Which Security Certification Should I Get?

August 31, 2007

If you can, get the CISSP; don’t waste your time with anything else. You don’t have to make it your last cert, but (if you can) make it your first. It has become the gold standard that gives you “just add water” credibility. You can slap those initials at the end of your name and flash a badge with your ISC2 CISSP number on it.

The statement above will piss off a lot of security people, but it is the truth... the inconvenient, sad and pathetic truth. To all you skilled hackers and IS pros, don’t hate the blogger, hate the game. I didn’t create the rules, I just hack them.

Old school hackers and security geniuses talk MAD shit about the CISSP, but what they fail to realize is that “to hack ‘the man’, you have to be ‘the man’”. What I mean is that playing the game is essential to your financial need$. There are always exceptions: Adrian ‘homeless hacker’ Lamo, Steve ‘I write entire apps in assembly’ Gibson, Gordon ‘I created nmap’ Lyon, Jeff ‘I created DEF CON and sold it in 2005 for 14mil’ Moss, Bruce ‘I decrypted code as a fetus’ Schneier...

For average bastards like you and me, the CISSP is the way to go.

I do agree with DMiessler and McKeay:

“I’ve met CISSPs who can’t configure a home network — no joke. Again, I studied for it and passed it in one week’s time, and that’s with zero previous study of the test materials.

More than I can a test that has a 70% first-time-pass rate that’s explicitly designed for managers and non-technical types. It’s for a wide, wide base of knowledge - not for testing whether or not you’d be qualified to actually do anything.” — dm

“...the CISSP is not a technical certificate! It is not now, nor was it ever meant to be, a technical certification.” — mckeay

Though you may see a couple of technical questions on the test, the overall test is pretty high level, unlike the Certified Ethical Hacker or the CCNA, which ask specific technical questions about specific technical issues.

So what should you go for on the Security Certification front?
Go directly for the CISSP (if you can). The fact of the matter is that most companies, the government and foreign organizations look for the CISSP. Aside from the CCIE, I don’t know of any other technical cert that will give you so much credibility (even if you don’t deserve it).

A NOTE of caution: If you get it, be real with yourself. The CISSP does not instantly make you an expert in all ten of its domains. It will not put an “S” on your chest and make you impervious to Kryptonite. It’s just a test. It’s not an I.Q. test or the Bar. It’s just a test. If you have passed, congratulations... now the real work begins. Good security professionals are ALWAYS learning (even more so than your average IT guy, because we have to know the latest in IT as well as policies, some law and even some level of management). A real CISSP should be a “jack of all trades, Master of ONE”.

You should also consider that there is simply no replacement for a good degree except for experience. The good thing about the CISSP is that it requires you to have a certain amount of experience before you even attempt it.

Building to the CISSP:
Beginner: if you’re just starting, you want CompTIA’s Security+ certification.
Now, if you’re just trying to be the guy who looks at audit logs all day and reports what he sees, then you’re golden. But if you’re serious about security, then you need to play the game: get the damn CISSP (do not pass go, do not collect $200). It pays better than a Security+... much better.

Serious Beginner
Get into any kind of Information Security position and earn some “street cred”. You may even be in a typical IT position on a filthy help desk (sorry, I’ve done it and it sucks); you can still use it to your advantage by working your way into security tasks. If you’re in the military, volunteer to be the COMSEC guy or an IAO (it’ll be easy because nobody else wants to do it). Volunteer to work with the security guys and learn from them. The goal is to get into the security mindset and also rack up some experience. A degree from a school that allows you to set up a lab will help too.


Novice Security

After a solid year of security experience you should go for the Systems Security Certified Practitioner (SSCP®). Why the SSCP? It will help you build toward the CISSP. At this point, if you haven’t done so already I would recommend joining the Information System Security Association (ISSA). You’ll begin to network with other security folks from everything from forensics to the pentesters to information security managers (who don’t even know how to set up a network). By this time, you should have some idea what you’d like to specialize in. The CISSP is a great foundation as certification credibility goes, but you will need to specialize.

The CISSP
I found the test challenging. You don’t want to take it twice, that is for damn sure. Just make sure you’re ready. You’ll have to have about 5 years total security experience.

Now check this out:

“Effective 1 October 2007, professional work experience requirements for the CISSP® will increase from four to five years, and direct full-time security professional work experience will be required in two or more of the ten CISSP® CBK® domains.” –ISC2

Even a Master’s degree will only replace a maximum of 1 year of experience (sounds like *NS to me):

Candidates can substitute a maximum of one year of direct full-time security professional work experience described above if they have a four-year college degree OR Master’s Degree in information security from a U.S. National Center of Academic Excellence in information Security (CAEIAE) or regional equivalent. If you hold both a four-year degree and a Master’s degree, you may only apply for a one year waiver of experience.

*NS: nonsense

Comments

5 Responses to “Which Security Certification Should I Get?”

  1. secunoid on September 3rd, 2007 4:07 pm

    All the certifications, be it CISSP, CISA, CISM... enable one to put a foot in the door when it comes to interviews. Otherwise nothing beats real life experience. So don’t have your hopes too high that after getting a CISSP your world is going to change.

    S.

  2. James Sayles on September 10th, 2007 10:25 pm

    While there are several security and audit certifications out there, one should base their decision to acquire one on individual situations and role requirements. For example, if you are working in a role that requires you to audit or work with auditors (internal/external), then a CISA from ISACA may be a good fit. Perhaps your role is to manage and implement security policies and countermeasures. In this case I would definitely obtain a CISSP from ISC2. Then there is the case where your role requires you to just manage security awareness and processes; therefore I would consider the CISM from ISACA.

    Overall, obtaining one or more security certifications would be a “key” to have. If I had to make a recommendation on one certification, it would be the CISSP. The CISSP exam is very comprehensive and will aid in developing the skills to implement security controls, many of which Auditors may require.

    I agree with the post above: having a CISSP, CISA, CISM or any other security cert without practical knowledge or experience won’t add the tens of thousands of dollars to your compensation or the corner office on the executive floor.
    James Sayles
    Chief Compliance Advisor
    Ecora Software

    See my other blogs and posts at: http://www.ecora.com/ecora/news/bureau.asp

  3. DO on January 21st, 2008 2:03 pm

    I have been in the industry for more than seven years now… the CISSP exam took me less than 1.5 hours, including double-checking my answers and work. It is a fairly simple exam… I learned nothing in the bootcamp (and made everyone save the teacher angry because I knew all of the answers and he and I kept going into in-depth discussions). They have to force you to have 5 years of experience because the exam is too easy (14 year olds were passing it without any experience), which says to me that the exam is worthless.

    The CISSP is a weak exam because it is non-technical and covers many topics, but few things. No depth. What little depth it attempts to provide is generally wrong, though. For example, my exam had a question concerning buffer overflows and how to “prevent” them. The only somewhat correct answer is to check the range and offset, but even that’s not right. In all of the domains, excluding BC and DR, the CISSP has very little information, depth, or knowledge.

    Also, just to add a twist, I took the CCNA 1/2/3/4 route through Cisco’s Networking Academy, which taught me a wealth of information that I retain today and has helped me through my college studies, work, and my research. CISSP has done nothing for me. In my case, I got the CCNA through a respectable means, rather than simply passing the exam, and I learned the most; I didn’t learn anything in the CISSP bootcamp and had no issues with ANY of the CISSP exam questions (save 2 that made no sense... the English was completely messed up).

    My ultimate point is that certifications should mean nothing to you... it’s the knowledge. Anyone can pass an exam (I know CISSPs who couldn’t tell you the difference between a router, switch, lvl4 switch, lvl3 switch, hub, repeater, and bridge... I know CCNAs who couldn’t either). I recommend that you take classes, go to University (and apply yourself), and participate in research. Certifications and certificates are pointless and don’t help you grow... when companies figure this out, we’ll see a dramatic shift in work quality and fewer losers in our fields (I do application PT, Web-based application PT, network PT, OS PT, and vulnerability assessments for a living).

  4. elamb.security on January 23rd, 2008 1:16 pm

    Sounds like a total waste of time for “DO”. I’ve met a couple of people who finished it in an hour or so. It took me 5 1/2 hours and I found the questions pretty hard... then again I’m not that smart.

    I took the CCNA as well (in ‘03). Probably the funnest test I’ve ever taken.

    I personally haven’t met anyone calling it a waste of time. Because even if you think the questions are stupid and irrelevant, the industry (security related) does not... and they will pay you for it.

  5. Adrian on April 24th, 2008 4:30 am

    Hi to all,
    This post is quite interesting. I just passed the Cisco CCSP and am wondering which direction to take.
    From what I’ve seen here, the CISSP certificate will be a plus, but it does not cover technical stuff.
    What do you recommend: CISSP, CISM, SSCP, or the Cisco CCIE Security?

    Thanks
