
The Certification Leaf

By Dan Hadaway | Tuesday, March 30, 2010

Dan’s New Leaf

Well it’s already been a week and until I get used to this, my articles are going to start out expressing that.  🙂

————————–

I’ve decided to focus this week’s article on a question that I get asked regularly by my Information Security Officer clients and friends.  “How do I become certified and what would you recommend I get?”

The following is my opinion and it is biased.  All CISSPs will disagree with me.  🙂

(Most CISSPs will also be irritated that I haven’t taken the time to learn how to turn off the smiley emoticon in WordPress.)

A good question commonly asked by technical and non-technical bank IT personnel is “what type of certification should I be aiming for?”

To me, certifications serve two purposes:  assurance and knowledge-management.

Certifications are an assurance control.  They quickly tell me that at one time you had command over a certain body of knowledge that fits into a framework of what I may or may not need in a potential employee.  And, if there are CPE requirements, the certifications assure me that you are staying current in the field of expertise.  They are also an excellent tool for that very reason.

Certifications keep the certified educated about a body of knowledge that we all want to rely upon.  They declare their body of knowledge, and they update and maintain this body of knowledge.  Thus, we all know that a CISA is going to be strong in audit controls, whereas a CISSP will be strong on the technical nuts and bolts of network security.  And as a CISA I have a wealth of information resources available to me surrounding my body of knowledge.

————————–

Resources

Let me quickly reveal some resources to help you with the subject of certifications:

  • I was involved in a really good discussion on LinkedIn that addresses the issue “which is better, CISSP or CISA?”  I’ve shortened the URL*:  http://bit.ly/9ykii0.
  • Meanwhile, I ran across this article and thought it was interesting:  http://bit.ly/accmM7
  • ISACA (www.isaca.org), ISC2 (www.isc2.org), and SANS (www.sans.org) are where you’ll learn about specific certifications.

————————–

Continuing Professional Education (CPE) Requirements

For me, CPE requirements are as important as the certification itself.  To me, ISACA has the most stringent CPE requirements.  They actually audit their membership against declared CPE and that goes a long way towards making everybody serious about it.

Product-based certifications rarely require CPE.

ISC2 and SANS require CPE, but I have never seen any evidence that it is difficult to get, or that it is being audited.

So I guess what I’m saying here is “Rock On, ISACA!!!”

————————–

The “Main Security Certs”:

  • An Information Security Officer should, in my opinion, go for the following certs in the following order to the extent possible:  CISM, CISA, CRISC or CISSP.  Beyond that, you don’t need any more letters.  And by the time you get through CISA, if you want more letters you need to decide whether to focus on high-level risk management CRISC or technical wizardry (CISSP).
  • A CISA is a Certified Information Systems Auditor, and is a good choice if you are an Information Security Officer, Internal Auditor, or in any capacity where you will be responsible for auditing the enforcement of policies, procedures, and controls.
  • If your bank is regulated by Sarbanes-Oxley (you’ll know if you are), then CISA is a great certification because the body of knowledge includes CobiT, which is quickly becoming a management/audit framework for IT Governance in large enterprises.
  • A CISM is a Certified Information Security Manager and is a good choice if you have security responsibility, supervise security professionals, or are responsible for managing security.  This is an excellent certification for Information Security Officers.  Network Administrators wanting to balance their technical knowledge with security knowledge should consider the CISM.
  • CRISC is Certified in Risk and Information Systems Control:  This one is new, and the only reason I list it here is because I’m going for it.  🙂  Seriously, I’m hoping to be grandfathered into this certification, which focuses on IT Risk Management.  That’s what I’ve been doing for the last twenty years of my life, so I’m looking forward to the body of knowledge that comes with the certification.  This is a great cert for CIOs, CTOs, and others at the top of the technology food chain (who can’t pass the technical tests, a CISSP might add.)  (insert smiley emoticon here)
  • A CISSP is what I’ve always referred to as “a very technical certification.”  It exudes a very technical body of knowledge and you can’t fool your way through it.  CISSPs often scoff at CISAs and CISMs, but they always seem to have trouble with those non-technical controls anyway.  🙂  And I’d like to point out that ISC2 has now rolled out a new SDLC certification . . . . CSSLP . . . . could this indicate that they now agree that “SDLC controls” is a missing element in the CISSP body of knowledge?
  • The SSCP (Systems Security Certified Practitioner) is the first step for you to take towards the CISSP.  It is an excellent start for those who want the technical certification.  Its body of knowledge is pretty deep in the areas of Access Controls, Cryptography, Malicious Code and Activity, Monitoring and Analysis, Networks and Communications, Risk, Response and Recovery, and Security Operations and Administration.
  • The SANS institute offers the Global Information Assurance Certification (GIAC) certification, covering a body of knowledge that includes Security Administration, Security Management, IT Audit, and Software Security.

————————–

Level of Ease

Product-based Certifications (MCA, MCSE, etc.) are probably the easiest but they expire, are focused on only one product, and can be a marketing tool rather than an assurance control.  Also, product-based certs rarely have strong continuing education requirements, and thus they do not make a strong assurance control on the issue of staying current with technology.

Thus, I always say “they’re nice but tell me what else you have.”

The CISM is the easiest information security certification to get, in my opinion.  It is still not easy, and the CPE (Continuing Professional Education) requirements are diligent.

The CISSP is the most difficult certification to get in my book, and technical people will agree with me on that.  If you want the CISSP, start off by getting the SSCP.

The GIAC, CISA, CRISC certifications are somewhere in between the CISM and the CISSP in terms of “ease.”

————————–

The Footnote:

  • Note:  Shortened URLs are dangerous only if you don’t know the source (and thus the destination).  In other words, if you don’t know for sure who is telling you to go to http://bit.ly/9ykii0, then you do not really know if that shortened URL takes you to a legitimate website.  But since you are reading this blog on my website (check the URL above to be sure . . . infotex.com needs to be in that URL), the shortened URL doesn’t present much risk because you know I am the person suggesting you go there.