There should be a minimum entry qualification requiring 2,500 hours of examination to work in the security industry.
Speaking to SC Magazine, Ian Glover, chairman of the Council for Registered Ethical Testers (Crest), said that there needs to be a definition of what the role of the cyber security professional is and a recognition of what they look like.
He said: "We need to understand that they are broader than technology and need to know forensic capabilities and have a broad range of skills and can draw from multiple disciplines.
"We need exams to cover many areas such as penetration testing, CISSP, etc. But doing 10,000 hours at half of your work time can take years; there should be a standard 2,500-hour exam to cover subjects and get people to the right level.
"A dedicated masters degree will cover 9,000 hours. The 2,500 hours is a good base as people can specialise from there. We are trying to create a professional to do data protection, ISO standards and demonstrate a level of competence as a practitioner."
Glover went on to say that he would like someone to offer this and called for it to be a requirement, as it will allow graduates to have a point to work towards to become a general practitioner, before moving on to becoming a senior security architect, which will require 6,000 hours of examination. Glover said that becoming a principal security architect would be the pinnacle for most people, as the 2,500 hours would allow people to "understand all of IT in more detail" and that it comes down to creating a "really strong base".
Asked who should be offering this, Glover said that there are companies doing a good job of this but there is no national framework. Crest is working with e-Skills to create a national standard for penetration testing, but there needs to be one for general security. "Create that and then define a pathway and use tools to find a course, and backtrack into a university course," he said.
"There is a question on how do you get into IT as a career? By collaborating as an industry we can make it better. There is nothing wrong with CISSP, but we need a stepping stone to say you have done enough and that is only one of them."