Which certifications matter most for those new to security

Which certifications matter most for those new to security

I like classes. If I could be a professional student, I would. I was a teacher, so book learning has great value to me as does learning in a classroom.

Take that for what it’s worth as it doesn't necessarily apply to the information security industry.

Certifications do matter, but an extensive list of certs with no hands-on learning to show that you can apply and utilize that knowledge won’t bode well in many interviews. Rather than have you take my word for it, I asked some of the industry leaders across different sectors which certifications they value most for those new to security and why.

[ PART 1: Why certificates matter, and which ones matter most | PART 3:
Beyond the basics: The certifications you need based on the path you choose ]

Jeff Schilling, CSO, Armor said, “It is always a red flag for me when I see a CV where a potential prospect has pages and pages of certifications listed, but no real work experience that leverage those certifications.”

The certifications that Schilling and other industry leaders look for and recommend for security newbs depend a lot of your specialized area. CompTIA Security+, CISSP, and CISM are industry standards regardless of the track you choose, and as you grow in your career, you will want to acquire more sector standard certifications.

Security+ covers the fundamentals ranging from network to cloud security. Widely recognized as a useful and important introduction to information security, "Security+ and Network+ certifications are good certifications to gain a core understanding of the networking and security. These certifications are not required, but help prioritize who to interview for Level 1 positions," said Tom Gorup, security operations leader, Rook Security.

It's worth noting, though, that not every leader in infosec agrees on which certifications have value. James Carder, CISO at LogRhythm said about Security+, "I have never really valued that certification. If you are brand new to the industry, I’d rather see a bachelors degree in computer science than anything else. Any certification after that just tells me that you have some initiative but I wouldn’t use the Security+ as a determining factor for the interview or job."

So what would Carder look for in a candidate?  “The Certified Information Systems Security Professional (CISSP) is probably the closest thing the information security industry has as a standard right now that most security professionals should get,” he said.

Carder isn’t alone. Schilling agreed that he likes to see a CISSP certification, which he considers not only a popular certification but a relevant one. “CISSP has a blend of both technical depth and security program development. It is a good security generalist certification I like to see in consultants and security sales leaders,” Schilling said.


On the other hand, holding only the CISSP could suggest inexperience, said Michael Angelo, chief security architect - CRISC, CISSP, Micro Focus.  

"While I see more people with this certification, they seem to have little experience. In particular, I see a lot of student / fresh graduates with this certification but do not see much in the way of practical application," Angelo said, though the National Initiative for Cybersecurity Education holds that CISSP is one of the leading certifications for information security. (ISC)2 also said, "In order to hold the CISSP certification you must have a minimum of five years of experience under your belt."

Just because you are new to security doesn’t mean you are necessarily starting at an entry-level position, so it's also important to have certifications that demonstrate learning and training across levels.

For those interested in management positions, you can start preparing for upward growth by earning the Certified Information Security Manager (CISM). Schilling noted, “CISM is more of an executive-level certification that addresses cyber risk models and organizational maturity models.”

“It is not as technical as the other security certifications, but the strategies, methodologies and frameworks learned in the certification process have served me well in the board room and in building a security team,” Schilling said.

I know I said I’d only be offering you the top three certification recommendations, but here’s an extra treat if for no other reason than to prove that narrowing down the list isn’t easy. I also don’t want to make anyone feel bad if they just passed their GIAC Security Essentials (GSEC) because it’s a completely respectable certification to have.

Jeramy Schmitt, vice president, Education & Enablement, BeyondTrust said, "It’s difficult to shortcut your way into passing the CISSP, GSEC and CISM tests, so there is confidence in knowing the individual has the experience and core competency in information security." 

Whether you are looking for entry-level positions, executive to senior management, or analyst positions there are a variety of certifications available that cover the basics of network security. What’s most important to think about with any certification is the value it brings in showcasing the skills you have gained through experience. Shy of having experience, the training does show a commitment to learn, which does speak to the type dedication you will bring to your work.  

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)