In one of our previous articles we already discussed what an Information Security degree would bring you; now, let's tackle this tricky question: "What security certification should I pursue?"

Throughout my career, I constantly heard a ready-made answer: CISSP! (even though the person was not able to tell what CISSP stands for). Try it yourself: whenever you have a chance, ask your workmates the very same question. I bet someone will mention it before you finish the sentence. It's a kind of wildcard answer: Security? No matter what area/position the person works in, say CISSP and you'll be alright.

But is that the definitive answer to this question?

First, let me clarify something: while getting a security certification is not absolutely essential to apply for an IT/information security job, an increasing number of companies are requiring that applicants be certified. The algorithm is simple:

Efficient (for the recruiter)? Apparently yes. Accurate? Unlikely, but that's the reality out there; having some certifications is a matter of survivability in the field, whether we like it or not. Having a security certification also ensures that you will enjoy a higher salary compared to co-workers who are not certified, as per countless pieces of market research. Thus, becoming a certified professional undoubtedly gives you an edge in your IT/information security career. The problem is that certification has become big business and the number of possible security certificates you can earn has grown.

So let me use an analogy one of my bosses used to tell me. Imagine the following scenario: you're working at a construction site, demolishing a wall, and a pile of debris needs to be taken away. Will you use a Lamborghini, one of the fastest cars ever built, but with a trunk that barely accommodates a suitcase? I highly doubt it… I know the example might sound cliché, but that's how I see this certification thing. Tell me what you intend to achieve, and I'll tell you which Information/IT certification is the best for you. So let's dig a bit further…

When picking where to start with your security certification path, ask yourself a couple of questions first:

Am I a techie or a management professional?

Answering this question helps you decide whether to go for a vendor-specific certification or a vendor-neutral one. Think with me: if you work as a firewall administrator (and you plan to keep doing so for a while), pursuing CISSP without being, let's say, CCSA, is not the best way to go. Conversely, if your job is to develop and implement your company's ISMS, achieving a CCSP won't be of much help. It goes without saying that getting Y-certified (I just coined this term: it means achieving both managerial and technical certifications, rooted in the same field) will certainly broaden your field of sight, but the benefits might not be readily perceived.

What's my current level of knowledge in the field?

If you are taking your first steps in the field with a basic knowledge of information security, a good option to start with is the SANS GISF certification, which doesn't require previous (although recommended) security experience and consists of a 150-question, 4-hour examination. The GISF, in my opinion, is one of the best certifications for newcomers, since you'll not learn "HOW" to create a firewall rule, but "WHY" instead. Every security professional, regardless of whether technical or management focused, should have an intrinsic understanding of why information needs to be protected.

On the other hand, if you're a seasoned Information Security professional, I recommend you sit for the Certified Information Systems Security Professional (CISSP) exam. To become a CISSP you are required to have a minimum of five years of direct full-time security professional work experience in two or more of the ten domains of the (ISC)2® CISSP CBK®, or four years of direct full-time security professional work experience in two or more of the ten domains of the CISSP CBK with a college degree. Alternatively, there is a one-year waiver of the professional experience requirement for holding an additional credential on the (ISC)2-approved list.

Let me stress something here: DO NOT START YOUR INFORMATION SECURITY CAREER BY PURSUING/ACHIEVING CISSP. If you want to become a successful professional, do it right: get yourself some entry-level certifications, land a security job, get experienced, and only after that go for CISSP.

For the technical professionals out there, most of the domains have specific certifications to be achieved, always starting from a basic, introductory level and moving to more complex topics. The higher you go, the more prestigious your career becomes. Needless to say, memorizing questions for the certification exam doesn't bring any value to your career. A certification should be seen as a means, not as an end.

Do I hold any other certification?

Since every career path is different, let me show you how I have chosen to build up my own:

When I was a non-certified technical professional working in operations, I analyzed my career at that very moment and chose the certification whose benefits I could reap as early as possible. Achieving vendor-specific certifications rewarded me with salary raises every time I added an acronym to my signature. That's a fact: being certified gives you a stronger position to bargain for better conditions with your current employer, and also demonstrates your commitment to your career. As for which one to go for, I can't give you precise directions since there are many specializations in the Infosec field, but you might be able to figure out the best one for you without much effort. Some options would be CCSA, SSCP, Security+, GISF, GSEC, and so on.

PS: I know some certifications I've mentioned here are not vendor-specific. They are listed here due to their entry-level nature instead.

Once I held a few certifications, I sought longer-term prospects. My career started to lean towards Governance/Compliance, and that was the time when I decided to go for CISSP (or CISM, depending on your expectations). After achieving the CISSP, I identified the topics in which I could further strengthen my position as a manager and pursued ITIL and Prince2 certifications. That was the best long-term decision I could have taken: I was a security manager, juggling projects in one hand and ITIL/Cobit in the other. The knowledge absorbed through the certification process helped me to identify and work on my weak spots, leading me down the path of becoming an all-round manager.

Thinking even further about my career, I understood that becoming an independent consultant is one of the natural paths my career might take. That's when I decided to go for CISA and ISO 27001 Lead Auditor. The illustration below should give you a better understanding of my recommendation:

What are the financial/logistical requirements to achieve and keep the certification in good standing?

Some other factors to consider involve the budget required to achieve/keep the certification and the re-certification requirement of the vendor/institution. Some re-certifications require you to pass an updated exam, while others call for you to earn continuing education credits. The process of (re)certification may be pricey when all the costs (test fees, study materials) are added up. However, in today's highly competitive IT environment, maintaining your certification makes it easier for you to land information security jobs, and since you already spent a considerable amount of resources and energy to become a certified professional, the recertification is a must. Just to wrap this topic up, handle the whole certification process (learning about the certification itself, studying, getting ready for the exam, taking the exam and so on) as an investment in yourself. It's like going to the gym: sometimes we are comfortable with our looks or current condition, but we can always get better.

Finally, make sure to do your homework and don't buy into the hype offered by many vendors who claim that their security certification offers the best opportunities to be hired for the best security jobs. Study the requirements of your organization carefully to decide which certification best suits its needs and the responsibilities of your current information security career. If you are considering security certification in order to shift careers, make sure to look carefully at the objectives of every certification examination to see if it meshes with your desired career objectives.

That's all for now, readers! The theme is lengthy and complex, and impossible to cover in one go. If you have any questions about the certification topic, please send them to our e-mail and I'll do my best to clarify!