Which cert is right for Me?

I would like to answer the tricky question: “What security certification should I pursue?”

Throughout my career, I constantly heard a ready-made answer: CISSP! (even when the person could not say what CISSP stands for). Try it yourself: whenever you have the chance, ask your workmates the very same question. I bet someone will mention it before you finish the sentence. It's a kind of wildcard answer: Security? No matter what area or position the person works in, say CISSP and you'll be fine.

But is that the definitive answer for this question?

First, let me clarify something: while getting a security certification is not absolutely essential to apply for an IT/information security job, an increasing number of companies require that applicants be certified. The recruiter's algorithm is simple:

Efficient (for the recruiter)? Apparently yes.

Accurate? Unlikely, but that's the reality out there: having some certifications is a matter of survival in the field, whether we like it or not.

Having a security certification also typically means a higher salary than co-workers who are not certified, according to countless salary surveys. Becoming a certified professional therefore gives you an edge in your IT/information security career. The problem is that certification has become big business, and the number of security certificates you could possibly earn keeps growing.

So let me use an analogy one of my bosses used to tell me. Imagine the following scenario: you're working at a construction site, demolishing a wall, and a pile of debris needs to be taken away. Will you use a Lamborghini, one of the fastest cars ever built, but with a trunk that barely accommodates a suitcase? I highly doubt it. I know the example might sound cliché, but that's how I see this certification thing. Tell me what you intend to achieve, and I'll tell you which information/IT security certification is best for you. So let's dig a bit further.

When picking where to start on your security certification path, ask yourself a few questions first:

Am I a techie or a management professional?

Answering this question helps you decide whether to go for a vendor-specific certification or a vendor-neutral one. Think with me: if you work as a firewall administrator (and you plan to keep doing so for a while), pursuing CISSP without being, let's say, CCSA-certified is not the best way to go. Conversely, if your job is to develop and implement your company's ISMS, achieving a CCSP won't be of much help. It goes without saying that getting Y-certified (a term I just coined: achieving both the managerial and the technical certifications rooted in the same field) will broaden your field of view, but the benefits might not be immediately perceived.

What's my current level of knowledge in the field?

If you are taking your first steps in the field with a basic knowledge of information security, a good option to start with is the SANS GISF certification, which doesn't require previous security experience (although it is recommended) and consists of a 150-question, 4-hour examination. The GISF is, in my opinion, one of the best certifications for newcomers, since you'll learn not "HOW" to create a firewall rule but "WHY" instead. Every security professional, whether technical or management focused, should have a solid understanding of why information needs to be protected.

On the other hand, if you're a seasoned information security professional, I recommend you sit for the Certified Information Systems Security Professional (CISSP) exam. To become a CISSP you are required to have a minimum of five years of direct, full-time security work experience in two or more of the ten domains of the (ISC)2 CISSP CBK, or four years of direct, full-time security work experience in two or more of the ten domains of the CISSP CBK plus a college degree. Alternatively, there is a one-year waiver of the professional experience requirement for holding an additional credential on the (ISC)2-approved list. Let me stress something here: DO NOT START YOUR INFORMATION SECURITY CAREER BY PURSUING CISSP. If you want to become a successful professional, do it right: get yourself some entry-level certifications, land a security job, gain experience, and only then go for CISSP.

For the technical professionals out there, most of the domains have specific certifications to be achieved, starting from a basic, introductory level and progressing to more complex topics. The higher you go, the more prestigious your career becomes. Needless to say, memorizing questions for the certification exam doesn't bring any value to your career. A certification should be seen as a means, not as an end.

Do I hold any other certification?

Since every career path is different, let me show you how I chose to build up my own:

When I was a non-certified technical professional working in operations, I analyzed my career at that very moment and chose the certification whose benefits I could reap the earliest. Achieving vendor-specific certifications rewarded me with a salary raise every time I added an acronym to my signature. That's a fact: being certified gives you a stronger position to bargain for better conditions with your current employer, and it also demonstrates your commitment to your career. As for which one to go for, I can't give you precise directions, since there are many specializations in the infosec field, but you should be able to figure out the best one for you without much effort. Some options would be CCSA, SSCP, Security+, GISF, GSEC, and so on.

PS: I know some of the certifications I've mentioned here are not vendor-specific. They are listed because of their entry-level nature instead.

Once I held a few certifications, I looked for longer-term prospects. My career started to lean toward governance/compliance, and that was when I decided to go for CISSP (or CISM, depending on your expectations). After achieving the CISSP, I identified the topics in which I could further strengthen my position as a manager and pursued ITIL and PRINCE2 certifications. That was the best long-term decision I could have taken: I was a security manager, juggling projects in one hand and ITIL/COBIT in the other. The knowledge absorbed through the certification process helped me identify and work on my weak spots, leading me down the path of becoming a well-rounded manager.

Thinking even further about my career, I understood that becoming an independent consultant is one of the natural paths my career might take. That's when I decided to go for CISA and ISO 27001 Lead Auditor. The illustration below should give you a better understanding of my recommendation:

What are the financial/logistical requirements to achieve and keep the certification in good standing?

Some other factors to consider are the budget required to achieve and keep the certification and the re-certification requirements of the vendor/institution. Some re-certification schemes require you to pass an updated exam, while others call for continuing education credits. The process of (re)certification may be pricey when all the costs (test fees, study materials) are added up. However, in today's highly competitive IT environment, maintaining your certification makes it easier for you to land information security jobs, and since you have already spent a considerable amount of resources and energy to become a certified professional, recertification is a must. To wrap this topic up, treat the whole certification process (learning about the certification itself, studying, getting ready for the exam, taking the exam and so on) as an investment in yourself. It's like going to the gym: sometimes we are comfortable with our looks or current condition, but we can always get better.

Finally, please do your homework and never buy into the hype offered by the many vendors who guarantee that their security certification provides the best opportunities to get hired for the best security jobs.

--By PassGuide Team
Copyright © 2006-2013 passguide.com, All Rights Reserved.