CISSP For Dummies
In business and technology, no one’s career stays in one place. We are continuously growing and changing, and ever-changing technology also influences organizations and our roles within them.
You shouldn’t consider your quest for certifications finished when you have earned your CISSP - even if it is the highest-level information security certification out there! Security is a journey, and your CISSP certification is not the end goal, but a milestone along the way.
Other (ISC)² certifications
(ISC)² offers several other certifications, including some that you may aspire to earn after receiving your CISSP. The first three below are what (ISC)² calls concentrations, because each represents an area in which a CISSP may choose to specialize; the fourth is a separate credential:
- ISSAP (Information Systems Security Architecture Professional): This concentration is suited for technical systems security architects.
- ISSEP (Information Systems Security Engineering Professional): This concentration demonstrates competence for security engineers.
- ISSMP (Information Systems Security Management Professional): Yes, of course this is about security management.
- CAP (Certification and Accreditation Professional): Jointly developed by the U.S. Department of State’s Office of Information Assurance and (ISC)², the CAP credential reflects the skills required to assess risk and establish security requirements for complex systems and environments.
The three concentrations require that you first be a CISSP in good standing; CAP is a stand-alone credential that does not require the CISSP. Each of these certifications has its own exam. Read about them on the (ISC)² Web site.
Non-(ISC)² certifications
Other organizations have security-related certifications, one or more of which may be right for you. None of these directly compete with CISSP, but some of them do overlap with CISSP somewhat.
Non-technical/non-vendor certifications
- CISA (Certified Information Systems Auditor): This may be good if you are in internal audit or if your organization is subject to one or more security regulations such as Sarbanes-Oxley, HIPAA, GLBA, PCI, and so on. The Information Systems Audit and Control Association and Foundation (ISACA), at www.isaca.org, manages this certification.
- CISM (Certified Information Security Manager): Similar to (ISC)²’s ISSMP, this certification is suited for you if you are in security management. Like CISA, this certification is managed by ISACA.
- CPP (Certified Protection Professional): Primarily a security management certification, CPP is managed by ASIS International, at www.asisonline.org/certification.
- PSP (Physical Security Professional): ASIS International also offers this certification.
- CBCP (Certified Business Continuity Professional): This is a business continuity planning certification offered by DRI International (the Disaster Recovery Institute). You can find out more at www.drii.org.
- PMP (Project Management Professional): A good project manager is a wonderful thing, especially on larger projects. The Project Management Institute, at www.pmi.org, offers this certification.
- GIAC (Global Information Assurance Certification): The GIAC family of certifications includes categories in Audit, Management, Operations, and Security Administration. Our favorite GIAC non-vendor-specific certifications that complement CISSP are the GIAC Certified Forensics Analyst (GCFA) and GIAC Certified Incident Handler (GCIH). Find more information at www.giac.org/certifications.
Technical/vendor certifications
We won’t even pretend to list all the technical and vendor certifications here. These are some of the well-known vendor-related security certifications.
- CCSP (Cisco Certified Security Professional) and CCIE (Cisco Certified Internetwork Expert) Security: Cisco also offers several product-related certifications for products including PIX firewalls and intrusion prevention systems. Find out more at www.cisco.com/certifications.
- Check Point Security Administration certifications: You can earn certifications related to Check Point’s firewall and other security products. Visit www.checkpoint.com/certification.
- MCSA: Security and MCSE: Security: These are two specializations of the Microsoft Certified Systems Administrator and Microsoft Certified Systems Engineer certifications from Microsoft. Read more at www.microsoft.com/certification.
- CEH (Certified Ethical Hacker): We know, we know. A contradiction in terms to some, real business value for others. Read carefully before signing. Offered by the International Council of E-Commerce Consultants (EC-Council). You can find out more at www.eccouncil.org.
- GIAC (Global Information Assurance Certification): GIAC includes several technically oriented certifications, including GIAC Certified Windows Security Administrator (GCWN), GIAC Certified UNIX Security Administrator (GCUX), and GIAC Securing Oracle Certification (GSOC). Read more at www.giac.org/certifications.
- Security+: This is a security competency certification for PC techs and the like. We consider this an entry-level certification that may not be for you, but you may well advise your aspiring colleagues who want to get into information security that this is a good place to start. You can find out more at www.comptia.org.
- Security5: Like Security+, this is an entry-level security competency certification for anyone interested in learning computer networking and security basics. Find out more at www.eccouncil.org.
There are many other security certifications out there. Use your favorite search engine and search on phrases such as security certification to find information.
Choosing the right certifications
Regularly, we are asked which certifications a person should earn next. Our answer is always the same: Your decision depends upon where you want your career to go. There is no “right” certification for everyone - it is a very individual thing.
When considering other certifications, ask yourself the following questions:
- Where am I in my career right now? Are you more focused on technology, policy, operations, or development?
- Where do I want my career to go in the future? If you’re stuck in operations but you want to be focusing on policy, let that goal be your guide.
- What qualifications for certifications do I possess right now? Some people tackle certifications based on the skills they already possess.
- What do I need to do in my career to earn more qualifications? You need to consider not only what certifications you may be qualified to earn right now, but also what experience you must develop in order to earn future certifications.
Remember: Most nontechnical certifications require you to prove that you already possess the required job experience in order to earn them.
A common mistake that people make is this: They want to earn a certification in order to land a particular kind of job. But that’s not the purpose of a certification. Instead, a certification is evidence that one possesses both knowledge and experience.