Question on IT Security Certifications & Career Planning
From time to time I get interesting or pertinent questions from clients, colleagues and readers. I like to post the answers on my blog because I think more people may have the same question.
Here is a question from a colleague:
Why would someone certify under CAP or CPP instead of SSCP or CISSP? Most network engineers would certify under CISSP, correct?
Each of the certifications covers a different set of skills and is made for different job positions. You should determine what job you want and build your resume for that dream job.
CISSP, SSCP and CAP are (ISC)2 certifications.
CISSP (Certified Information Systems Security Professional) is a certification for senior technical staff or security managers.
The SSCP (Systems Security Certified Practitioner) is a certification for hands-on technical staff.
The CAP (Certification and Accreditation Professional) is a specialty certification on the National Institute of Standards and Technology (NIST) security standards for certifying and accrediting federal systems, designed for management or for a NIST/FISMA consultant. (The Federal Information Security Management Act (FISMA) requires federal government agencies to implement information security programs that follow NIST standards.)
The CPP is a certification administered by ASIS International.
The CPP (Certified Protection Professional) is an executive management level certification that traditionally focused on physical security and has more recently added IT security topics. The CPP covers topics as broad as terrorism, retail theft prevention, executive protection, armored cars, workplace violence, safety and information security.
The federal government has come to rely on certifications as its primary way to gauge personnel skill levels.
The Department of Defense (DoD) really got the ball rolling on certifications by mandating certification for all staff involved in Information Assurance. DoD Directive 8570.1 maps each certification to either a technical or a managerial track and then to a level within that track. In addition there are specialty positions, such as auditor, that have no levels but still have required certifications. All DoD personnel in those positions, part-time or full-time, are required to hold the certifications by 2010 (70% by 2009).
Here is information on the DoD directive:
There is talk that certifications like CAP will be added in the near future. Perhaps it was not selected because it covers certification and accreditation too generally to fit the DoD's own process. However, it is a good fit for civilian federal agencies and for anyone else who wants to use NIST security standards, such as state, local and tribal governments, and private organizations too, since NIST standards can be adopted by anyone.
Some other federal agencies are using the DoD directive as a guideline for their own staff, which is a good idea. In the past hiring managers focused on degrees and experience. The problem with experience is verifying that a candidate's experience actually matches the needs of the position to be filled. This is where certifications come into play: a certification demonstrates that the holder has a particular body of knowledge or set of skills. In the end, you want to have both the experience and the ability to demonstrate it with relevant certifications.
Degrees are a one-time event and do not keep pace with current technology and practice. For example, is a computer science degree from 1980 relevant to today's systems? With technology changing so rapidly, any training you have is likely to become out of date; sometimes it is out of date before you have finished the training. The best bet is to combine a degree with continuing education.
There are 4 important qualities for a career in Information Technology or Information Assurance (IT Security).
1. A degree, mostly to get you past any hiring manager that places a high value on one.
2. Experience; the longer you have been in the field the better.
3. Certifications, as a means to verify your experience.
4. Continuing education, because this field changes rapidly and you have to keep up.
The more you have in each of these areas, the greater your advantage over your competition.
Donald E. Hester
CISSP, CISA, CAP, PSP, MCT, MCITP, MCSE Security, MCSA Security, MCTS, MCDST, Security+, CTT+, MV
Brought to you by Maze & Associates, a leading Northern California Accounting Firm specializing in Municipal & Nonprofit Audit, Tax for individuals and all types of entities, Information System Audits, Security Reviews, as well as PCI Scans and certified training. Maze & Associates is a PCI ASV - Approved Scanning Vendor.
RSS Subscription: http://feeds2.feedburner.com/learnsecurityblog
Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.