Certification is on the mind of many security professionals, and the recent Computer Security Institute conference devoted much attention to the topic. In one session, Peter Stephenson of Eastern Michigan University's Center for Regional and National Security presented an overview of what certifications can do for you and which ones, if any, you should have.
Stephenson holds the Certified Information Systems Security Professional (CISSP), Certified Information Forensics Investigator (CIFI), Certified Information Security Manager (CISM) and Fellow of the Institute for Communications, Arbitration and Forensics (FICAF) in the United Kingdom. However, he holds a somewhat cynical view of certifications.
"By themselves, they prove nothing," Stephenson says of certifications. They're filters for employers and lucrative revenue for the training and certification industry. A tech veteran with nearly 40 years of experience, Stephenson obtained his first certification in 2002 to help him put food on the table. The one designation he pursued because of the challenge was the FICAF, which requires election by your peers.
What follows are his recommendations for when a security certification might be necessary and which ones are appropriate choices for these groups.
- Technicians and engineers: Consider certification if the training required for the certification is necessary to perform job duties. SANs Global Information Assurance Certification (GIAC), a field-specific certification such as International Information Systems Forensics Association (IISFA), CIFI; vendor-specific designations from Cisco, Internet Security Systems or Microsoft, or CompTIA's Security +, for example.
- Technical manager: Pursue when the job requires one. Certifications to get include CISSP, CISM, field-specific, or possibly SANs GIAC.
- Senior manager: Consider when the job requires, or pursue when you want one. Examples include high-level certifications such as the ICAF for mature professionals.
To keep your skills current and meet continuing education requirements, considera course from a Training Institute as well as specialized conferences and symposiums.