The Certification Leaf
Dan’s New Leaf
Well, it’s already been a week, and until I get used to this, my articles are going to start out expressing that. 🙂
I’ve decided to focus this week’s article on a question that I get asked regularly by my Information Security Officer clients and friends. “How do I become certified and what would you recommend I get?”
The following is my opinion and it is biased. All CISSPs will disagree with me. 🙂
(Most CISSPs will also be irritated that I haven’t taken the time to learn how to turn off the smiley emoticon in WordPress.)
A good question commonly asked by technical and non-technical bank IT personnel is “what type of certification should I be aiming for?”
To me, certifications serve two purposes: assurance and knowledge-management.
Certifications are an assurance control. They quickly tell me that at one time you had command over a certain body of knowledge that fits into a framework of what I may or may not need in a potential employee. And, if there are CPE requirements, the certifications assure me that you are staying current in the field of expertise. They are also an excellent tool for that very reason.
Certifications keep the certified educated about a body of knowledge that we all want to rely upon. They declare their body of knowledge, and they update and maintain this body of knowledge. Thus, we all know that a CISA is going to be strong in audit controls, whereas a CISSP will be strong on the technical nuts and bolts of network security. And as a CISA I have a wealth of information resources available to me surrounding my body of knowledge.
Let me quickly reveal some resources to help you with the subject of certifications:
- I was involved in a really good discussion on LinkedIn that addresses the issue “which is better, CISSP or CISA?” I’ve shortened the URL*: http://bit.ly/9ykii0.
- Meanwhile, I ran across this article and thought it was interesting: http://bit.ly/accmM7
- ISACA (www.isaca.org), ISC2 (www.isc2.org), and SANS (www.sans.org) are where you’ll learn about specific certifications.
Continuing Professional Education (CPE) Requirements
For me, CPE requirements are as important as the certification itself. To me, ISACA has the most stringent CPE requirements. They actually audit their membership against declared CPE and that goes a long way towards making everybody serious about it.
Product-based certifications rarely require CPE.
ISC2 and SANS require CPE, but I have never seen any evidence that it is difficult to get, or that it is being audited.
So I guess what I’m saying here is “Rock On, ISACA!!!”
The “Main Security Certs”:
- An Information Security Officer should, in my opinion, go for the following certs in the following order to the extent possible: CISM, CISA, CRISC or CISSP. Beyond that, you don’t need any more letters. And by the time you get through CISA, if you want more letters you need to decide whether to focus on high-level risk management (CRISC) or technical wizardry (CISSP).
- A CISA is a Certified Information Systems Auditor, and is a good choice if you are an Information Security Officer, Internal Auditor, or in any capacity where you will be responsible for auditing the enforcement of policies, procedures, and controls.
- If your bank is regulated by Sarbanes-Oxley (you’ll know if you are), then CISA is a great certification because the body of knowledge includes CobiT, which is quickly becoming a management/audit framework for IT Governance in large enterprises.
- A CISM is a Certified Information Security Manager and is a good choice if you have security responsibility, supervise security professionals, or are responsible for managing security. This is an excellent certification for Information Security Officers. Network Administrators wanting to balance their technical knowledge with security knowledge should consider the CISM.
- CRISC is Certified in Risk and Information Systems Control: This one is new, and the only reason I list it here is because I’m going for it. 🙂 Seriously, I’m hoping to be grandfathered into this certification, which focuses on IT Risk Management. That’s what I’ve been doing for the last twenty years of my life, so I’m looking forward to the body of knowledge that comes with the certification. This is a great cert for CIOs, CTOs, and others at the top of the technology food chain (who can’t pass the technical tests, a CISSP might add.) (insert smiley emoticon here)
- A CISSP is what I’ve always referred to as “a very technical certification.” It exudes a very technical body of knowledge and you can’t fool your way through it. CISSPs often scoff at CISAs and CISMs, but they always seem to have trouble with those non-technical controls anyway. 🙂 And I’d like to point out that ISC2 has now rolled out a new SDLC certification . . . . CSSLP . . . . could this indicate that they now agree that “SDLC controls” is a missing element in the CISSP body of knowledge?
- The SSCP (Systems Security Certified Practitioner) is the first step for you to take towards the CISSP. It is an excellent start for those who want the technical certification. Its body of knowledge is pretty deep in the areas of Access Controls, Cryptography, Malicious Code and Activity, Monitoring and Analysis, Networks and Communications, Risk, Response and Recovery, and Security Operations and Administration.
- The SANS Institute offers the Global Information Assurance Certification (GIAC) credentials, covering a body of knowledge that includes Security Administration, Security Management, IT Audit, and Software Security.
Level of Ease
Product-based Certifications (MCA, MCSE, etc.) are probably the easiest but they expire, are focused on only one product, and can be a marketing tool rather than an assurance control. Also, product-based certs rarely have strong continuing education requirements, and thus they do not make a strong assurance control on the issue of staying current with technology.
Thus, I always say “they’re nice but tell me what else you have.”
The CISM is the easiest information security certification to get, in my opinion. It is still not easy, and the CPE (Continuing Professional Education) requirements are rigorous.
The CISSP is the most difficult certification to get in my book, and technical people will agree with me on that. If you want the CISSP, start off by getting the SSCP.
The GIAC, CISA, and CRISC certifications are somewhere in between the CISM and the CISSP in terms of “ease.”
* Note: Shortened URLs are dangerous only if you don’t know the source (and thus the destination). In other words, if you don’t know for sure who is telling you to go to http://bit.ly/9ykii0, then you do not really know if that shortened URL takes you to a legitimate website. But since you are reading this blog on my website (check the URL above to be sure . . . infotex.com needs to be in that URL), the shortened URL doesn’t present much risk because you know I am the person suggesting you go there.