Finding your way: An overview of information security industry qualifications and associations

When it comes to industry associations, a sense of direction is imperative

A recent high-level assessment by a specialist UK recruitment consultancy revealed over 130 vendor-neutral qualifications in the information security industry. Therefore, as a starting point, any newcomer or career changer wishing to enter the information security industry should ask a set of questions:

  • Which are the best information security qualifications to obtain?
  • Which qualification(s) makes you the most employable?
  • Which certifications help to provide the highest salaries?
  • Is there any value in joining information security groups and if so, which ones offer the best value?

Without the answers to the above questions, you could find yourself in the same situation as Alice in Alice in Wonderland by Lewis Carroll: “One day Alice came to a fork in the road and saw a Cheshire cat in a tree. ‘Which road do I take?’ she asked. ‘Where do you want to go?’ was his response. ‘I don’t know,’ Alice answered. ‘Then,’ said the cat, ‘it doesn’t matter.’”

Below are outlines of some of the more prominent organisations and their respective service offerings, concentrating on vendor neutral and nationally/internationally recognised services.

International Information Systems Security Certification Consortium, (ISC)²

Established in 1989 as a not-for-profit organisation with the aim of developing a Common Body of Knowledge (CBK) and certification programme for information security students and professionals, (ISC)² is now recognised as one of the world’s leading bodies in this field, winning numerous industry awards. It has over 60 000 members across 135 countries. If you’re a student or ‘career changer’ considering moving into the field of information security, or just starting out in the information security workforce, you are eligible to become an Associate of (ISC)², which provides official guidance and support, as well as the opportunity to take the CISSP or SSCP exam before completing the required industry experience.

"While most (if not all) (ISC)² credentials require a proven track record of industry experience, those new to information security can opt to join the associate programme."

(ISC)² qualifications currently offered include:

  • Certification and Accreditation Professional (CAP) – predominantly aimed at civilian, state and local governments in the US including those responsible for formalising processes used to assess risk and establish security requirements, as well as ensuring information systems possess security commensurate with the level of exposure to potential risk.
  • Systems Security Certified Practitioner (SSCP) – aimed at individuals working towards positions such as network security engineers, security systems analysts, or security administrators as well as non-security disciplines that require an understanding of security.
  • Certified Secure Software Lifecycle Professional (CSSLP) – covers security implications in software development, requirements capture, design, implementation/coding practices, testing, acceptance, deployment, operations, maintenance and disposal.
  • Certified Information Systems Security Professional (CISSP) – this is the most popular (ISC)² credential. The CISSP was the first in the field of information security, accredited by the ANSI (American National Standards Institute) to ISO (International Standards Organization) Standard 17024:2003. CISSP certification is predominantly aimed at senior and mid-level managers who are working toward, or have already attained, positions as CISO, ISO, CSO or senior security engineers.

CISSP Concentrations (the following are credentials offered to certified CISSPs):

  • Information Systems Security Architecture Professional (ISSAP): aimed at chief security architect and analysts responsible for implementation of security programmes as well as development, design, analysis and consultancy.
  • Information Systems Security Engineering Professional (ISSEP): developed in conjunction with the US National Security Agency (NSA), the ISSEP is aimed at those responsible for incorporating security into projects, applications, business processes, and information systems.
  • Information Systems Security Management Professional (ISSMP): covers managerial elements such as balancing business objectives and budgets, project management, risk management, preparing and delivering a security awareness programme, and managing business continuity.

Educational support, materials and free membership seminars and events are provided by (ISC)² and these are also supplemented by strategic partnerships with chapter organisations such as the Information Systems Security Association (ISSA).

Information Systems Audit and Control Association (ISACA)

With origins dating back to 1969, ISACA has over 86 000 members worldwide. It is a commonly held view among information security practitioners that ISACA is to the information systems audit and control education field what (ISC)² is to the information systems security field. ISACA is a global, award winning organisation, specialising in information governance, control, security and audit disciplines.

ISACA qualifications include:

  • Certified Information Systems Auditor (CISA) – is the most popular credential within the ISACA portfolio and is globally recognised, aimed at IS audit, control, assurance and/or security professionals who are predominantly responsible for the control, monitoring and assessment of an organisation’s information technology and business systems.
  • Certified Information Security Manager (CISM) – a management focussed credential aimed at individuals responsible for design, oversight and assessment of an enterprise’s information security programme. CISM covers the core competencies and international performance standards that those who have information security management responsibilities must master.
  • Certified in the Governance of Enterprise IT (CGEIT) – is aimed at professionals who have management, advisory, or assurance responsibilities as defined by a job practice consisting of IT governance related tasks and knowledge. The credential enables professionals to more effectively respond to the growing business demand for a comprehensive IT governance programme that defines responsibility and accountability across the enterprise.

ISACA also operates a chapter network with more than 175 chapters established in over 70 countries. These aim to provide members education, resource sharing, advocacy, professional networking and additional benefits at a local level.

"[ISACA chapters] aim to provide members education, resource sharing, advocacy, professional networking and additional benefits at a local level."

SysAdmin, Audit, Network Security (SANS) Institute

SANS, which turns 20 this year, is widely viewed as the largest, most trusted source for information security training and certification in the world. In addition to maintaining the largest collection of information security research documents (as well as operating the internet’s early warning system – Internet Storm Centre), it provides the Global Information Assurance Certification (GIAC) programme.

GIAC was founded in 1999 and over 26 000 people have successfully passed exams within the GIAC suite of credentials. The offerings cover four levels of competency (introductory, intermediate, advanced and highly advanced) across five disciplines (security administration, management, legal, audit and software security).

Offerings are split between GIAC certifications – comprehensive modules aligned to role-based disciplines, corresponding to the topics presented in SANS’ full five- to six-day courses and typically requiring a four-month study/completion time frame – and GIAC Skills Test and Report (STAR) – smaller, more specialist modules based on one- or two-day SANS training.

British Computer Society (BCS) / Information Systems Examination Board (ISEB)

The British Computer Society (BCS) is the only Chartered Engineering Institution for Information Systems Engineering. Through the Information Systems Examinations Board (ISEB), the BCS provides the following industry-recognised qualifications that measure competence, ability and performance in many areas of information security:

  • Foundation Certificate in Information Security Management Principles (CISMP) – is a foundation level credential, designed to provide the required level of knowledge necessary for individuals who have security responsibility as part of their day to day role, or who are thinking of moving into a security or security-related function.
  • Practitioner Certificate in Business Continuity Management – covers a hands-on approach to business continuity management, making use of current industry standards.
  • Practitioner Certificate in Data Protection – a qualification for those with data protection responsibilities, as well as providing an effective conversion route for those needing to update their knowledge of – and practice under – the 1998 Data Protection Act.
  • Practitioner Certificate in Freedom of Information – covers all aspects of the Freedom of Information Act 2000 (FOIA) and the Freedom of Information (Scotland) Act 2002 (FOISA) and their implications to public and private sector organisations, as well as to individuals.
  • Practitioner Certificate in Information Risk Management – covers a hands-on approach to Information Risk Management, making use of current international standards.

Other prominent offerings

While the above associations represent the key information security qualification providers in terms of industry recognised credentials at the foundation level, there are a significant number of additional offerings to take into account. Some of the more prominent examples include:

  • Computing Technology Industry Association (CompTIA) – offers a number of technology-based certifications, including the Security+ certification, which tests the security knowledge of individuals with two years’ industry experience.
  • International Council of Electronic Commerce Consultants (EC-Council) – a member organisation that is responsible for managing the Certified Ethical Hacker (CEH) credential.
  • Communications-Electronics Security Group (CESG) – is the Information Assurance (IA) arm of GCHQ, responsible for the provision of the CESG Listed Adviser Scheme (CLAS) and the IT Security Health Check Service (CHECK).
  • British Standards Institute (BSI) – a leading business services provider responsible for the governance of the Internal Auditor 27001 and Lead Auditor 27001 certifications.

Vendor neutral membership services

Whereas the above certification providers offer formal levels of support, educational material, training, networking and membership services, the following organisations provide vendor-neutral membership services of value to information security professionals:

  • The Institute of Information Security Professionals (IISP) – is an independent not-for-profit body governed by its members, which was established with the support of ISACA, SANS and (ISC)² among others. Full membership of the institute is emerging as an internationally recognised professional standard qualification for information security professionals, and is subject to a rigorous peer review. The key aim of the IISP is to provide a universally recognised and accepted focal point for the information security profession by 2010.
  • Information Security Systems Association (ISSA) – a not-for-profit, international organisation providing educational forums, publications and peer interaction opportunities to enhance the knowledge, skills and professional growth of its members.
  • Open Web Application Security Project (OWASP) – a global, open community focused on improving the security of application software. Participation is free and all related materials are available under a free and open software license.

Credentials are key

The question of whether or not information security qualifications – such as the ones outlined above – can be deemed essential has recently been addressed with feedback from industry forums, recruitment agencies and employers. The general consensus suggests a growing requirement for at least one foundation credential.

For specialist roles, a more focussed credential is useful; for example, IT audit roles are regularly advertised with a CISA certification requirement. A brief trawl of the more popular specialist recruitment sites on the internet will reveal relatively high instances of requests for CISSP and CISA certified individuals.

A 2008 information security salary and career survey for SC Magazine, conducted with research data from Millward Brown, revealed that of 536 respondents, 38% held either a CISSP or another credential from (ISC)², while ISACA certifications – including the CISA and CISM – were held by 16% of respondents. CompTIA came third, with 14% of respondents holding CompTIA Security+, Network+ or A+ credentials.

While 36% of respondents reported holding no recognised professional certification, there is a growing agreement among recruiters that such credentials do provide an initial foot in the door, although the combination of real-world experience, education and training is key.

Recruitment agency advice

The advice from specialist recruitment agencies in the UK follows a common thread: information security professionals should obtain one of the foundation qualifications, as these are considered a valuable baseline; they should ensure that any qualifications sought are applicable to the role they are in or are seeking to move into; and they should also consider the specific line of business they operate in.

Continue your education

Most, if not all, of the information security qualifications outlined here require a certain number of Continuing Professional Education (CPE) credits to be earned in order to demonstrate a growing level of knowledge and experience.

The respective professional bodies offer a growing number of ways in which to demonstrate and earn CPE credits, including – but not limited to – exam supervision, authoring papers, reviewing books, giving presentations, and providing consultancy in conjunction with new exam questions and training materials. Membership bodies such as ISSA and OWASP also provide opportunities to gain additional CPEs in a similar way.

Membership of multiple information security organisations can mount up in terms of expense (membership fees plus investment of time), hence the importance of reviewing each group carefully in terms of its respective value in order to ascertain whether its service offerings justify the expense.

The respective maturity of information security foundation credential organisations and membership groups has led to increasing requests for further collaboration initiatives – from sharing of event calendars to prevent overlap of meeting dates, to more advanced joint ventures. Encouragingly, such projects are becoming more prevalent where such organisations find common ground, resulting in better value for members.

As the Lewis Carroll quote alludes, if you don’t know where you’re going, any road will get you there. However, a sense of direction, investment in complementary credentials and the harnessing of membership services, in conjunction with enhanced business knowledge and experience, will provide an excellent foundation for a successful career in information security.

Peter Drabwell, CISSP, is assistant vice-president IT Risk with Credit Suisse.
