Category: Education

There are now a vast number of courses and qualifications available for IT and cyber security professionals. Some are achievable over only a few days, whilst some may take years to complete. In terms of Information Security, there are a great deal of courses and qualifications out there, but one of the best-known and highly regarded is the Certified Information Security Manager (CISM) qualification, which is awarded by ISACA (the organisation previously known as the Information Systems Audit and Control Association).

The Qualification

The Certified Information Security Manager qualification was first launched in 2002 and is now a globally accepted qualification amongst the IT community.

Who is it for?

The CISM is for IT professionals with a specific interest in IT security. It is awarded to individuals who meet the following requirements:

1. Pass the CISM exam.
2. Adhere to ISACA’s Code of Professional Ethics.
3. Agree to comply with the Continuing Professional Education (CPE) Policy
4. Have relevant work experience.
5. Submit an Application for CISM Certification.

The Exam

One of the criteria for certification is passing the main exam. The exam covers the four CISM areas outlined below:

• Information Security Governance (24% of exam)
• Information Risk Management and Compliance (30% of exam)
• Information Security Program Development and Management (27% of exam)
• Information Security Incident Management (19% of exam)

The exam consists of 150 multiple-choice questions covering the areas above. Candidates have four hours in which to complete the exam.

Since 2017, the exam can now be taken via computer-based testing (CBT) at a number of registered exam centres. This also means that the candidate’s exam score can be displayed straight away.

In order to register for the exam, candidates must first register online with the ISACA, find a testing centre nearby, and pay for the examination in advance.

The fees for this exam are $575 USD (approx. £475) for SACA Members and $760 USD (approx. £625) for non-members.

Required Experience / Qualifications

Those who wish to become qualified must possess a minimum of five years of relevant work experience. This experience must be verified and include at least three years of information security management work in three or more of the specified areas. This experience must have been gained in the 10-year period prior to the application date, or within 5 years from when the exam was originally passed.

There are, however, several certifications and types of experience that can be used towards the 5-year information security work experience requirements (but not toward the 3-year specific requirements).

Certifications and experience that count for two years of the five include:

• Certified Information Systems Auditor (CISA)
• Certified Information Systems Security Professional (CISSP)
• Post-graduate degree in either information security or a related field such as business administration, information systems, or information assurance.

Certifications and experience that count for one year of the five include:

• One year of information systems management experience
• One year of general security management experience
• Skill-based security certifications such as CompTIA Security +, SANS Global Information Assurance Certification (GIAC), Disaster Recovery Institute Certified Business Continuity Professional (CBCP), Microsoft Certified Systems Engineer (MCSE), or ESL IT Security Manager.
• A completed information security management program at a relevant institution (i.e. one aligned with the Model Curriculum).

Continuing Professional Education and Jobs Prospects

A key element in obtaining certification is that the candidate agrees to follow the Continuing Professional Education (CPE) policy. This policy is there to ensure that all certified candidates keep their knowledge current and maintain proficiency in the field. Staying up-to-date means that individuals are better able to provide leadership and value to their organisations. At least 20 hours of CPE are required each year in order to maintain the CISM certification.

Professionals who pass the CISM qualification can go into a wide range of roles including (but not limited to):

• Information Security Manager
• Information Security Analyst
• IT Audit Manager
• Director of Cyber Security & Information Assurance
• Cybersecurity Consultant

According to the website IT Jobs Watch, the average (median) annual salary for an ISACA Certified Information Security Manager is £65,000. You can find out more about other cyber security job salaries in this article on our sister site, Cyber Security Jobs.

Today’s constantly changing cyber security landscape means that keeping your network secure is more essential than ever. A key part of this is penetration testing. You might think that this is a specialist area that needs to be left to the experts, but in fact, you can set up your own network penetration testing lab in house.

Not only is this a good way of securing your systems but it also helps to improve your configuration and security skills so that you are less likely to leave attack routes open in future. Carrying out penetration testing in a lab environment is also much safer, as some of the tools used can cause problems if applied to a live network. Your own lab is also a good way of experimenting with the latest testing tools and techniques.

Physical versus virtual

In the past, you would have needed a physical server as the core of your testing setup. Today, however, you can do it in a fully virtualised environment. You can combine the two, with a single virtual machine offering a number of virtual environments, or you can go for a completely cloud-based solution.

You need to be aware, however, that virtual machines don’t always precisely replicate the characteristics of physical ones, so certain techniques may not yield the same results. Even so, to get started, a virtual environment is probably best. If you need to increase the realism of your tests later, you can look at using old hardware, either surplus within the organisation or purchased second-hand.

The principal advantage of virtual machines in the cloud is scalability. You can easily add capacity as you need it. Infrastructure as a Service (IaaS) allows you to replicate all kinds of network scenarios without the need for expensive hardware. Virtual machines can be used to host a range of different environments, including Windows and Linux.

Inside the lab

Having decided on the environment you are going to use, what does your lab actually contain? At its simplest, all you need is the computer to be tested and the one that is going to carry out the testing. As your needs evolve, the number of machines may increase.

If you are just beginning, it’s best to start simple and build up to something more complex. The key thing is to replicate the target system as closely as possible. For newbie testers, it’s important to understand what it is that makes a system vulnerable. Fortunately, the internet is your friend here and there are a number of places where you can download applications and virtual machines that are pre-configured to be vulnerable. This is a good way of getting started and learning how your testing tools work.

As your skills improve, you’ll want to start adding complexity to your test setup. This means increasing the number of targets, adding machines running different operating systems and different software. This ensures that you gain experience as to how mixed networks look from an attacker’s point of view. You can also expand the potential attack surface by adding services such as FTP, databases, email and so on.

On the machine that’s carrying out the testing, you really need to be able to run both Windows and Linux as there are different tools available for each OS and their capabilities differ. Once again, there are pre-configured testing tools that you can download to help you get started. Alternatively, you can build your own toolkit. There are a number of things you need for this, a set of basic network utilities including FTP and Telnet is essential. You’ll need some packet capture software, a port scanner, and a vulnerability scanner. You may also want to look at getting a password cracker as well as a scripting tool.

It isn’t hard to get started, setting up a testing lab with just a couple of virtual machines and some pre-configured image downloads. You can then add complexity and sophistication as your skills develop.

Are you interested in cyber security but don’t know how to turn it into a career? If so, it’s worth investigating Cyber Security Challenge UK and it doesn’t matter how old you are or what qualifications you have (or don’t have). In this article we take a look at everything you need to know.

What is Cyber Security Challenge UK?

It’s an initiative set up to identify and encourage people with cyber security skills, with the aim of recruiting them into the industry. The programme offers both competitions to test a variety of skills across multiple age groups, together with education at all levels to help students and teachers develop cyber security knowledge and to promote future career prospects in the sector.

The principal competition starts with online qualifying challenges designed to test your skills. These aren’t necessarily all technical; cyber security also requires an aptitude for risk identification, problem solving and understanding psychology. From there, successful participants move on to face-to-face semi-finals and then to the Masterclass grand finale where an annual champion is chosen.

With a significant shortage of skills in the sector already biting, if law enforcement and security agencies can’t recruit suitable talent, the UK won’t be able to combat the rising tide of cyber crime. Cyber Security Challenge UK is looking to solve that potential issue with its competitions and its numerous events in schools, colleges and universities.

How do you enter?

To enter, simply go to the Cyber Security Challenge UK website and register to play. Once registered, you can play online or download the app for a faster, more engaging experience.

You need to be 16 or over, a UK or EU citizen and a UK resident to enter the main competition, although the organisers have the discretion to admit under-16s with exceptional abilities. If you’re under 18 and get to the face-to-face stages, you must attend with an adult. If you currently work in the cyber security industry, you can register for the online competition but you cannot progress to the face-to-face stages.

There are also rules for the frequency with which you can enter. If you win a Masterclass place, you can’t enter any further face-to-face competitions in that calendar year. If you reach two or more Masterclasses or are crowned champion, you can no longer participate in face-to-face events. This is to ensure that as many potential cyber security professionals as possible can reach the semi-final and final stages. You can, however, still play online and attend educational events.

Who’s behind it?

Cyber Security Challenge UK is funded primarily via sponsorship, including the UK Government, the National Crime Agency and GCHQ. As a Not for Profit organisation, it provides a route for both private and public enterprises to find exceptional talent that can defend the UK’s financial institutions, national security and overall digital economy in years to come.

As a result, the range of sponsors reflects the diverse needs of the cyber security industry. Sponsors include universities, defence organisations, government departments, technology companies of all sizes, law firms, together with education and training businesses.

What about the educational events and activities?

Cyber Security Challenge UK is very much about the long term, an integral part of which is working to support and even change mainstream education. Cyber security developments don’t form a major part of any standard educational offering at GCSE and A-level, but the promotion of lesson plans, free summer camps and resources for parents should help to foster an interest in young people and encourage them onto a pathway that leads to a cyber security career.

In universities, the organisation offers a variety of boot camps tailored to both technical and non-technical undergraduates. Again, the emphasis is on finding the right people, unrestricted by age, background, or qualifications, setting them on a path where they are seen by the right recruiters.

Ultimately, if this is a sector that appeals to you, you meet the requirements and you think you have the necessary skills, this is a great starting point. Register, play, and see where it takes you.

Starting a career in cyber security can lead to personal financial security. Experis, in fact, reported a four percent year-on-year salary increase coming into 2018, with other analysts reporting a seven percent salary increase for cyber security specialists in 2018 – the biggest for IT professionals in Europe.

If you’re looking to become a cyber security professional but lack practical experience or the finances to take classes in a university, there are plenty of ways you can get into the industry.

Here are five of our top free beginner cyber security resources and course to get you started:

Introduction to Cyber Security

Learn the fundamentals of cyber security to protect private and personal data. Know the basics of authentication, networking, threat identification, cryptography application, risk management, recovery, and the law surrounding cyber security.

The Open University offers this eight-week course through Future Learn, with support from the UK Government’s National Cyber Security Programme and accreditation from GCHQ Certified Training, APMG International, and the IISP.

The free version gives you a 10-week access to all the educational materials, but you’ll have to pay for certification.

Cyber Security: Safety at Home, Online, in Life

Considering how much personal data is stored online through the proliferation of smart devices, social media use, and online shopping, the threat of cyber attacks has increased. With this course, you’ll understand the practical applications of cyber security on the everyday goings-on of the average individual and how that relates to commercial businesses.

Newcastle University offers this three-week course through Future Learn. Enrolling in this course for free gives you access for five weeks. You will have to pay to get certification.

Network Security

Establish foundational knowledge on cryptography, cryptanalysis, and systems security in the context of securing networks. Lessons are taught through seminal papers and monographs that have impacted the industry, developing your security research skills in the process.

The Georgia Institute of Technology (Georgia Tech) offers this 16-week course through Udacity.

This free course nets you instructor videos and interactive quizzes, but you will not receive any accreditation unless you are part of the Georgia Tech OMSCS program.

Cyber Security for Small and Medium Enterprises: Identifying Threats and Preventing Attacks

While the biggest cyber crimes people hear about concern multinational corporations and industry giants, small- and medium-sized businesses are just as vulnerable to cyber attacks. This course teaches you how to identify risks and prevent threats that SMEs uniquely face when it comes to cyber security.

Deakin University will be offering this two-week course through Future Learn. You can only get credit for this online course if you complete the entire Cyber Security Management program it is part of.

Secure Android App Development

Mobile applications have become an integral part of modern living, with so much confidential information tied to these apps. The freedom and flexibility of app development on Android, however, comes at the price of great cyber security risks. Learn how to identify and solve common security problems in mobile apps that can be fixed in the development stage with the use of HPE Fortify SCA.

The University of Southampton’s Cyber Security Academy offers this four-week course through Future Learn.

 

Once you have developed these beginner skills, take the next step in your education by looking for advanced cyber security courses through our very own network of providers. If you’re ready for that career defining first job, then check out our sister site, Cyber Security Jobs.