
Certification path for future CSO

Certification expert Ed Tittel outlines a certification path for future CSOs.

Ed Tittel is the president of LANWrights, Inc., a wholly-owned subsidiary of ... He has been working in the computing industry for 20 years and has worked as a software developer, a manager, a writer and a trainer. As an expert on the site, Ed answers your questions on security training and certification. Here, Ed offers certification advice for a future Chief Security Officer.

Q: I am an IT tech interested in working my way up to be a Chief Security Officer. I don't currently hold any certifications. Could you describe an educational path for someone such as myself?

I'd recommend a slow, deliberate climb up a security certification ladder to help you prepare for a CSO position, as follows:

Start out gentle with the BrainBench Internet and network security exams. You'll find them listed on BrainBench's site. They're cheap, provide good basic coverage of the subject and will get you motivated to make progress. This should take you two to four months.

Next, tackle the Certified Internet Webmaster (CIW) Security Professional exam. Combined with an MCSE, passing this exam makes you a CIW Security Analyst and may enhance your "merit badge count." This is a good entry-level exam on basic Internet, network and systems security. It will take you another two to four months to complete.

After that, tackle a broader, more formal, but still entry-level security cert. This could be any of the following credentials, each of which will give you an excellent and thorough background in computer security theory, operations, practices and policies:

TruSecure ICSA Computer Security Associate (TICSA)
The International Computer Security Association is well-known and highly regarded; its entry-level program requires a minimum of two years of work-related security experience or equivalent classroom training hours.

(ISC)² Systems Security Certified Practitioner (SSCP)
The International Information Systems Security Certification Consortium is also home to the best-known senior-level security certification, the CISSP (see below). If you're of a mind to go that route, the SSCP is a great way to prepare.

SANS GIAC Security Essentials Certification (GSEC)
The SANS Institute is a growing powerhouse in the security industry. Likewise, its certifications are gaining increased visibility and acceptance. The GSEC opens the door to other certifications in the SANS GIAC program.

Next, you'll be ready to tackle an intermediate-level security certification. Most such certifications require three or more years of relevant on-the-job experience. Many require submitting papers or research results in addition to passing exams; some also require taking specific classes. Of these, the following are particularly worthy of mention and pick up where the previous three left off:

(ISC)² Certified Information Systems Security Professional (CISSP)
CISSP is the best-known senior-level security certification in North America and the one most often requested by name in job postings and classified ads.

SANS GIAC Security Specialist Certifications
The SANS Institute offers numerous topical specializations that extend the GSEC, including firewalls, incident handling, intrusion analysis, Windows and Unix administration, information security officer, and systems and network auditor certs. It is a topical, timely and highly technical program based on outstanding training delivered online or at SANS conferences.

Finally, you'll be ready for a heavy-duty, senior-level cert (many of which require seven or more years of relevant work experience). At this point, a CSO job should also be more than a dream -- it should be achievable! Here's the short list of relevant certs:

Certified Information Systems Auditor (CISA)
Demonstrates knowledge of IS auditing for control and security purposes. Of primary interest to IT security professionals responsible for auditing IT systems, practices and procedures to make sure organizational security policies meet governmental and regulatory requirements, conform to best security practices and principles, and meet or exceed the requirements stated in an organization's security policy.

Certified Protection Professional (CPP)
Source: American Society for Industrial Security
Demonstrates a thorough understanding of physical, human and information security principles and practices. The most senior and prestigious IT security professional certification covered here, the CPP requires extensive on-the-job experience (seven to nine years), as well as a profound knowledge of technical and procedural security topics and technologies. Only those who have worked with and around security for some time will be able to qualify for this credential.

The SANS GIAC Program also continues to introduce more senior-level, cumulative security certs. It is a good idea to check out its top-end offerings when you're ready to climb this last rung of the security certification ladder.

Good luck!

This was last published in September 2002
