Feds, firms unveil test for security pros
A new certification program for entry-level computer-security workers will get up and running Monday, say representatives of the combined industry-government group behind the exam.
The Security+ certification, brainchild of the Computing Technology Industry Association, could become a minimum requirement that would help companies and government agencies hire knowledgeable network administrators. CompTIA is made up of two dozen trade and government security experts, including representatives from Microsoft, IBM and the FBI.
"This is going to be an entrance into the security profession, a validation of knowledge," said Kris Madura, Security+ program manager for CompTIA.Judging from the organizations that helped create the certification, Security+ looks to be on the path to becoming the standard for verifying that a potential employee has a sound understanding of security concepts. CompTIA also includes members from Sun Microsystems, VeriSign, Novell, the Secret Service and the National Institute of Standards and Technology, the organization that sets the hiring standards for nonmilitary government agencies.
Security certification got a big boost last September, when the Bush Administration published a draft form of the National Strategy to Secure Cyberspace. The strategy highlights the need for more security training and better ways to certify knowledge.
Information-technology "security professionals, associations, and other appropriate organizations should explore approaches to, and the feasibility of, a nationally recognized certification program," the National Strategy says, "including a continuing education and retesting program. The federal government could assist in the establishment of such a program, and, if it is created, consider requiring that federal IT security personnel be appropriately certified."
Despite the heavy corporate involvement in the Security+ certification, Madura said, CompTIA worked to ensure that the exam doesn't favor one technology over another.
"The concepts are more generalized, but they are not so conceptualized that they aren't relevant," she said. "This exam is targeted toward the foot soldier, the people out there that are doing the job."
According to Bryant Tow, executive vice president of vulnerability-assessment company Olympus Security--another company that aided in creating Security+--the new certification won't overlap with another well-known security rating, the Certified Information Systems Security Professional certification.
"CISSP is targeted at people with more experience," Tow said, adding that the Security+ certification answers a different need. "One of the biggest questions we would get from our customers is 'Where can I get started in security?' This answers that."
Although certification programs such as Security+ would depend on the degree to which a person used and was responsible for a network connection, CompTIA's Madura said that as more attention gets focused on security, training could become mainstream, perhaps even making its way into bedrock school curricula.
"Even a third or fourth grader should understand that you never give out your password," she said.