Blog

Navigating Your IT Security Certifications, Part 2

By Martin Schaeferle

At this point you should have the certifications that get you started in the IT security field and open up many fantastic opportunities. But what if you want to take it to the next level? Perhaps you are aspiring to a Director of Security or CISO role. What certifications lay the foundation to pursue that direction?

There are many other specialty areas in security we could discuss (including certifications from Cisco, GIAC/SANS, ISACA, and many others). In the interest of time, I'd like to highlight the most popular ones. The first two are from ISACA and are well suited to those who wish to move into management positions: Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM).

More than 140,000 professionals globally hold the CISA, and it was one of the top-paying IT certifications of 2018 as reported by Global Knowledge. As companies face a growing list of security challenges, including new global threats (e.g. ransomware), new government regulations (e.g. GDPR), and new technologies to secure, they are under enormous pressure to hire the right talent to manage them. With the CISA certification, you will be recognized as someone who can take a comprehensive view of information systems and their relationship to a successful business-wide security initiative. In addition to passing the exam, this certification requires a formal application that documents specific levels of education and work experience. Check ISACA's web site for the current requirements.

The CISM certification covers four key areas: information security governance, information risk management, information security program development and management, and information security incident management. Passing this exam demonstrates that you understand security and how it relates to the overall business goals. It shows that you not only understand security, but also know how to build and manage an information security program within the company.

But perhaps you're looking to achieve an even higher position, one that leads all of the company's security needs, such as Chief Information Security Officer (CISO) or Director of IT Security. Moving into these roles requires digging much deeper into all the individual niches in the security field. The first certification to consider is the CompTIA Advanced Security Practitioner (CASP). CASP is one of CompTIA's newer certifications and is meant to test the candidate on a broad range of hands-on security skills. It is accredited under the ISO/IEC 17024 standard and is compliant with the requirements of the Federal Information Security Management Act (FISMA).

By now you are feeling pretty good, a sort of Luke Skywalker of security experts. But what if you want to go for Yoda status? The top certification is undoubtedly the (ISC)² Certified Information Systems Security Professional (CISSP), which is not your average certification and will require significant work to achieve. Beyond passing the exam, (ISC)² requires five years of paid work experience in two or more of its security domains (with a one-year waiver for a relevant degree or approved credential) before you can hold the credential. It is meant to demonstrate a clear and deep knowledge of all things security and is fast becoming a requirement for many of the very top positions in IT security.

Although CASP and CISSP are both great options for some of the top IT positions and both cover a broad range of security topics, they are very different in what the exam covers. The CASP exam tests whether you know HOW to implement common security controls, so its questions are very black and white (and some are hands-on, performance-based items rather than multiple choice). For example: "What command line tool is used to create a 128-bit hash?" The CISSP exam tests whether you know what the best practice is when dealing with complex security situations. These questions ask you to pick between many shades of gray. For example: "Which of the following is the PRIMARY advantage of data classification for an organization?" Here, every answer is a genuine advantage, but only one is the primary advantage, and that is the one you must choose.

Be sure to check out the many training titles we offer in security, and good luck, my young Jedi.
Martin Schaeferle

Martin Schaeferle has taught IT professionals nationwide to develop applications using Visual Basic, Microsoft SQL Server, ASP, and XML. He has been a featured speaker at Microsoft Tech-Ed and the Microsoft NCD Channel Summit, and he specializes in developing Visual Basic database applications, COM-based components, and ASP-based Web sites. In addition to writing and presenting technical training content, Martin is also LearnNowOnline's vice president of technology.
This blog entry was originally posted August 14, 2018 by Martin Schaeferle

Tags: Security, CompTIA