The current environment, with a significant shift to virtual living, has brought cybersecurity into equal focus for the individual as well as organizations.
The challenge is to identify professionals who have a clear end-to-end understanding of cybersecurity threats across systems. A combination of cybersecurity and computer forensics skills is an asset.
Professionals need to have an in-depth understanding of the current and common web vulnerabilities in addition to strong analytical and diagnostic skills. And this is precisely what makes cybersecurity certifications the need of the hour.
“There is a greater need for cybersecurity roles ranging from Penetration testers, IT Analysts for Application Security, Network Security, Infrastructure security, EPS, IAM, SOC to Compliance, Audits and Risk Management,” says Aiyappan Pillai, IEEE Senior Member.
He adds that organizations would prefer to hire professionals who can combine many of the above-mentioned skills and abilities in their roles and apply them to solve technical issues with a holistic understanding.
Certificate courses such as CISSP, CISM, CISA, CEH, GIAC, GSEC, GPEN, ISC(2) are among the popular cybersecurity courses. The proposed National Forensics and Cyber-forensics University is another option on the horizon for suitable courses.
Whatever route an aspirant to the cybersecurity profession chooses, it is important that they have practical exposure and get into a continuous learning and upgradation mode. Pillai says that aspirants may refer to the career map developed for cybersecurity by DSCI to choose the specific area, within the whole gamut of cybersecurity, that they wish to pursue.
As the frequency and sophistication of cyber-attacks increase, so does the need for skilled security professionals. Certifications do help in ensuring a minimum acceptable level of awareness and right practices in the area of information security.
Hence, general IT professionals may be trained to undertake information security responsibilities. Chief Information Security Officers (CISOs) not only protect corporate data but also oversee holistic risk management and security policies – and do much more. This makes security certifications highly beneficial – regardless of which path is taken.
However, it is important for the certified professionals (or others) to constantly update themselves and upgrade their information security skills. This is a critical requirement that ensures an organization is protected against emerging security threats.
Cyberspace can be accessed by anyone from any corner of the world. It is also important to note that almost every job will increasingly require digital skills in the next five years, and extensive upskilling will be needed to find employment.
Dr Vinay Wandrekar, Business Information Security at Novartis Healthcare, shares that his journey in cybersecurity started with the BS7799 certification (British Standard for Information Security). The certification, he explains, comprises two parts — one pertains to the role of a lead auditor, while the second to that of an implementer. Upon completing BS7799, he set his sights on the Certified Information Systems Auditor (CISA) certification.
CISA is a popular certification among cybersecurity professionals not only because it is sought after by most organizations today, but also because it enables them to command a better pay package. Payscale shows that the average salary for a mid-career information security manager with security testing and auditing skills stands at around INR 13.66 lakh.
The CISA certification is conducted by the Information Systems Audit and Control Association, more commonly known as ISACA. Candidates can register for the CISA exam by paying an application fee of USD 50 (around INR 3700). Following this, if the candidate is not an ISACA member, he/she would need to pay USD 595 (around INR 44,044). The candidate can save USD 50 by registering early for the exam.
The CISA certification involves a 4-hour examination in which candidates have to answer 150 questions.
Dr Lopa Mudra Basu, former CISO at Nissan Motors, says that CISOs, security heads and information security heads are the roles that require certifications the most. “However, a lot of CISO roles have emerged from different business units within the organization — those are not full-fledged CISO roles, they are project management roles. For these executives, security certifications may not be required.”
She adds that traditionally, CISOs emerged from IT departments in organizations, but nowadays, security heads are also coming from the quality and legal & compliance units. She believes the roadmap for these executives is different, as they would first need to understand the technology and IT functions.
“The person taking on the role of a security head should be an expert in specific technology domains — it could be in networking, applications or database management. Those with a networking or infrastructure background will find it easier to be certified as they have an overall view of different technologies,” she says.
“CISSP is one certification that specifically focuses on technology and IT — it is more generic and vendor-agnostic in nature and is well accepted in the industry,” she adds.
A CISSP certification prepares a professional to become a subject matter expert. Mudra says she has seen quite a few CISSP-certified professionals pursue careers as domain experts rather than working towards becoming CISOs.
The Certified Information Security Manager (CISM) certification, on the other hand, prepares a person for a managerial role — it helps gain an overall understanding of different security domains, but it is not a technology certification. “Even a person with limited knowledge of technology can get a CISM certification,” says Mudra.
So how difficult is it to get a CISSP or CISM certification?
“I’ve seen a lot of people not being able to clear the certification course in their first or second attempts. A common reason for this is that they had been preparing for the certification from different course materials,” she reveals.
In her experience, it is a lot easier to clear a certification exam if one simply goes by the manual issued by the certification body; follow it like the Bible, she suggests.
Mudra shares another interesting observation: experienced professionals find it harder to clear a certification exam than people with less experience. The reason, she believes, is that they have been following certain practices at their organizations and these are hardwired into their minds. However, those practices may not align with what the certification module prescribes.
An important thing to bear in mind, she says, is that no standard is a hundred percent applicable in an organization — a lot of customization may be required based on the organization’s requirements, organizational culture, technology infrastructure, regulatory compliance based on the location of the organization, and of course, the organization’s IT budget.
Copyright © 2020 IDG Communications, Inc.