VA builds security staff

A year ago, the Department of Veterans Affairs was searching for workers who were certified as information systems security professionals. Now it employs 22 of them.

The special certification — the Certified Information Systems Security Professional (CISSP) — can be an instant job ticket into federal agencies these days, especially the VA.

"We look at CISSP certification as one of the things that marks a solid security professional," said Bruce Brody, the VA's cybersecurity chief. "It means that a person understands the common body of knowledge of information security."

When Brody arrived at the VA in March 2001, there were only two CISSPs, including him. Today, there are 22, mostly in Washington, D.C., but one is in Albany, N.Y., and another in Austin, Texas.

Brody said the certification program ensures that an information systems security expert is competent in 10 areas of knowledge, including physical security, encryption, telecommunications and network security, law and ethics. As a result, the VA gets a knowledgeable professional and the employee obtains an important credential for the future, he said.

"It is a new trend in the workplace," Brody said. However, certification isn't easy. The 250-question test was "easily the most difficult exam I've ever taken." The pass rate is about 60 percent.

Alan Paller, director of research at the SANS Institute, an information security education and research group, said that a CISSP certification is an important standard today. In the past, he said, many people who were given responsibility for security "came with no prior knowledge" about the issue.

He said the designation is a "minimum knowledge" for information technology workers responsible for security. "It's a wonderful baseline."