Project SAIL
is supported by
the Sloan Foundation

Project SAIL
Partners

Cybersecurity and (ISC)²
The International Information Systems Security Certification Consortium
St. Petersburg College, Florida

Information technology security (ITS) is one of the fastest-growing segments in the information technology (IT) market. In spite of waning demand for general IT professionals, the worldwide demand for ITS services was approximately $8 billion in 2001, and is estimated to grow to $23.6 billion by 2006. Changes in global technology and homeland security have fueled the demand for a variety of specialized security professionals, including firewall analysts, incident handlers, IT law experts, security trainers and cryptography, and IT insurance analysts.

In exploring the field for ITS professionals, one needs to clear common misconceptions about them. IT professional refers to a network administrator or systems architect who, along with performing a core job, also has an inherent knowledge of the security required for day-to-day operations. On the other hand, an ITS professional, beyond general information technology skills, has a comprehensive know-how of security in the information technology field. The ITS professional’s primary job is to assess the risk factors for an enterprise, implement insurance plans, and design security policies.

The emerging vulnerabilities and threats, through ever-expanding complex networks and access points, added to increasing regulatory requirements, are drastically affecting the way organizations approach cybersecurity. A vice president for Cisco Systems recently pointed out that the organizations that have the greatest need for information security professionals are IT consulting, e-commerce, financial services, insurance, and manufacturing, or 80 percent of the IT industry.

Adding to the ITS market demands is the newly emerging and stringent privacy legislation. These factors, coupled with ballooning concerns on security issues in outsourcing, are compelling companies to implement information security. In addition, the demand is growing exponentially, as there is growing dependency on technology systems and concern for making network systems foolproof, as well as compliant with international security standards, and secured from hacking and virus threats.

Industry observers point out that all this has made information security one of today’s most sought after and best-paid careers. In fact, in the U.S., an entry-level IS professional can command a salary of $75 to 80,000 annually.

Demand and Supply Gap

The need for ITS professionals will exponentially increase in the coming years as more overseas companies search globally to support their information processing needs. Unfortunately, this is not matched by a corresponding supply of skilled ITS professionals. The National Association of Software and Service Companies (Nasscom) Report claims that fewer than 10,000 professionals have a working knowledge of ITS. At this rate, there will be an expected shortfall of more than 100,000 ITS professionals globally by the year 2008.

With the changing ITS scenario, companies can no longer look at IS as an extension of the IT department. Information Technology Security requires skill sets in designing, implementing, and monitoring the IT security infrastructure. The skill sets of ITS professionals can be broadly grouped under two categories, namely, the ITS technical skill sets and business process-controls skill sets. While technical skill sets are required in setting up and implementing the information security architecture and to review compliance to define ITS policies and procedures, business process-controls skills are required to ensure that business processes happen in a controlled environment and in compliance with regulatory requirements.

According to Certification Magazine and their annual, industry-wide study of the effects of certification on global salaries for information technology professionals, credentials supporting these skills are currently earning the highest pay for certified experts. The (ISC)² Certified Information Systems Security Professional (CISSP ®) certification ($85,960), Cisco Qualified Specialist: IP Telephony ($84,620) and (ISC)²’s Systems Security Certified Practitioner (SSCP ®) ($84,310) all ranked within the top 5 of all IT certifications surveyed. These strong numbers and the impressive salaries for 80 other certification programs measured demonstrate that certification that is still a winning investment for IT experts.

Program Description

In October 2003, the (ISC)² , announced a partnership with St. Petersburg College (SPC), to provide information security-related courseware and certification to students based on (ISC)² best practices and premier security credentials. As the provider and administrator of the program for (ISC)² , SPC will manage the program by selecting and qualifying up to 100 colleges and universities throughout the world to participate in the first year initiative.

The model for this program is founded on the establishment of (ISC 2AC)s (Authorized Academic Centers) at colleges, and enabling access to the highest level industry certification available, with cost-effective tuition bases, and without large investments in research and online curricula developments.

Comprising a self-paced training series, the (ISC)² topics are based on entry-level assessments, eLearning experiences with simulations, and lab-based practicum with practice tests and evaluation measures to prepare students for certification testing. The seven domains of certification are noted below, and each has thorough designated course goals.

• Access Controls targets major access control concepts, protocols, and issues consistent with policies, standards, and procedures.
• Administration informs students about the description and implementation of effective programs based on best practices and sound security administration.
• Audit and Monitoring allows students to research and review the vulnerabilities inherent in information technology and system networks and analyze techniques and strategies to enhance the security services.
• Risk, Response, Recovery are course objectives surrounding the elements of risk management, implementing best practices for disaster and business continuity planning, and ensuring the recovery of information resources as part of the infrastructure’s overall security planning.
• Cryptography introduces the basic principles, concepts, and terminology of cryptography, with an expanded understanding of cryptographic algorithms.
• Data Communications helps students research the vulnerabilities inherent in data communications, protocols, and system networks and develop techniques and strategies to enhance the security infrastructure.
• Malicious Code targets the development and recognition of vulnerabilities exploited by malicious software and effective countermeasures for implementation.

Program Implementation

The model for (ISC)² program implementation supports the Project SAIL philosophy and the idea of selected colleges becoming authorized training centers and delivering the content for certification and continuing professional education (CPE) credits.

Colleges may apply to become a (ISC 2AC) and, upon approval, are offered (ISC)² licensing options. The licensing package includes training and support for 2 local faculty instructors to (ISC)² CBK Review Seminars, access to full curriculum modules for certification, complete training packages and materials, and program marketing and promotion materials for an annual fee of $3,295. The annual fee also includes continued training updates and content support, and helpdesk support.

As authorized (ISC 2AC)s , local colleges are able to collect registration and FTE for students, with full access to curriculum at a rate of $165.00 per student, per three-credit course. The Systems Security Certified Practitioner (SSCP®) requires seven courses to prepare for certification, and the Certified Information Systems Security Professional (CISSP®) requires 10 courses in preparation for national (ISC)² certification testing.

The SSCP® and the CISSP® are internationally recognized and can be extended beyond workforce developments as content modules for colleges to offer credit-based certificates and capstone or specialty programs for information technology degrees. In addition, there are over 30,000 existing CISSP® professionals who require 40 CPE credits annually to maintain certification. College-based (ISC)² training centers offer lifetime certification paths for these professionals and meet the needs of access, quality, and economy to serve continuing education needs.

Summary

Since its inception in 1989, the nonprofit organization (ISC)² has trained, qualified, and certified more than 30,000 information security professionals in more than 110 countries. The quality of the (ISC)² online content, lab-simulation experiences, and collaborative connections provide new opportunities and expanded avenues for IT professionals to leverage their expertise, skills, and services in the ever-changing field of technology.

For more information on Cyber Security, (ISC)², and how to become an authorized provider,contact Paul Harris, Director of IT Security Education, St. Petersburg College