A security industry group has announced a new initiative to reel in entry-level information security professionals, a move that foreshadows increasing competition in the infosec certification and training market, as well as the struggle new security pros face in seeking out knowledge that can jump-start their careers.
ISACA has launched a new slate of infosec training and resource programs. Called the Cybersecurity Nexus (CSX), the program combines research, guidance, certificates and certifications, education, mentoring and community collaboration, all geared toward ushering more would-be security pros into the industry.
Robert E. Stroud, president-elect of ISACA and vice president of strategy and innovation at Islandia, N.Y.-based CA Technologies Inc., said the initiative is meant to provide practical knowledge, training and advice to ease new security pros into the industry, whether they're recent college graduates, work in other IT disciplines, or are on a non-traditional career path.
The ultimate driver for the program's creation, Stroud said, is the shortage of qualified information security professionals. ISACA conservatively estimated that the industry needs between 600,000 and 900,000 more people to meet the current demand; (ISC)2 Executive Director W. Hord Tipton said recently that the field needs as many as 2 million more practitioners in the next five years.
"We clearly see all enterprises are becoming very concerned about security, but are lacking the skill set," Stroud said. "Many of our student members identify security as an area they want to get into, and [then] they found they didn't have the right skills to be effective in the field."
Though Rolling Meadows, Ill.-based ISACA is largely known as an IT audit organization, Stroud said nearly 25% of its 120,000 members worldwide work in information security. He acknowledged that the organization sees CSX as an opportunity to grow its ranks to include those new to infosec.
The cornerstone of ISACA's CSX program is a new certificate-certification combination. Set to launch in September, the organization's first-ever security certificate, the Cybersecurity Fundamentals Certificate (CFC), will require individuals to pass a knowledge-based exam. Stroud said CFC will help employers validate an applicant's mastery of basic infosec concepts among candidates who lack practical experience.
Accompanying it next year will be a mid-level security certification -- currently unnamed -- geared toward those who have between three and five years of industry experience. Stroud said the mid-level certification will push infosec practitioners beyond basic fundamentals by combining technical knowledge with management and communication skills.
Supporting the certificate and certification programs will be a variety of new training vehicles, ranging from one-hour webinars to multi-day in-person and online courses.
Once its new programs debut, ISACA hopes the entry-level certificate and the mid-level certification will not only usher new technologists into the industry, but also create a smooth information security certification path that leads practitioners to its advanced certifications, including the popular Certified Information Security Manager (CISM) certification.
Growing information security certification competition?
ISACA's moves may signal renewed competition in the infosec certification and training market. Its CISM designation has long competed with (ISC)2's gold-standard Certified Information Systems Security Professional (CISSP) certification, and its move toward the low end of the market will place it squarely against other established certifications, namely CompTIA's well-known Security+.
Stroud, however, downplayed the competitive aspect of ISACA's maneuvers, noting that the organization partners with (ISC)2, and that its new certification and training programs will be unique by building on ISACA's experience in areas like IT governance and risk management.
(ISC)2's Tipton acknowledged that there "definitely is" increasing competition among training and certification organizations, particularly for new and young infosec professionals. He said the competition is inevitable given the explosive growth in IT security, but can only serve to benefit the industry in attracting new talent to the field, particularly women.
An ISACA member himself, Tipton said he's pleased to see ISACA add to its offerings for information security-focused members, though he doesn't believe they will affect the market for (ISC)2's certifications.
"With our certifications, our people are averaging $26,000 more in salary beyond those people practicing security without a certification," Tipton said. "And once we have them, we don't lose them. They tend to stay with us."
That said, (ISC)2's commitment to industry experience -- four years for the CISSP and one year for its less-revered SSCP credential -- may create an opportunity for ISACA to develop a relationship with infosec pros before (ISC)2 can. Tipton reaffirmed that (ISC)2 has no plans to alter its experience-centric strategy by creating an introductory-level certificate.
"We don't have a program where somebody can come in cold, take a test and become a member of (ISC)2. We didn't start out that way and we haven't grown that way," Tipton said. "The thing that differentiates us from practically all the other certification organizations is the absolute requirement for experience; we do not waive it."
Training vs. certification: Not one and the same
Information security training expert Shon Harris, president of Plano, Texas-based training firm Logical Security, said even in light of ISACA's plans to draw new recruits into information security, she doesn't blame (ISC)2 for staying true to its experience-focused roots.
"I don't know that it's their responsibility to do that," Harris said. "It would be very expensive for them to build out a program that would bring somebody up from entry level to where they can be useful in the field."
Harris said she believes there is an opportunity for ISACA's efforts to succeed, but its program must be structured to support not only the fundamentals of IT and information security, but also do so in a way that builds participants up slowly over a long period of time.
"We do need more people in our market, but we need people who have the skill set," Harris said. "CompTIA has done a better job than anyone though with Server+, Network+, Security+ and CASP. This is really a useful 'roadmap' to what needs to be learned and in what order."
Harris, though, said she is skeptical of the training offerings provided by all the infosec certifying bodies, because their business model depends on training people for their exams, not necessarily developing the skills needed to help future employers.
Tipton said contrary to what some believe, (ISC)2 has never been in the training business per se. He said (ISC)2 has built its strategy on partnering with colleges and universities because it's difficult to enter the information security field without a formal education based on a detailed, well-structured curriculum.
"I spend as much time explaining what CISSPs can't do, as I do explaining what they can do," Tipton said. "So training has to fill the gaps, but it does not, in my opinion, eliminate the need for that basic education in information security."
Despite those challenges, ISACA's Stroud believes his organization can succeed by becoming the destination for new information security professionals looking to begin their career journey.
"We want to help industry professionals advance their profession, promote their careers, and provide guidance and certification that the industry values," Stroud said.