Security Certifications
Are They Worth the Investment?
and if so…,
Which One(s) are Right for You??
William Diederich
BS MS CISSP CISM CISA CRISC HCISPP FLMI ATP
President, CIO for You, LLC
whd@cioforyou.com
www.cioforyou.com
www.teksystems.com
Overview
• Formalities – Introduction (ok, let’s keep it short):
• 25+ years in IT, ….
• 15+ years as a CIO / CTO / CISO in Mid-Cap companies….
• Education:
• B.S. Management Engineering
• M.S. Management & Administration
• Certifications – CISSP, CISM, CISA, CRISC, HCISPP, FLMI, ATP
• What I’m going to cover
• What I’m not going to cover
• What you can hope to get out of this presentation
• What you should get out of this presentation!
• Most importantly - this presentation is meant to be educational,
enlightening and entertaining!
• Caveat Emptor – Your Mileage May Vary (YMMV) - And a disclaimer: I’m
not representing any Organization(s) offering Security Certifications….
Types of Certifications (overview)
• Business or Company Based (optional or required):
• … must successfully complete the “Security Manager Certification training course
(#12345) in order to qualify as an Enterprise Security Manager (ESM).”
• Vendor or Product Based:
• Cisco – CCNA Security
• Microsoft – MS Security Essentials (MTA / MCSE)
• Professional Certifications & Licenses (potentially required by Code, Statute,
Industry, etc.): PE / RN / ATP
• Industry Associations (both Non-Profit & For-Profit) in no particular order:
• ISSA – A not-for-profit, international organization of information security
professionals and practitioners
• ISACA – Incorporated in 1969, 140K professionals
• (ISC)² – Over 25 years of service in information security
• GIAC – Founded in 1999 to validate the skills of InfoSec professionals
• SANS – Established in 1989 now with more than 165,000 security professionals
around the world
• EC-Council – Supports and enhances the role of individuals and organizations
who design, create, manage or market Security and E-Business solutions
• CompTIA – CompTIA, a non-profit trade association, is the voice of the world’s
information technology (IT) industry
How tough can it be to successfully
complete a Security Certification?
It’s tough, but not as tough as learning to fly a Gulfstream
(and a lot less expensive); plus InfoSec jobs pay a lot more!
What are two of the fastest growing
professions today?….
• Aviation:
• Boeing predicts 558,000 pilots worldwide over the next 20 years,
including 95,000 in North America
• But we’re not here to talk about being a pilot…..
• Information Security, Cybersecurity and Information Assurance:
• Jobs and salaries in cybersecurity are booming
• Demand for information security professionals is growing
exponentially
• Cybersecurity skills shortage demands new workforce strategies
• IT careers: Security talent is red-hot | Computerworld
• 7 Startling Stats on the Cyber Security Skills Shortage
7 Startling Stats on the Cyber Security
Skills Shortage*
• 44 percent of organizations are short on staff with strong cyber security and
networking knowledge—ESG, “Network Security Trends in the Era of Cloud and
Mobile Computing”
• 35 percent of organizations are unable to fill open security jobs, despite the fact
that 82 percent expect to be attacked this year—ISACA and RSA, “State of
Cybersecurity: Implications for 2015”
• The demand for information security analysts will grow 37 percent from 2012-
2022—U.S. Bureau of Labor Statistics
• Between 2007 and 2013, postings for cyber security jobs rose 74 percent, more
than twice the rate of IT jobs as a whole—Burning Glass, “Job Market
Intelligence: Report on the Growth of Cybersecurity Jobs”
• The average senior security analyst in the US makes $103,226, more than double
the national average—Glassdoor.com
• 64 percent of high school students do not have access to computer science
classes that would help prepare them for a Cybersecurity career—Raytheon &
National Cyber Security Alliance, “Preparing Millennials to Lead in Cyber Space.”
• By 2017, there will be a shortage of 2 million cyber security jobs worldwide—
Digital Skills Committee
• *Swimlane - By Cody Cornel, July 30, 2015, Security Operations Weekly
Today’s Security Landscape
(in no particular order)
Types of Threats:
• Sabotage / Terrorism
• Espionage
• Revenge
• Blackmail
• Data Theft
• Services Theft
(Phone-fraud, File
Distribution, etc.)
Security Incidents:
• WikiLeaks / Snowden
• Tesla / Nissan Leaf
• Office of Personnel
Management
• Stuxnet
• Target / Anthem
• IOT attacks (many)
• Sony*
*Who saw the 60 Minutes “Sony Hack” Exposé?
Just in 2016 alone (to-date)!
• 48 Breaches have been made public in 2016 to date
• 282,360 Records (many breaches had ‘unknown’ loss of records)
• Examples include:
• The IRS……
• HCA / Hollywood Presbyterian / BCBS of California
• JB Autosports, Time Warner Cable, Kicky Pants, Inc.
• 896MM Records Breached From 4,790 Data Breaches Made Public
Since 2005* - Source: Privacy Rights Clearinghouse -
https://www.privacyrights.org/data-breach/new
How Important are Certification(s)?
• Certification, training, and experience are three of the top four most
important characteristics when selecting a candidate for more
advanced positions
• Certifications help establish both the professionalism and the
competence of an employee and can help differentiate the employee
from other candidates for a promotion or an opportunity
• Employees with certifications earn more - organizations reported that
certified staff members earn 15% more on average than staff without
certification
• More responsibility - organizations reported that certified IT staff
members are given more responsibility than noncertified staff members
and are sometimes given responsibility for managing and supervising
noncertified staff members
• More opportunities for advancement - Additional responsibilities
create more opportunities for advancement within organizations. In
addition, IT managers expressed a sense that earning certification
reflects an employee’s interest in career advancement.
15 Top-Paying Certifications for 2015*
Notable Trends:
• Six of the top 15 certifications pay $100,000 or more, nine are under $100,000
• Five are in security (1, 2, 3, 5, and 13)
• Two are in virtualization and cloud computing (8 and 14)
• Three are in business (4, 6, and 12), Three are in networking (7, 9, and 10)
1. Certified in Risk and Information Systems Control (CRISC): $119,227
2. Certified Information Security Manager (CISM): $118,348
3. Certified Information Systems Security Professional (CISSP): $110,603
4. Project Management Professional (PMP®): $109,405
5. Certified Information Systems Auditor (CISA): $106,181
6. Certified ScrumMaster: $101,729
7. Cisco Certified Design Associate (CCDA): $99,701
8. Citrix Certified Professional - Virtualization (CCP-V): $97,998
9. Cisco Certified Network Professional (CCNP): $97,038
10. Juniper Networks Certified Internet Associate - Junos: $96,734
11. Microsoft Certified Systems Engineer (MCSE): $96,198
12. ITIL v3 Foundation: $95,434
13. Certified Ethical Hacker (CEH): $95,155
14. VMware Certified Professional - VCP-DCV: $94,181
15. Certified Novell Engineer (CNE): $93,856
*2015 IT Skills and Salary Survey conducted by Global Knowledge in the fall of 2014
About the Author: John Hales, VCP, VCP-DT, VCAP-DCA, VCI, is a VMware instructor at Global Knowledge
15 Top-Paying Certifications for 2016*
Notable Trends:
• All but two of the top 15 certifications pay $100,000 or more
• Six are in security (2, 3, 4, 6, 10 and 13)
• Three are in virtualization and cloud computing (1, 12 and 15).
• Three are in business (5, 11 and 14), Three are in networking (7, 8 and 9)
*2016 IT Skills and Salary Survey conducted by Global Knowledge in the fall of 2015
About the Author: John Hales, VCP, VCP-DT, VCAP-DCA, VCI, is a VMware instructor at Global Knowledge
1. AWS Certified Solutions Architect - Associate: $125,871
2. Certified in Risk and Information Systems Control (CRISC): $122,954
3. Certified Information Security Manager (CISM): $122,291
4. Certified Information Systems Security Professional (CISSP): $121,923
5. Project Management Professional (PMP®): $116,094
6. Certified Information Systems Auditor (CISA): $113,320
7. Cisco Certified Internetwork Expert (CCIE): $112,858
8. Cisco Certified Network Associate (CCNA) Data Center: $107,045
9. Cisco Certified Design Professional (CCDP): $105,008
10. EC-Council - Certified Ethical Hacker (CEH): $103,297
11. Six Sigma Green Belt: $102,594
12. Citrix Certified Professional - Virtualization (CCP-V): $102,138
13. Cisco Certified Networking Professional (CCNP) Security: $101,414
14. ITIL® v3 Foundation: $99,869
15. VMware Certified Professional 5 - VCP5-DCV: $99,334
Article on IT Compensation from
CIO Magazine
Security
Data Security Analyst: $113,500 - $160,000 (+ 7.1%)
System Security Administrator: $105,500 - $149,500 (+ 6.1%)
Network Security Administrator: $103,250 - $147,000 (+ 5.3%)
Network Security Engineer: $110,250 - $152,750 (+ 6.7%)
Information Systems Security Manager: $129,750 - $182,000 (+ 6.2%)
Employer’s Perspective (CIO Magazine
IT Certification Hot List - 2015)*
• 65 percent of employers use IT certifications to differentiate between
other equally qualified candidates
• 72 percent of employers use IT certifications as a requirement for
certain job roles
• 60 percent of organizations often use IT certifications to confirm a
candidate's subject matter knowledge or expertise
• 66 percent of employers consider IT certifications to be very valuable -
- a dramatic increase from the 30 percent in 2011
*By Rich Hein, CIO | CIO Magazine Mar 3, 2015
CIO Magazine - IT certifications that
paid off the most in 2015*
*By Rich Hein, CIO | CIO Magazine Nov 16, 2015
Market Value Gains – InfoSec
Certifications (through 1/1/2016)
IT Certification Premium Pay
CIO Magazine
10 Highest-Paying IT Security Jobs*
*By Sharon Florentine, CIO | CIO Magazine Jun 9, 2015
Lead Software Security Engineer $233,333
Chief Security Officer $225,000
Global Information Security Director $200,000
Security Consultant $198,909
Chief Information Security Officer $192,500
Director Of Security $178,333
Cyber Security Lead $175,000
Lead Security Engineers $174,375
Cybersecurity Engineer $170,000
Application Security Manager $165,000
Indeed Sample of Required or Desired
Security Certifications in Job Postings
• Security certifications preferred / preference to candidates with a CISSP
• Security+ certification would be a plus
• CISSP, Security+, or relevant vendor security certifications
• Certification - One or more of the following: CISSP, IAM, IEM, SAN Certs
• Information security management qualifications such as CISSP or CISM
• Hold at least one certification, i.e.: CISSP, CEH, CSIH, CISM, CISA, GIAC...
• IT security certifications (CISSP, CISA, CISM) a plus (or preferred)
• Masters degree in Business, Computer Science, or equivalent work
experience; Security Certifications – CISSP, CISM
• Certifications in CISSP, CCSP, CCIE-Security, or CEH highly desirable
• CISSP required, CISM preferred, GISM or CCSP certification a plus
• Professional certification such as CISSP, CISM, CISA, CRISC, or other
security credentials, is preferred - Multiple listings (similar wording)
Reasons for Security Certifications
(Employee)
Employees benefit from professional certifications in several ways:
• Skills validated and acknowledged by an independent third party
• Differentiates individuals from others in the hiring process
• Facilitates the ability to command higher pay
• Helps individuals remain competitive and employable
• Enables job proficiency more quickly (getting up to speed)
• Shows dedication to the individual’s career
• Can enable an IT professional not currently in Information Security to
retool and potentially change to Information Security career paths
• Certifications necessitate staying current, continuously learning new skills,
and networking with peers while staying engaged in, and committed to,
the field of Information Security
Reasons for Security Certifications
(Employer)
Employers also benefit from professional certifications:
• Professional certification is a quality marker that helps an employer
gauge the effectiveness and qualifications of a potential hire
• Employers want their hires to stay current and continue to grow in their
profession
• They are a driver of continuing education and training
• Employers can use achievement of professional certification as a
requirement for advancement or pay increases as well
• Certified professionals with proven knowledge and competency will
contribute more to an organization
• Investing in Security training and certifications can increase employee
satisfaction and retention
What are not Good Reasons to get
Security Certifications?
• If Certifications are so great, why would a person not get a Security
Certification?
• There are many benefits, but here are some reasons not to:
• Assuming an expectation that the Certification will result in an
increase in one or more of these areas *:
• Compensation
• Responsibilities
• Marketability
• Job satisfaction
(*i.e. Have realistic expectations of the outcome)
• Just for the sake of having a Certification – there must be a purpose
• For any nefarious activities (most if not all associations have a
required code of conduct, passing the requirements may be difficult
or impossible with such an intent)
Choosing the Right One(s) for You?
It depends…….
• What are your career goals and objectives?
• What are you trying to accomplish with a Certification(s)?
• If it’s just about money – one could choose the one highest in demand
– but it should be more than that
• Do you have a roadmap that will help you achieve your short and
long-term career goals? – If not, plan one:
• Security Technical Expert (hands-on)
• Security Architect (hands-on)
• Risk and Compliance Expert (administrative role)
• Team Leader or Managerial (administrative role)
• Start with a certification within your wheelhouse rather than taking
the most challenging one available as your first certification
Are all Security Certifications Created
Equal?
This is a tricky question…
• A number of Security Certifications have only recently become
available riding the demand for Certified Security Professionals but
may not have the reputation of mature certifications
• Some require formal classroom training or highly encourage formal
training, or make it difficult to pursue self-study options
• And some are just downright extremely expensive
So….
• Stick with the more well known Organizations (mentioned during the
introduction) and their associated Security Certifications
• There’s always time down the road to complete the most demanding
certifications or dabble in more esoteric ones
Are Certifications Expensive?
• Certifications can range in cost from a few hundred dollars to many
thousands (particularly if formal classroom training is utilized)….
• Structured training expenses:
• Formal classroom training can cost up to $5,000 for a week
• Online training programs range from several hundred dollars up to
several thousand
• Self-study training expenses can include:
• Books, study guides, CBT’s, etc. from $200 to $1,000
• Exam-prep, test-question databases, etc. can add another $50-$200
• The exam itself is typically around $500 or more
• The actual application for Certification can add $50 to $100
• And, if you want the fancy wood engraved plaque, that’s an extra $99
• My rule of thumb: plan on $1000 per certification
How to Pay for a Security Certification?
• Self-funded including:
• Self-study, personally paying for exam and cost for the certification…
(hopefully a worst case scenario)
• May be necessary if you’re in a hurry
• At least it may be a tax deduction (YMMV)
• Partially Company Funded – many companies support this:
• Paying for study materials
• Or reimbursing for an exam after successfully passing it
• 100% Company Sponsored – obviously the best case scenario
(fortunately more companies are undertaking this commitment)
Certification Requirements
What it takes….
• Experience – Meeting minimum requirements (hours or years)
• Comprehensive Examination – Multiple choice (60 to 250 questions, 2
hours to 6 hours)
• Application for Certification including 3rd party verification of work
experience by someone attesting to your qualification for Certification
(ex. A manager or existing Certificate holder)
• Rigorous review of your application, and Association board approval
• Fees (Application & recurring Annual maintenance)
What if I don’t meet the
Requirements?
• There are entry level Certifications – such as the (ISC)² SSCP®
(Systems Security Certified Practitioner) or CompTIA Security+
• Some Certifications allow for a candidate to sit for an examination
and then to complete the experience requirements at a later date
(within an allowable, defined, period)
• There is no penalty for studying the materials even if you don’t sit for
the exam (though course materials typically change regularly -
annually or every couple of years)
• A vendor certification may make sense as these typically don’t have
defined experience requirements (such as an MCSE or CCNA)
Alternatives to Certification
• Experience, Experience, Experience….
• Company training programs (formal or informal)
• Join a local Security Chapter such as ISSA, ISACA, SMBA/(ISC)², OWASP,
etc. and attend meetings
• Reading – always a good idea and necessary to stay on top of a rapidly
evolving Security landscape
• Articles, White papers, Reports
• Books (including Cert Prep books even if you don’t intend to take the
certification)
• Podcasts, YouTube, Webcasts
• Vendor demos and presentations
• College Degrees: Undergraduate (Associate or Bachelors) or Graduate
(though Certifications are a lot less expensive, and perhaps better value)
• Did I happen to mention experience – “Advanced degrees and sound
technical certifications can help to establish professional credibility, but
there is no substitute for real-world experience.”*
*TECH CRUNCH NETWORK - The Horizon For Information Security Jobs
Preparing for a Certification
• Don’t kid yourself, it’s a significant investment (of time & potentially
money)
• Plan on at least 100 hours of study (doing 2 hours a week could mean
a year of study or more)
• Join a study group
• Lay out a schedule and stick to it
• You have to really want to complete the certification, you can’t just
think ‘it would be nice to have one….’
Sitting for a Certification
Do:
• Prepare as best as humanly possible
• Have a positive attitude (reinforced with preparation)
• Get plenty of rest the night before
• Show up early and be ready
• Pace yourself, it’s important to know how long you have for each
question
• Complete the exam and review your answers (time permitting)
Don’t:
• Second guess yourself or get stuck on questions
• Relate or compare test questions to your world, keep it theoretical
Results:
• Some tests score the exam immediately – so you know your results
• Others can take 5 to 8 weeks to get the results
Building Knowledge versus
Point of Diminishing Returns
• To some extent the course materials from one exam can facilitate passing
another – Example:
• ~100 hours of study for the ISACA CISM, passed first time
• Which helped prepare for the CISSP (and only ~60 hours of study)
• But too many certifications can potentially lower their value:
• There is such a thing as too many certifications - you don’t want to be
known as a Certification hound
• In fact, it may not be wise to display all your certifications, or at least
target the most applicable to whatever opportunity you’re seeking
• You may even let some outdated certifications lapse
• It might make more sense to pursue an advanced degree, such as a
Cybersecurity degree, rather than another Certification
• Keep in mind the cost of maintaining all the certifications can be
prohibitive (that is unless some reimbursement or subsidy is involved)
• It’s most important for people to be able to recognize you for your capabilities
• The right balance of Certifications (no more, no less) can do that….
Two Real-World Examples
• A personal case – why I got my certifications and
the results….
• A former employee successfully completed
several security certifications and landed the
Chief Information Security Officer job they
wanted (and a lot more money)!
In Summary: Are Security
Certifications Worth the Investment?
• Statistically – Absolutely (but don’t necessarily expect it):
• More (and better) opportunities
• Within your existing organization
• Or, on the other hand, if you do decide to make a move
• Higher Compensation
• More responsibility
• Personally – Yes
• A merit badge and achievement to be proud of
• Better understanding of the subject matter
• The ability to contribute more meaningfully
• A member of an elite group
• Honestly, if you’re not getting certifications in today’s world
you’re falling behind
Q & A
AND THANK YOU!
(also feel free to see me after the presentation or email me)
Appendix & References
References
• http://techcrunch.com/2015/06/07/the-horizon-for-information-security-jobs/
• https://www.informatica.com/resources.asset.0dc802365c118d1353aabd4f8f8ca4bc.pdf
• http://images.globalknowledge.com/wwwimages/pdfs/2015_SalaryReport.pdf?utm_medium=email&utm_source=email
• http://www.huschblackwell.com/~/media/files/businessinsights/businessinsights/2015/03/white%20paper%20data%20breach/whitepaper_databreachresponsereadiness.pdf
• http://www.csoonline.com/article/2953258/it-careers/cybersecurity-job-market-figures-2015-to-2019-indicate-severe-workforce-shortage.html
• http://www.globalknowledge.com/training/generic.asp?pageid=3855&country=United+States
• http://certmag.com/subscribe/
• http://www.tomsitpro.com/articles/information-security-certifications,2-205.html
• http://www.tomsitpro.com/articles/information-security-certifications,2-205-7.html
• http://www.sololearn.com/Blog/20/is-certification-important/
• http://blogs.cisco.com/security/forewarned-is-forearmed-announcing-the-2016-cisco-annual-security-report
• http://www.cio.com/article/2951115/certifications/8-most-in-demand-it-security-certifications.html
• http://www.itworld.com/article/2999370/careers/jobs-and-salaries-in-cybersecurity-are-booming.html

More Related Content

What's hot

Carolyn Engstrom - IT Data Analytics: Why the Cobbler's Children Have No Shoes
Carolyn Engstrom - IT Data Analytics: Why the Cobbler's Children Have No ShoesCarolyn Engstrom - IT Data Analytics: Why the Cobbler's Children Have No Shoes
Carolyn Engstrom - IT Data Analytics: Why the Cobbler's Children Have No Shoes
centralohioissa
 
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
centralohioissa
 
Brian Henger - Psychological Warfare: How Cyber Criminals Mess With Your Mind
Brian Henger - Psychological Warfare: How Cyber Criminals Mess With Your MindBrian Henger - Psychological Warfare: How Cyber Criminals Mess With Your Mind
Brian Henger - Psychological Warfare: How Cyber Criminals Mess With Your Mind
centralohioissa
 
Deral Heiland - Fail Now So I Don't Fail Later
Deral Heiland - Fail Now So I Don't Fail LaterDeral Heiland - Fail Now So I Don't Fail Later
Deral Heiland - Fail Now So I Don't Fail Later
centralohioissa
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended CutMike Spaulding
 
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
centralohioissa
 
Tre Smith - From Decision to Implementation: Who's On First?
Tre Smith - From Decision to Implementation: Who's On First?Tre Smith - From Decision to Implementation: Who's On First?
Tre Smith - From Decision to Implementation: Who's On First?
centralohioissa
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
PECB
 
Cyber Security in The Cloud
Cyber Security in The CloudCyber Security in The Cloud
Cyber Security in The Cloud
PECB
 
Energy Industry Organizational Strategies to Increase Cyber Resiliency
Energy Industry Organizational Strategies to Increase Cyber ResiliencyEnergy Industry Organizational Strategies to Increase Cyber Resiliency
Energy Industry Organizational Strategies to Increase Cyber Resiliency
EnergySec
 
Cybersecurity solution-guide
Cybersecurity solution-guideCybersecurity solution-guide
Cybersecurity solution-guide
AdilsonSuende
 
Scrubbing Your Active Directory Squeaky Clean
Scrubbing Your Active Directory Squeaky CleanScrubbing Your Active Directory Squeaky Clean
Scrubbing Your Active Directory Squeaky Clean
NetIQ
 
How Training and Consulting Companies Can Position CISSP, CISM and CRISC
How Training and Consulting Companies Can Position CISSP, CISM and CRISCHow Training and Consulting Companies Can Position CISSP, CISM and CRISC
How Training and Consulting Companies Can Position CISSP, CISM and CRISC
ITpreneurs
 
CISO's first 100 days
CISO's first 100 daysCISO's first 100 days
CISO's first 100 days
MichaelSadeghiPhDABD
 
Aicpa tech+panel presentation t6 managing risks and security 2014 v3
Aicpa tech+panel presentation t6 managing risks and security 2014 v3Aicpa tech+panel presentation t6 managing risks and security 2014 v3
Aicpa tech+panel presentation t6 managing risks and security 2014 v3Doeren Mayhew
 
Total Digital Security Introduction 4.2
Total Digital Security Introduction 4.2Total Digital Security Introduction 4.2
Total Digital Security Introduction 4.2
Brad Deflin
 
How to Build a Successful Cybersecurity Program?
How to Build a Successful Cybersecurity Program?How to Build a Successful Cybersecurity Program?
How to Build a Successful Cybersecurity Program?
PECB
 
Advanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective ResponsesAdvanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective Responses
NetIQ
 
The Real Costs of SIEM vs. Managed Security Service
The Real Costs of SIEM vs. Managed Security ServiceThe Real Costs of SIEM vs. Managed Security Service
The Real Costs of SIEM vs. Managed Security Service
F-Secure Corporation
 
MT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in CybersecurityMT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in Cybersecurity
Dell EMC World
 

What's hot (20)

Carolyn Engstrom - IT Data Analytics: Why the Cobbler's Children Have No Shoes
Carolyn Engstrom - IT Data Analytics: Why the Cobbler's Children Have No ShoesCarolyn Engstrom - IT Data Analytics: Why the Cobbler's Children Have No Shoes
Carolyn Engstrom - IT Data Analytics: Why the Cobbler's Children Have No Shoes
 
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
 
Brian Henger - Psychological Warfare: How Cyber Criminals Mess With Your Mind
Brian Henger - Psychological Warfare: How Cyber Criminals Mess With Your MindBrian Henger - Psychological Warfare: How Cyber Criminals Mess With Your Mind
Brian Henger - Psychological Warfare: How Cyber Criminals Mess With Your Mind
 
Deral Heiland - Fail Now So I Don't Fail Later
Deral Heiland - Fail Now So I Don't Fail LaterDeral Heiland - Fail Now So I Don't Fail Later
Deral Heiland - Fail Now So I Don't Fail Later
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
 
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
 
Tre Smith - From Decision to Implementation: Who's On First?
Tre Smith - From Decision to Implementation: Who's On First?Tre Smith - From Decision to Implementation: Who's On First?
Tre Smith - From Decision to Implementation: Who's On First?
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
 
Cyber Security in The Cloud
Cyber Security in The CloudCyber Security in The Cloud
Cyber Security in The Cloud
 
Energy Industry Organizational Strategies to Increase Cyber Resiliency
Energy Industry Organizational Strategies to Increase Cyber ResiliencyEnergy Industry Organizational Strategies to Increase Cyber Resiliency
Energy Industry Organizational Strategies to Increase Cyber Resiliency
 
Cybersecurity solution-guide
Cybersecurity solution-guideCybersecurity solution-guide
Cybersecurity solution-guide
 
Scrubbing Your Active Directory Squeaky Clean
Scrubbing Your Active Directory Squeaky CleanScrubbing Your Active Directory Squeaky Clean
Scrubbing Your Active Directory Squeaky Clean
 
How Training and Consulting Companies Can Position CISSP, CISM and CRISC
How Training and Consulting Companies Can Position CISSP, CISM and CRISCHow Training and Consulting Companies Can Position CISSP, CISM and CRISC
How Training and Consulting Companies Can Position CISSP, CISM and CRISC
 
CISO's first 100 days
CISO's first 100 daysCISO's first 100 days
CISO's first 100 days
 
Aicpa tech+panel presentation t6 managing risks and security 2014 v3
Aicpa tech+panel presentation t6 managing risks and security 2014 v3Aicpa tech+panel presentation t6 managing risks and security 2014 v3
Aicpa tech+panel presentation t6 managing risks and security 2014 v3
 
Total Digital Security Introduction 4.2
Total Digital Security Introduction 4.2Total Digital Security Introduction 4.2
Total Digital Security Introduction 4.2
 
How to Build a Successful Cybersecurity Program?
How to Build a Successful Cybersecurity Program?How to Build a Successful Cybersecurity Program?
How to Build a Successful Cybersecurity Program?
 
Advanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective ResponsesAdvanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective Responses
 
The Real Costs of SIEM vs. Managed Security Service
The Real Costs of SIEM vs. Managed Security ServiceThe Real Costs of SIEM vs. Managed Security Service
The Real Costs of SIEM vs. Managed Security Service
 
MT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in CybersecurityMT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in Cybersecurity
 

William Diederich - Security Certifications: Are They Worth the Investment? And if so...Which One(s) are Right for You?

  • 1. Are They Worth the Investment? and if so…, Which One(s) are Right for You??
    William Diederich
    BS MS CISSP CISM CISA CRISC HCISPP FLMI ATP
    President, CIO for You, LLC
    whd@cioforyou.com
    www.cioforyou.com
    www.teksystems.com
    Security Certifications
  • 2. Overview
    • Formalities – Introduction (ok, let’s keep it short):
    • 25+ years in IT, ….
    • 15+ years as a CIO / CTO / CISO in Mid-Cap companies….
    • Education:
    • B.S. Management Engineering
    • M.S. Management & Administration
    • Certifications – CISSP, CISM, CISA, CRISC, HCISPP, FLMI, ATP
    • What I’m going to cover
    • What I’m not going to cover
    • What you can hope to get out of this presentation
    • What you should get out of this presentation!
    • Most importantly - this presentation is meant to be educational, enlightening and entertaining!
    • Caveat Emptor – Your Mileage May Vary (YMMV) - And a disclaimer: I’m not representing any Organization(s) offering Security Certifications….
  • 3. Types of Certifications (overview)
    • Business or Company Based (optional or required):
    • … must successfully complete the “Security Manager Certification training course (#12345) in order to qualify as an Enterprise Security Manager (ESM).”
    • Vendor or Product Based:
    • Cisco – CCNA Security
    • Microsoft – MS Security Essentials (MTA / MSCE)
    • Professional Certifications & Licenses (potentially required by Code, Statute, Industry, etc.): PE / RN / ATP
    • Industry Associations (both Non-Profit & For-Profit) in no particular order:
    • ISSA – A not-for-profit, international organization of information security professionals and practitioners
    • ISACA – Incorporated in 1969, 140K professionals
    • (ISC)² – Over 25 years of service in information security
    • GIAC – Founded in 1999 to validate the skills of InfoSec professionals
    • SANS – Established in 1989, now with more than 165,000 security professionals around the world
    • EC-Council – Supports and enhances the role of individuals and organizations who design, create, manage or market Security and E-Business solutions
    • CompTIA – CompTIA, a non-profit trade association, is the voice of the world’s information technology (IT) industry
  • 4. How tough can it be to successfully complete a Security Certification?
    It’s tough, but not as tough as learning to fly a Gulfstream (and a lot less expensive); plus InfoSec jobs pay a lot more!
  • 5. What are two of the fastest growing professions today?….
    • Aviation:
    • Boeing predicts 558,000 pilots worldwide over the next 20 years, including 95,000 in North America
    • But we’re not here to talk about being a pilot…..
    • Information Security, Cybersecurity and Information Assurance:
    • Jobs and salaries in cybersecurity are booming
    • Demand for information security professionals is growing exponentially
    • Cybersecurity skills shortage demands new workforce strategies
    • IT careers: Security talent is red-hot | Computerworld
    • 7 Startling Stats on the Cyber Security Skills Shortage
  • 6. 7 Startling Stats on the Cyber Security Skills Shortage* • 44 percent of organizations are short on staff with strong cyber security and networking knowledge—ESG, “Network Security Trends in the Era of Cloud and Mobile Computing” • 35 percent of organizations are unable to fill open security jobs, despite the fact that 82 percent expect to be attacked this year—ISACA and RSA, “State of Cybersecurity: Implications for 2015” • The demand for information security analysts will grow 37 percent from 2012-2022—U.S. Bureau of Labor Statistics • Between 2007 and 2013, postings for cyber security jobs rose 74 percent, more than twice the rate of IT jobs as a whole—Burning Glass, “Job Market Intelligence: Report on the Growth of Cybersecurity Jobs” • The average senior security analyst in the US makes $103,226, more than double the national average—Glassdoor.com • 64 percent of high school students do not have access to computer science classes that would help prepare them for a Cybersecurity career—Raytheon & National Cyber Security Alliance, “Preparing Millennials to Lead in Cyber Space.” • By 2017, there will be a shortage of 2 million cyber security jobs worldwide—Digital Skills Committee • *Swimlane - By Cody Cornell, July 30, 2015, Security Operations Weekly
  • 7. Today’s Security Landscape (in no particular order) Types of Threats: • Sabotage / Terrorism • Espionage • Revenge • Blackmail • Data Theft • Services Theft (Phone-fraud, File Distribution, etc.) Security Incidents: • WikiLeaks / Snowden • Tesla / Nissan Leaf • Office of Personnel Management • Stuxnet • Target / Anthem • IOT attacks (many) • Sony* *Who saw the 60 Minutes “Sony Hack” Exposé?
  • 8. Just in 2016 alone (to-date)! • 48 Breaches have been made public in 2016 to date • 282,360 Records (many breaches had ‘unknown’ loss of records) • Examples include: • The IRS…… • HCA / Hollywood Presbyterian / BCBS of California • JB Autosports, Time Warner Cable, Kicky Pants, Inc. • 896MM Records Breached From 4,790 Data Breaches Made Public Since 2005* - Source: Privacy Rights Clearinghouse - https://www.privacyrights.org/data-breach/new
  • 9. How Important are Certification(s)? • Certification, training, and experience are three of the top four most important characteristics when selecting a candidate for more advanced positions • Certifications help establish both the professionalism and the competence of an employee and can help differentiate the employee from other candidates for a promotion or an opportunity • Employees with certifications earn more - organizations reported that certified staff members earn 15% more on average than staff without certification • More responsibility - organizations reported that certified IT staff members are given more responsibility than noncertified staff members and are sometimes given responsibility for managing and supervising noncertified staff members • More opportunities for advancement - Additional responsibilities create more opportunities for advancement within organizations. In addition, IT managers expressed a sense that earning certification reflects an employee’s interest in career advancement.
  • 10. 15 Top-Paying Certifications for 2015*
    Notable Trends:
    • Six of the top 15 certifications pay $100,000 or more, nine are under $100,000
    • Five are in security (1, 2, 3, 5, and 13)
    • Two are in virtualization and cloud computing (8 and 14)
    • Three are in business (4, 6, and 12), Three are in networking (7, 9, and 10)
    1. Certified in Risk and Information Systems Control (CRISC) – $119,227
    2. Certified Information Security Manager (CISM) – $118,348
    3. Certified Information Systems Security Professional (CISSP) – $110,603
    4. Project Management Professional (PMP®) – $109,405
    5. Certified Information Systems Auditor (CISA) – $106,181
    6. Certified ScrumMaster – $101,729
    7. Cisco Certified Design Associate (CCDA) – $99,701
    8. Citrix Certified Professional - Virtualization (CCP-V) – $97,998
    9. Cisco Certified Network Professional (CCNP) – $97,038
    10. Juniper Networks Certified Internet Associate - Junos – $96,734
    11. Microsoft Certified Systems Engineer (MCSE) – $96,198
    12. ITIL v3 Foundation – $95,434
    13. Certified Ethical Hacker (CEH) – $95,155
    14. VMware Certified Professional - VCP-DCV – $94,181
    15. Certified Novell Engineer (CNE) – $93,856
    *2015 IT Skills and Salary Survey conducted by Global Knowledge in the fall of 2014
    About the Author: John Hales, VCP, VCP-DT, VCAP-DCA, VCI, is a VMware instructor at Global Knowledge
  • 11. 15 Top-Paying Certifications for 2016*
    Notable Trends:
    • All but two of the top 15 certifications pay $100,000 or more
    • Six are in security (2, 3, 4, 6, 10 and 13)
    • Three are in virtualization and cloud computing (1, 12 and 15).
    • Three are in business (5, 11 and 14), Three are in networking (7, 8 and 9)
    1. AWS Certified Solutions Architect - Associate – $125,871
    2. Certified in Risk and Information Systems Control (CRISC) – $122,954
    3. Certified Information Security Manager (CISM) – $122,291
    4. Certified Information Systems Security Professional (CISSP) – $121,923
    5. Project Management Professional (PMP®) – $116,094
    6. Certified Information Systems Auditor (CISA) – $113,320
    7. Cisco Certified Internetwork Expert (CCIE) – $112,858
    8. Cisco Certified Network Associate (CCNA) Data Center – $107,045
    9. Cisco Certified Design Professional (CCDP) – $105,008
    10. EC-Council - Certified Ethical Hacker (CEH) – $103,297
    11. Six Sigma Green Belt – $102,594
    12. Citrix Certified Professional - Virtualization (CCP-V) – $102,138
    13. Cisco Certified Networking Professional (CCNP) Security – $101,414
    14. ITIL® v3 Foundation – $99,869
    15. VMware Certified Professional 5 - VCP5-DCV – $99,334
    *2016 IT Skills and Salary Survey conducted by Global Knowledge in the fall of 2015
    About the Author: John Hales, VCP, VCP-DT, VCAP-DCA, VCI, is a VMware instructor at Global Knowledge
  • 12. Article on IT Compensation from CIO Magazine
    Security
    • Data Security Analyst: $113,500 - $160,000 (+ 7.1%)
    • System Security Administrator: $105,500 - $149,500 (+ 6.1%)
    • Network Security Administrator: $103,250 - $147,000 (+ 5.3%)
    • Network Security Engineer: $110,250 - $152,750 (+ 6.7%)
    • Information Systems Security Manager: $129,750 - $182,000 (+ 6.2%)
  • 13. Employer’s Perspective (CIO Magazine IT Certification Hot List - 2015)* • 65 percent of employers use IT certifications to differentiate between other equally qualified candidates • 72 percent of employers use IT certifications as a requirement for certain job roles • 60 percent of organizations often use IT certifications to confirm a candidate's subject matter knowledge or expertise • 66 percent of employers consider IT certifications to be very valuable - a dramatic increase from the 30 percent in 2011 *By Rich Hein, CIO | CIO Magazine Mar 3, 2015
  • 14. CIO Magazine - IT certifications that paid off the most in 2015* *By Rich Hein, CIO | CIO Magazine Nov 16, 2015
  • 15. Market Value Gains – InfoSec Certifications (through 1/1/2016)
  • 17. CIO Magazine 10 Highest-Paying IT Security Jobs*
    • Lead Software Security Engineer – $233,333
    • Chief Security Officer – $225,000
    • Global Information Security Director – $200,000
    • Security Consultant – $198,909
    • Chief Information Security Officer – $192,500
    • Director Of Security – $178,333
    • Cyber Security Lead – $175,000
    • Lead Security Engineers – $174,375
    • Cybersecurity Engineer – $170,000
    • Application Security Manager – $165,000
    *By Sharon Florentine, CIO | CIO Magazine Jun 9, 2015
  • 18. Indeed Sample of Required or Desired Security Certifications in Job Postings • Security certifications preferred / preference to candidates with a CISSP • Security+ certification would be a plus • CISSP, Security+, or relevant vendor security certifications • Certification - One or more of the following: CISSP, IAM, IEM, SAN Certs • Information security management qualifications such as CISSP or CISM • Hold at least one certification, i.e.: CISSP, CEH, CSIH, CISM, CISA, GIAC... • IT security certifications (CISSP, CISA, CISM) a plus (or preferred) • Masters degree in Business, Computer Science, or equivalent work experience; Security Certifications – CISSP, CISM • Certifications in CISSP, CCSP, CCIE-Security, or CEH highly desirable • CISSP required, CISM preferred, GISM or CCSP certification a plus • Professional certification such as CISSP, CISM, CISA, CRISC, or other security credentials, is preferred - Multiple listings (similar wording)
  • 19. Reasons for Security Certifications (Employee) Employees benefit from professional certifications in several ways: • Skills validated and acknowledged by an independent third party • Differentiates individuals from others in the hiring process • Facilitates the ability to command higher pay • Helps individuals remain competitive and employable • Enables job proficiency more quickly (getting up to speed) • Shows dedication to the individual’s career • Can enable an IT professional not currently in Information Security to retool and potentially change to Information Security career paths • Certifications necessitate staying current, continuously learning new skills, and networking with peers while staying engaged in, and committed to, the field of Information Security
  • 20. Reasons for Security Certifications (Employer) Employers also benefit from professional certifications: • Professional certification is a quality marker that helps an employer gauge the effectiveness and qualifications of a potential hire • Employers want their hires to stay current and continue to grow in their profession • They are a driver of continuing education and training • Employers can use achievement of professional certification as a requirement for advancement or pay increases as well • Certified professionals with proven knowledge and competency will contribute more to an organization • Investing in Security training and certifications can increase employee satisfaction and retention
  • 21. What are not Good Reasons to get Security Certifications? • If Certifications are so great, why would a person not get a Security Certification? • There are many benefits, but here are some reasons not to: • Assuming an expectation that the Certification will result in an increase in one or more of these areas *: • Compensation • Responsibilities • Marketability • Job satisfaction (*i.e. Have realistic expectations of the outcome) • Just for the sake of having a Certification – there must be a purpose • For any nefarious activities (most if not all associations have a required code of conduct, passing the requirements may be difficult or impossible with such an intent)
  • 22. Choosing the Right One(s) for You? It depends……. • What are your career goals and objectives? • What are you trying to accomplish with a Certification(s)? • If it’s just about money – one could choose the one highest in demand – but it should be more than that • Do you have a roadmap that will help you achieve your short and long-term career goals? – If not, plan one: • Security Technical Expert (hands-on) • Security Architect (hands-on) • Risk and Compliance Expert (administrative role) • Team Leader or Managerial (administrative role) • Start with a certification within your wheelhouse rather than taking the most challenging one available as your first certification
  • 23. Are all Security Certifications Created Equal? This is a tricky question… • A number of Security Certifications have only recently become available riding the demand for Certified Security Professionals but may not have the reputation of mature certifications • Some require formal classroom training or highly encourage formal training, or make it difficult to pursue self-study options • And some are just downright extremely expensive So…. • Stick with the more well known Organizations (mentioned during the introduction) and their associated Security Certifications • There’s always time down the road to complete the most demanding certifications or dabble in more esoteric ones
  • 24. Are Certifications Expensive? • Certifications can range in cost from a few hundred dollars to many thousands (particularly if formal classroom training is utilized)…. • Structured training expenses: • Formal classroom training can cost up to $5,000 for a week • Online training programs range from several hundred dollars up to several thousand • Self-study training expenses can include: • Books, study guides, CBTs, etc. from $200 to $1,000 • Exam-prep, test-question databases, etc. can add another $50-$200 • The exam itself is typically around $500 or more • The actual application for Certification can add $50 to $100 • And, if you want the fancy wood engraved plaque, that’s an extra $99 • My rule of thumb: plan on $1000 per certification
  • 25. How to Pay for a Security Certification? • Self-funded including: • Self-study, personally paying for exam and cost for the certification… (hopefully a worst case scenario) • May be necessary if you’re in a hurry • At least it may be a tax deduction (YMMV) • Partially Company Funded – many companies support this: • Paying for study materials • Or reimbursing for an exam after successfully passing it • 100% Company Sponsored – obviously the best case scenario (fortunately more companies are undertaking this commitment)
  • 26. Certification Requirements What it takes…. • Experience – Meeting minimum requirements (hours or years) • Comprehensive Examination – Multiple choice (60 to 250 questions, 2 hours to 6 hours) • Application for Certification including 3rd party verification of work experience by someone attesting to your qualification for Certification (ex. A manager or existing Certificate holder) • Rigorous review of your application, and Association board approval • Fees (Application & recurring Annual maintenance)
  • 27. What if I don’t meet the Requirements? • There are entry level Certifications – such as the (ISC)² SSCP® (Systems Security Certified Practitioner) or CompTIA Security+ • Some Certifications allow for a candidate to sit for an examination and then to complete the experience requirements at a later date (within an allowable, defined, period) • There is no penalty for studying the materials even if you don’t sit for the exam (though course materials typically change regularly - annually or every couple of years) • A vendor certification may make sense as these typically don’t have defined experience requirements (such as an MCSE or CCNA)
  • 28. Alternatives to Certification • Experience, Experience, Experience…. • Company training programs (formal or informal) • Join a local Security Chapter such as ISSA, ISACA, SMBA/(ISC)², OWASP, etc. and attend meetings • Reading – always a good idea and necessary to stay on top of a rapidly evolving Security landscape • Articles, White papers, Reports • Books (including Cert Prep books even if you don’t intend to take the certification) • Podcasts, YouTube, Webcasts • Vendor demos and presentations • College Degrees: Undergraduate (Associate or Bachelor’s) or Graduate (though Certifications are a lot less expensive, and perhaps better value) • Did I happen to mention experience – “Advanced degrees and sound technical certifications can help to establish professional credibility, but there is no substitute for real-world experience.”* *TECH CRUNCH NETWORK - The Horizon For Information Security Jobs
  • 29. Preparing for a Certification • Don’t kid yourself, it’s a significant investment (of time & potentially money) • Plan on at least 100 hours of study (doing 2 hours a week could mean a year of study or more) • Join a study group • Lay out a schedule and stick to it • You have to really want to complete the certification, you can’t just think ‘it would be nice to have one….’
  • 30. Sitting for a Certification Do: • Prepare as best as humanly possible • Have a positive attitude (reinforced with preparation) • Get plenty of rest the night before • Show up early and be ready • Pace yourself, it’s important to know how long you have for each question • Complete the exam and review your answers (time permitting) Don’t: • Second guess yourself or get stuck on questions • Relate or compare test questions to your world, keep it theoretical Results: • Some tests score the exam immediately – so you know your results • Others can take 5 to 8 weeks to get the results
  • 31. Building Knowledge versus Point of Diminishing Returns • To some extent the course materials from one exam can facilitate passing another – Example: • ~100 hours of study for the ISACA CISM, passed first time • Which helped prepare for the CISSP (and only ~60 hours of study) • But too many certifications can potentially lower their value: • There is such a thing as too many certifications - you don’t want to be known as a Certification hound • In fact, it may not be wise to display all your certifications, or at least target the most applicable to whatever opportunity you’re seeking • You may even let some outdated certifications lapse • It might make more sense to pursue an advanced degree, such as a Cybersecurity degree, rather than another Certification • Keep in mind the cost of maintaining all the certifications can be prohibitive (that is unless some reimbursement or subsidy is involved) • It’s most important for people to be able to recognize you for your capabilities • The right balance of Certifications (no more, no less) can do that….
  • 32. Two Real-World Examples • A personal case – why I got my certifications and the results…. • A former employee successfully completed several security certifications and landed the Chief Information Security Officer job they wanted (and a lot more money)!
  • 33. In Summary: Are Security Certifications Worth the Investment? • Statistically – Absolutely (but don’t necessarily expect it): • More (and better) opportunities • Within your existing organization • Or, on the other hand, if you do decide to make a move • Higher Compensation • More responsibility • Personally – Yes • A merit badge and achievement to be proud of • Better understanding of the subject matter • The ability to contribute more meaningfully • A member of an elite group • Honestly, if you’re not getting certifications in today’s world you’re falling behind
  • 34. Q & A AND THANK YOU! (also feel free to see me after the presentation or email me)
  • 37. References
    • http://techcrunch.com/2015/06/07/the-horizon-for-information-security-jobs/
    • https://www.informatica.com/resources.asset.0dc802365c118d1353aabd4f8f8ca4bc.pdf
    • http://images.globalknowledge.com/wwwimages/pdfs/2015_SalaryReport.pdf?utm_medium=email&utm_source=email
    • http://www.huschblackwell.com/~/media/files/businessinsights/businessinsights/2015/03/white%20paper%20data%20breach/whitepaper_databreachresponsereadiness.pdf
    • http://www.csoonline.com/article/2953258/it-careers/cybersecurity-job-market-figures-2015-to-2019-indicate-severe-workforce-shortage.html
    • http://www.globalknowledge.com/training/generic.asp?pageid=3855&country=United+States
    • http://certmag.com/subscribe/
    • http://www.tomsitpro.com/articles/information-security-certifications,2-205.html
    • http://www.tomsitpro.com/articles/information-security-certifications,2-205-7.html
    • http://www.sololearn.com/Blog/20/is-certification-important/
    • http://images.globalknowledge.com/wwwimages/pdfs/2015_SalaryReport.pdf?utm_medium=email&utm_source=email
    • http://blogs.cisco.com/security/forewarned-is-forearmed-announcing-the-2016-cisco-annual-security-report
    • http://www.cio.com/article/2951115/certifications/8-most-in-demand-it-security-certifications.html
    • http://www.itworld.com/article/2999370/careers/jobs-and-salaries-in-cybersecurity-are-booming.html