
INFORMATION SECURITY CAREER ADVISOR

Certification path for future CSO


Ed Tittel
09.25.2002






Ed Tittel is the president of LANWrights, Inc., a wholly-owned subsidiary of iLearning.com. Tittel has been working in the computing industry for 20 years and has worked as a software developer, a manager, a writer and a trainer. As an expert on SearchSecurity.com, Ed answers your questions on security training and certification. Here, Ed offers certification advice for a future Chief Security Officer.

Q: I am an IT tech interested in working my way up to be a Chief Security Officer. I don't currently hold any certifications. Could you describe an educational path for someone such as myself?

I'd recommend a slow, deliberate climb up a security certification ladder to help you prepare for a CSO position, as follows:

Start out gentle with the BrainBench Internet and network security exams. You'll find them listed at www.brainbench.com. They're cheap, provide good basic coverage of the subject and will get you motivated to make progress. This should take you two to four months.

Next, tackle the Certified Internet Webmaster (CIW) Security Professional exam. Combined with an MCSE, passing this exam makes you a CIW Security Analyst and may enhance your "merit badge count." This is a good entry-level exam on basic Internet, network and systems security. This will take you another two to four months to complete.

After that, a broader, more formal, but still entry-level security cert is what you should tackle. This could be any of the following credentials, any of which will provide you with an excellent and thorough background in computer security theory, operations, practices and policies:

TruSecure ICSA Computer Security Associate (TICSA)
The International Computer Security Association is well-known and highly regarded; their entry-level program requires a minimum of two years of work-related security experience or equivalent classroom training hours.

ISC-squared's System Security Certified Professional
The International Information Systems Security Certification Consortium is also home to the best-known senior level security certification (see below). If you're of a mind to go that route, the SSCP is a great way to prepare.

SANS GIAC Security Essentials Certification (GSEC)
The SANS Institute is a growing powerhouse in the security industry. Likewise, its certifications are gaining increased visibility and acceptance. The GSEC opens the door to other certifications in the SANS GIAC program.

Next, you'll be ready to tackle an intermediate-level security certification. Most such certifications require three or more years of relevant, on-the-job experience. Many require submitting papers or research results in addition to passing exams; some also require taking specific classes. Of these, three are particularly worthy of mention and pick up where the previous three left off:

ISC-squared's Certified Information Systems Security Professional (CISSP)
CISSP is the best-known senior-level security certification in North America and the one most often requested by name in job postings and classified ads.

SANS GIAC Security Specialist Certifications
The SANS Institute offers numerous topical specializations that extend on the GSEC including firewalls, incident handling, intrusion analysis, Windows and Unix administration, information security officer, and systems and network auditor certs. A topical, timely and highly technical program based on outstanding training online or at SANS conferences.

Finally, you'll be ready for a heavy-duty, senior-level cert (many of which require seven or more years of relevant work experience). At this point, a CSO job should also be more than a dream -- it should be achievable! Here's the short list of relevant certs:

Certified Information Systems Auditor (CISA)
Source: www.isaca.org
Demonstrates knowledge of IS auditing for control and security purposes. Of primary interest to IT security professionals responsible for auditing IT systems, practices and procedures to make sure organizational security policies meet governmental and regulatory requirements, conform to best security practices and principles and meet or exceed requirements stated in an organization's security policy.

Certified Protection Professional (CPP)
Source: American Society for Industrial Security (www.asis.org)
Demonstrates thorough understanding of physical, human and information security principles and practices. The most senior and prestigious IT security professional certification covered here, the CPP requires extensive on-the-job experience (seven to nine years), as well as a profound knowledge of technical and procedural security topics and technologies. Only those who have worked with and around security for some time will be able to qualify for this credential.

The SANS GIAC Program also continues to introduce more senior-level, cumulative security certs. It is a good idea to check out their top-end offerings when you're ready to climb this last rung of the security certification ladder.

Good luck!

