“I’m just starting out in the field of information security, what certifications should I go after?” Or, “I’ve got my CISSP, now what?” These are common questions for information security professionals, especially since there are more than 42 security-related certifications to obtain in a sea of more than 200 IT-related certifications worldwide.
This tip provides infosec pros with guidance for the
When considering which certifications to pursue, the following three qualifiers can help guide the decision: (1) years of experience, (2) career path and (3) complementary practice. Let’s discuss each one in detail.
Years of Experience
Some certifications require a certain number of years of practice before one can take the certification exam. Examples are the certifications offered by the International Information Systems Security Certification Consortium, Inc. (ISC2), which tests for CISSP and other certifications, and Information Systems Audit and Control Assocation (ISACA), which tests for CISA and other certifications. The Certified Information System Security Professional requires at least four years of experience in two of the ten domains of knowledge defined by ISC2. The Certified Information Security Manager (CISM) requires eight years of experience. In contrast, the SCCP can be obtained after one year of relevant experience. CompTIA and SANS offer basic security certifications with no years of experience required.
- Starting out in your career, take the Security+ or one of the basic SANS certifications. It is a great way to learn basic practices of the information security discipline without the experience or time in the field that some of the other certifications require.
- If you are a security professional with at least four years of qualifying experience in two of the 10 domains, sit for the CISSP. Most security job descriptions beyond entry level require or prefer the applicant to possess a CISSP.
If you are an adrenalin junkie or enjoy solving puzzles, then a technical career might be your path. A prime technical focus is chasing malicious traffic. Obtain certifications that complement the technical environment you work in.
If you prefer to lead, manage and apply your business acumen to information security, then the business of information security might be your path. You can focus on auditing, governance, risk or other areas.
- For technology-oriented security professionals, obtain Cisco Certified Network Associate (CCNA) followed by a CCNA Security certification to round out your skill set. Top if off with an incident handling (SANS GIAC/IH) or forensics (GCFA) certificate for a firm foundation to identifying malware or preventing and discovering intrusions.
- For business-oriented security professionals, obtain a CISSP, then consider one of the following certifications: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), Certified in Risk and Information Systems Control (CRISC) or Certified Information Privacy Professional (CIPP). The CISA in particular is a great complement to the CISSP because it will help you understand how auditors think. That knowledge can be used to plan an effective strategy for your information security program.
Whew!, You’ve got at least three certifications under your belt and your career is moving along well, but you continue to see more certifications geared toward security professionals. So, which ones should you pursue? Once you have built a solid certification track and added value to yourself as a professional by diversifying your certifications, that answer is simple: None of them.
- Technical professionals interested in becoming an architect can pursue The Open Group Architecture Framework (TOGAF) certification. Compared to the Information Systems Security Architecture Professional (CISSP-ISSAP) from ISC2, TOGAF enables you to understand the complete body of enterprise architecture as opposed to a niche practice.
- Strategic practitioners can obtain a Project Management Professional (PMP) certification from the Project Management Institute or a Business Process Modeling (BPM) certification from BPMInstitute.org. Six Sigma certifications, available from a variety of training companies, can help you trim down the sometimes-monolithic process associated with information security and auditing.
Points to remember
Here are some additional points to keep in mind throughout your career.
(1) Every two years, review your certifications to see which are no longer relevant and which have become relevant to your career. Allow those that no longer have value to expire, maintain those that still have value, and obtain those that have become relevant or can help you reach future career goals.
(2) Develop a strategy to easily obtain your continuing professional education credits (CPEs), which are often required to maintain certification. Webcasts and industry meetings can be an easy way to earn CPEs.
(3) Keep an eye on the certifications that are requested by employers in job postings.
About the author:
Ravila Helen White is the director of enterprise security and architecture at a company in the Pacific Northwest. Prior to that, she was the head of information security at The Bill & Melinda Gates Foundation and drugstore.com.
This was first published in June 2011