Joint presentation by Kevin Flanagan & Dan Houser, RSA 2008. Overview of career development, professional security/risk certifications, and how to develop and drive your career plan.

1. Certifications and Career
Development for Security
Professionals
Kevin Flanagan
Manager, Technical Consulting, Data Security Group
RSA, The Security Division of EMC
Dan Houser
Sr. Security Identity Architect
Cardinal Health
04/09/2008 | Session Code: PROF-201

2. • Kevin Flanagan, MBA, CISA, CISSP
• Dan Houser, MBA, CISM, CISSP-ISSAP,
e-Biz+, Security+, DTM, QIWT, CITP,
GSEC-Gold, SSCP, CCP, CDP, CSP
Speaking of Certifications

3. Key Points
• Professional Development
• Certification Overview
• Value of Certification
• Certification Study
• Balanced Professional Development Plan
• Q&A

4. What Do You Want to Be?
CIO
CSO
Architect
Security
Engineer
Security
Consultant
Self Employed
Vice President
Security
Manager
Lead AuditorAnalyst

5. What Talents Do You Possess?
Relationship
Building
Communication
Leadership
Coding
Computer
Networking
Forensic Analysis
Pen Testing
Risk
Assessment
Project
ManagementTrending
Quick Learner

6. What Gaps Do You See?
Experience
Professional
Contacts
Crypto
Software
Development
Credentials/Certifications
Confidence
Leadership
Tenure
Technical Hands-On
Experience
Business/Industry
Knowledge

7. Professional Development
• Goal orientation
– Where do you want to go?
– How are you going to get there?
• Personal Skills & Interest Assessment
– What do you do well?
– What skills are marketable?
– What skills are stale?
– What do you LIKE to do?
• Recommended Reference:
What Color is Your Parachute?
Career Architect (Lombardo & Eichinger)

8. "We’ve been reporting for more than a year that
pay for IT certifications has been on a steady
decline," remarks David Foote, Foote Partners
CEO and chief research officer.
“But there is one category of IT certifications—and
only one, according to our data—that is showing
signs of life: IT security. The group of 27 security
certifications we survey is the only one that grew
in value the past six months”
Report: Security Certifications Boost Pay
eWeek 6/1/2007

9. What is Certification?
Certification provides the following:
– Passing the bar
– Fit for use
– Verified to have met a standard
• Certification typically equates to
knowledge, but not always skill.
• Doesn’t necessarily equate to
competency or skill

10. Why certification?
You need to find your own reason:
• Satisfaction / personal accomplishment
• Practical assessment of skills
• Right of passage
• Typical requirement for consulting
• Help in Career Progression
• Recognition of special knowledge
• Resume distinction in a tight job market
• Round out your knowledge

11. Which Certification Makes Sense
For Me?

12. IT Security Certifications
Introductory Security+ CompTIA
SSCP (ISC)²
GISF SANS
Advanced CISSP (ISC)²
Advanced + CISSP-ISSAP (ISC)²
CISSP-ISSMP (ISC)²
CISM ISACA
GSEC SANS
Specialized PMP PMI
CISA ISACA
CGEIT ISACA
CBCP DRI
G7799, GCFW, GCWN,
GCUX, etc.
SANS
CEH EC-Council

13. Vendor/Technical Certifications
Cisco CCIE
Microsoft MCSE
Others Check Point
Red Hat
Symantec
RSA
ISS
Sun
Cybertrust
Juniper
F5

14. CompTIA Security +
• Description
– Entry-level broad certification which covers many aspects of information security
– Covers communication security, infrastructure security, cryptography, operational security, and
general security concepts
• Governing Body: CompTIA
• Experience Requirements
– Two years experience in networking with emphasis on security
– CompTIA Network+ recommended, but not required
• Maintenance Requirements: None
• Code of Ethics: None
• Exam Format
– 100 questions
– Pass with 764 on a scale of 100 – 900
– 90 minutes
• Cost: US $251.00

15. Systems Security Certified Practitioner
• Targets: intermediate audience of security professionals - technical InfoSec
focus
• Seven technical domains, both conceptual and pragmatic application.
• Some overlap with the CISSP body of knowledge with less experience
required
• Governing Body: (ISC)² - International Information Systems Security
Certification Consortium
• Experience Requirements
– 1 year of direct full-time security work experience in one or more SSCP domains
• Maintenance Requirements
– Annual Fee
– 60 Continuing Professional Education (CPE) credits in 3 years
• Code of Ethics: (ISC)2 Code of Ethics
• Exam Format
– 125 multiple-choice questions
– 3 hours
• Cost: US$369/$469

16. Certified Information Systems Security
Professional (CISSP)
• Description
– Gold Standard in Information Security Certifications
– The CISSP CBK consists of the 10 broad domains, from cryptography and network to
law, ethics and investigations.
– Target: Senior Security Engineers, Architects and technical Security Managers
• Governing Body: (ISC)²
• Experience Requirements
– 4 years direct full-time security professional work experience in 1+ domains
– One year waived with college degree or “equivalent life experiences”
• Maintenance Requirements
– Annual Fee.
– 120 (CPE) credits in 3 years
• Code of Ethics: (ISC)2 Code of Ethics
• Exam Format
– 250 multiple-choice questions
– 6 hours
• Cost: US$499/$599

17. CISSP Concentrations
• CISSP-ISSMP - Information Systems Security Management Professional
– Practitioner’s security expertise in management.
– Requires CISSP & two years professional management experience
– Candidates: Senior level InfoSec manager, director, CISO
– Exam Format
• 125 Multiple choice questions
• 3 hours
– Cost: US$349/$449
• CISSP-ISSAP - Information Systems Security Architecture Professional
– Requires CISSP & two years professional architecture experience
– Asserts that, participants are well qualified to design & implement secure information
system architectures with significant technical security knowledge across 6 domains.
– Exam Format
• 125 Multiple choice questions
• 3 hours
– Cost: US$349/$449

18. Certified Information Security Manager (CISM)
• Description
– Targets experienced information security managers or those with similar responsibilities.
– Requires that the candidate has specific knowledge and business oriented skills in managing and
overseeing organizational information security.
– Also covers designing, assessing, and technical security issues at a conceptual level.
– Applicable to experienced information security managers
• Governing Body: ISACA - (Information Systems Audit and Control Association)
• Experience Requirements
– 5 years of information security work experience, with a minimum of three years of information
security management work experience in three or more of the job practice analysis areas.
– Experience substitutes are available.
• Maintenance Requirements
– Annual maintenance fee.
– Minimum 20 CPE hours per year, 120 CPE hours in 3 years
• Code of Ethics: ISACA Code of Professional Ethics
• Exam Format
– 200 multiple-choice questions
– 4 Hours
• Cost: ISACA Members: US $410 Nonmembers: US $530

19. Project Management Professional (PMP)
• Description
– For project management professionals with extensive experience.
– Rigorous qualifications and testing, make this a widely respected certification.
– Focuses on five process groups: Initiating, Planning, Executing, Controlling, &
Closing.
– Applicable to project managers & security managers
• Experience Requirements
– Bachelor's degree and 4,500 hours of PM experience in the five process groups, OR,
– Secondary school diploma + 7,500 hours of PM experience in the five process groups
– 35 contact hours of classroom instruction that relate to project management
objectives.
– Supporting Documentation is required
• Maintenance Requirements
– Annual maintenance fee.
– minimum of 60 Professional Development Units (PDUs)/3 year cycle
• Code of Ethics: PMI Code of Ethics and Professional Conduct
• Exam Format
– 200 multiple-choice questions
– 4 Hours
• Cost: PMI Members: US $405 Nonmembers: US $555

20. Certified Information Systems Auditor (CISA)
• Description
– Endorses a candidate’s understanding of information auditing, controls and security.
– The focus of the certification is less on technical security (network and infrastructure)
auditing, and more on systems auditing and compliance checking.
– Applicable to Information Security Auditors and Operational staff
• Governing Body: ISACA - Information Systems Audit and Control Association
• Experience Requirements
– 5 years work experience in the fields of InfoSystems Auditing, Control, or Security.
• Maintenance Requirements
– 20 CPEs annually, 120 CPEs in 3-year recertification cycle
– Annual maintenance dues
• Code of Ethics: ISACA Code of Professional Ethics
• Exam Format
– 200 multiple-choice questions
– 4 Hours
• Cost: ISACA Members: US $410 Nonmembers: US $530

21. Certified Business Continuity Professional (CBCP)
• Description
– Endorses practitioner’s knowledge of BCP/ DR concepts, processes and procedures.
– The MBCP is a follow-on certificate to the CBCP. Roughly equivalent to grad degree
– Applicable to BCP professionals
• Governing Body: DRI International (DRII)
• Experience Requirements
– 2 years significant practical experience in 5 of the key Subject Areas
• Maintenance Requirements
– Pay all annual maintenance fees.
– 80 CPEs every two years
• Code of Ethics: Code of Ethics established by DRII.
• Exam Format
– Multiple-choice Questions (between 140 and 160 questions)
– There is only one exam, score on the same exam determines your eligibility for
certification at a variety of levels
• Cost: US$350 (CBCP) / US$425 (MBCP) + $500 exam fee

22. Global Information Assurance Certification (GIAC)
• Huge range of designation choices
• Two-tiered achievement -- (to solve ABD problem)
– Silver - completion of one exam administered in a proctored environment.
– Gold – Exam plus technical report (SANS Reading Room)
• Course-based certification process: certificate of achievement?
• Proctored exams using online testing portal – open book, not open Internet
• Elite Platinum GSE program requires significant testing and practicals
• Only 12 have this… equivalent rigor to PhD+ ??
• Governing Body: SANS – The SysAdmin, Audit, Network, Security Institute
• Experience Requirements: None
• Maintenance Requirements: Renewal every 2 years
• Code of Ethics: GIAC Code of Ethics
• Exam Format
Two online exams, each 100 multiple-choice questions, 3 hours
• Cost
US $800

23. Global Information Assurance Certification (GIAC)
* - From SANS Website: http://www.giac.org/certifications/roadmap.php

24. Technical/Vendor Certifications
• Cisco Certified Internetwork Expert (CCIE)
– Gold Standard for network professionals
– Added Security Track in 2002
– Rigorous Testing/Plus Hands-on
• Red Hat Certified Engineer (RHCE)
– “Crown Jewel” of Linux examinations
– 3 extensive training programs.
– 1 hour exam followed by 6 hour Lab Exam
• Microsoft Certified Systems Engineer (MCSE)
– Over 600,000 MCSEs (sharp decline)
– 7 tests = 6 core, 1 elective
– 1-2 years recommended experience

25. What’s In It For Me?

26. Security Certification Salaries
* 2006 Salary Data Courtesy of Certification Magazine

27. Putting Certification into Perspective
We distributed a survey to a broad group of Information
Security professionals.
– We received 74 responses, of those who responded:
• 81% had at least one industry certification
• 60% held the CISSP
• 86% have been in IT for over 10 years
• 54% have been in InfoSec for over 6 years
(30% 10+ years)

28. In the past 2 years, these certifications have gotten....
Weaker (2) Same (3) Stronger(4)

29. Which has more value:

30. What 3 Certifications Have Been Most Valuable to
You?

31. Lapsed Certifications
• Which Certifications have you let lapse?
– MCSE 53%
– GIAC 47%
– CCNA 33%
– SSCP 14%
– Security+ 7%
– CISSP 7%
• Of those who let certifications lapse, why?
– Certification no longer relevant 41%
– Change jobs/careers/fields 38%
– No interest 34%
– Cost of dues/maintenance fees too high 19%
– Unable to meet recertification requirements 9%

32. Interesting Blips in the Survey
• CISSP waning: 53% said CISSP same or declined
• CISM and CISSP-ISSMP sharply delineated (88%)
• (ISC)² says CISSP is a management degree
– Only 1/3 of survey respondents agreed
• Strong preference for certifications over education:
– Only 52% said that MS/ MBA/ PhD are valuable
– Only 4% indicated no preference for certified candidates
– 77% preferred to hire certified candidates
– 19% ** preferred to hire un-certified candidates (53% “meh”)
** 3 different questions. They add up to 100% as a fluke

33. Putting It All Together
• Certification is just one piece of the
puzzle
• Certification should be part of a
broader professional development
plan
• This plan should include:
– Education
– Experience
– Technical Skills
– Soft Skills
– Leadership/Management
Passion – what do you love?

34. Professional Development Plan
• Professional Goals
– Specific
– Measurable
– Achievable
– Relevant
– Time-bounded
• Adapted over time

35. Professional Development Plan
• Develop the plan with your manager or a mentor
• Align personal & career goals, department goals
• Work on soft skills as much as hard skills
• Think outside the box for soft skills:
– Coaching, mentoring, ISSA board, non-profit boards, Big
Brother, college course, foreign language, start a business,
white papers, Toastmasters, presenting at conferences,
teaching course in other language, tutoring academics,
music tutoring, league referee, college courses
• Status reporting provides link to compensation

36. Summary
• Include certification as a component of
comprehensive professional development
• Align development with long-term goals
• Work on soft skills as much as tech skills
• Research certifications – ask tough
questions of the certification bodies
• Mix general, technical & security certs
• Come up with a professional development
roadmap & don’t be afraid to adjust.
• Watch for trends, bellwether changes

37. Q&A
Questions?

38. Sources
• Portions of this presentation contain the trademark images of: ICCP,
PMI, Cisco, Sun, RedHat, Microsoft, (ISC)², ISACA, ACFE, SANS,
ASIS and DRII.
• Sources include primary research in InfoSec and Audit community,
Foote Partners, Information Security Magazine, searchSecurity.com,
eWeek, Certification Magazine, Information Week, Security
Certified, and countless interviews with peers.