IT Security Certifications, Skills and Compliance

InfoSec Recruiting Secrets
Veteran recruiter Jeff Snyder answers questions regarding the most in-demand certifications, technology skills and compliance-related experience in today's market for IT security professionals.

Mikhael:  Let’s talk certifications.  Which ones are still most in demand?

Jeff:

  • There are many answers to this question. Generally speaking, an information security professional should earn a CISSP.  Perception across all industries is that when a company needs to hire an information security professional, they should have a CISSP.  Whether this is right or wrong is not my argument.  Companies most frequently ask for a CISSP when they are hiring an information security professional.
  • For more technical information security jobs, companies tend to go beyond the CISSP to include GIAC certifications from SANS and vendor specific certifications from Cisco, ArcSight, etc.
  • For information security jobs that are more audit / compliance oriented, employers ask for the CISA, CRISC and CGEIT.
  • For information security jobs that are more leadership focused, companies ask for the CISSP, CISA, CISM and sometimes PMP and/or Master’s level education.

Mikhael:  Technology skills.  Has there been an uptick in demand for application or virtualization security?  It appears both Web 2.0 and Cloud Computing would be beating this drum.

Jeff:

  • One of the hottest skills I’ve seen for the past decade is application security.  As more and more technologies hit the market to enable developers to push applications to the Web or to the Cloud, it is critically important the developers use secure software development techniques.  Security professionals who have previously held jobs requiring them to write either Java or .NET code are in a great position to learn what application security is all about through OWASP.  When employers want application security or web application security professionals, more often than not, they lean towards hiring application security professionals who have written code in their past so that these professionals are able to work with the software engineering staff to teach them to build secure applications in the first place.

Mikhael:  Any specific compliance-related experience growing in demand (i.e., PCI, FFIEC, etc.)?

Jeff:

  • All regulations that lean against a bank are in demand (FFIEC, PCI, GLBA).  Coming soon will be strong demand for HITECH (Health Information Technology for Economic and Clinical Health) skilled people to serve regulatory pressures that will soon push against the healthcare industry.
  • Industry insiders tell me to stay on the lookout for new regulations leaning against our nation’s critical infrastructure companies.  These companies tend to be behind the curve when it comes to understanding and acting on risk and vulnerability information relative to industries such as banking or financial services.
  • As a result of recent significant data breaches involving customer data, I anticipate seeing more privacy regulations.  Those security professionals who stay ahead of this curve are sure to be in the right place at the right time.

Technical chops alone do not make a great IT professional, although skills and certifications are a common prerequisite.  Today, recruiters are looking for seasoned IT experts with soft skills, business acumen, industry knowledge, experience with regulations and an ability to learn and adapt to new IT challenges such as Cloud and mobile computing.