Your daily source of Pwnage, Policy and Politics.

Episode 130 – Balancing Experience and Certs


ISD Podcast Episode 130 for May 14, 2010. This podcast is our contribution back to the community: we discuss the vulnerabilities of interest and information-security-related news, hopefully providing you a few laughs and a little knowledge.

Announcements:
MyHardDriveDied.com:

  • MHDD Data Recovery Class current dates and locations:
    • San Francisco – June 14th–18th
    • Atlanta – July 12th–16th
    • Dallas, TX – October 11th–15th
    • Washington DC – December 6th–10th
    • Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email [email protected], or go to http://www.myharddrivedied.com. Use the Discount Code isdpodcast for a $300 discount.

SANS Community Atlanta:

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538).  Use the Discount Code: isdpod15 for a 15% discount.

Atlanta ISSA:

  • The Atlanta ISSA chapter is hosting a CISSP workshop from May 26 to August 14 (preparing for the August 15, 2010 exam), 6:00 to 9:00 PM, two sessions per week, every Wednesday and Friday, at the Clendenin Building, Kennesaw State University. The CISSP workshop is free of charge to Metro Atlanta ISSA members only. For further information, contact Ben Sholes, Director of Training, at: [email protected].
  • ISSA International Conference – September 16, 2010  (http://www.issa.org/page/?p=105)

North Alabama ISSA:

  • Hosting the second annual North Alabama Cyber Security Summit on June 9th in Huntsville, AL. The event is open to ISSA members at a discounted price ($35; full price is $50).
  • For more information please visit the North Alabama ISSA’s web site at: http://northalabama.issa.org/

Friends of the Podcast:

Webhosting services: WebSpeedway

Stories of Interest:
News item 1:  http://www.darkreading.com/vulnerability_management/security/government/showArticle.jhtml?articleID=224701863
The IT security job market is booming — but that doesn’t mean everyone is automatically getting a job, or the right job. And just like the threat landscape is rapidly evolving, so are the qualifications and qualities needed for positions in the security profession.

There’s a conundrum between supply and demand: Employers are looking for security candidates who can fill a specific need, such as incident response or risk management, while security pros on the job hunt want to build on their existing skills and advance their careers. “But employers don’t want to hire someone to get experience on their dime,” says Lee Kushner, president of LJ Kushner and Associates, an IT security recruitment firm.

“In general, there are more qualified people than jobs. And in specific terms, there are fewer qualified candidates for the jobs people are hiring for,” says Kushner, who also co-founded InfoSecLeaders.com.

Getting the right person for the job is as difficult as getting the right job. According to a report by Booz Allen Hamilton last year, only 40 percent of government managers say they are satisfied with the quality of applicants they’re seeing for federal IT security jobs, and only 30 percent are happy with the number of applicants.

And employers are looking for security pros who specialize in specific security disciplines. The days of the Certified Information Systems Security Professional (CISSP) certification guaranteeing employment are over. “CISSP used to be a must-have. Now it’s more of a ‘nice-to-have.’” There has always been a battle between certification and experience; now it’s expected that you have both. Skills and qualifications the article says employers are looking for:

  1. Incident-handling/response (attention to detail, good at documentation and sharing with others)
  2. Compliance know-how (PCI DSS, HIPAA, Health Information Trust Alliance (HITRUST) framework)
  3. Risk management (the GIAC Information Security Fundamentals (GISF) certification is a baseline, as is the GIAC Security Essentials Certification (GSEC))
  4. Business acumen (must be able to articulate the business value of a specific security or network technology to C-level folks)
  5. Government security clearance (IT security pros with security clearances earn 20 percent more than those without)
  6. Leadership experience (Experience here could be leading a team or project or a professional organization)