Techies turn to security training

An IT security certification is becoming an attractive piece of any IT professional's resume

The "Help Wanted" signs are hung up across government for information technology professionals. But some agencies are looking for extra qualifications — specialists who are certified IT security experts.

That credential is becoming an attractive piece of any IT professional's resume, according to Bruce Brody, cybersecurity chief at the Department of Veterans Affairs and one of the highest-ranking government officials who is a Certified Information Systems Security Professional (CISSP).

If there are two candidates for the job and one has the certificate, Brody said, he would always hire the one with the credential. So far, six IT experts at the VA, including Brody, have obtained certification in the past two years. And more employees are expected to take the test and receive training this year.

"There are a lot of self-professed information security professionals out there," said Brody, who earned his certificate nearly two years ago while working at the Pentagon. "Now we have a credential that backs up the assertion that you know about information security."

The nonprofit International Information Systems Security Certifications Consortium Inc., or (ISC)2, certifies IT professionals in two designations: CISSP and System Security Certified Practitioner. There are more than 4,000 certified professionals nationwide, and hundreds in Europe, Latin America and Asia.

"This credential not only gives the workforce integrity, it provides one more tool that we can use to professionalize the workforce and create a career ladder and get the job done," Brody said.

The certification exams are not product-specific and do not ask questions such as how to install a firewall, but test concepts and knowledge of such specialties as cryptography, network security, architecture and ethics.

Jim Duffy, managing director of (ISC)2, said the certification facilitates management.

"When a manager makes hiring decisions, what do they have? A resume," Duffy said. "Now they see a [certification]. They know this person has passed a rigorous exam and has demonstrated some command of the subject. They can feel comfortable turning over their architecture to the person."

The certification is becoming so popular that some agencies encourage their workers to take the test. State Department officials, for example, are offering a 10 percent pay raise to anyone who gets certified.

"It is more prestigious than having a Microsoft [Corp.] certification because it is for the security professional," said Susan Hansche, program manager for a State Department contract that has so far turned out 60 (ISC)2 certified professionals.

The credential, she said, means that an IT professional "understands not just system security but a full range of security for the automated information system."

Not only that, having (ISC)2-certified employees gives an agency the muscle it needs to comply with the Computer Security Act of 1987, which requires that agencies train federal employees and support contractors before giving them access to a computer system.

With a growing emphasis on IT security, (ISC)2-certified personnel are exactly what government agencies need to make their infrastructure stronger, Hansche said.

"You read in the papers about a crying need for people with security fields in the federal government," she said.

A person with this certification is not only "familiar with the technology, but knows how it fits in and how to meld it together with an agency's business needs," said Laurie McQuillan, project manager at the Federal Aviation Administration's Office of Regulation and Certification.

The certification is broader than the average credential, she said.

"When you have people with certifications, you have someone with a proven technology instead of having to cull skills from a resume," said McQuillan, who has helped certify about 30 FAA employees.

John Thompson, chairman and chief executive officer of Symantec Corp., said that certifying technical skills is a good start. But one thing it can't do is "get into a person's head to find out whether he is a closet hacker," he said.

How to become a Certified Information Systems Security Professional

An applicant must demonstrate experience in the security field, pass a rigorous exam, subscribe to a code of ethics and maintain the credential with continuing education. Federal agencies have been paying for the $3,000 training course, which includes the $450 test, because they think it's a good investment. An applicant must also have three years of experience in the information technology field.