rich.nealon at gmail.com
Tue Aug 25 15:23:27 EDT 2009
As a former member of (ISC)2 Board of Directors, and active volunteer,
you'll not be surprised to find that I have strong opinions on the topic.
You might be surprised though, to find that they're not too far from all of
the points raised so far.
First point: There are three types of certification available in the market
at the moment:
1. Technical certification - SANS, Vendor related (Microsoft, Cisco,
Symantec, etc), EC Technical Hacker, etc
2. Generic certifications - ISC2, ISACA
3. Academic certifications - MSc, Dip in Forensics, etc.
Each of these has its merits & demerits, but I think that we have to look
at the area of certification (and what it offers each of us) holistically
rather than focusing on one particular cert.
Which one of these types is best? To use the great SOx answer - "It
It depends greatly on what your chosen/planned career path is, the security
of your job, your expectations for the future.....
I'd argue that any certification doesn't prove competence in any manner. It
only goes to show that an individual has been successful in achieving a
certain score at a point in time.
Nevertheless, in so many cases, recruiting employers will list a
specific certification (or range of certs) to set a baseline and discourage
what they consider to be the timewasters (those going for the job despite
having no experience). In most cases, for security management roles, CISSP
or CISA (CISM is the more appropriate ISACA cert but simply isn't as well
known) are used as that baseline. That's just the way it is - (ISC)2 has
been around over 20 years with a membership of about 60k and ISACA even
longer. The reason that these specific baselines are used, is only because
there's nothing better on offer that's as well known in the marketplace.
Now - let me come back to an important point in the last paragraph. You'll
notice that I mentioned "for security *management* roles". The baseline
certs being looked for should be much different if the organisation is
recruiting a DBA, Firewall admin, RACF support.... but unfortunately
they nearly always use one-size-fits-all (primarily because they don't
really understand what "security" do).
I was speaking with a chap last week who's a graduate of the MSc programme
in Information Security from Royal Holloway. The job he was interviewing for
was to independently review and report on a PKI implementation. Despite
having implemented and managed a large PKI environment in the past, and
having the MSc, the employer rejected his tender because he didn't meet
their certification criteria (i.e. didn't currently hold CISSP or CISA).
If you're looking to set your career as a security techie - go for, and
maintain technical certifications
If you're looking to set your career in security management - get at least
one of the generic certifications and maintain it
If you want to educate yourself - go off and get an academic certification
If you're never going to have to interview again (internally or externally)
- save your money and let your certifications lapse
Them's the options! Take your pick.
On a personal note - I'm happy to pass back any constructive suggestions
from the group to their exec management as to what (ISC)2 should be doing to
make their offering more valuable to their members. Please don't just tell
me that they don't offer enough content, opportunity, support...
Rather, outline exactly what you think that they're currently missing e.g.
local chapters, free seminars, technical guidelines, areas of the CBK that
should be covered, new certs, ......
CISSP, CISM, CISA (and a bunch of others that I rarely if ever use, other
than to flesh out the CV)
PS - I'll respond separately on the CPE issue and the value for money issue
(no point in putting the whole mailing list to sleep in the one go)