Security certification on the rise in Asia

Von Sheila Lam

?Who?s qualified?? This perennial question daunts those who hire security professionals. But with security certifications on the rise in Hong Kong, IT executives may find these critical decisions easier to make.

The number and recognition of security certifications in Asia Pacific is surging, according to IDC. The research firm recently conducted a study on the global information security workforce, sponsored by a security certification body -- the International Information System Security Certification Consortium (ISC2).

The result, announced in early November, pegs the number of security professionals in Asia Pacific at 323,000 by the end of this year. This represents an 18.9 percent year-on-year growth over 2003. Asia has the highest growth rate, noted IDC, as compared to North American and Europe, the Middle East and Africa. The study covers security certifications granted both by vendors as well as independent certification organizations.

Recognition of security certifications is also rising among Asian companies. The study included a survey in which 920 security professionals from Asia participated -- 37.8 percent of respondents indicated the importance of security certification was ?very high? when hiring security staff.

IDC noted Asian companies on average spent about 10 days for security training in 2003, a figure tipped to increase by 25 percent this year to 12.5 days.

Government adoption drives recognition

Asia differs from North America and Europe in that the main growth driver for certification is government, rather than private sector-based, said Chester Soong, director, certification services, Asia Pacific, ISC2.

?Asian countries each want to position themselves as the region?s IT hub,? said Soong. ?Most Asian security certification recognition is driven by governments.?

He noted that currently about 10 percent of the staff at the Hong Kong Government CIO (GCIO) office have achieved the Certified Information Systems Security Professional (CISSP) certification awarded by ISC2. The government also indicates a preference for CISSP at the tendering process for information security related contractors.

With the endorsement of the HKSAR government, Soong noted that Hong Kong is one of the regions with the highest number of certifications granted by ISC2. As of June 2004, the organization has awarded about 27,000 security certificates.


With 15 years of history, CISSP is one of the world?s most recognized certifications for IT security, said Soong. The CISSP examination focuses on managerial skills and is only available for individuals with four years of practical experience in the security industry.

Certification is granted after successful completion of a 250-question exam within six hours. To maintain the certification in good standing, a CISSP certificate-holder must submit 120 continuing professional education (CPE) credits within each three-year renewal period, or retake the exam.

The CISSP exam covers 10 major areas of IT security, including business continuity planning, law and ethics, as well as security architecture and security management practice. The credential is expected to demonstrate that the candidate understands security from a top-level view, and the CPE requirement mandates ongoing training.

Apart from providing the international English version of examination, the organization is currently studying the possibility of examinations with regional specifications in China, Japan and Korea, said Soong. These regional-specific examinations will be presented in local languages and provide additional assessment for best practices that are applied specifically for these markets.

Other certifications

In addition to CISSP, there are other security certifications available locally. The Global Information Assurance Certification?s GIAC Security Essentials Certification (GSEC), and the Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA) offered by Information Systems Audit and Control Association (ISACA).

With the increasing number of certifications, IT executives should understand what these certifications offer, noted Kenneth Rode, manager of internal operations for Unape, an IT consulting firm based in the US.

?The certification must test skills that prove more than ?book-level? proficiency,? said Rode. Examinations that test theoretical knowledge don?t necessarily prove the candidate?s ability to apply that knowledge in complex networks.

The security certification should also be vendor-neutral, he added. Although certifications from market leaders such as Cisco Systems and Microsoft are useful in a focused environment, security professionals must be able to demonstrate a range of skills and understand what is required to secure a heterogeneous network of products from different manufacturers, concluded Rode.