There are probably few who would disagree that the market for information security and security software is on a major growth path. Gartner estimates 8% growth to an overall market of $14.5 Billion in security software, and other blogs are extensively covering White House initiatives and funding for Cyber Security in national infrastructure.
So without a doubt, many companies are now or will soon be entering the IT Security market. Some of these companies already have a legacy of software in malware detection and anti-virus licensing. Some have a background in certification processes through NIST, NIAP, or another Government or commercial security body. But many of these companies will be entering what can loosely be called the ‘security market’ from a background in traditional software, business services, or architectural design, and will have to establish their experience or credentials in the security market. So how exactly do they do this?
SearchSecurity.com posted an article today interviewing Gartner Research Director Carsten Casper on the value of various individual security certifications that professionals should seek out and achieve. The title of the article is slightly inflammatory (“some certifications are overvalued”), but the text of the interview was about 1000 words of ‘it depends on your situation’.
I come from a background where much of the security accreditation you bring to an employer is based on Government clearances. Most people are aware of the political nature of such things, and the fact that they don’t necessarily bring any technical knowledge of the security technology covered by those clearances. In most cases, your credentialing comes from a customer asking ‘What agencies are you working with, and who is your interface at those agencies?’ Security credentials through name-dropping.
As CPU Tech develops a full offering in security services relating to the Acalis Secure Processor, we are taking very seriously the need to establish security credentials across the board. Working with and interacting with the widest possible variety of Government agencies will allow us to understand the breadth of processing security needs across missions (Trusted Source, Anti-Tamper, Secure Communications, Trusted Computing, etc.).
Just as important in providing services, however, is keeping up to speed on the growing variety of more ‘commercial’ security certifications being made available through groups like GIAC, CISSP, and others specific to Microsoft, Oracle, and Cloud Computing services. In a security services capacity, holding each of these certifications may matter less than knowing the exact contents of each and being able to call on that knowledge as needed.
In the field of security, experience will always be the keystone element in establishing credentials. If a program manager needs help achieving a very specific accreditation or third party evaluation, the only question on that manager’s mind will be experience with the accrediting body and the ability to accurately scope the effort required. This is very much an on/off capability: either you have experience, or you don’t. It is easy to document the experience once you have it, but it is difficult to gain that experience if you don’t. This is where it makes sense to seek experienced partners in achieving accreditations with new agencies.