What Security Certification to Start With & Security Certification vs Degree
Matt Tett
I am one of those very lucky few 30-somethings who had a “natural” bent for computing, growing up in the days of the Commodore (that of the nerd, not bogan). While I wouldn’t consider myself stupid, my apparent success is a testament to that, perhaps though that is just luck and fate falling into the right place at the right time. However what I can state is that I am definitely not academic by any stretch of the imagination. While a voracious reader, I only care to read what engages me. I have always preferred to learn through doing and listening (occasionally) and making my own mistakes (thereby clearly validating the claims of those who had told me and been there and made that mistake before me). While some academics argue this is akin to the re-reinvention of a wheel, the best “hackers”, (in the traditional sense of the term), only know this form of learning – and who’s to say innovation through this process won’t lead to a better wheel. Infinite monkey theorem; monkey at typewriter (erm .. word processor) etc.
My other foibles are verbosity, drive and conviction. Having been previously described as a “bull-dozer” I am more than willing to absolutely argue that black is white despite facts (because black is white, right!). Needless to say I left school as soon as I had the opportunity and moved into my career in computing. Choosing to bypass University entirely. Ironically my first few roles were technically managing engineering staff that were two and even three times my age (and whom were the process of changing from traditional electronics and electrical backgrounds to computing and silicon). Thank goodness that those generations were brought up with forgiveness and peace at their core, or else I wouldn’t be here today. The double irony is that I now lead an independent testing organisation with its origins deeply seated within a University. Indeed our Australian HQ and primary Laboratory is still within a University.
The TestLab charter, for over 22 years, has been to provide opportunities to students, and academics to gain really world live experience working with commercial testing projects. Therefore a majority of our resources are either at some stage of obtaining or already have a degree and are working beyond this, a number have Ph.Ds. I therefore respect all the efforts that these people have put in to creating a solid foundation and gaining the base theory that they need to then commence building their careers, discovering, defining and focusing on their area of speciality. Exciting times!
Early in my career and with the advent of networking, (BNC 10BT, token ring, Novell etc. yawn), I began to focus more and more on this area and the ensuing security component, which grew, and grew and is still growing over the evolution of technologies. Therefore by the time I ended up working for the University IT test laboratory almost 10 years ago now, I was a senior network and security engineer. Through dedicated, focused hands-on experience (pulling things apart and attempting re-assembly, breaking things and writing reports) and the benefit of me being paid as commercial work by my previous employers and essentially their clients funding this “education”.
Shortly after joining the University a niggling concern began to overtake me, must be something in the University air, or maybe my advancing old age, and while I was offered a degree through experience, and no, not one of those from a dodgy “Uni” on the internet. I was mildly offended, if I really wanted, and more importantly needed, a degree I would go through the full process under my own steam. I gave that thought about 6.2 seconds consideration and had horrible recall and flashbacks to my previous academic efforts in secondary school. I therefore decided to take the industry certification route. Networking was out .. too boring, again with all due respect to my CCIE acquaintances but hey what could be more sexy to a nerd than security ? (if you are a normal human being then read that “sexy” as “mildly more interesting”).
So I started the research, which I am assuming if you have read this far you too have commenced or completed, into what security certifications are out there, without going down the route of vendor certificates. SANS are great but highly focused on specific technical nuances of a body of knowledge, better for refining skills and focus in a specialist career or requirement at a point in time. What I was after was more of a general qualification that covered all my experience.
Ok, I will cut to the chase, that is the CISSP (Certified Information System Security Professional) certification run by ISC2. But again it may not be for all. While a great foundation it does cover all the common bodies of knowledge reasonably expected by a security practitioner. Not to mention that it was a killer examination ~ 6 hours multi-choice (with the caveat that there may be no incorrect answers, however the “correct” answer may be the best solution of the options given!). There is also a hefty, and legitimate, requirement to provide solid evidence of a number of years previous industry experience practicing security hands on. Ensuring presumably that academics and wannabes simply cannot “study-up” and then sits the exam and gain the qualification. There is also the requirement to submit ongoing annual Continuing Professional Education (CPE) points, demonstrating that even while working in the sphere the participant is also keeping current changes and the state of play in security outside of their workplace.
This is where organisations such as the Australian Information Security Association (AISA) come in to play, disclaimer that I am a committee member of the Melbourne chapter. Networking with peers, connecting with prospective mentors, introduction to the industry for students and those commencing their careers. And above all education outside of the workplace or formalised study.
Other certification options that I had sourced and considered at the time, were the Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA). These are administered by the Information Systems Audit and Control Association (ISACA).
So what did I end up doing? Well all three of course, told you I was a bulldozer! Passed all first time out, but it was NOT easy, and not recommended. In-fact at the time all three exams were only held annually once at that stage, luckily for me ISACA announced that they would be running two exams for the first time the year I did mine, so I managed to do all in the one year.
So in summary; A degree gives one a foundation in theory and background in history and a taste of what may be to come in a career, enabling the student to start to focus on what piques their interest. CISSP gives an experienced security professional with a number of years practical hands-on work in the industry a rounded-out overview and well recognised and respected qualification attesting to their experience and chosen career. CISA, more focused on information systems and audit process, with a security bent, but more procedural and theoretical – definitely worthwhile if governance, compliance and risk are your chosen path without all the other technical detailed hands-on “fluff” associated with CISSP. CISM is similar to CISA but more rounded in terms of managing a security team and auditors and understanding risks and the options around risk.
I am sure that I haven’t missed 1,000,001 things at all, because I am a “bull-dozer”, and always right, so feel free to leave comments with your further valuable input that will be considered wrong even if it is obviously right.