This article reviews the top 3 most demanded information security job roles, industry certifications, and relevant skill sets that every business must consider for greater assurance and resiliency and also to meet both the long- and short-term business objectives.
The business requirement to meet and exceed customer expectations demands a continuous evolution of the technology landscape and the improvement of a company’s business cycles. The opportunities that come with advances in technology are great, which in turn attracts the unsolicited attention of criminal gangs that are highly organized and, more often than not, mimic a successful legitimate business entity. These criminal syndicates are very quick to realize the “business” potential of exploiting weaknesses in the information technology infrastructure of any business by leveraging the right IT skills.
As a result, businesses have no choice but to counter these threats by (continuously) scaling up and investing in the specific skill sets that counteract fraudulent actions.
Information Security Architect
A person in this role is an experienced security professional who is able to decode and understand business requirements (from the business teams), identify and analyze applicable threats, is actively involved in the selection and implementation of security controls, and finally is able to evaluate the overall security posture and suggest reasonable improvements to reduce the risks. It is customary to see individuals in this role with a highly technical background who have also worked very closely with non-technical staff. This mix of experience is highly desirable in organizations where an architect is required to develop processes and then create awareness among various user groups.
Increasingly, as more data privacy and related regulations and laws are introduced, it is very important for the information security architect to identify the controls these regulations require and to build or implement them in the target systems.
With all this, it is imperative that the information security architect sees the bigger picture, takes a holistic view of the requirements, and builds an architecture with layers of security defenses around the business data at its center.
The industry certifications that attest to the knowledge and skill set of an Information Security Architect are:
1. GIAC Defensible Security Architecture (GDSA): This is by far the best-recognized industry certification for individuals who are responsible for protecting organizations by building and testing secure network architectures for applications and data.
2. CISSP-Information Systems Security Architecture Professional (CISSP-ISSAP) is another well-reputed industry certification but is not as hands-on as the GDSA.
3. CREST Registered Technical Security Architect (CRTSA): Aimed at technical architects who understand and relate the technical solutions to the business requirements.
In addition to these, it is common to have vendor-specific certifications for the Information Security Architect, but they are usually limited in their scope and usage.
Information Security Analysts
People in this job role are highly adept with certain technologies and well versed in the use of tools for monitoring, testing, and analyzing data for indications of a security compromise or data breach. This is more of an operational role that requires them to follow a well-defined set of processes as a routine. They are more technology-focused and should be able to test a system, review its configuration, and analyze logs and data from various applications and systems to find and report any bug or vulnerability that could be exploited by internal or external bad actors.
In addition to that, they also perform root cause analysis and recommend solutions to ongoing issues. This means that they have an extremely important role to play during incident investigation and response.
The role requires specific hands-on training with tools and technologies, including vulnerability assessment and penetration testing, monitoring through Security Information and Events Management (SIEM), threat hunting, and incident response.
There are many industry certifications that teach the skillset required for the role and some of them include:
1. Offensive Security Certified Professional (OSCP): A popular and highly respected certification for Information Security Analysts with a specific focus on testing and assessing security (vulnerability assessment and penetration testing).
2. SANS GIAC Certified Penetration Tester (GPEN): The holder of this certification is expected to be well versed in testing the security of the networks and operating systems within an organization using various tools and techniques. It is a great certification to have and attests to the skills of the analyst.
3. SANS GIAC Certified Detection Analyst (GCDA): This is another certification that proves the holder has the hands-on technical knowledge needed for the detection and analysis of malicious activity within the IT infrastructure of an organization.
4. Certified Information Systems Security Professional (CISSP): It is by far the most popular information security certification and requires a moderate to advanced level of knowledge of almost all aspects of information security. The holder is considered a perfect fit for the role of Information Security Analyst when this certification is combined with one or more of the hands-on certifications in this list.
5. Certified Information Systems Auditor (CISA): A common certification for both information systems auditors and Information Security Analysts. It requires a basic to intermediate level of knowledge of auditing information systems.
6. Certified Ethical Hacker (CEH): Another nice-to-have hands-on certification.
Information Security Compliance Officers
An Information Security Compliance Officer is the third top information security job. It requires experience in establishing a management system that ensures the security of business and customer information, and it requires working in collaboration with teams including sales and marketing, accounting and finance, HR, legal, building and facilities, and IT. The management system is implemented and supported by documented policies and procedures, technical controls, mature processes, and by enabling people through training and awareness. The Information Security Compliance Officer must possess the ability to understand and then translate complex compliance requirements for the relevant stakeholders. The person in this role must possess excellent communication skills, as they are required to interact with various groups of employees, including senior executive management.
More recently, with an increasing number of laws and regulations being introduced in various regions and industries, this is an area where organizations are finding it increasingly difficult to keep their heads above water. A global drive to protect the privacy of individuals means organizations cannot ignore these requirements or leave them to be addressed at a later, more convenient time. In this context, the job role of an Information Security Compliance Officer has become a crucial one and is more in demand than ever before. As mentioned earlier, compliance requirements vary from country to country and also from industry to industry.
Some of the more prevalent and widely accepted compliance frameworks include:
• ISO 27000 series of standards (organizations can get certified against ISO 27001:2013),
• Payment Card Industry Data Security Standard (PCI-DSS, for the financial sector),
• General Data Protection Regulation (GDPR, a data privacy regulation for EU residents),
• Service Organization Control (SOC 1 and SOC 2),
• Health Insurance Portability and Accountability Act (HIPAA, for the healthcare industry),
• Personal Information Protection and Electronic Documents Act (PIPEDA, Canada),
• California Consumer Privacy Act (CCPA, in the state of California, USA).
Information Security Compliance Officers must be intimately familiar with one or more of these compliance regulations and standards. And since all of them require knowledge and implementation experience around information security Governance, Risk and Compliance (GRC), the relevant certifications and skill set for the job role can include:
1. ISACA’s Certified in Risk and Information Systems Control (CRISC): The certification is for information systems professionals tasked with Risk Management activities in an organization.
2. ISACA’s Certified in the Governance of Enterprise IT (CGEIT): This certification focuses on enterprise IT governance, value delivery, risk management, and resource management.
Most compliance frameworks have specific training and certification programs, which an Information Security Compliance Officer has to choose based on the organization’s needs.
1. ISO/IEC 27001:2013 Lead Auditor and Lead Implementer Certifications: ISO 27001:2013 is a well-known and universally accepted standard that can be implemented in organizations of all types and sizes. For that reason I categorize this as a “must-have” certification for all Information Security Compliance professionals.
2. Payment Card Industry Data Security Standard (PCI-DSS): There are various training and associated certification tracks from the PCI Security Standards Council, with PCI Qualified Security Assessor (PCI-QSA) being the best known of them all.
3. Certified Information Privacy Professional (CIPP): The certification program is aimed at privacy regulations in various regions and hence differs for every supported region (Asia, Canada, Europe, and the USA).
Our intention was to cover the top 3 most demanded information security job roles, industry certifications, and relevant skill sets that are important for greater assurance and resiliency. These roles help an organization meet both its long- and short-term business objectives.