Which Security Certification Should I Get?

by Bruce Brown | 12 Comments

If you can, get the CISSP, don’t waste your time with anything else. You don’t have to make it your last cert, but (if you can) make it your first. It has become the gold standard that gives you “just add-water” credibility. You can slap those initials at the end of your name and flash a badge with your ISC2, CISSP number on it.

The statement above will piss off a lot of security people, but it is the truth.. the inconvenient, sad and pathetic truth. To all you skilled hackers and IS pro’s, don’t hate the blogger, hate the game. I didn’t create the rules, I just hack them.

Old school hackers and security geniuses talk MAD shit about the CISSP, but what they fail to realize is that “to hack ‘the man’, you have to be ‘the man'”. What I mean is that playing the game is essential to your financial need$. There are always exceptions: Adrian ‘homeless hacker’ Lamos, Steve ‘I write entire apps in assembly’ Gibson, Gordon ‘I created nmap’ Lyon, Jeff ‘i created defcon and sold it in 2005 for 14mil’ Moss, Bruce ‘i decrypted code as a fetus’ Schneier..

For average bastards like you and me, the CISSP is way to go.

I do agree with DMiessler and Mckeay:

“I’ve met CISSPs who can’t configure a home network — no joke. Again, I studied for it and passed it in one week’s time, and that’s with zero previous study of the test materials.

More than I can a test that has a 70% first-time-pass rate that’s explicitly designed for managers and non-technical types. It’s for a wide, wide base of knowledge – not for testing whether or not you’d be qualified to actually do anything.” — dm

“..the CISSP is not a technical certificate! It is not now, nor was it ever meant to be, a technical certification.” — mckeay

Though you may see a couple of technical questions on the test, the over all test is pretty high level, unlike the Certified Ethical Hacker or the CCNA that ask specific technical questions about specific technical issues.

So what should you go for on the Security Certification front:
Go directly for the CISSP (if you can). The fact of the matter is that most companies, the government and foreign organization look for the CISSP. Aside from the CCIE, I don’t know of any other technical cert that will give so much credibility (even if you don’t deserve it).

A NOTE of caution: If you get it, be real with your self. The CISSP does not instantly make you an expert in all ten of its domains. It will not put an “S” on your chest and make you impervious to Kryptonite. Its just a test. Its not an I.Q. test or the Bar. Its just a test. If you have passed, congradulations… now the real work begins. Good security professionals are ALWAYs learning (even more so than your average IT guy, because we have to know the latest in IT as well as policies, some law and even some level of management). A real CISSP should be a “jack of all trades, Master of ONE“.

You should also consider that there is simply no replacement for a good degree except for experience. The good thing about the CISSP is that it requires you to have a certain amount of experience before you even attempt it.

Building to the CISSP:
Beginner: if you’re just starting, you want Comptia’s Security+ certification.
Now, if your just trying to the guy who looks at audit logs all day and report what they see, then your golden. But if you’re serious about security, then you need to play the game, get the damn CISSP (do not pass go, do not collect $200). It pays better than a Security+… much better.

Serious Beginner
Get into any kind of Information Security position and earn some “street cred“. You may even be in a typical IT position on a filthy help desk (sorry, I’ve done it and it sucks) you can still use it to your advantage by working your way into security tasks. If your in the military, volunteer to be the COMSEC guy or an IAO (it’ll be easy because nobody else wants to do it). Volunteer to work with the security guys and learn from them. The goal is the get into the security mindset and also rack up some experience. A degree will help to with a school that allows you to set up a lab.


Novice Security

After a solid year of security experience you should go for the Systems Security Certified Practitioner (SSCP®). Why the SSCP? It will help you build toward the CISSP. At this point, if you haven’t done so already I would recommend joining the Information System Security Association (ISSA). You’ll begin to network with other security folks from everything from forensics to the pentesters to information security managers (who don’t even know how to set up a network). By this time, you should have some idea what you’d like to specialize in. The CISSP is a great foundation as certification credibility goes, but you will need to specialize.

The CISSP
I found the test challenging. You don’t want to take it twice that is for damn sure. Just make sure your ready. You’ll have to have about 5 years total security experience.

Now checks this out:

“Effective 1 October 2007, professional work experience requirements for the CISSP® will increase from four to five years, and direct full-time security professional work experience will be required in two or more of the ten CISSP® CBK® domains.” –ISC2

Even a Masters degree will only replace a maximum of 1 year of experience (sounds like *NS to me):

Candidates can substitute a maximum of one year of direct full-time security professional work experience described above if they have a four-year college degree OR Master’s Degree in information security from a U.S. National Center of Academic Excellence in information Security (CAEIAE) or regional equivalent. If you hold both a four-year degree and a Master’s degree, you may only apply for a one year waiver of experience.

*NS-non sense

12 Comments on Which Security Certification Should I Get?

  1. secunoid
    September 3, 2007 at 4:07 pm (9 years ago)

    All the certifications be it CISSP, CISA, CISM…….enable one to put a foot in the door when it comes to interviews. Otherwise nothing beats real life exprience. So don’t have your hope too high that after getting a CISSP your world is going to change.

    S.

    Reply
  2. James Sayles
    September 10, 2007 at 10:25 pm (9 years ago)

    While there are several security and audit certifications out there, one should based their decision to acquire based on individual situations and role requirements. For example, if you are working in a role that require you to audit or work with auditors (internal/external), then a CISA from ISACA may be a good fit. Perhaps your role is to manage and implement security policies and countermeasures. in this case I would definitely obtain a CISSP from IC2. Then there is the case where you role requires you to just manage security awareness and processes; therefore I would consider the CISM from ISACA.

    Overall, obtaining one or more security certifications would be a “key” to have. if I had to make a recommendationon on one certification, it would be the CISSP. The CISSP exam is very comprehensive and will aide in developing the skills to implement security controls, many of which Auditors may require.

    I agree with the post above, having a CISSP, CISA, CISM or any other security cert without practical knowledge or experience wont add the tens of thousands of dollars to your compensation or the corner office on the executive floor.
    James Sayles
    Chief Compliance Advisor
    Ecora Software

    See my other blogs and posts at: http://www.ecora.com/ecora/news/bureau.asp

    Reply
  3. DO
    January 21, 2008 at 2:03 pm (9 years ago)

    I have been in the industry for more than seven years now… the CISSP exam took me less than 1.5 hours, including double-checking my answers and work. It is a fairly simple exam… I learned nothing in the bootcamp (and made everyone save the teacher angry because I knew all of the answers and he and I kept going into in-depth discussions). They have to force you to have 5 years of experience because the exam is too easy (14 year olds were passing it without any experience), which says to me that the exam is worthless.

    The CISSP is a weak exam because it is non-technical and covers many topics, but few things. No depth. What little depth it attempts to provide is generally wrong, though. For example, my exam had a question concerning buffer overflows and how to “prevent” them. The only somewhat correct answer is to check the range and offset, but even that’s not right. In all of the domains, excluding BC and DR, the CISSP has very little information, depth, or knowledge.

    Also, just to add a twist, I took the CCNA 1/2/3/4 route through Cisco’s Networking Academy, which taught me a wealth of information that I retain today and has helped me through my college studies, work, and my research. CISSP has done nothing for me. In my case, I got the CCNA through a respectable means, rather than simply passing the exam, and I learned the most; I didn’t learn anything in the CISSP bootcamp and and no issues with ANY of the CISSP exam questions (save 2 that made no sense… the English was completely messed up).

    My ultimate point is that certifications should mean nothing to you… it’s the knowledge. Anyone can pass an exam (I know CISSPs who couldn’t tell you the difference between a router, switch, lvl4 switch, lvl3 switch, hub, repeater, and bridge…. I know CCNAs who couldn’t either). I recommend that you take classes, go to University (and apply yourself), and participate in research. Certifications and ceritificates are pointless and don’t help you grow… when companies figure this out, we’ll see a dramatic shift in work quality and fewer losers in our fields (I do application PT, Web-based application PT, network PT, OS PT, and vulnerability assessments for a living).

    Reply
    • Jay
      December 14, 2009 at 1:59 am (7 years ago)

      So you are saying don't get a certification from an online vendor. I have been trying to figure out which vendor or program to take. Some are expensive and some are as cheap as $100.00

      Reply
  4. elamb.security
    January 23, 2008 at 1:16 pm (9 years ago)

    Sounds like a total waste of time for “DO”. I’ve met a couple of people who finisded it in an hour or so. It took me 5 1/2 hours and I found the question pretty hard… then again I’m not that smart.

    I took the CCNA as well (in ’03). Probably the funnest test I’ve ever taken.

    I personally haven’t met anyone calling it a waste of time. Because even if you think the questions are stupid and irrelevant, the industry (security related) does not.. and they will pay your for it.

    Reply
  5. Adrian
    April 24, 2008 at 4:30 am (8 years ago)

    Hi to all,
    This post is quite interesting. I just pass the Cisco CCSP and wondering in what direction to take.
    From what I’ve seen here, the CISSP certificate will be a plus, but it does not cover technical stuff.
    What do you recomend: CISSP, CISM, SSCP, or the Cisco CCIE Security ?

    Thanks

    Reply
  6. Adrian Lamo
    December 7, 2008 at 5:41 pm (8 years ago)

    Lamo. Not Lano 🙂

    Cheers!

    Reply
  7. Shane Terry
    July 3, 2009 at 3:49 pm (7 years ago)

    I’m 22 now and looking to apply myself in a new direction. I graduated high school but i haven’t wanted to spend money on conventional college. I took some ccna classes in high school but did not take them seriously at the time. So I’m basically a super beginner. I would love to go back and maybe retake the 1-4 classes, get the certification. Would it be possible to volunteer somewhere to gain experience and a chance to work in this field. Ultimately i would be interested in working security. Any advice that you might have would be greatly appreciated.

    Reply
  8. elamb.security
    July 4, 2009 at 6:24 am (7 years ago)

    Adrian Lamo:
    Holy crap.. Adrian Lamo made a comment on my blog last year.. I’m not worthy!!

    Shane:
    There are a couple of things you can do. 1) Go to a vocational school that teaches toward the certification of your choice. People talk crap about vocational schools but if you’re serious you can learn a lot from there and do quite well. I know guys who have. 2) Go to a college and talk to an academic counselor. They will straighten you right out. 3) Join the military go in as a Computer Security guy.. DO NOT let them con you into being a COP or a COOK. Oh, and go into the Air Force.. NOT the Army, Marines or Navy because the suck (no offense.. just keeping it real). I was in Air Force and they got me my degree and several technical certs and lots of experience on every level of security (including management.. all in my 20’s). 4) The hardest way.. go get some books start reading, grab some equipment off ebay hook it all up, get a certification, apply for some jobs on monster or start your own business. You can do anything you set you mind to.

    Reply
  9. SGK
    July 11, 2009 at 9:41 am (7 years ago)

    *if it's all bout the $$$ … then …

    The steps to be taken is:
    -pass the CISSP … (Aside from the CCIE, I don’t know of any other technical cert that will give so much credibility (even if you don’t deserve it … quote from elamb.org)
    -get a real security related job … (not a typical IT position, i.e: a filthy help desk)
    -get experienced … so you can quallified as an IT manager (read: “jack of all trades, Master of ONE“.) & earn lots of $$$

    LOL,
    😀 😀 😀

    Reply
  10. elamb
    December 14, 2009 at 4:43 am (7 years ago)

    "So you are saying don't get a certification from an online vendor. I have been trying to figure out which vendor or program to take. Some are expensive and some are as cheap as $100.00"

    @Jay
    regardless of what anyone says, certifications get companies to hire you and pay you more than the average employee. In my mind, that makes them worth having. But it depends on what you do. If you are a pure network guy working with Cisco equipment than you probably want a CCNA or CCNP. If you are security than Security+, CISSP. What ever the cert. it should fit your work. I would also recommend going with the hire level certs (MCSE, CCNP, CISSP, CCSP) or even expert (CCIE or CISSP-ISSE) Professional level and above are the ones that get you paid. These higher level certs are much more involved and expensive but once you get them, they pay you for as long as you have them.

    Reply
  11. Sal
    June 18, 2012 at 12:34 pm (4 years ago)

    dudes got a chip on his shoulder.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Comment *