“I’m just starting out in the field of information security, what certifications should I go after?” Or, “I’ve got my CISSP, now what?” These are common questions for information security professionals, especially since there are more than 42 security-related certifications to obtain in a sea of more than 200 IT-related certifications worldwide.
This tip provides infosec pros with guidance for the
Requires Free Membership to View
SearchMidmarketSecurity.com members gain immediate and unlimited access to breaking SMB industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchMidmarketSecurity.com today!
Michael S. Mimoso, Editorial Director
best
security certifications that will add the most value to their career.
When considering which certifications to pursue, the following three qualifiers can help guide the decision: (1) years of experience, (2) career path and (3) complementary practice. Let’s discuss each one in detail.
Years of Experience
Some certifications require a certain number of years of practice before one can take the
certification exam. Examples are the certifications offered by the International Information
Systems Security Certification Consortium, Inc. (ISC2), which tests
for CISSP and other certifications, and Information Systems Audit and Control Assocation
(ISACA), which tests for CISA and other certifications. The Certified Information System Security
Professional requires at least four years of experience in two of the ten domains of knowledge
defined by ISC2. The Certified Information Security Manager (CISM) requires eight years of
experience. In contrast, the SCCP can be obtained after one year of relevant experience. CompTIA
and SANS offer basic security certifications with no years of experience required.
Recommendation:
- Starting out in your career, take the Security+ or one of the basic SANS certifications. It is a great way to learn basic practices of the information security discipline without the experience or time in the field that some of the other certifications require.
- If you are a security professional with at least four years of qualifying experience in two of the 10 domains, sit for the CISSP. Most security job descriptions beyond entry level require or prefer the applicant to possess a CISSP.
Career path
If you are an adrenalin junkie or enjoy solving puzzles, then a technical career might be your
path. A prime technical focus is chasing malicious traffic. Obtain certifications that complement
the technical environment you work in.
If you prefer to lead, manage and apply your business acumen to information security, then the business of information security might be your path. You can focus on auditing, governance, risk or other areas.
Recommendation:
- For technology-oriented security professionals, obtain Cisco Certified Network Associate (CCNA) followed by a CCNA Security certification to round out your skill set. Top if off with an incident handling (SANS GIAC/IH) or forensics (GCFA) certificate for a firm foundation to identifying malware or preventing and discovering intrusions.
- For business-oriented security professionals, obtain a CISSP, then consider one of the following certifications: Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), Certified in Risk and Information Systems Control (CRISC) or Certified Information Privacy Professional (CIPP). The CISA in particular is a great complement to the CISSP because it will help you understand how auditors think. That knowledge can be used to plan an effective strategy for your information security program.
Complementary practice
Whew!, You’ve got at least three certifications under your belt and your career is moving along
well, but you continue to see more certifications geared toward security professionals. So, which
ones should you pursue? Once you have built a solid certification track and added value to yourself
as a professional by diversifying your certifications, that answer is simple: None of them.
Recommendations:
- Technical professionals interested in becoming an architect can pursue The Open Group Architecture Framework (TOGAF) certification. Compared to the Information Systems Security Architecture Professional (CISSP-ISSAP) from ISC2, TOGAF enables you to understand the complete body of enterprise architecture as opposed to a niche practice.
- Strategic practitioners can obtain a Project Management Professional (PMP) certification from the Project Management Institute or a Business Process Modeling (BPM) certification from BPMInstitute.org. Six Sigma certifications, available from a variety of training companies, can help you trim down the sometimes-monolithic process associated with information security and auditing.
Points to remember
Here are some additional points to keep in mind throughout your career.
(1) Every two years, review your certifications to see which are no longer relevant and which have become relevant to your career. Allow those that no longer have value to expire, maintain those that still have value, and obtain those that have become relevant or can help you reach future career goals.
(2) Develop a strategy to easily obtain your continuing professional education credits (CPEs), which are often required to maintain certification. Webcasts and industry meetings can be an easy way to earn CPEs.
(3) Keep an eye on the certifications that are requested by employers in job postings.
About the author:
Ravila Helen White is the director of enterprise security and architecture at a company in
the Pacific Northwest. Prior to that, she was the head of information security at The Bill &
Melinda Gates Foundation and drugstore.com.
This was first published in June 2011