A Certified Information Systems Security Professional (CISSP) is someone with considerable experience in information technology (IT) security fields who has also completed a rigorous exam to verify his or her qualifications. CISSP holders must also meet continuing education requirements to maintain their certification.
Studies show that people with the CISSP certification earn significantly more than their non-certified peers do, perhaps as much as $20,000 to $30,000 per year. There are several career paths open to CISSP holders; this overview discusses some of the most common ones.
Network Architect: People in this job do all the planning needed to set up a network for a business. The network may be within a single location, between two or more offices, or international. Network architects need to thoroughly understand an organization's structure, operations and goals in order to plan a network that will fulfill its needs. They design the network, present the plan to management, determine the equipment needed to implement the plan and organize the physical layout for equipment. Network architects also sometimes supervise the staff that builds the network. They must know about current and upcoming technology to plan for future needs, and they must incorporate information security into network designs.
Information Security Analyst: This position is responsible for maintaining the security of a business's computer network. Analysts have to stay up-to-date on ever-changing security measures to prevent cyberattacks. They develop safe practices for an organization and implement them, which may involve installation of data encryption software, firewalls and virus protections. They continually monitor network systems and investigate breaches, and they develop disaster recovery plans to protect and preserve data should something drastic occur. Analysts also help a company's employees learn about security features.
Computer and Information Systems Manager: People in this position coordinate all the computer operations within a business. They analyze needs, determine the hardware and software required to meet those needs, and plan and direct installations. These individuals are also responsible for maintaining the security of a business's electronic documents and computer systems.
IT Security Manager: Sometimes considered a sub-category of Computer and Information Systems Management, IT security managers oversee all information security measures within an organization, including both data and network security. They work with executives to develop security policies and to arrange training for employees. They supervise investigations of breaches, and they must always stay up-to-date with the latest IT security developments.
Security Auditor: Security auditors independently evaluate the quality of a company's information security. This broad category may involve interviewing employees as well as testing computer and network systems. Security auditors need to thoroughly understand an organization's practices, including organization charts, job descriptions, operating systems, equipment usage, IT policies, disaster recovery plans, access permissions granted to various system areas, backup procedures and more. They meet with managers to discover where there might be concerns and to establish the goals of an audit before actually performing the work.
Beyond direct information security, auditors often look at additional elements that affect IT security, including supervision of outside vendors entering a business; physical security against unauthorized access; and environmental controls that protect data from fires and floods. Security auditors issue detailed reports of their findings that may include recommendations for improvements.
IT Security Consultant: Companies that aren't big enough to maintain a full-time IT department, or larger ones that simply don't want one, may hire an IT security consultant to analyze computer and information security needs; to develop a plan to upgrade equipment, software and security procedures; and to oversee the implementation of that plan. A security consultant may work independently or through a consulting company.