MIKHAEL FELKER (CISSP-ISSEP, MCSA, SECURITY+, LINUX+, NETWORK+, INET+) Certifications in IT

Disclaimer The ideas presented here do not represent the views of the Heinz School, Carnegie Mellon, or the Department of Defense. They are solely the opinion of the author.

The ideas presented here do not represent the views of the Heinz School, Carnegie Mellon, or the Department of Defense. They are solely the opinion of the author.

Agenda What are IT certifications? Information Assurance in US Gov’t Cost-Benefit Analysis Q & A

What are IT certifications?

Information Assurance in US Gov’t

Cost-Benefit Analysis

Q & A

Certification Wikipedia: “Certification…is a designation …to certify that he is qualified to perform a job . …indicates…[has] specific set of knowledge , skills , or abilities … certifications are awarded by professional bodies and corporations . The difference between licensure and certification is licensure is required by law , whereas certification is generally voluntary . Sometimes the word certification is used for licensure .”

Wikipedia: “Certification…is a designation …to certify that he is qualified to perform a job . …indicates…[has] specific set of knowledge , skills , or abilities … certifications are awarded by professional bodies and corporations . The difference between licensure and certification is licensure is required by law , whereas certification is generally voluntary . Sometimes the word certification is used for licensure .”

Industries Accounting: CPA Engineering (Civil): Professional Engineer Finance: CFA IT/IA: ??? Generally “software” people do not like to talk about certifications.

Accounting: CPA

Engineering (Civil): Professional Engineer

Finance: CFA

IT/IA: ???

Generally “software” people do not like to talk about certifications.

Certified by the Numbers Microsoft 1 MCP: 963,606+ MCSE: 244,153+ CompTIA 2 Combined Certs: 900,000+ Cisco 3 CCNA or other: 700,000+ PMI 4 PMP: 50,000+ Redhat RHCE: 7500+ 1 Source: http://mcpmag.com/certbasics/ 2 http://certification.comptia.org/about.aspx 3 Source: http://certcities.com/certs/other/cert.asp?ID=14 4 Source: http://www.pmichapters-australia.org.au/melbourne/membersncert/pmp.htm

Microsoft 1

MCP: 963,606+

MCSE: 244,153+

CompTIA 2

Combined Certs: 900,000+

Cisco 3

CCNA or other: 700,000+

PMI 4

PMP: 50,000+

Redhat

RHCE: 7500+

Certifying Bodies (over 22): Certiport Check Point Cisco CIW Citrix CompTIA CWNP EC-Council IBM ISACA (ISC) 2 LPI Microsoft MySQL Novell Oracle PMI Red Hat RSA Sun TIA TruSecure Do I get one? Which one?

Certifying Bodies (over 22):

Certiport

Check Point

Cisco

CIW

Citrix

CompTIA

CWNP

EC-Council

IBM

ISACA

(ISC) 2

LPI

Microsoft

MySQL

Novell

Oracle

PMI

Red Hat

RSA

Sun

TIA

TruSecure

Vendor vs. Vendor Neutral Advantages Vendor Specific knowledge for a particular product or service Direct application of skills/tools Market skills to a particular company that uses a vendor Advantages Neutral Greater transferability in skills No “tunnel” syndrome Not locked into any particular vendor

Advantages Vendor

Specific knowledge for a particular product or service

Direct application of skills/tools

Market skills to a particular company that uses a vendor

Advantages Neutral

Greater transferability in skills

No “tunnel” syndrome

Not locked into any particular vendor

Vendor Certifications Popular Vendors: Cisco Microsoft RedHat Oracle Popular Categories: Networking Development Operating Systems Database Management Don’t fall in the tar pit Not all vendors, or vendor certifications are equal

Popular Vendors:

Cisco

Microsoft

RedHat

Oracle

Popular Categories:

Networking

Development

Operating Systems

Database Management

Don’t fall in the tar pit

Not all vendors, or vendor certifications are equal

Vendor Neutral CompTIA (ISC) 2 PMI

CompTIA

(ISC) 2

PMI

Certification Levels Entry (e.g. CompTIA) Entrant to field or improvement of skills (e.g. 6 months – 1 year) Intermediate (e.g. CCNP) Currently working in the field, mastery of a particular set of products. Advanced (e.g. PMP, CISSP) Several to numerous years of work experience How many exams for the Certification?

Entry (e.g. CompTIA)

Entrant to field or improvement of skills (e.g. 6 months – 1 year)

Intermediate (e.g. CCNP)

Currently working in the field, mastery of a particular set of products.

Advanced (e.g. PMP, CISSP)

Several to numerous years of work experience

How many exams for the Certification?

Government employees/contractors

ANSI/ISO accredited ISO/IEC17024 “ is an International Standard which sets out criteria for bodies operating certification of persons.” Is important because recent DoD Directive “ Requires all IA certifications be accredited under ISO/IEC Standard 17024 (“equivalent” certifications acceptable if approved by OSD or accredited to ISO/IEC Standard 17024 by authorized body).” Source: IAF-GD24-2004 Guidance on ANSI/ISO/IEC 17024

ISO/IEC17024

“ is an International Standard which sets out criteria for bodies operating certification of persons.”

Is important because recent DoD Directive

“ Requires all IA certifications be accredited under ISO/IEC Standard 17024 (“equivalent” certifications acceptable if approved by OSD or accredited to ISO/IEC Standard 17024 by authorized body).”

SFS students and Government Contractors Department of Defense (Top-Down) Directives (Policy) Instructions Manuals (Implementation) DoD Directive 8570.1, "Information Assurance Training, Certification, and Workforce Management," August 15, 2004 Two tracks Technical & Managerial (three levels: I, II, III) Source: http://www.dtic.mil/whs/directives/

Department of Defense (Top-Down)

Directives (Policy)

Instructions

Manuals (Implementation)

DoD Directive 8570.1, "Information Assurance Training, Certification, and Workforce Management," August 15, 2004

Two tracks

Technical & Managerial (three levels: I, II, III)

Government work: what certification to get?

Cost-Benefit

Time/Cost Preparation Study Time, test time, possibly recertify Initial Cost Study materials ~ $30 - $100 Exam fees ~ $130 - $1000 Boot camp ~ $2,000 - $5,000 Upkeep fees/Annual Maintenance Fees (AMF) Varies ~ $0 - $100 Continuing Professional Education (CPE) Varies ~ $0 – cost of conference (several thousands dollars)

Preparation

Study Time, test time, possibly recertify

Initial Cost

Study materials ~ $30 - $100

Exam fees ~ $130 - $1000

Boot camp ~ $2,000 - $5,000

Upkeep fees/Annual Maintenance Fees (AMF)

Varies ~ $0 - $100

Continuing Professional Education (CPE)

Varies ~ $0 – cost of conference (several thousands dollars)

Testing Computer Based Testing (CBT) Prometric/Vue centers (worldwide) Specific Administration Time/date limited Practicum in-person Perform a set of tasks in a lab environment (e.g. CCIE, RHCE)

Computer Based Testing (CBT)

Prometric/Vue centers (worldwide)

Specific Administration

Time/date limited

Practicum in-person

Perform a set of tasks in a lab environment (e.g. CCIE, RHCE)

Requirements Some or all of the following: Prior entry/mid level certifications Years of Experience 3 rd party verification (e.g. employer) Passing exam score or practicum Comply with code of ethics

Some or all of the following:

Prior entry/mid level certifications

Years of Experience

3 rd party verification (e.g. employer)

Passing exam score or practicum

Comply with code of ethics

Continuing Professional Education (CPE) Attending educational courses or seminars Attending security conferences Being a member of an association chapter and attending meetings Listening to vendor presentations Completing university/college courses Providing security training Publishing security articles or books Serving on industry boards Self-study Completing volunteer work Source: (ISC) 2

Attending educational courses or seminars

Attending security conferences

Being a member of an association chapter and attending meetings

Listening to vendor presentations

Completing university/college courses

Providing security training

Publishing security articles or books

Serving on industry boards

Self-study

Completing volunteer work

Renewal Many exams require renewal (e.g CCNA after 3 years) Substitute renewal with CPEs Renew by taking higher level certification

Many exams require renewal (e.g CCNA after 3 years)

Substitute renewal with CPEs

Renew by taking higher level certification

Benefits Marketability Increased skill set Increase salary potential (possibly) Check the average salary ( http://www.payscale.com/index/US/Certification )

Marketability

Increased skill set

Increase salary potential (possibly)

Check the average salary ( http://www.payscale.com/index/US/Certification )

Downsides “ This is the first time skills have trumped certifications since our firm began surveying tech skills pay in 2000.” Source: http://www.eweek.com/article2/0,1895,1954198,00.asp

“ This is the first time skills have trumped certifications since our firm began surveying tech skills pay in 2000.”

Stereotypes "Paper" MCSEs No knowledge How to deal with it, and respond

"Paper" MCSEs

No knowledge

How to deal with it, and respond

Certifications as Strategic Tools Higher percentage of callbacks from keyword searches Ability to perform work X because I am certified Requirements of Government As quick verification of baseline skills

Higher percentage of callbacks from keyword searches

Ability to perform work X because I am certified

Requirements of Government

As quick verification of baseline skills

Side Notes

Skimming Time Some certifications let you substitute one certification for years of experience, or exams (e.g. Security+ can be an elective exam for MCSE)

Some certifications let you substitute one certification for years of experience, or exams (e.g. Security+ can be an elective exam for MCSE)

Certification housekeeping Keep track of Certification IDs Date Time Location Find an appropriate method to store CPEs Know how to get verification (employers sometimes request it) Become aware of the side benefits of certain certifications Special accounts for jobs postings, discounts on education conferences, etc.

Keep track of Certification

IDs

Date

Time

Location

Find an appropriate method to store CPEs

Know how to get verification (employers sometimes request it)

Become aware of the side benefits of certain certifications

Special accounts for jobs postings, discounts on education conferences, etc.

Takeaways Certifications don't guarantee salary increases (although possible) Increased knowledge Increased respect and networking potential (e.g. LinkedIN group for CISSPs) Vendor certifications creates “lock-in” Salary surveys (might undervalue) Don’t account for advanced degree(s)

Certifications don't guarantee salary increases (although possible)

Increased knowledge

Increased respect and networking potential (e.g. LinkedIN group for CISSPs)

Vendor certifications creates “lock-in”

Salary surveys (might undervalue)

Don’t account for advanced degree(s)

Questions Feel Free to e-mail me: Mikhael Felker – [email_address]

Feel Free to e-mail me:

Mikhael Felker – [email_address]

Sites of Interest http://www.tcpmag.com/ http://www.mcpmag.com/ http://certcities.com/ http://www.sans.org/salary2005

http://www.tcpmag.com/

http://www.mcpmag.com/

http://certcities.com/

http://www.sans.org/salary2005