Joint presentation by Kevin Flanagan & Dan Houser, RSA 2008. Overview of career development, professional security/risk certifications, and how to develop and drive your career plan.
Certifications and Career Development for Security Professionals
1. Certifications and Career Development for Security Professionals
Kevin Flanagan
Manager, Technical Consulting, Data Security Group
RSA, The Security Division of EMC
Dan Houser
Sr. Security Identity Architect
Cardinal Health
04/09/2008 | Session Code: PROF-201
2. Speaking of Certifications
• Kevin Flanagan, MBA, CISA, CISSP
• Dan Houser, MBA, CISM, CISSP-ISSAP, e-Biz+, Security+, DTM, QIWT, CITP, GSEC-Gold, SSCP, CCP, CDP, CSP
3. Key Points
• Professional Development
• Certification Overview
• Value of Certification
• Certification Study
• Balanced Professional Development Plan
• Q&A
4. What Do You Want to Be?
• CIO
• CSO
• Architect
• Security Engineer
• Security Consultant
• Self Employed
• Vice President
• Security Manager
• Lead Auditor
• Analyst
5. What Talents Do You Possess?
• Relationship Building
• Communication
• Leadership
• Coding
• Computer Networking
• Forensic Analysis
• Pen Testing
• Risk Assessment
• Project Management
• Trending
• Quick Learner
6. What Gaps Do You See?
• Experience
• Professional Contacts
• Crypto
• Software Development
• Credentials/Certifications
• Confidence
• Leadership
• Tenure
• Technical Hands-On Experience
• Business/Industry Knowledge
7. Professional Development
• Goal orientation
– Where do you want to go?
– How are you going to get there?
• Personal Skills & Interest Assessment
– What do you do well?
– What skills are marketable?
– What skills are stale?
– What do you LIKE to do?
• Recommended References:
– What Color is Your Parachute?
– Career Architect (Lombardo & Eichinger)
8. “We’ve been reporting for more than a year that pay for IT certifications has been on a steady decline,” remarks David Foote, Foote Partners CEO and chief research officer. “But there is one category of IT certifications—and only one, according to our data—that is showing signs of life: IT security. The group of 27 security certifications we survey is the only one that grew in value the past six months.”
Report: Security Certifications Boost Pay, eWeek, 6/1/2007
9. What is Certification?
• Certification provides the following:
– Passing the bar
– Fit for use
– Verified to have met a standard
• Certification typically equates to knowledge, but not always skill.
• Doesn’t necessarily equate to competency or skill
10. Why certification?
You need to find your own reason:
• Satisfaction / personal accomplishment
• Practical assessment of skills
• Rite of passage
• Typical requirement for consulting
• Help in Career Progression
• Recognition of special knowledge
• Resume distinction in a tight job market
• Round out your knowledge
14. CompTIA Security+
• Description
– Entry-level broad certification which covers many aspects of information security
– Covers communication security, infrastructure security, cryptography, operational security, and general security concepts
• Governing Body: CompTIA
• Experience Requirements
– Two years’ experience in networking with emphasis on security
– CompTIA Network+ recommended, but not required
• Maintenance Requirements: None
• Code of Ethics: None
• Exam Format
– 100 questions
– Pass with 764 on a scale of 100 – 900
– 90 minutes
• Cost: US $251.00
15. Systems Security Certified Practitioner (SSCP)
• Targets: intermediate audience of security professionals - technical InfoSec focus
• Seven technical domains, both conceptual and pragmatic application.
• Some overlap with the CISSP body of knowledge, with less experience required
• Governing Body: (ISC)² - International Information Systems Security Certification Consortium
• Experience Requirements
– 1 year of direct full-time security work experience in one or more SSCP domains
• Maintenance Requirements
– Annual Fee
– 60 Continuing Professional Education (CPE) credits in 3 years
• Code of Ethics: (ISC)² Code of Ethics
• Exam Format
– 125 multiple-choice questions
– 3 hours
• Cost: US$369/$469
16. Certified Information Systems Security Professional (CISSP)
• Description
– Gold Standard in Information Security Certifications
– The CISSP CBK consists of 10 broad domains, from cryptography and networking to law, ethics and investigations.
– Target: Senior Security Engineers, Architects and technical Security Managers
• Governing Body: (ISC)²
• Experience Requirements
– 4 years direct full-time security professional work experience in 1+ domains
– One year waived with college degree or “equivalent life experiences”
• Maintenance Requirements
– Annual Fee.
– 120 (CPE) credits in 3 years
• Code of Ethics: (ISC)² Code of Ethics
• Exam Format
– 250 multiple-choice questions
– 6 hours
• Cost: US$499/$599
17. CISSP Concentrations
• CISSP-ISSMP - Information Systems Security Management Professional
– Practitioner’s security expertise in management.
– Requires CISSP & two years professional management experience
– Candidates: Senior level InfoSec manager, director, CISO
– Exam Format
• 125 Multiple choice questions
• 3 hours
– Cost: US$349/$449
• CISSP-ISSAP - Information Systems Security Architecture Professional
– Requires CISSP & two years professional architecture experience
– Asserts that holders are well qualified to design and implement secure information system architectures, with significant technical security knowledge across 6 domains.
– Exam Format
• 125 Multiple choice questions
• 3 hours
– Cost: US$349/$449
18. Certified Information Security Manager (CISM)
• Description
– Targets experienced information security managers or those with similar responsibilities.
– Requires that the candidate has specific knowledge and business-oriented skills in managing and overseeing organizational information security.
– Also covers designing, assessing, and technical security issues at a conceptual level.
– Applicable to experienced information security managers
• Governing Body: ISACA - (Information Systems Audit and Control Association)
• Experience Requirements
– 5 years of information security work experience, with a minimum of three years of information security management work experience in three or more of the job practice analysis areas.
– Experience substitutes are available.
• Maintenance Requirements
– Annual maintenance fee.
– Minimum 20 CPE hours per year, 120 CPE hours in 3 years
• Code of Ethics: ISACA Code of Professional Ethics
• Exam Format
– 200 multiple-choice questions
– 4 Hours
• Cost: ISACA Members: US $410 Nonmembers: US $530
19. Project Management Professional (PMP)
• Description
– For project management professionals with extensive experience.
– Rigorous qualifications and testing make this a widely respected certification.
– Focuses on five process groups: Initiating, Planning, Executing, Controlling, & Closing.
– Applicable to project managers & security managers
• Experience Requirements
– Bachelor's degree and 4,500 hours of PM experience in the five process groups, OR,
– Secondary school diploma + 7,500 hours of PM experience in the five process groups
– 35 contact hours of classroom instruction that relate to project management objectives.
– Supporting Documentation is required
• Maintenance Requirements
– Annual maintenance fee.
– Minimum of 60 Professional Development Units (PDUs) per 3-year cycle
• Code of Ethics: PMI Code of Ethics and Professional Conduct
• Exam Format
– 200 multiple-choice questions
– 4 Hours
• Cost: PMI Members: US $405 Nonmembers: US $555
20. Certified Information Systems Auditor (CISA)
• Description
– Endorses a candidate’s understanding of information auditing, controls and security.
– The focus of the certification is less on technical security (network and infrastructure) auditing, and more on systems auditing and compliance checking.
– Applicable to Information Security Auditors and Operational staff
• Governing Body: ISACA - Information Systems Audit and Control Association
• Experience Requirements
– 5 years work experience in the fields of InfoSystems Auditing, Control, or Security.
• Maintenance Requirements
– 20 CPEs annually, 120 CPEs in 3-year recertification cycle
– Annual maintenance dues
• Code of Ethics: ISACA Code of Professional Ethics
• Exam Format
– 200 multiple-choice questions
– 4 Hours
• Cost: ISACA Members: US $410 Nonmembers: US $530
21. Certified Business Continuity Professional (CBCP)
• Description
– Endorses a practitioner’s knowledge of BCP/DR concepts, processes and procedures.
– The MBCP is a follow-on certificate to the CBCP, roughly equivalent to a graduate degree
– Applicable to BCP professionals
• Governing Body: DRI International (DRII)
• Experience Requirements
– 2 years’ significant practical experience in 5 of the key Subject Areas
• Maintenance Requirements
– Pay all annual maintenance fees.
– 80 CPEs every two years
• Code of Ethics: Code of Ethics established by DRII.
• Exam Format
– Multiple-choice Questions (between 140 and 160 questions)
– There is only one exam; the score on that exam determines your eligibility for certification at a variety of levels
• Cost: US$350 (CBCP) / US$425 (MBCP) + $500 exam fee
22. Global Information Assurance Certification (GIAC)
• Huge range of designation choices
• Two-tiered achievement -- (to solve ABD problem)
– Silver - completion of one exam administered in a proctored environment.
– Gold – Exam plus technical report (SANS Reading Room)
• Course-based certification process: certificate of achievement?
• Proctored exams using online testing portal – open book, not open Internet
• Elite Platinum GSE program requires significant testing and practicals
• Only 12 have this… equivalent rigor to PhD+ ??
• Governing Body: SANS – The SysAdmin, Audit, Network, Security Institute
• Experience Requirements: None
• Maintenance Requirements: Renewal every 2 years
• Code of Ethics: GIAC Code of Ethics
• Exam Format
– Two online exams, each 100 multiple-choice questions, 3 hours
• Cost: US $800
23. Global Information Assurance Certification (GIAC)
* From SANS website: http://www.giac.org/certifications/roadmap.php
24. Technical/Vendor Certifications
• Cisco Certified Internetwork Expert (CCIE)
– Gold Standard for network professionals
– Added Security Track in 2002
– Rigorous Testing/Plus Hands-on
• Red Hat Certified Engineer (RHCE)
– “Crown Jewel” of Linux examinations
– 3 extensive training programs.
– 1 hour exam followed by 6 hour Lab Exam
• Microsoft Certified Systems Engineer (MCSE)
– Over 600,000 MCSEs (sharp decline)
– 7 tests = 6 core, 1 elective
– 1-2 years recommended experience
27. Putting Certification into Perspective
• We distributed a survey to a broad group of Information Security professionals.
• We received 74 responses; of those who responded:
– 81% had at least one industry certification
– 60% held the CISSP
– 86% have been in IT for over 10 years
– 54% have been in InfoSec for over 6 years (30% 10+ years)
28. In the past 2 years, these certifications have gotten....
[Chart: survey respondents rated each certification on a scale of Weaker (2), Same (3), Stronger (4); the per-certification values are not recoverable from this page]
31. Lapsed Certifications
• Which Certifications have you let lapse?
– MCSE 53%
– GIAC 47%
– CCNA 33%
– SSCP 14%
– Security+ 7%
– CISSP 7%
• Of those who let certifications lapse, why?
– Certification no longer relevant 41%
– Change jobs/careers/fields 38%
– No interest 34%
– Cost of dues/maintenance fees too high 19%
– Unable to meet recertification requirements 9%
32. Interesting Blips in the Survey
• CISSP waning: 53% said CISSP same or declined
• CISM and CISSP-ISSMP sharply delineated (88%)
• (ISC)² says CISSP is a management degree
– Only 1/3 of survey respondents agreed
• Strong preference for certifications over education:
– Only 52% said that MS/ MBA/ PhD are valuable
– Only 4% indicated no preference for certified candidates
– 77% preferred to hire certified candidates
– 19% ** preferred to hire un-certified candidates (53% “meh”)
** 3 different questions. They add up to 100% as a fluke
33. Putting It All Together
• Certification is just one piece of the puzzle
• Certification should be part of a broader professional development plan
• This plan should include:
– Education
– Experience
– Technical Skills
– Soft Skills
– Leadership/Management
• Passion – what do you love?
34. Professional Development Plan
• Professional Goals
– Specific
– Measurable
– Achievable
– Relevant
– Time-bounded
• Adapted over time
35. Professional Development Plan
• Develop the plan with your manager or a mentor
• Align personal & career goals, department goals
• Work on soft skills as much as hard skills
• Think outside the box for soft skills:
– Coaching, mentoring, ISSA board, non-profit boards, Big Brother, college course, foreign language, start a business, white papers, Toastmasters, presenting at conferences, teaching a course in another language, tutoring academics, music tutoring, league referee, college courses
• Status reporting provides the link to compensation
36. Summary
• Include certification as a component of
comprehensive professional development
• Align development with long-term goals
• Work on soft skills as much as tech skills
• Research certifications – ask tough questions of the certification bodies
• Mix general, technical & security certs
• Come up with a professional development roadmap & don’t be afraid to adjust.
• Watch for trends, bellwether changes
38. Sources
• Portions of this presentation contain the trademark images of: ICCP, PMI, Cisco, Sun, RedHat, Microsoft, (ISC)², ISACA, ACFE, SANS, ASIS and DRII.
• Sources include primary research in the InfoSec and Audit community, Foote Partners, Information Security Magazine, searchSecurity.com, eWeek, Certification Magazine, Information Week, Security Certified, and countless interviews with peers.
Editor's Notes
Dan/Kevin Slide
On this slide we need to tell a story before we get into this. Use it as an introduction plus a way to earn credibility.
Time: 3 minutes
Dan talks to all of the acronyms next to his name.
I talk to my few acronyms, plus, as part of my job with RSA and as president of our ISSA chapter, I (Kevin) deal with certified, uncertified and certifiable people on a daily basis.
Can
Tell them what we are going to tell them (Preso 101)
Time: 30 Seconds
Here we want to discuss the fact that certifications do not tell the whole story for you as a professional. People need to be well rounded. How many people know professors who never worked in the real world, but want to tell you what the real world is like? You need to balance your professional development with experience, education, and occasional certification to have a third party validate a baseline of knowledge.
Time: 20 seconds
There is going to be a lot of detail on each of these slides. We don’t need to go through these in great detail. Just cover some highlights, but retain the data for reference purposes.
TH
Talk to each and discuss details of each of the certs
Talk to each and discuss details of each of the certs
http://www.certmag.com/articles/templates/CM_gen_Article_template.asp?articleid=2479&zoneid=224
By no means do we imply that by getting a specific cert you will get the salary. I think there is a chicken/egg thing going on here.
The purpose of this is to transition from the talk on Professional/Career Development and move into our discussion of certifications…
Want to put this in at the end, this wraps everything together and closes out the presentation…