Earning Other Certifications

In business and technology, no one’s career stays in one place. You’re continuously growing and changing, and ever-changing technology also influences organizations and your role within them.

You shouldn’t consider your quest for certifications finished when you earn your CISSP — even if it is the highest-level information security certification out there! Security is a journey, and your CISSP certification isn’t the end goal, but a milestone along the way.

Other (ISC)² certifications

(ISC)² has several other certifications, including some that you may aspire to earn after (or instead of) receiving your CISSP. These certifications are

CSSLP (Certified Secure Software Lifecycle Professional): A certification that was introduced in 2009. Designed for software development professionals, the CSSLP recognizes software development in which security is a part of the software requirements, design, and testing — so that the finished product has security designed in and built in, rather than added on afterwards.

JGISP (Japanese Government Information Security Professional): A country-specific certification that validates a professional’s knowledge, skills, and experience related to Japanese government regulations and standards.

CAP (Certification and Accreditation Professional): Jointly developed by the U.S. Department of State’s Office of Information Assurance and (ISC)², the CAP credential reflects the skills required to assess risk and establish security requirements for complex systems and environments.

CISSP concentrations

(ISC)² has developed follow-on certifications (think accessories) that accompany your CISSP. (ISC)² calls these certifications concentrations because they represent the three areas you may choose to specialize in:

ISSAP (Information Systems Security Architecture Professional): Suited for technical systems security architects

ISSEP (Information Systems Security Engineering Professional): Demonstrates competence for security engineers

ISSMP (Information Systems Security Management Professional): About security management (of course!)

All the concentrations require that you first be a CISSP in good standing, and each has its own exam. Read about these concentrations and their exams on the (ISC)² website.

Non-(ISC)² certifications

Organizations other than (ISC)² have security-related certifications, one or more of which may be right for you. None of these certifications directly compete with CISSP, but some of them do overlap with CISSP somewhat.

Non-technical/non-vendor certifications

There are many other certifications available that are not tied to specific hardware or software vendors. Some of the better ones include

CISA (Certified Information Systems Auditor): Consider this certification if you work as an internal auditor or your organization is subject to one or more security regulations, such as Sarbanes-Oxley, HIPAA, GLBA, PCI, and so on. The Information Systems Audit and Control Association and Foundation (ISACA) manages this certification. Find out more about CISA at www.isaca.org/cisa.

CISM (Certified Information Security Manager): Similar to (ISC)²’s Information Systems Security Management Professional (ISSMP) certification (which we talk about in the section “CISSP concentrations,” earlier in this chapter), you may want the CISM certification if you’re in security management. Like CISA, ISACA manages this certification. Read more about it at www.isaca.org/cism.

CRISC (Certified in Risk and Information Systems Control): This is a relatively new certification that concentrates on organizational risk management. Learn more at www.isaca.org/crisc.

CGEIT (Certified in the Governance of Enterprise IT): Look into this certification if you want to demonstrate your skills and knowledge in the areas of IT management and governance. Effective security in an IT organization definitely depends on governance, which involves the management and control of resources to meet long-term objectives. You can find out more about CGEIT at www.isaca.org/cgeit.

CPP (Certified Protection Professional): Primarily a security management certification, CPP is managed by ASIS International, at www.asisonline.org/certification. The CPP certification designates individuals who have demonstrated competency in all areas constituting security management.

PSP (Physical Security Professional): ASIS International also offers this certification, which caters to those professionals whose primary responsibility focuses on threat surveys and the design of integrated security systems. Read more at www.asisonline.org/certification.

CIPP (Certified Information Privacy Professional): The International Association of Privacy Professionals has this and other country-specific privacy certifications for security professionals with knowledge and experience in personal data protection. Find out more at www.privacyassociation.org.

C|CISO (Certified Chief Information Security Officer): This certification demonstrates the skills and knowledge required for the typical CISO position. Learn more at www.eccouncil.org.

CBCP (Certified Business Continuity Planner): A business continuity planning certification offered by the Disaster Recovery Institute. You can find out more at www.drii.org.

DRCE (Disaster Recovery Certified Expert): This certification is a recognition of knowledge and experience in disaster recovery planning. For more information visit www.bcm-institute.org/bcmi10/drce.

PMP (Project Management Professional): A good project manager — someone you can trust with organizing resources and schedules — is a wonderful thing, especially on large projects. The Project Management Institute, at www.pmi.org, offers this certification.

GIAC (Global Information Assurance Certification): The GIAC family of certifications includes categories in Audit, Management, Operations, and Security Administration. Among the GIAC non-vendor-specific certifications that complement CISSP are the GIAC Certified Forensics Analyst (GCFA) and the GIAC Certified Incident Handler (GCIH). Find more information at www.giac.org/certifications. Several vendor-related GIAC certifications are also mentioned in the next section.

Technical/vendor certifications

We won’t even pretend to list all the technical and vendor certifications here. But these are some of the well-known vendor-related security certifications:

CCSP (Cisco Certified Security Professional) and CCIE (Cisco Certified Internetworking Expert) Security: Cisco also offers several product-related certifications for specific products, including PIX firewalls and intrusion prevention systems. Find out more at www.cisco.com/certifications.

Check Point Security Administration certifications: You can earn certifications related to Check Point’s firewall and other security products. Visit www.checkpoint.com/certification.

MCSA (Microsoft Certified Solutions Associate): Security and MCSE (Microsoft Certified Solutions Expert): Security: These are two specializations for the Microsoft Certified Systems Administrator and Microsoft Certified Systems Engineer certifications from Microsoft. Read more at www.microsoft.com/certification.

C|EH (Certified Ethical Hacker): We know, we know. A contradiction in terms to some, real business value for others. Read carefully before signing. Offered by the International Council of E-Commerce Consultants (EC-Council). You can find out more at www.eccouncil.org.

E|NSA (Network Security Administrator): Also from EC-Council, this is the certification that recognizes the defensive view — as opposed to the offensive view of C|EH. You can learn more at https://cert.eccouncil.org/certification/certificate-categories/ensa-2.

L|PT (Licensed Penetration Tester): Another certification from EC-Council, this takes penetration testing to a higher level than C|EH. Learn more at https://cert.eccouncil.org/certification/certificate-categories/licensed-penetration-tester-lpt.

C|HFI (Certified Hacking Forensics Investigator): Also from EC-Council, this certification recognizes the skills and knowledge of a forensic expert who can detect computer crime and gather forensic evidence. Find out more at https://cert.eccouncil.org/certification/certificate-categories/computer-hacking-forensic-investigator-chfi.

CSFA (CyberSecurity Forensic Analyst): This certification demonstrates the knowledge and skills for conducting computer forensic examinations. Part of the certification exam is an actual forensics assignment in the lab. Check out www.cybersecurityforensicanalyst.com for more.

RHCSS (Red Hat Certified Security Specialist): This certification demonstrates advanced skills and knowledge for securing the Red Hat distribution of the Linux operating system. You can find out more at www.redhat.com/certification/rhcss.

Security+: A security competency certification for PC techs and the like. We consider this an entry-level certification that may not be for you, but you may well advise your aspiring colleagues who want to get into information security that this certification is a good place to start. You can find out more at certification.comptia.org.

Security|5: Like Security+, this is an entry-level security competency certification for anyone interested in learning computer networking and security basics. Find out more at www.eccouncil.org. Go to Courses ⇒ Entry Level Certifications.

You can find many other security certifications out there. Use your favorite search engine and search for phrases such as “security certification” to find information.

Choosing the right certifications

Regularly, technology and security professionals ask us which certifications they should earn next. Our answer is almost always the same: Your decision depends on where you are now and where you want your career to go. You can’t find a single “right” certification for everyone — determining which certification you should seek is a very individual thing.

When considering other certifications, ask yourself the following questions:

Where am I in my career right now? Are you more focused on technology, policy, operations, development, or management?

Where do I want my career to go in the future? If (for example) you’re stuck in operations but you want to be focusing on policy, let that goal be your guide.

What qualifications for certifications do I possess right now? Some people tackle certifications based on the skills they already possess, and they use those newly earned certifications to climb the career ladder.

What do I need to do in my career to earn more qualifications? You need to consider not only what certifications you may be qualified to earn right now, but also what experience you must develop in order to earn future certifications.

If you’re honest with yourself, answering these questions should help you discern what certifications are right for you. We recommend that you take time every few years to do some long-term career planning; most people will find that the answers to the questions we’ve listed here will change.

You might even find that one or more of the certifications you have no longer reflect your career direction. If so, give yourself permission to let those certifications lapse. No sense hanging on to old certifications that no longer exhibit (or help you attain) your career objectives. Each of us has done this at least once, and we may again someday.

Remember: Most nontechnical certifications require you to prove that you already possess the required job experience in order to earn them. People make this common mistake: They want to earn a certification in order to land a particular kind of job. But that’s not the purpose of a certification. Instead, a certification is evidence that you already possess both knowledge and experience.
