When it comes to deciding what security certifications to pursue, IT professionals should understand that they will be better off career-wise if they ask—and then answer—the right questions before choosing.
So says Chuck Davis, who as an adjunct professor at Harrisburg University of Science and Technology in Pennsylvania teaches ethical hacking and computer forensic classes. Currently a senior security architect at a Fortune 500 company, Prof. Davis has earned the Master of Science in Information Assurance at Norwich University, the Certified Information Systems Security Professional (CISSP) credential and the Information Systems Security Architecture Professional
(ISSAP) credential. He insists that there is no one-size-fits-all game plan for IT professionals looking for the right security certifications to earn.
“I would suggest that if you’re someone who is new to security, maybe just out of college or you’ve been working in IT and want to move into security, studying and working towards the CISSP is a good [move],” says Prof. Davis, who earned his CISSP and ISSAP from (ISC)². “I believe the CISSP is considered kind of the gold standard for a lot of professionals. What the CISSP does is it gives a very wide breadth of curriculum.”
According to Prof. Davis, IT professionals need to reflect on things such as where they are in their careers and what their objectives are before they can knowledgeably select the right security certifications. Josh Lochner, a senior risk management consultant at SecureState in Ohio, is also a proponent of this view. He insists that there are a handful of questions that IT professionals need to ask themselves before choosing. Meanwhile, Carmen Buruiana, human resource manager for Bitdefender in Romania, argues that possessing the right skill set and attitude is more important than having specific certifications.
While money certainly isn’t everything, many IT professionals who are weighing the pros and cons of different security certifications would no doubt factor salaries into the decision-making equation. And, fortunately, there are resources available that provide some indication of which security certifications can
be the most rewarding from a financial perspective.
For instance, Foote Partners’ “IT Skills and Certification Pay Index – Q3 2011 edition” indicates that the following security certifications translate into the highest pay premiums:
- Certified Information Systems Security Professional (CISSP)
- Information Systems Security Engineering Professional (CISSP/ISSEP)
- IACRB Certified Penetration Tester (CPT
- CyberSecurity Forensic Analyst
- Certified Information Security Manager (CISM)
- Certified Information Systems Auditor (CISA)
- Cisco Security Solutions and Design Specialist
- IACRB Certified Reverse Engineering Analyst (CREA)
- GIAC Secure Software Programmer –Java
- GIAC Systems and Network Auditor (GSNA)
- Information Systems Security Architecture Professional (CISSP/ISSAP)
- Security Certified Network Architect
- Check Point Certified Master Architect (CCMA)
But salary, of course, is just one of the things IT professionals should contemplate. Lochner explains that there are certain questions he would ask IT professionals who come to him for advice on what security certifications to go after.
“Some of the questions that I might ask would be, ‘Are you looking for a broad basis of knowledge? What foundation are you building on right now?’” he says. “For example, if you wanted a broad basis you might start off by looking at the CISSP. But there’s also ‘Are you doing this so that you can apply to a new job or
are you doing this so that you can move laterally or perhaps vertically up within you own organization?’”
After answering these types of questions, IT professionals would do well to find mentors who are already in roles that they themselves would eventually like to end up in, says Lochner, who has been providing consulting services in security domains for over a decade.
If after careful consideration IT professionals decide to start off with the CISSP, which is designed to provide a broad overview of the “security landscape,” they will end up with skills that are attractive in the increasingly competitive job market, notes Prof. Davis.
“It gives employers or potential employers a level set to say, ‘Well this person at least has a really decent understanding across the entire security landscape,’” he says. The (ISC)² website, which details certification requirements, lists the following 10 security domains
covered in the CISSP curriculum:
- Access Control
- Telecommunications and Network Security
- Information Security Governance and Risk Management
- Software Development Security
- Security Architecture and Design
- Operations Security
- Business Continuity and Disaster Recovery Planning
- Legal, Regulations, Investigations and Compliance
- Physical (Environmental) Security
While the CISSP is a “good foundation certification,” Lochner stresses that those who really want to invest in advancing their careers won’t want to stop there.
“If you’re going to be working in a particular area, it might behoove you to study a little bit more,” he explains. “CISSP is a good basis, and you can look at GIAC for some of the more specialized certifications. They have something they call…GSEC – GIAC Security Essentials.”
According to Prof. Davis, SANS certifications are good bets for those who really want to get technical in the security space; ISACA’s CISM and CISA certifications solid options for IT professionals interested in getting into auditing; and EC-Council’s Certified Ethical Hacker program is popular among those involved in pen testing.
Security certifications can definitely help IT professionals at any stage of their careers. But Buruiana from Bitdefender says that lacking security certifications isn’t necessarily a deal-breaker at the Internet security company.
“Bitdefender is an unconventional company seeking talented people with inquisitive minds, capable of taking a creative approach and finding solutions to the most common dilemmas of our industry,” says Buruiana. “Every year, we run human resources projects aimed at discovering these brilliant minds.
“As for the recruiting process, we value innovation and a passion for technology more than we do specific certifications. Certifications are, undoubtedly, an added value and an asset as far as professional credibility is concerned. They are key to the ’rounded know-how’ concept, but they do not count as an exclusive
criterion with us.”
That said, the company’s employees periodically take part in certification sessions adapted to the company’s ongoing business process, says Buruiana. The sessions focus on domains like project management, software development, testing and support services.
This post was originally written by Ian Palmer, a contributor to InfoSec Resources. InfoSec Institute is the best source for high quality information security training.