Ever since I started my security career, questions have arisen regarding the best certifications, or whether certifications are necessary for building a successful infosec career. Only recently have there been increased opportunities to get graduate (and even undergraduate) degrees focused on information security. Hence, the question of what's best for a career -- an infosec certification or IT security degree -- becomes even more muddied.
I am happy to answer the question with the caveat that my thoughts are only opinions, and different circumstances may affect my opinion.
So, what should you do? My answer is, if you want to be successful in the security field, you need a certification to establish your credibility first. Pursuit of a degree is useful to expand knowledge. Either way, if I were to hire you, my key considerations would include:
- Are you capable of being successful in information security? Frankly, I think having the certification gives you credibility when I ask this question.
- Do you have the tenacity and sustained persistence to get through the tough problems? Getting a certification like a CISSP, CEH or a four-year information security degree gives you credibility in this regard.
- Do you have strong social skills, and can you make persuasive and articulate arguments for certain information security practices? This could be demonstrated by outside interests and memberships (e.g., Are you involved in any civic clubs, such as the Rotary Club, or security organizations, such as a local chapter of ISSA or ISACA?), not necessarily degrees or certs. The intent is to see whether you will be effective at communicating with co-workers and managers.
- Can you write effectively? Are you a good speaker and presenter? Do you work well under stress? Again, these traits are not necessarily tested or proven by a certification or degree, per se. Instead, show me what you’ve written; show me presentations you’ve given, etc.
As a suggested approach, I’d advise you to work on your certifications -– perhaps starting with Security+, then getting a CISSP or CISM, then a CEH to round out your technical strengths and positioning. Then, as you continue with your career, I’d suggest pursuing a graduate degree from one of the leading infosec schools, such as Norwich, Carnegie Mellon or University of Maryland University College, to name a few.
Several of these schools and others have online degree programs. In fact, Western Governors University includes the CEH certification as part of its online Masters Program.
The bottom line is, there is no final answer to this question: The answer depends greatly on your particular circumstances. However, consider the potential interview questions above when deciding which you want to pursue, because the end goal of any training is landing an infosec job.
This was first published in July 2011