Certification – Poor Picks – Low Level Certs
- At July 03, 2008
- By Josh More
- In Business Security
We are exploring my poor choices for areas in which to certify. Today we will look at Low Level Certifications.
Let’s face it, if a certification is easy to attain, everyone who wants it will have it. Don’t waste your time. Instead, focus on a challenging certification. Some see value in a beginner going after a low-hanging certification, but I think that it’s doing them a disservice to allow them to think that the certification itself is what matters at that level. The processes of studying and practicing test-taking skills are far more valuable than the certification itself. Their time is better spent getting a basic book/website and learning on their own until they’re at a level where certification will help them out.
Once you have narrowed your focus, take a look at the certifications available in that area. Most certifications are “tiered” with low, middle, and high levels of proficiency on which you are tested. If you do not have much experience yet, you may be tempted by the low level certification. Don’t be. Develop the experience needed to go after the middle level. You’ll get a better learning experience AND a better story to tell. You will also be able to better distinguish yourself from those people that start at level 1 and stop.
(Disclaimer: I do not have any low-level certifications)
Certification – Poor Picks – Vendor-specific certifications
- At July 01, 2008
- By Josh More
- In Business Security
Of course, there are some bets that I wouldn’t make. I’m not necessarily down on specific certifications, but I am down on specific types of certifications.
Any certification that locks you into a specific vendor has, at its core, an interest other than the certification alone. If a vendor is pushing a certification, they want to make you expert in their technology over similar technologies. This raises the demand for that technology and increases their sales. Pretty much all of the large technology vendors have a certification program. These, of course, are the most popular certifications, as they are promoted by the sales department of each vendor.
The big problem for you is that these certifications will lock you in and link your career to the future of that company. This can be even more dangerous than specializing in a specific programming language. That said, there is an out. In some places, there is no vendor-neutral certification in a specific technology (at a high enough tier). In those cases, you are best off going after two certifications! That way, if one company stumbles, you have the other one to fall back on. You can also brand yourself as an expert in the technology without being a sales person for a specific company.
(Disclaimer: I am Linux certified by both Red Hat and Novell.)
Certification – Personal Picks – ITIL
- At June 27, 2008
- By Josh More
- In Business Security
We are exploring my personal picks for areas in which to certify. Today we will look at ITIL.
Best Practices are always in vogue, and they are starting to be formalized by systems such as ITIL. ITIL is a methodology for streamlining IT to the business’s needs. As IT becomes increasingly tied to business systems, ITIL and systems like it will become increasingly important. At this time, ITIL is one of the best known systems for doing this, but as time goes on, there will be others. I strongly recommend that you take a class prior to certification in this (or other) methodology. Most methodologies are similar, and having a firm and solid grounding in the concepts for one will make it much easier for you to learn another should you need to.
This certification is worth pursuing if you are in charge of integrating IT with the business. If you are still on the help-desk / daily workload part of your career, you should familiarize yourself with the ideas behind ITIL, but you might want to hold this one until later.
(Disclaimer: I do not currently hold an ITIL certification)
Certification – Personal Picks – Vendor Management
- At June 24, 2008
- By Josh More
- In Business Security
We are exploring my personal picks for areas in which to certify. Today we will look at Vendor Management.
As the industry moves away from everything being internal to more “just in time delivery” and subscription-based software, individual businesses will become increasingly tied to vendors. As the vendor loses money when they have to deal with the business, they may not always be completely willing to add functionality, solve problems, or generally do anything that falls outside of their business model. This puts YOUR business in a very difficult position. It will be increasingly difficult to move away from a vendor, and the vendors will be providing a decreasing quality of service. Therefore, managing your vendors will become a key skill.
Sadly, there are no certification or training programs out there (that I know of) that can help you with this. There is one segment of one course (SANS MGMT 512) that touches on this, but there will soon be more. As the work landscape flattens out and there are more and more connections between the outside world and your business, there will need to be a new level of manager. We have middle managers that manage the people in your organization. We have account managers that manage your customers. We have C-level managers that manage the business as a whole. What we do not have are vendor managers, or professional customers. Soon, we will, and those of us who are good at it will blaze that trail and define the profession.
Then, we’ll be able to certify in it.
(Disclaimer: As this certification does not yet exist, I am not yet certified in it.)
Certification – Personal Picks – Security
- At June 20, 2008
- By Josh More
- In Business Security
We are exploring my personal picks for areas in which to certify. Today we will look at Security.
Security touches on all aspects of business and tends to come in two flavors: management security and technical security. No matter which direction the industry goes (barring a whole-scale collapse), both will be needed. Management security will be more stable than technical security. In other words, the general principles behind security do not change no matter how the attacks do. As attackers improve their technology, the defenders improve theirs. This means that education on general concepts is a better bet than education on specific technologies. (Of course, if you have a specific technology that you have to implement, by all means, study it and learn how to implement it properly. Just try to understand the big concepts too.)
Unlike virtualization, security certification is a mature industry and there are oodles of players. Before you can evaluate them, you have to consider what your goals are. If you want to be an implementer, you will want to go down the technical security line — though it changes so quickly you will need to plan for multiple certifications, at least one per year. If, however, you want to be more of a management-level security person, you need to understand the concepts very deeply and merge them into your life. This is also a path to general paranoia, as management security impacts all aspects of life, not just the tech world.
At this time, the two key players in security certification that I recommend looking at are as follows:
(Disclaimer: I have both a CISSP and GIAC certification)
ISC2
ISC2 offers a handful of generalized security certifications. The “Gold Standard” of these is the CISSP, which also has some specializations. There are some lower-level certifications that are intended as stepping stones towards the CISSP. Personally, I say to develop the prerequisite experience needed for the CISSP and then go for it. This is an excellent management-level certification and you will learn a great deal while pursuing it.
SANS
SANS offers several certifications in many areas: Security, Audit, Management, and Legal. However, SANS is primarily an educational organization, not simply a certification body. Yes, it is possible to get a SANS certification (called a GIAC) without taking a class, but I do not recommend it. The point of a GIAC is the experience and learning that you get along the way. A SANS class is excellent and well worth your time. They have multiple formats, from the week-long security conference to small, do-it-on-your-own systems like SANS Mentor and SANS @Home. You will probably have a more holistic experience at the conference, since a lot of the learning comes from talking with multiple people. However, if your budget doesn’t allow the conference or class, you will still learn plenty in a Mentor or @Home class.
Note that SANS offers training in so many fields that you can get a management security OR a technical security certification through them. Remember that the point is education, so choose the certification based on what you need to learn (and are passionate to learn). I doubt that most hiring managers / bosses will distinguish between the different GIAC certifications, so don’t worry about that. Just pick the experience that you need to have and the rest will follow.