Tuesday, 26 January 2016

Why Cybersecurity Certifications Matter Or Not

Cybersecurity certification qualifications are becoming the norm in many job descriptions today as organizations seek quantifiable ways of measuring prospective employees’ expertise. However, certification alone should not be the yardstick in determining how well a potential candidate will fit into an organization. At the end of the day, experience as well as certification should be the criteria for hiring most security professionals, experts say.

Security certifications cover a range of disciplines and emerging security trends, from cloud computing to secure software coding to overall security management. So security professionals should have a grasp on where they want to take their careers as they try to determine what credentials are right for them.

Philip Casesa, director of product development and portfolio management with (ISC)², says certification validates that a security professional has a specific set of skills and capabilities. For human resources managers, certification provides a screening mechanism to match potential candidates with the skills, knowledge, and experience an organization is looking for in a security professional, he says.

Certification can also mean more dollars for a security professional. According to The 2015 (ISC)² Global Information Security Workforce Study, security professionals with certifications generally are paid $25,000 more than professionals who did not have certifications.

“Collectively, the average annual salary among the security professionals surveyed was $97,778. Differences between (ISC)² members and other security practitioners exist. Non-member security practitioners reported an average annual salary of $76,363. The salaries among security professionals with an (ISC)² membership averaged $103,117 annually, a 35% premium over non-members,” according to the survey of 14,000 security practitioners globally.

The study did not drill down on the benefits of a specific certification over another, Casesa says. “Talking about what makes one certification more valuable than another really gets into what you want as a professional or what an organization is looking for,” he says.

Companies such as Cisco, Microsoft, and Oracle, for example, offer certifications specific to their products, to help ensure that professionals are qualified to install and maintain the products. And while those certifications are limited to specific products, that may be enough for an employer who wants those specific skills.

(ISC)² provides vendor-neutral certifications that focus on principles, knowledge, and capabilities associated with information security, Casesa says. Its two core credentials are the Certified Information Systems Security Professional (CISSP) and the Systems Security Certified Practitioner (SSCP); it also offers certifications in narrower areas such as authorization, secure software development, digital forensics, and healthcare.

Other certification organizations include ISACA, which defines the roles of information systems governance, security, and auditing for information assurance professionals worldwide; the Cloud Security Alliance, which partners with (ISC)² on cloud computing certification; the EC-Council, which offers an ethical hacking credential; and the SANS Institute, which offers testing and certification in areas such as secure software coding and penetration testing.

The various security certifications do not compete with one another so much as cover different aspects of security and different levels of expertise. “Depending on what role you are looking for and where you want to take your career will determine what credentials are right for you,” Casesa says.

Certification a double-edged sword?

However, certification alone is not the answer. What about professionals who pass the tests and earn the certs but still do not have the experience and qualifications to handle today’s security threats?

“Certification is a good thing. There’s nothing wrong with having certification,” says Muneer Baig, president and CEO of security consultancy SYSUSA. Baig, who holds at least ten certifications, says that having certification as the only benchmark to validate a professional’s skills and knowledge, which seems to be a common occurrence these days given the computer talent shortage, is just wrong. 

Anyone with a good memory who absorbs text well will be able to pass the CISSP exam, because it tests what is in the CISSP book and study materials, Baig says. Even so, it is not an easy exam: candidates have up to six hours to answer 250 questions.

“You are asked the same questions but in different ways to make sure you know what you are talking about. Having knowledge of the industry helps significantly,” but a good reader stands a good chance of passing the exam, he notes.

Baig says he has come across people without certifications who have experience and are more knowledgeable about security than some people who are certified. Therefore, to measure how well a person might perform on the job, you need a combination of certification and validated experience, Baig says. "Any other way is a risk," he says.

“I don’t have a CISSP, but I have an undergrad and Masters [degree] in computer security and a graduate certificate in computer security,” says Adam Vincent, CEO of ThreatConnect, a developer of enterprise intelligence solutions. “However, I have a strong academic foundation and I did the job of a CISSP for eight to 10 years, so I have the experience on the job of running security programs.”

Vincent says he would have learned some new things going through the CISSP program. The goal is to look at certification as a person’s academic foundation, which says that they can learn, memorize, and hopefully, remember most of what they learned when they come into your company. “But at the end of the day you have to look at what they have done and are capable of based on their experience,” Vincent says.

Casesa says aside from the test element to certification exams, security professionals have to demonstrate auditable experience in the areas they are being tested in. For instance, in the case of CISSP, they need five years of paid full-time work experience in two of the eight domains of the CISSP Common Body of Knowledge (CBK), which covers critical topics in security including risk management, cloud computing, mobile security, application development security, and more.

Moreover, in order to maintain their certification, professionals have to continue education and work in the security profession or the certification can be revoked, Casesa says.

“We consider certification really a lifetime commitment,” he says. Certification says, “you have made a commitment to your industry, your profession, and your career, and it will endure as long as the letters [certification acronyms] are on the other side of your name.”

10 Top Certs That Can Be Your Calling Card to a Better Career

A degree in information technology (IT) enables a student to develop a broad understanding of different disciplines and the role IT plays in business and daily life, but certification is evidence of up-to-date, hands-on skills in a specific discipline, technology, and product. Valid certifications also demonstrate to a potential employer that you are committed to continuous learning and are adaptable, qualities highly valued in a rapidly evolving industry.
A carefully chosen certification is a career investment. It’s important to decide on the right certification based on your interests, career goals, circumstances, and the market. This article covers 10 certifications that have broad application across several disciplines. Any IT professional will have a leg up with any of these certs, and, as an added benefit, all of them are in high demand among employers.
CompTIA A+, CompTIA Network+, CompTIA Security+
These vendor-neutral foundation-level certifications validate a strong basic understanding of how IT systems and networks function in an organization, and of computer and network security.
The globally recognized entry-level CompTIA A+ is the first certification that many IT professionals earn before going on to specialize in a specific discipline; A+ has more than 1 million holders worldwide. An A+ certification demonstrates a solid knowledge base of the software and hardware technologies commonly deployed in industry, as well as computer service and Windows desktop operating system support skills.
CompTIA’s Network+ certification validates a holder’s expertise in designing, configuring, installing, managing, maintaining, and troubleshooting IT systems and network infrastructure.
The Security+ credential demonstrates fundamental knowledge of IT security and an ability to secure network devices, services, and traffic from threats. It is meant to show applied skill in securing information and IT infrastructure, not just familiarity with the vocabulary. Security+ is a useful validation not just for IT security professionals but for anyone whose job entails managing networks and systems or providing IT services.

EC-Council Certified Ethical Hacker (CEH)

Cybercrime today is a reality no organization can afford to ignore. Offered by the International Council of E-Commerce Consultants (EC-Council), CEH validates the holder’s knowledge of how attackers corrupt, steal, or compromise data, and of how to defend against them. The course exposes students to the tools and methodology attackers use to break into a system, and trains them to find vulnerabilities and close the gaps before they are exploited.
Given the pace at which attackers are moving and the implications of a security breach, it’s imperative that organizations are technically capable of staying ahead of them. CEH is a comprehensive course covering vulnerability discovery, threat and intrusion detection, operating system attacks, and current malware.
Data security is a round-the-clock concern for organizations everywhere and there is an ever-increasing need for professionals who can thwart cyberattacks by identifying system weaknesses and fixing them before a breach occurs.

Professional Scrum Master

Originally a software development qualification, the Scrum Master certification now applies to project management as well. Adaptability is at the core of this certification. As the business landscape continuously changes, organizations increasingly value Scrum Master certified software developers and project managers for their ability to factor in unpredictability and optimize outcomes despite changes in clients’ specifications during the development process.
The Professional Scrum Master course trains software developers and program managers to work as a team with a view to fulfilling a customer’s objective despite frequent changes in their business requirements. Scrum Masters are prepared for unpredictability and are trained to adapt to changes during the project development process without compromising efficiency, thereby producing the best possible result within the specified timeline and budget.
This is an all-around useful certification. Note that the process described here is the Scrum Alliance’s Certified ScrumMaster (CSM): a candidate is certified once they pass the exam, which they are eligible to take only after attending a class taught by a Certified Scrum Trainer. The similarly named Professional Scrum Master (PSM) is offered separately by Scrum.org and has no class attendance requirement.

Certified Information Systems Security Professional (CISSP)

This broad-based certification is administered by the International Information Systems Security Certification Consortium, more commonly known as (ISC)². It is a comprehensive computer security certification for people with at least five years of paid, full-time work experience (four years with a qualifying degree or approved credential) in a minimum of two of the eight CISSP domains.
Earning this certification isn’t easy. Candidates must pass a single exam of up to six hours covering the eight security domains. Among the topics addressed are risk assessment and management, access management, planning for business continuity and disaster recovery, security of applications and systems during development, cryptography, legal and ethical issues and investigation, operations security, security of physical assets, telecommunications and network security, and security engineering.
Clearly, achieving CISSP isn’t for the faint-of-heart. With the high demand for IT security professionals, however, the return for your effort is significant in salary and career opportunities. In order to keep their certification valid, holders are required to earn a specified number of Continuing Professional Education (CPE) credits annually.

Project Management Professional (PMP)

Managed by the Project Management Institute (PMI), PMP certification commands higher international recognition than any other project management qualification. Across the world, the number of PMPs exceeds 600,000.
To certify as a PMP, a candidate needs to complete 35 hours of PMP-specific training and have at least 4,500 hours of experience in project management if they hold a bachelor’s degree, or at least 7,500 hours of experience without a bachelor’s degree.
This course covers the entire project management cycle from starting and planning to executing, overseeing, and concluding a project. PMPs are trained to plan and manage all kinds of projects and not just a specific type.

ITIL v3 Foundation and ITIL Practitioner

IT Infrastructure Library (ITIL) is an internationally recognized standard for IT service management. It comprises what is widely regarded as the most comprehensive and dependable set of guidelines for managing IT services in line with organizational goals. The focus is on training IT service professionals to implement the ITIL IT management framework in the work environment and to keep improving IT service delivery.
The entry-level ITIL v3 Foundation certification has a broad scope, covering IT management concepts and their application in any organization beginning with assessment and allocation of available resources, applications and operations management, capacity building, and managing unpredictability. This is a useful qualification for IT professionals across disciplines.
The new ITIL Practitioner certification is an advanced qualification offered as a follow-up to the Foundation certification. While Foundation validates knowledge of the different aspects and stages of the IT management lifecycle, Practitioner certification trains candidates to apply ITIL concepts in an organizational environment. This certification proves the holder has developed the expertise to achieve Continual Service Improvement (CSI), one of the core fundamentals of ITIL, in an organizational environment.
Originally created by the British government, ITIL certifications are now managed by AXELOS, a joint venture between the British government and Capita plc.

Cisco Certified Network Professional (CCNP) Routing and Switching

Networks are a crucial part of an organization’s IT infrastructure. To ensure operational efficiency, organizations rely on network engineers or technicians to plan, create, and maintain both local area networks (LAN) as well as wide area networks (WAN). Cisco being the biggest player in the routing and switching segment is ubiquitous in the organizational environment worldwide.
Though a vendor-specific qualification, CCNP demonstrates in-depth network management expertise. CCNP proves that the holder can not only plan and implement networks, but monitor the performance of and troubleshoot enterprise networks as well as work together with experts to deliver voice, video, wireless, and superior security solutions.
CCNP is a level above the Cisco Certified Network Associate (CCNA) qualification. Network engineers earn this certification in order to demonstrate superior networking knowledge and skills so as to move on to more challenging and better-paying positions. Candidates are required to pass separate exams on routing, switching, and troubleshooting.

Microsoft Specialist: Windows 10

Windows is the most widely used desktop and laptop operating system across the world and Windows 10 is the latest iteration. Since many organizations are upgrading to Windows 10, in-depth proficiency in the Enterprise version is in increasing demand.
There are two Microsoft Specialist credentials for Windows 10: Configuring Windows Devices, and Planning for and Managing Devices in the Enterprise. These certifications validate technical expertise in device and network security management, desktop, mobile, and application management and maintenance, and remote access specific to Windows 10.
This is an important certification for helpdesk staff and service technicians, systems administrators, and architects.

Microsoft Certified Professional

This is the foundation for all other Microsoft certifications. This certification, available across a wide range of Microsoft products, technologies, and solutions, demonstrates professional-level knowledge of at least one Microsoft product. Since Microsoft is everywhere, the demand for developers and technicians who can install, deploy, and troubleshoot Microsoft products in industry as well as in any other organizational environment is high.
Since this is a base certification for all other Microsoft qualifications, IT professionals seeking accreditation of in-depth knowledge of Microsoft products and technologies, need to earn this certification first.

VMware Certified Professional – Data Center Virtualization (VCP-DCV)

The growth in cloud and virtualization means organizations can store and process more data and serve a greater number of end-users with less hardware and other physical resources. However, to optimize resource utilization, realize significant cost-efficiency, and ensure optimum data center performance in line with user needs and organizational goals, businesses need data center administrators with advanced virtualization skills.
The internationally recognized VCP-DCV certification validates in-depth knowledge of data center virtualization and technical expertise in installing, deploying, managing, and scaling VMware vSphere environments.
To certify, candidates without previous VMware experience are required to complete a VMware-authorised course, have worked with VMware infrastructure technologies for at least six months, and pass two exams. Someone whose VCP certification has expired must complete an authorised course and pass two exams. Candidates with a valid VCP certification need to pass only one exam.
VMware certifications are now valid for two years. Holders must recertify every two years in order to keep their certifications valid.

Go Get Certified!

There are hundreds of IT certifications out there. Any of these 10 credentials, however, will provide a rock-solid stepping stone to better jobs and more specialized career paths. Whether you are a student looking to launch a career in the industry, or an experienced professional seeking a more stimulating and lucrative assignment, there’s help for you here.
Which certification you opt for depends on which IT pathway interests you most, your career goals, and your circumstances. A realistic assessment of your interests and aptitude, of where you want to go in your career, and of your situation can help you decide on the most valuable certification.

Wednesday, 20 January 2016

(ISC)² Opens Call For Speakers For Fourth Annual CyberSecureGov Training Event; Invited Keynotes Confirmed

(ISC)² ("ISC-squared"), the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals with nearly 110,000 members worldwide, has opened the call for speakers for its fourth annual CyberSecureGov training event, which brings together government, academia and industry to address a variety of government cyber issues from a holistic perspective.

"The government cannot continue taking one step forward and two steps back in its response to cyber threats," said Dan Waddell, CISSP, CAP, PMP, managing director, North America Region and director of U.S. Government Affairs, (ISC)². "With a unique perspective on what is at stake, cybersecurity professionals are being called as agents of change to influence and empower the government's progress at all levels and in new ways. This year's CyberSecureGov training event is designed to shake up the status quo and incite progress in new ways."

Themed Inspiring Change Agents in an Environment of Game-Changing Threats, the CyberSecureGov training program will include three tracks focused on Prevention, Detection and Resilience. (ISC)² is currently accepting speaker submissions from experts in government, industry and academia in the following topic areas:
  • Cloud Security
  • Threats and the Advanced Adversary
  • Critical Infrastructure Protection
  • Automation, Detection and CDM
  • Incident Response and Recovery
  • Professional Development
  • Business, Financial and Risk Implications
  • Identity Access Management
  • The Privacy Challenge
  • Game Changing Solutions

Distinguished Keynote Speakers Have Been Confirmed:

The University of Maryland's Director of the Human-Computer Interaction Lab, Jennifer Golbeck, will open Day 1 of the training program addressing, "The Human Side of Cybersecurity." As a world leader in social media research and communication, Ms. Golbeck's research focuses on analyzing and computing with social media and creating usable privacy and security systems. Her research has influenced industry, government and the military.

Harvard Visiting Executive In-Residence, Eisenhower Fellow, and Chief Information Officer (CIO) for the Federal Communications Commission (FCC), Dr. David A. Bray, will open Day 2 of the training program addressing, "Positive #ChangeAgents in our Exponential Era." He served as IT Chief for the Centers for Disease Control's Bioterrorism Preparedness and Response Program during 9/11, volunteered to deploy to Afghanistan to "think differently" on military and humanitarian issues in 2009, and served as Executive Director for a national commission reviewing the research and development efforts of the U.S. Intelligence Community. Together with a team of change agents, Dr. Bray led the FCC's award-winning IT transformation that demonstrated solutions at 1/6th the price and in half the time compared to legacy on-premise approaches.

About (ISC)²

Formed in 1989, (ISC)² is the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members in more than 160 countries. Globally recognized as the Gold Standard, (ISC)² issues the Certified Authorization Professional (CAP®), Certified Cyber Forensics Professional (CCFP®), Certified Cloud Security Professional (CCSP℠), Certified Information Systems Security Professional (CISSP®) and related concentrations, Certified Secure Software Lifecycle Professional (CSSLP®), HealthCare Information Security and Privacy Practitioner (HCISPP®) and Systems Security Certified Practitioner (SSCP®) credentials to qualifying candidates.

(ISC)²'s certifications are among the first information technology credentials to meet the stringent requirements of ISO/IEC Standard 17024, a global benchmark for assessing and certifying personnel. (ISC)² also offers education programs and services based on its CBK®, a compendium of information and software security topics. More information is available at http://www.isc2.org.

Monday, 4 January 2016

Step into an IT Career With The iCollege IT Security & Management Bundle (94% off)

High-level jobs aren’t simply given out; a lot of hard work goes into landing your desired position. If IT management is your life’s calling, then your immediate future calls for proper certification, and prepping for the essential certification exams is critical.

Help assert your authority in the industry, and bolster your career prospects with the iCollege IT Security & Management Bundle, now on offer for just $59 from TNW Deals.

The iCollege IT Security & Management Bundle fully prepares you to take four industry-recognized exams: the Certified Information Systems Security Professional, the CompTIA Security+ Certification, the Certified Information Systems Auditor, and the Information Technology Infrastructure Library exams.

The instruction is based around professional qualifications, so it is not only about the basic principles of security, but also how to put them into practice in the real world. This includes content on managing secure databases and infrastructure, along with cryptography, and systems to help with avoiding human error. You’ll get a handle on basic terminology and principles so you’re fully comfortable with core concepts before moving on to more advanced material.

The courses work towards the four credentials listed above, all of which should catch the eye of potential employers, with exam simulations, tips, and case studies. Plus, you get two years of access, so you can take your time.

Upgrade your security knowledge and take a leap in your career with the iCollege IT Security & Management Bundle, now 94 percent off from TNW Deals.

Friday, 4 December 2015

Cloud Security Alliance and (ISC)² launch certification in Brazil

The security training program intends to take advantage of the local growth of cloud computing.

The Cloud Security Alliance and security education body (ISC)² have launched the Certified Cloud Security Professional (CCSP) certification in Brazil.

Introduced as part of the Security Congress Latin America, a cybersecurity event held by (ISC)² in São Paulo this week, the certification is targeted at security professionals with at least five years of experience in IT, including three years in information security and one in cloud security.

The CCSP program focuses on the advanced skills required for cloud security, as well as knowledge of the design, implementation and management of cloud environments.

According to (ISC)² business development head for the Americas, Elise Yacobellis, the certification is relevant for Brazilian IT professionals given the forecast local growth of cloud computing.

"Research suggests that the cloud infrastructure services market will have grown by more than 30 percent in 2015. That means it is fundamental to have certified professionals who are prepared for the appropriate management of [cloud] systems and applications," Yacobellis says.

The economic crisis in Brazil has negatively impacted the business of most Brazilian technology firms in the first half of 2015 - but suppliers in areas such as cloud have been managing to ride out the instability.

The cloud computing market in Brazil is forecast to generate $1.1bn by 2017 as organizations see the technology as a means to reduce IT spend, according to Frost & Sullivan research.

Wednesday, 18 November 2015

Cyber Security Sector Struggles To Fill Skills Gap

Global demand for cyber security experts is forecast to outstrip supply by a third before the end of the decade, with companies struggling against what one senior industry figure has called the “largest human capital shortage in the world”.

(ISC)², the security certification and industry body, predicts that companies and public sector organizations will need 6m security professionals by 2019 but only 4.5m will have the necessary qualifications.

Data from a range of security companies, recruiters and professional services groups show the extent of the problem companies face as governments prepare new regulation forcing them to improve their cyber defenses.

The UK announced this week that it would increase spending on cyber security to £1.9bn by 2020. This will include opening a National Cyber Centre and Institute for Coding, as well as improving the level of teaching of cyber skills at schools.

Although budgets have increased, Tom Kellermann at Trend Micro, the cyber security company, says throwing money at security teams can only achieve so much.

“Even if we get authority in the budget to hire, where the hell are we going to find them?” he says, adding that his teams have dozens of openings, but “it’s very difficult to find the appropriate talent”.

Only 103,000 people worldwide, including about 68,000 in the US, hold a CISSP, one of the main cyber security certifications. But there were almost 50,000 job openings for CISSP-certified workers in the US in 2014 alone, according to recruitment analysts Burning Glass.

Competition is so fierce in the sector that security professionals on LinkedIn moved jobs more than twice as often as average workers in the year to April 2015.

According to Burning Glass, job postings in the US took 14 per cent longer to fill than the average for all jobs, making cyber security more difficult to recruit for than data science, advanced manufacturing and petroleum engineering.

The company says one of the challenges is that it is not enough for staff to understand the technology alone, a concern shared by Mark Brown, UK and Ireland executive director of cyber security and resilience at EY, the professional services company. “You need people who know the technology but can also speak the language of the boardroom, and translate tech talk into understanding for the C-suite,” he says.

Mr Brown adds that there is already “virtually 0 per cent unemployment” in the industry, but the shortage is only set to get worse.

(ISC)² expects demand for security professionals to increase 10.8 per cent a year between 2014 and 2019, while supply will increase 5.6 per cent a year.

The shortage means security is a candidate’s market. Attendees at hacker events such as Black Hat, which held its European conference last week, are increasingly sought after by corporates.

Even sports brand Nike has hosted Black Hat after-parties for the past two years, a sign of the attention all types of companies are paying to security issues.

Businesses are employing a number of methods to attract cyber security staff. Researchers are well-paid and often allowed to work from home and research what they want, but Mr Kellermann says many of the most talented potential employees have no interest in taking a corporate job.

“They don’t want bosses, they don’t want to report to anyone, they don’t need structure. Sixty per cent of the people out there don’t necessarily want to work for a corporation, they just want to use their skills,” he says.

Some programmers have tried to attract former “black hats” — those who illegally hack companies and individuals for personal gain — to “ethical” hacking positions where they can help businesses identify potential problems.

But Mr Kellermann said low prosecution rates mean there is little incentive for hackers outside of Western Europe and the US to move to legitimate employment.

In the UK, salaries have increased up to 10 per cent year on year for security staff, and 16 per cent for consultants, but Chadi Malak, practice manager at specialist recruiters IQ InfoSec, says experts are “consistently undervalued”.

IQ InfoSec is widening the scope of candidates it considers for retraining for security jobs, but Mr Malak believes “we won’t have sufficient talent supply until there is school level introduction to security”.

Haroon Meer, founder of applied research company Thinkst, says companies will have to change the way they approach security. Last week researchers at Black Hat revealed new ways for criminals to manipulate oil stocks, break into offices or access millions of user records held in phone apps.

But Mr Meer says “the simple truth is that most of the high-profile breaches that we have seen in the last while have not been because of great attacker sophistication”.

He says companies should “realize that completely preventing a breach is a fool’s errand”.

He adds: “Telling the board ‘we will be compromised’ is not particularly inspiring, but it’s increasingly clear that the alternative path is a flawed one.”