Navigating Your IT Security Certifications, Part 2
By Martin Schaeferle | April 02, 2021
At this point you should have the certifications that get you going in the IT Security field and can open up many fantastic opportunities. But what if you want to take it to the next level? Perhaps you are aspiring to a Director of Security or CISO role. What certifications lay the foundation to pursue that direction?
There are actually many other specialty areas in security available for us to discuss (like those created by industry leaders such as Cisco, GIAC, SANS, ISACA, (ISC)2 and many others). But in the interest of brevity, I’d like to highlight some of the more popular ones. The first two I’d like to introduce are from ISACA and are favorable certifications for those who wish to move into management positions. Those two are Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM).
There are more than 150,000 professionals certified globally with CISA, and it is one of the top-paying IT certifications. As companies face increasingly more security challenges, including new global threats (e.g. ransomware, spear phishing), new government regulations (e.g. GDPR), and new technologies to secure, they are under enormous pressure to hire the right talent to manage them. With the CISA certification, you will be recognized as someone who can take a comprehensive view of information systems and their relationship to a successful business-wide security initiative. In addition to passing the exam, this certification requires the submission of a formal application, which in turn requires certain levels of education and work experience. Check out their web site for more information.
The CISM certification is different and approaches security from a company policy standpoint. It covers four key areas: information security governance, information risk management, information security program development and management, and information security incident management. Passing this certification demonstrates that you understand security and how it relates to the overall business goals. It shows that you not only understand security, but also know how to build and manage an information security program within the company.
But perhaps you’re looking to achieve an even higher position, one that oversees all of the company’s security needs, such as Chief Information Security Officer (CISO) or Director of IT Security. Moving into these roles requires digging much deeper into all the individual niches in the security field. The first certification to consider is CompTIA’s Advanced Security Practitioner (or CASP). CASP is a relatively new certification from CompTIA and is meant to test the student on a broad range of security skills. In fact, it meets the ISO 17024 standard and is compliant with regulations in the Federal Information Security Management Act (FISMA).
Once you pass the CASP certification, you will likely be feeling pretty good about your skills, a Jedi Knight among security experts if you will. But what if you want to go for Yoda status? One of the most respected certifications is undoubtedly the (ISC)2 Certified Information Systems Security Practitioner (or CISSP), which is not your average certification and will require significant work to achieve. It is meant to demonstrate a clear and deep knowledge of all things security and is fast becoming a requirement for many of the very top positions in IT security.
Although CASP and CISSP are both great options for some of the top IT positions and cover a broad range of security topics, they are very different in what the exams cover. The CASP exam tests whether you know HOW to implement many of the common security concepts, so its questions will be mostly unambiguous. For example: “What command line tool is used to create a 128-bit hash?” The CISSP exam, on the other hand, tests whether you know what the best practices are when dealing with complex security situations. Here, the options available to choose from may, in fact, all be technically correct. The challenge is picking the best one for the described situation. For example, take the following question: “Which of the following is the PRIMARY advantage of data classification for an organization?” Here, all the options could be examples of legitimate advantages, but the correct answer is the one that offers the greatest advantage.
Be sure to check out the many training titles we have in security, and good luck, my young Padawan.