SIDEBAR: Training the Two-Headed Beast

Are certifications a valid mark of a person's skill and knowledge level, or are they just resume fluff?

Security bodies in Australia such as The Australian Security Intelligence Organisation (ASIO) and the Australian Security Intelligence Service (ASIS) are reaching out to engage the IS community. Individuals within the intelligence community realise this is where their futures lie. They see themselves as best placed to fill the emerging CSO roles and they are jockeying to benefit from the demand.

Corporate security professional bodies such as the Australian Security Industry Association Limited (ASIAL) and the Australian Society for Industrial Security (ASIS) are actively promoting the CSO concept and the integration of the physical and IS professions. Dean Kingsley, the head of enterprise risk services Asia-Pacific at Deloitte Consulting, says he is intrigued that local IS professionals, by and large, are not positioning themselves for the CSO trend.

So what makes a great CSO? Where do they come from? What will companies need them to do?

Emma Stonham, a spokesperson for Candle IT Recruitment, says in a senior security executive Australian companies are looking for a very particular person. Candle's experience is that the CSO role is difficult to fill. They see many companies retraining senior IT staff to meet new security needs.

"Companies want it all in the one person," says Stonham. "Not only do security managers need to be able to manage aspects of security exposure for the business, such as firewall and WAN/LAN security, they need to be able to develop and implement IT and business strategies too. The job covers everything from security of data and information to security passes and intellectual property.

"This growing security need is taking the security executive higher in the organisation. They are now contributing with their own project plans and business plans, not just following orders from the CEO or the CIO," she says. "The new security outlook even means some are now the decision makers within the IT environment with regard to new implementations and direction."

In Demand

There are perhaps less than 100 certified information systems security professionals (CISSPs) in Australia - a qualification in such short supply that it is on the federal government's Migration Occupations in Demand List. This certification is primarily for those in security consulting and is regarded as a well-recognised credential for CSOs. But the CISSP exam has been criticised in the past for being too broad or for its supposed focus on the needs of US government and military organisations - precisely the characteristics that have brought it back into vogue.

Meanwhile, a new qualification is emerging called certified information security manager (CISM). It is being packaged and operated by the Information Systems Audit and Control Association (ISACA), a global professional body that promotes IT governance. CISM springs from the realisation that most security training and certification focuses on lower level technical solutions. Even a certification like CISSP concentrates on tactical and procedural matters. The industry has also become concerned about measurement. How do security professionals know if they are succeeding? How do they avoid over-optimism? What is the compelling reason to combine the physical and IS functions? CISM is designed for IS managers facing these questions. Its proponents say CISM is not a CSO certification - although that might be a logical next step - but one for chief information security officer (CISO).

Skills Gap

It came as no surprise last year when a national study by the IT Skills Hub called IT Security and Risk Management Skill Requirements found there was an urgent need for staff with both IS skills and corporate risk management knowledge.

The study involved detailed interviews with senior security risk managers at leading organisations, vendors and education providers. It revealed that even though enterprises realise their perceived and real IS vulnerabilities, companies and education authorities are not doing enough to close the growing skills gap caused by corporate Australia's new focus on security. The findings indicate that leading companies are incorporating IS within their overall corporate audit and risk management strategies to comply with emerging national and international standards for e-commerce. It noted that Australian companies wanting to participate in global financial transactions must comply with standards such as the Basel Accord and Identrus, which set international benchmarks for managing IS risk, privacy and associated legal issues. This is stimulating demand for people with more than just technical security skills. The corporate world now wants people who can reconcile IS performance with corporate risk and compliance issues.

The IT Skills Hub report recommended that IS and risk management should be fundamental components of all tertiary computer courses. It also said business courses must include training in managing IS as an integral part of corporate risk management.