
The Certification Leaf

By Dan Hadaway | Tuesday, March 30, 2010 - Leave a Comment

Dan’s New Leaf

Well, it’s already been a week, and until I get used to this, my articles are going to start out expressing that.  🙂

————————–

I’ve decided to focus this week’s article on a question that I get asked regularly by my Information Security Officer clients and friends.  “How do I become certified and what would you recommend I get?”

The following is my opinion and it is biased.  All CISSPs will disagree with me.  🙂

(Most CISSPs will also be irritated that I haven’t taken the time to learn how to turn off the smiley emoticon in WordPress.)

A good question commonly asked by technical and non-technical bank IT personnel is “what type of certification should I be aiming for?”

To me, certifications serve two purposes:  assurance and knowledge-management.

Certifications are an assurance control.  They quickly tell me that at one time you had command over a certain body of knowledge that fits into a framework of what I may or may not need in a potential employee.  And if there are CPE requirements, the certification assures me that you are staying current in your field of expertise.  For that very reason they are also an excellent screening tool.

Certifications keep the certified educated about a body of knowledge that we all want to rely upon.  The certifying bodies declare that body of knowledge, and they update and maintain it.  Thus we all know that a CISA is going to be strong in audit controls, whereas a CISSP will be strong on the technical nuts and bolts of network security.  And as a CISA, I have a wealth of information resources available to me surrounding my body of knowledge.

————————–

Resources

Let me quickly reveal some resources to help you with the subject of certifications:

  • I was involved in a really good discussion on LinkedIn that addresses the issue “which is better, CISSP or CISA?”  I’ve shortened the URL*:  http://bit.ly/9ykii0.
  • Meanwhile, I ran across this article and thought it was interesting:  http://bit.ly/accmM7
  • ISACA (www.isaca.org), ISC2 (www.isc2.org), and SANS (www.sans.org) are where you’ll learn about specific certifications.

————————–

Continuing Professional Education (CPE) Requirements

For me, CPE requirements are as important as the certification itself.  To me, ISACA has the most stringent CPE requirements.  They actually audit their membership against declared CPE and that goes a long way towards making everybody serious about it.

Product-based certifications rarely require CPE.

ISC2 and SANS require CPE, but I have never seen any evidence that it is difficult to get, or that it is being audited.

So I guess what I’m saying here is “Rock On, ISACA!!!”

————————–

The “Main Security Certs”:

  • An Information Security Officer should, in my opinion, go for the following certs in the following order to the extent possible:  CISM, CISA, CRISC or CISSP.  Beyond that, you don’t need any more letters.  And by the time you get through CISA, if you want more letters you need to decide whether to focus on high-level risk management CRISC or technical wizardry (CISSP).
  • A CISA is a Certified Information Systems Auditor, and is a good choice if you are an Information Security Officer, Internal Auditor, or in any capacity where you will be responsible for auditing the enforcement of policies, procedures, and controls.
  • If your bank is regulated by Sarbanes-Oxley (you’ll know if you are), then CISA is a great certification because the body of knowledge includes CobiT, which is quickly becoming a management/audit framework for IT Governance in large enterprises.
  • A CISM is a Certified Information Security Manager and is a good choice if you have security responsibility, supervise security professionals, or are responsible for managing security.  This is an excellent certification for Information Security Officers.  Network Administrators wanting to balance their technical knowledge with security knowledge should consider the CISM.
  • CRISC is Certified in Risk and Information Systems Control:  This one is new, and the only reason I list it here is because I’m going for it.  🙂  Seriously, I’m hoping to be grandfathered into this certification, which focuses on IT Risk Management.  That’s what I’ve been doing for the last twenty years of my life, so I’m looking forward to the body of knowledge that comes with the certification.  This is a great cert for CIOs, CTOs, and others at the top of the technology food chain (who can’t pass the technical tests, a CISSP might add.)  (insert smiley emoticon here)
  • A CISSP is what I’ve always referred to as “a very technical certification.”  It exudes a very technical body of knowledge and you can’t fool your way through it.  CISSPs often scoff at CISAs and CISMs, but they always seem to have trouble with those non-technical controls anyway.  🙂  And I’d like to point out that ISC2 has now rolled out a new SDLC certification . . . . CSSLP . . . . could this indicate that they now agree that “SDLC controls” is a missing element in the CISSP body of knowledge?
  • The SSCP (Systems Security Certified Practitioner) is the first step for you to take towards the CISSP.  It is an excellent start for those who want the technical certification.  Its body of knowledge is pretty deep in the areas of Access Controls, Cryptography, Malicious Code and Activity, Monitoring and Analysis, Networks and Communications, Risk, Response and Recovery, and Security Operations and Administration.
  • The SANS Institute offers the Global Information Assurance Certification (GIAC) family of certifications, covering a body of knowledge that includes Security Administration, Security Management, IT Audit, and Software Security.

————————–

Level of Ease

Product-based Certifications (MCA, MCSE, etc.) are probably the easiest but they expire, are focused on only one product, and can be a marketing tool rather than an assurance control.  Also, product-based certs rarely have strong continuing education requirements, and thus they do not make a strong assurance control on the issue of staying current with technology.

Thus, I always say “they’re nice but tell me what else you have.”

The CISM is the easiest information security certification to get, in my opinion.  It is still not easy, and the CPE (Continuing Professional Education) requirements are demanding.

The CISSP is the most difficult certification to get in my book, and technical people will agree with me on that.  If you want the CISSP, start off by getting the SSCP.

The GIAC, CISA, CRISC certifications are somewhere in between the CISM and the CISSP in terms of “ease.”

————————–

The Footnote:

  • Note:  Shortened URLs are dangerous only if you don’t know the source (and thus the destination).  In other words, if you don’t know for sure who is telling you to go to http://bit.ly/9ykii0, then you do not really know if that shortened URL takes you to a legitimate website.  But since you are reading this blog on my website (check the URL above to be sure . . . infotex.com needs to be in that URL), the shortened URL doesn’t present much risk because you know I am the person suggesting you go there.