Despite this, companies still tend to scoff at their worth and adopt the attitude that experience is more important than a piece of paper. Experience is very important, but it does need to be reinforced by qualifications - a pilot wouldn't fly a plane without the necessary qualifications, so why shouldn't an employee dealing with an organization's IT security also have the proof that they are fully skilled and qualified in what they do?
Just as you would feel uncomfortable having an operation performed by an unqualified surgeon, companies should consider the implications of having an unqualified individual looking after their security. Even if its only purpose is to verify that an individual has a sound knowledge of security, a certificate that proves this knowledge gives an organization and its customers peace of mind. If the company is a financial institution, for instance, keeping customer data confidential is crucial - organizations cannot afford to risk losing such vital information.
IT security is not simply a technology issue, it is a business issue and something that can affect any organization. The events of September 11 changed the way businesses protect their assets, so it is important that staff are trained in order to ensure that data and information are stored effectively and securely. The introduction of security qualifications in the U.S. has proved a success following 9/11, and such qualifications are now emerging as a powerful force in the U.K.
(ISC)2 is a not-for-profit organization originating from the U.S. with offices all over the world including Asia and Europe. (ISC)2 is new to Europe and has been created in order to promote best practice amongst security professionals, as well as to provide certifications based on an international information security standard. (ISC)2 offers the Certified Information Systems Security Professional (CISSP) qualification, which is also new to the U.K. and is one of the most comprehensive and highly regarded security certifications in the industry. The CISSP qualification is awarded by (ISC)2 and is built on the common body of knowledge (CBK), which defines the range of knowledge an individual is expected to command in order to be an effective security professional. These areas of knowledge are:
- access control systems and methodology
- applications and systems development
- business continuity planning
- law, investigation and ethics
- operations security
- physical security
- security architecture and models
- security management practices
- telecommunications, network and internet security
In order to qualify for the CISSP course, an individual must have at least three years' experience. This ensures that students have a sound knowledge of IT systems and business practice. IT security is becoming more of a business-critical issue every day. As the threat of terrorist attacks in the U.K. increases, companies need to ensure they have the necessary procedures in place, and that experienced staff are qualified to deal with all eventualities.
IT security is not to be taken lightly, and the CISSP qualification reflects this. All applicants must adhere to a code of ethics, and after passing the exam they are also subject to a random audit of their credentials before the certificate is issued. The exam itself is six hours in duration and is taken one month after attending the course.
This may seem like a lot of effort and all rather extreme for a qualification, but if security is a serious issue for companies, then shouldn't this be reflected in the qualification? If 85 percent of businesses would go bust were their systems down for a week, this is an extremely serious issue, especially if the IT department fails to identify the problem or, even worse, fails to be prepared for the situation. Recent research has shown that three-quarters of employees in the U.K. have never had formal training on how to use the internet and email in a way that minimizes security threats. Not only that, but 80 percent of respondents to that survey said they were ill-equipped to deal with viruses should they occur. These statistics show there is still a significant knowledge gap when it comes to IT security, and although information security professionals are looking at the bigger picture when it comes to implementing strategy, they should not forget the more straightforward elements. After all, it only takes one email to bring down a whole network.
These days there are many external forces at work trying to cause some form of cyberdamage to an organization. Hacking is one of them, and it is not just a consumer issue: a hacker can, and will, get into a corporate network. Viruses distributed via email are another route in. The LoveLetter and Bugbear viruses famously brought down the networks of some of the largest corporations. There is also the issue of business continuity, as September 11 proved the very harsh reality that businesses are not immune to the external environment.
IT security is not just about installing a firewall, undertaking penetration tests every once in a while, and then crossing your fingers and hoping for the best. IT security should be part of an organization's overall business strategy and should be reinforced by a valid qualification that proves there is an individual who is competent, confident and, perhaps more importantly, prepared for all eventualities and able to protect a company's vital assets.
Robert Chapman is co-founder of the Training Camp U.K. (www.trainingcamp.co.uk).