IT security professionals need to arm themselves with skills that are currently in demand as well as relevant for the future, according to industry watchers, who also list the toughest certificates in the industry and explain why IT security professionals need to know more than just technical know-how.
A survey conducted by (ISC)2 last December to identify skills recruiters want in IT security professionals, found different priorities between hiring managers in the Asia-Pacific region and their counterparts in the United States.
This provides a hint of what may become relevant skills for IT professionals here because the U.S. is at least four years ahead of the Asia-Pacific with regard to information security development, said Clayton Jones, head of business development at (ISC)2 Asia-Pacific.
"We need to stay ahead to see what are important skills in the future so that information security professionals can equip themselves now," Jones said in an e-mail interview.
The priorities highlighted by Asia-Pacific hiring managers were:
1. Information risk management
2. Security management practices
4. Security architecture and models
5. Telecommunications and network security.
On the other hand, U.S. hiring managers were concerned about IT security skills such as:
1. Operations security
2. Access control systems and methodology
3. Information risk management
4. Applications and system development security
5. Security architecture and model
Jones pointed out that in the U.S., security management is becoming a key issue in privacy and healthcare because of regulatory requirements. This highlights the importance of compliance as organizations will be penalized or fined if they do not comply with rules and regulations, he said.
Clouds, apps challenge security professionals
With cloud computing on the rise, compliance will become even more complex, Jones added, noting that software vendors are actively pushing their customers to the cloud.
"Cloud computing promotes efficient sharing and collaboration, but at the same time the data becomes stateless and this poses a threat to traditional regulations and compliance policy," he said.
In an e-mail interview, Prinya Hom-Anek, president and founder of Thailand-based ACIS Professional Center, also highlighted the importance of compliance, which he grouped under process skills. He noted that IT security professionals in Asia are lacking in such skills, which encompasses GRC (governance, risk management and compliance) and involves IT governance and information security governance.
However, Hom-Anek said they can mitigate the lack of process skills by obtaining subsidiary certifications such as ITIL (IT Infrastructure Library), COBIT (Control Objectives for Information and related Technology), ISMS (Information Security Management System) as well as IT audits.
He noted that another skill lacking among Asia-Pacific security professionals is application security skills. Hom-Anek explained that some software developers only aim to develop source codes that satisfy the performance and requirements by users, but not much effort has been put into security.
Jones agreed, adding that many security leaders believe vulnerable software is the main threat facing enterprises today that remains unresolved.
And when security is built into the application, too often, it is evaluated only at the end of the software development life cycle and as a response to a threat or after an exposure, he said. Jones noted that this results in higher production costs and delays.
The emergence of mobile workforce also means security professionals have more on their plates now.
Not only do security professionals need to protect users from application threats, they also need to worry about the possibility of lost corporate data when users misplace their mobile devices.
Tough security certifications
To mitigate the risks, industry watchers advocate that prevention is better than cure.
Azhar Abu Bakar, director of security assurance at IMPACT (International Multilateral Partnership Against Cyber Threats), said: "Advancement of technology may offer niche solutions but it is essential for the security professionals to implement stringent policies and processes to pre-empt and prevent IT security breaches."
For IT security professionals looking to boost their credentials with certificate, Abu Bakar highlighted two types of courses that encompass management and technical skills.
Asked to identify the certificate that is the toughest to obtain, he said: "For management courses in IT security, we believe the (ISC)2 Certified Information Systems Security Professional (CISSP) is one of the most coveted courses in the industry and is also one of the toughest as it covers all 10 domains of information security."
"For technical courses, the SANS Institute provides the most scrutinizing courses in the market," he said, adding that professionals need to choose courses corresponding to their areas of expertise.
ACIS's Hom-Anek concurs that CISSP is one of the most difficult certificates.
He also singled out another certificate from (ISC)2, the CSSLP (Certified Secure Software Lifecycle Professional), as another tough credential to acquire. The certificate, he said, focuses on in-depth knowledge of an application lifecycle and contains many jargons on the topic, making it difficult for developers in general to pass.
Other notable certificates include those from GIAC, such as GIAC Certified Forensic Analyst (GCFA), GIAC Certified Firewall Analyst (GCFW), GIAC Secure Software Programmer-.NET (GSSP-NET) and GIAC Security Essentials Certification (GSEC), Hom-Anek said.
However, Husin Jazri, CEO of CyberSecurity Malaysia, noted that security professionals should not be too focused on certifications. "Well-known certifications in existence are just benchmark of competencies that are not perfect," Jazri said in an e-mail interview. CyberSecurity is Malaysia's national cybersecurity specialist center, operating under the Ministry of Science, Technology and Innovation (MOSTI).
Going beyond security knowledge
Industry watchers ZDNet Asia spoke to agreed that security professionals need to go beyond technology know-how and gain skills in other areas.
Communication skill is top on the list for Jazri. "Without being able to communicate, it is hard to move ahead anywhere," he said. "Even if you have the best ideas in the world, if you cannot communicate them, no one will ever know."
Abu Bakar noted that, increasingly, there is a need for IT professionals to have soft skills as well as written and presentation skills. "Traditionally, we have segmented roles when salespersons had the soft skills to persuade and manage relationships, while programmers had the skills to do the core technology processes and programs.
"Increasingly, we believe programmers will need these soft skills as well, as they are the ones who face the project or program managers, and the clients for requirements of the system," he added, noting that it can be disastrous if the system does not meet the security requirements of the organization.
Jones said information security professionals should also have an understanding of how the business operate as well as the employee psyche to apply the security knowledge into the practical world.