Training Security Foot Soldiers

Entry-level Security+ certification could be a way for many to move into the growing IT security field.

Security managers worth their salt are arming their companies with arsenals of technology such as firewalls and encryption. But it's the wise ones like Matthew Speare who know that it also takes well-trained foot soldiers to fight the constant information security battle.

That's why Speare, IT risk management director at the $10 billion Ohio Savings Bank, recently fired off a memo to his security administrator strongly recommending that the bank steer as many IT staffers as possible to a new entry-level security certification called Security+.

"I'm a strong believer in certification," said Speare, in Cleveland. "If there's one now that covers the basics, our guys need to know about it."

Security+, from the Computing Technology Industry Association, is the latest among several security skills certification programs that are increasingly popular with enterprises. However, unlike many certifications, including CISSP (Certified Information Systems Security Professional), Security+ is targeted at entry-level IT security professionals. As such, say experts, it represents an attractive opportunity for IT pros seeking to find new opportunities in today's difficult job market.

"There's a huge information security job boom ahead. There's going to be a land rush for talent starting in the first half of 2004," said David Foote, president of Foote Partners LLC, an IT work force research company based in New Canaan, Conn., and an eWeek online columnist.

Driving that demand, said Foote, will be heightened awareness of security issues nationwide, accelerating e-business development and an overdue loosening of IT budgets.

Security+ has been under development since the beginning of the year by CompTIA, a global computing industry trade association based in Oakbrook Terrace, Ill. According to Kris Madura, program manager for Security+, CompTIA recruited 24 people from industry, government and academia to form a steering council.

The goal was to create a vendor-neutral certification that set a baseline for security skills required by enterprises. Security+ is aimed at people who have at least two years of experience in networking and TCP/IP and who have gained a modicum of experience with security tasks. The certification lays down a core body of knowledge in five domains: general security concerns, communications, infrastructure, basic cryptography, and operational and organizational security.

Security+ will also help organizations ensure that IT staffers already working as security experts don't have big holes in their knowledge and experience.

"I've met many computer experts in a given area—security, for example—who know the intricacies of computer software security yet lack fundamental and essential security skills," said Tivoli Software Project Manager Susan Farago, in Austin, Texas, a Security+ cornerstone committee member. "This cert will bridge that gap and enable candidates to demonstrate they possess the fundamental skills that serve as a solid foundation to build more technical or vendor-specific skills on."

Following final refinements, the test will go live by the end of the year. The cost to take the test will be $149 for CompTIA members and $200 for nonmembers. (For more information, go to