In the security industry, there are tons of options for certification and training, but which are best when looking to advance your career? In this expert response, David Mortman explains what you need to know to climb the ladder.
Let's start with certifications. Certifications won't generally enhance your career in information security unless the job you're looking for requires them. So unless a certification is required, save your time and money and focus on more training. Training will give you actual skills that can demonstrate your value. Remember, training gives you knowledge and the beginnings of skills. Certifications say you remembered the requisite information long enough to get the minimal score necessary to pass a test -- they are not at all the same thing.
Without knowing where you are in your career and what skills you already have, I have a hard time recommending specific classes. In terms of enhancing technical skills, I've heard great things about the trainings offered at Black Hat prior to the briefings. I've also heard great things about the SANS security training classes, especially with regard to forensics. If those classes are outside your budget, there are lots of great websites and blogs you can study from, not to mention books. Check out the Security Bloggers Network and the Team Cymru News Feed. Both are great sources of information and will give you a fantastic overview of the best blogs in the industry to pick and choose from. Finally, you could try to set up a study group with other security professionals in your town to discuss a particular topic, sort of a book club for infosec pros. There are a number of national and regional information security user groups as well.
If you are interested in pursuing (or are already on) the security management track, I would avoid security classes altogether and instead consider business classes. A stronger understanding of how businesses work (and, in particular, how your employer works) will be a great benefit to your career. Such understanding can enable you to communicate with the business in terms that they understand; having a common language will give you the ability to get a lot more done. In addition to general management classes, it would be useful to take classes on finance -- at least enough to understand balance sheets, 10Ks and whatnot. Classes like this are generally available in the evenings at local universities and community colleges.
Finally, regardless of where you are in your career, I recommend that everyone work on their presentation skills, whether through formal classes, semi-formal organizations like Toastmasters, or even by speaking regularly at local groups. Without the ability to communicate effectively to business executives and your security team, the rest of your training will go to waste.