentials. The next generation of security experts will need to be as business-savvy as they are technically knowledgeable, so how do they get this kind of knowledge?
There is no doubt that an infosec professional needs to be technically proficient, and education programs that support the CISSP (Certified Information Systems Security Professional) and SANS GIAC (Global Information Assurance Certification) credentials provide good technical training. But, believes Paul Rohmeyer, chief operating officer at security services firm Icons, these experts need more than just IT skills.
"Equally – or more – important is an awareness of how security should be dovetailed with business objectives," he says. "There isn't a class per se where someone [can acquire that]."
Lloyd Hession, CSO of BT Radianz, agrees that despite the abundance of security training and certification programs, they don't provide IT security professionals with the business know-how they need to be successful.
Oftentimes, he says, what holds security professionals back from being promoted to top-level security positions is their lack of business experience and acumen – specifically, an ability to communicate in business language, work with business units, and understand risk management.
So CSOs should focus on building business skills in their security managers, rather than having them go through more security-specific training, says Hession.
"Take your best and brightest security people and teach them more about business, rather than worrying about getting them CISSPs and CISMs (Certified Information Security Manager)," he says.
Anyone can pick up a book and pass a test in order to obtain a security certification, says Kevin Dickey, CISO for Contra Costa County in California. But the profession requires "a jack-of-all-trades, master-of-all-trades," with knowledge and practical experience in operations, system software, application development, and networking, he says. In all of these areas, an infosec professional needs to focus on the business objectives of the organization.
"You have to be able to talk to the owners of the business and help them discern from a risk management approach what they should be doing to make sure their business goals are met," says Dickey. "I have not seen any book that [teaches] this."
If a security executive does not have a clear understanding of the organization's business, they cannot build effective policies.
Indeed, a highly proficient security professional should have mastery in a wide range of disciplines, but should also know the business they are in.
"You have to recognize that being a good technologist is not enough," says Jon Gossels, president of security consulting firm SystemExperts. "You have to be a good business person first and a technologist second."
Depending on what a person's career interests are, a master's degree in business (MBA) might be ideal training. But, first and foremost, an information security professional needs to be proactive in learning about the business. Be curious, advises Gossels.
Dow Williamson, director of corporate development at (ISC)2, which issues the CISSP and SSCP credentials, says infosec professionals seeking career advancement to senior management must complement their certifications and expertise with personal development and business skills.
Those skills include interaction with C-level executives, strategic planning, presentation and public speaking, people management, budgeting, project management and marketing, he adds.
The best training for infosec officers might involve sending them out to work in various business units – such as help desk, operations and networking – to get an understanding of the problems those units face, suggests Dickey.
He sees the need for an academic degree that focuses on best practices, such as ISO 17799, which would also provide students with the means to communicate with business owners.
"There truly is a need today for a true academic process for becoming a chief information security officer," he says, adding that homeland security issues make the need more pressing than ever.
There are signs that the industry is waking up to those needs. Hession points out that a trend has been developing in some technical schools, such as the Stevens Institute of Technology in New Jersey, in which programs combine technical and business disciplines.
For his part, Stephen Northcutt, director of training and certification at the SANS Institute, says certification programs need to do more to address the compliance issues facing security professionals. The industry, he says, is "doing a horrible job teaching the regulations and compliance" to them.
SANS has taken steps to address this inadequacy, he says, with courses on ISO 17799 and the Payment Card Industry (PCI) Data Security Standard, and plans to do more.
Meanwhile, training and certification provider Security University has addressed regulatory issues since it opened in 1999, says Sondra Schneider, founder and CEO.
Security University's programs cover a wide range of security topics, from penetration testing to policies for Sarbanes-Oxley compliance. Security training needs to provide students with a broad base of knowledge so they can identify problems when they crop up, know how to react, and work with business managers to reduce risk, she believes.
Hybrid programs such as the one at the Stevens Institute of Technology, and broader-vision courses such as those at Security University, represent a new breed of training. So industry is taking notice of business needs, but a lot more needs to be done to make sure that infosec professionals are business people first, and geeks only second.