A guide to cyber security certification and training
Cyber security skills are in demand from every organisation, but what training and certification is needed?
Everyone knows that the life of an IT security specialist is a busy one. On one side you have the rapidly evolving threat landscape, and on the other, there’s the need to balance the demands of business stakeholders. Add to this a skills shortage within the technology sector – cyber security in particular – and you have yourself a very stretched cyber security professional.
How to reduce the impact of the skills gap in your business General Data Protection Regulation (GDPR) Has demand for cyber security skills hit crisis point?
A 2022 UK government IPSOS report shared that the estimated cyber security workforce gap was approximately 14,000 in 2021, and this year that figure is expected to grow by 13%, equating to around 17,000 individuals. Businesses are facing the most alarming amount of cyber crime ever known, and with a lack of talent within these organisations, those with cyber security qualifications are crucially in demand.
But getting into this profession takes time. Acquiring the relevant education can take two-four years – or 12-15 months if you choose to do an in-depth cyber bootcamp – but you could also start in a junior role, or an apprenticeship, to build relevant experience. Ultimately, the right certifications will also help you stand out above the rest.
Whichever route you choose, there’s an abundance of learning opportunities and resources available, even more so in recent years, to support and encourage individuals moving into the sector. It’s ensuring you have the right qualifications to embellish your CV, and show your future employers that you understand the value of your technical expertise, and that you’re a committed member of the team.
In cyber security, there’s so much to learn and with so many attacks occurring on a daily basis, a certification could be the differentiator between you and other candidates. Companies will value those that take time to further their own knowledge.
Responsible for information training
The truth about cyber security training
Stop ticking boxes. Start delivering real change.
When it comes to cyber security training, the government has understood how important it is to get small organisations on board with this important education. It has highlighted that it is eager to aid those working in all sizes of private and public sector organisations to get to know their responsibilities when it comes to data protection.
As part of this initiative to raise awareness of cyber security, it is allowing all workers to take part in a free digital learning course covering everything they require to understand how to protect and handle data, both while working remotely and in the office. It advises what an information asset owner is as well as what employees should look out for when identifying online threats.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
The two-hour course was developed for businesses working in the civil sector but is suitable for any organisation that would like its employees to have a basic understanding of cyber security. The content can be accessed from the Gov.UK website.
Training for HR, procurement and legal & accounting
The government has developed a series of in-depth training courses for both public sector and private businesses that need a little more intensive development. Its specialised security courses and training schemes are aimed at businesses in niche sectors, such as HR, procurement, and legal and accounting to help those working in such industries understand how their job roles are affected by cyber security.
Just like the government's other schemes, they comprise modules designed to be completed in an employee's own time rather than at set intervals. However, they're not likely to take away from your leisure time, with each very quick to finish.
They may not provide as much detail as third party, fully-certified training courses, but they provide the background to many of the issues employees are coming up against and cover most bases for businesses without a big budget.
Certified Information Systems Auditor
ISACA's Certified Information Systems Auditor (CISA) certification is an IT professionals certification that aims to build upon an interest in information systems auditing, control and security.
Those obtaining the certification are recognised worldwide for their competencies to manage vulnerabilities and ensure compliance of systems. During the certification, they gain the knowledge, skills and experience to come up with security and compliance solutions to enterprises that require their organisation to be protected against cyber security threats.
Certified Information Security Manager
The Certified Information Security Manager (CISM) certification is also offered by ISACA. IT security professionals with this certificate can demonstrate their understanding of the relationship between an information security program and broader business goals and objectives.
It shows prospective employers the professional has not only information security expertise but also knowledge and experience in the development and management of an information security program.
Certified in Risk and Information Systems Control
The third ISACA qualification on our list, CRISC certified professionals can help enterprises understand business risk and have the technical knowledge to implement appropriate IS controls.
CRISC certified employees can build a better understanding of the impact of IT risk and how it relates to the overall organisation.
CompTIA Security+
This certification from CompTIA covers network security, compliance and operation security, threats and vulnerabilities as well as application, data and host security. Also included are access control, identity management, and cryptography.
Systems Security Certified Practitioner
The International Information Systems Security Certification Consortium, known as (ISC)2, offers the Systems Security Certified Practitioner (SSCP) certification is aimed at IT professionals with proven technical skills and practical security knowledge in hands-on operational IT roles.
It indicates a practitioner's technical ability to tackle the operational demands and responsibilities of security practitioners, including authentication, security testing, intrusion detection/prevention, incident response and recovery, attacks and countermeasures, cryptography, malicious code countermeasures, and more.
Certified Information Systems Security Professional
Another certification from (ISC)2, the Certified Information Systems Security Professional (CISSP) certification is great for professionals with proven deep technical and managerial competence, skills, experience and credibility to design, engineer, implement and manage their overall information security program to protect organisations from sophisticated attacks.
Certified Ethical Hacker
There's even a qualification, certified by the International Council of Electronic Commerce Consultants (EC-Council), available to white hat hackers. Dubbed the Certified Ethical Hacker (CEH), recipients must demonstrate the capacity to identify weaknesses and vulnerabilities in target computer systems. White hat hackers and pen-testers alike have a crucial role to play in businesses' cyber security defences, and qualified individuals are often employed to probe target systems and test for any gaps that may emerge.
Computer Hacking Forensic Investigator
Also organised by the EC-Council, the Computer Hacking Forensic Investigator (CHFI) certification validates professionals that have the skills to detect a hack and obtain the evidence needed to report the crime and prosecute the cyber criminal in a court of law.
The certification strives to stay vendor-neutral, and focuses on forensic analysis, proving a viable training pathway for those with a foot in the law enforcement door.
ISO 27001
The ISO 27001 certification (part of the tier ISO 27000 family) is an international standard that offers the procedures and practices for keeping an organisation's IT assets secure.
This certification predominately concerns information security, as opposed to explicitly being cyber security-oriented, and comprises the various systems, guidelines and certifications needed to help a business analyse its processes.
Prior to ISO 27001 there were a host of separate services for handling all aspects of information security and managing risk, which naturally produced inefficiencies. The development of this standard in the 90s, however, meant the disparate processes could be brought under the umbrella of a single standard, with various components of a business managed in a single system.
ISO 27701
One of the most recent security certifications is the ISO 27701, which effectively serves as a privacy-based extension of the ISO 27001. The aim of this separate standard is to boost existing information security procedures with additional privacy-focused requirements.
This was only published in August 2019 and may form the basis for future GDPR standards given its preoccupation with systems that handle and protect the personal data that's processed as part of normal business functions.
GDPR training
The truth about cyber security training
Stop ticking boxes. Start delivering real change.
GDPR is an area that has also seen certifications crop up due to the significance placed on data protection by businesses since its enactment in 2018. The UK government recently published its plans for a new Data Reform Bill that would scrap a number of the more stringent rules set out under GDPR. These changing times mean expertise in the area is paramount. Responsibility will still lie with the board, but cyber security experts need to be aware of what’s expected from them.
One company offering GDPR training is Assuredata. The introductory courses, which are endorsed by both the Cloud Industry Forum and the Federation Against Software Theft (FAST), aim to raise awareness of GDPR requirements and remove confusion, particularly with regard to those in the cloud industry. More information can be found here.
In addition, IT Governance offers a range of GDPR and DPA (Data Protection Act) training courses, as well as modules for specialist roles, i.e. Data Protection Officers (DPO). IT Governance pride themselves on being an authority on GDPR and are currently the only GDPR course that is ISO 17024-certificated.
This article was first published on 20/09/19, and has since been updated.
Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.