Certification – Personal Picks – Security

We are exploring my personal picks for areas in which to certify. Today we will look at Security

Security touches on all aspects of business and tends to come in two flavors: management security and technical security. No matter which direction the industry goes (barring a whole-scale collapse), both will be needed. Management security will be more stable than technical security. In other words, the general principles behind security do not change no matter how the attacks do. As attackers improve their technology, the defenders improve theirs. This means that education on general concepts is a better bet than education on specific technologies. (Of course, if you have a specific technology that you have to implement, by all means, study it and learn how to implement it properly. Just try to understand the big concepts too.)

Unlike virtualization, security certification is a mature industry and there are oodles of players. Before you can evaluate them, you have to consider what your goals are. If you want to be an implementer, you will want to go down the technical security line — though it changes so quickly you will need to plan for multiple certifications, at least one per year. If, however, you want to be more of a management-level security person, you need to understand the concepts very deeply and merge them into your life. This is also a path to general paranoia, as management security impacts all aspects of life, not just the tech world.

At this time, the two key players in security certification that I recommend looking at are as follows:

(Disclaimer: I have both a CISSP and GIAC certification)

ISC2

ISC2 offers a handful of generalized security certifications. The “Gold Standard” of these is the CISSP, which also has some specializations. There are some lower-level certifications that are intended as stepping stones towards the CISSP. Personally, I say to develop the prerequisite experience needed for the CISSP and then go for it. This is an excellent management-level certification and you will learn a great deal while pursuing it.

SANS

SANS offers several certifications in many areas: Security, Audit, Management, and Legal. However, SANS is primarily an educational organization, not simply a certification body. Yes, it is possible to get a SANS certification (called a GIAC) without taking a class, I do not recommend it. The point the a GIAC is the experience and learning that you get along the way. A SANS class is excellent and well worth your time. They have multiple formats, from the week-long security conference to small, do-it-on-your-own systems like SANS Mentor and SANS @Home. You will probably have a more holistic experience at the conference, since a lot of the learning comes from talking with multiple people. However, if your budget doesn’t allow the conference or class, you will still learn plenty in a Mentor or @Home class.

Note that SANS offers training in so many fields, that you can get a management security OR a technical security certification through them. Remember that the point is education, so choose the certification based on what you need to learn (and are passionate to learn). I doubt that most hiring managers / bosses will distinguish between the different GIAC certifications, so don’t worry about that. Just pick the experience that you need to have and the rest will follow.