IT Career JumpStart:

CISSP

Oct 30 2009   3:21PM GMT

ISC-Squared Finally Begins Move Away from Pencil&Paper Testing



Posted by: Ed Tittel
ISC-squared signs deal with Prometric VUE, CISSP, SSCP, CSSLP, ISC-squared exams to switch to computer-based format

It’s funny how information sometimes shows itself to those who care to look for it. Now with over 60,000 CISSPs certified world-wide, and with surely two or three times that many professionals across all of its half-dozen certifications, I’ve always found it interesting that the (ISC)2 (pronounced “Eye-Ess-See squared”) continues to require its certification candidates to show up at physical testing centers on specific dates to take proctored exams using old-fashioned mark-sense forms with a pencil, instead of making a deal with Prometric or Pearson VUE to start doing cert exams the way all the other big programs do them–by computer download to a graphics test engine at an affiliated testing center. This opens the doors to many more exam takers, and will surely lead to a further increase in the size of their certified population.

The International Information Systems Security Certification Consortium logo


In a press release entitled “Pearson Vue and (ISC)2 Sign Exclusive Contract to Deliver Computer-Based Information Security Exams Worldwide” two very interesting nuggets of information present themselves for consideration. First, the two organizations will work together to release an exam at Prometric VUE testing centers “sometime in 2010.” Second, (ISC)2 will begin “…phasing in its other credential exams over the next three years,” with the first exam up being the Certified Secure Software Lifecycle Professional (CSSLP).

Presumably that means by the end of 2012, the CISSP and the SSCP will also be available in computer-based format at a nearby Prometric VUE testing center. Congratulations to the (ISC)2, and welcome to the 1990s. It’s about time!

Jun 6 2009   5:29PM GMT

ISC-squared Creates a Software Lifecycle Credential



Posted by: Ed Tittel
IT careers, IT career planning, Information Security, IT certification, ISC-squared, CISSP, CSSLP

Ask any security-savvy software developer how best to make code secure, and he or she will quickly tell you something like “To make code secure, you must design it to be secure, then test the heck out of it to make sure the implementation lives up to that design goal.” And in fact, a growing body of knowledge in the software development community focuses on design tools and techniques to help make sure that what gets built is indeed as secure as possible, augmented by a growing number of automated tests designed to check such work from the security perspective.

This is a very good thing. No less a security eminence than Bruce Schneier believes that security testing is not only important, but also something that must be part and parcel of the development process starting from initial design all the way through post-release maintenance and updates, throughout the entire software lifecycle as it were. For some fascinating reading on this and just about any other security topic that might interest you, check out his blog “Schneier on Security” for some eye-opening and thought-provoking material.

The new credential is called the Certified Secure Software Lifecycle Professional (CSSLP) and aims to bring better knowledge and tools to bear on software design, development, and maintenance. These primary subject areas figure into the CSSLP:

  • Secure Software Concepts: security implications that touch on software development
  • Secure Software Requirements: representing security needs and concerns during the requirements gathering phase of development
  • Secure Software Design: translating security requirements into application design elements and specifications
  • Secure Software Implementation/Coding: unit testing for security functionality and resistance to attack, developing secure code, including incident-handling and mitigation techniques
  • Secure Software Testing: QA testing that integrates tests for security functionality and resistance to attack
  • Software Acceptance: Security analysis and investigation during software acceptance
  • Software Deployment, Operations, Maintenance, and Disposal: ensuring security during steady state operations and when managing software

Anybody who’s familiar with the software lifecycle model for development will recognize that this new cert simply integrates security throughout its current phases and activities. This is a great way to make common sense and a growing body of thought and expertise more explicit and better recognized. If you’re a developer with a security bent, this could be just as potent a credential for coders as the CISSP is for system and network administrators and “security policy wonks.” Check it out on the CSSLP Home page.


May 4 2009   3:27PM GMT

Erik Eckel Opines on “10 Best IT Certifications”



Posted by: Ed Tittel
IT career planning, IT certification, continuing education, adult education, MCTS, MCITP, Security+, A+, Network+, CCNA, CCIE, MCSA, MCSE, CISSP, PMP

In digging through some Microsoft PR materials recently, I came across mention of a Top 10 IT certification list that Erik Eckel put together for TechRepublic, later reprinted by big-time training company Global Knowledge. Though it’s dated December 12, 2008, it still provides some interesting information for consideration, and some fodder for ongoing debate. I’m not quite sure that I fully understand his selection criteria, which he describes as follows: “While this list may not include the 10 best accreditations for you, it does catalog 10 IT certifications that possess significant value for a wide range of technology professionals.”

Here’s his list as ranked at TechRepublic in straight numerical order:

  1. MCITP (Microsoft Certified IT Professional), with specific mention of database developer, database administrator, enterprise messaging administrator, and server administrator
  2. MCTS (Microsoft Certified Technology Specialist), with specific mention of SQL Server business intelligence, database creation, or SQL server administration
  3. CompTIA Security+, with an observation that “security continues to be a critical topic”
  4. MCPD (Microsoft Certified Professional Developer) with specific mention of the Windows Developer 3.5, ASP.NET Developer 3.5, and Enterprise Applications Developer 3.5 tracks
  5. CCNA (Cisco Certified Network Associate), with an emphasis on increasing dependence on remote access technologies, even at smaller companies
  6. CompTIA A+, with an emphasis on “proven support expertise” in the areas of desktop installation, problem diagnosis, preventive maintenance, and computer/network troubleshooting.
  7. PMP (Project Management Professional) with an emphasis on “job skills and knowledge required to plan, execute, budget, and lead a technology project”
  8. MCSE/MCSA (Microsoft Certified System Engineer/Administrator) represent Microsoft’s previous take on basic admin (MCTS) and professional (MCITP) certs, and enjoy amazing certification population numbers–as Eckel observes “…these certifications tend to indicate holders that have been working within the technology field for a long time.”
  9. CISSP (Certified Information Systems Security Professional) receives mention for “…building a respected, vendor-neutral security certification,” that’s also accredited by ANSI.
  10. CompTIA Linux+ gets a nod because “…the open source alternative is an important platform…”

Given these choices, it’s no wonder that Microsoft is promoting this list: they’ve garnered 4 out of 10 (really 5 out of 11) choices therein. CompTIA might also take cheer from the inclusion of Network+, Security+, and A+ (of which Network+ and A+ are by far its most popular credentials). And certainly, all the other elements in the list–CCNA, PMP, and CISSP–are immensely popular and highly sought-after credentials as well.

Though Eckel’s selection criteria and methods aren’t entirely clear, this blog makes me wish that CertCities.com would revive its Top 10 lists, which used to be an interesting marker between one year and the next for IT professionals. At least their list came from a survey of thousands of active IT participants, and could in some sense be argued as representative of collective interests. Funny how those lists of yore don’t differ too much from Eckel’s list, either.

I wouldn’t have any arguments with this list, in fact, if it used the word “Popular” instead of “Best” to describe its constituents, because there’s almost no argument about any of these on a pure numbers basis. But the definition of best is one that’s fraught with peril, and certainly subject to lots of differing interpretations. While he does give the CCIE passing mention in his CCNA item, I’d be inclined to put it in any Top 10 Best I were to put together, and I’d be more inclined to pick rather more senior-level credentials than entry-level ones like the CompTIA items, MCTS, and CCNA. But that’s my “best” interpretation showing. What’s yours?


Feb 11 2009   3:12PM GMT

Prepping for CISSP? Check out CCCure.org



Posted by: Ed Tittel
IT certification, Career development, continuing education, adult education, infosec certification, CISSP, ISC-squared, Clement Dupuis

As I started working on one of our more successful books–it’s now in a fourth edition, and continues to generate modest but steady earnings–I first stumbled across French-Canadian Clement Dupuis’ outstanding CCCure.org Web site. For those prepping for the CISSP exam, this site is a real treasure trove of information, including all kinds of useful study tips and advice on how best to prepare for the exam, as well as beaucoups content and pointers to still more content to help candidates learn the subject matter necessary from each of the exam’s many categories/topic areas in the body of knowledge that they must master.

You’ll also find pointers to relevant training and tutorials, exam quizzes to help you hone your study skills, and even a nice collection of book reviews of CISSP study guides–including, thankfully, a good review of the aforementioned CISSP Study Guide to which James Michael Stewart, Mike Chapple, and I all contributed. But the best aspect of this resource has to be the on-site forums. Here, you can learn an awful lot by reading over postings from others with CISSP-related questions, and the answers that some incredible security luminaries regularly provide in response. If you need answers to your own questions, please do your homework and search existing threads first before posting here, then be prepared to wait 2-3-sometimes-even-4 days to get a reply. You won’t be sorry.

Of course, I should also mention that Clement Dupuis is no slouch in the security department: he’s a well-known instructor, researcher, and consultant in this area. He’s also now teaching for Shon Harris’ San Antonio-based training company, Logical Security, where he regularly rubs shoulders with other security experts as well.

If you need to add an excellent on-line resource to your study arsenal for the CISSP exam, CCCure.org is it. You’ll also find some coverage of the ISACA CISA and CISM exams here, too, but I haven’t explored it sufficiently enough to give it the same ringing endorsement I so happily give to the CISSP coverage–though I’m pretty sure I would do likewise were I to dig into it more deeply.


Dec 5 2008   4:32PM GMT

Need a guide to infosec certs? Check out this (our) survey!



Posted by: Ed Tittel
Security, IT careers, CISSP, Security+, CISA, SSCP, IT certification, Career planning, GSEC, SCNP, GSLC, GISF

One continuing bright spot in the IT specialization/employment world is information security. More and more companies and organizations are devoting personnel to this area, and more and more IT professionals are finding it worthwhile to obtain or demonstrate expertise in information security subjects, tools, and technologies. But with hundreds of options to choose from, what’s a savvy IT person to do when it comes to narrowing her or his selections? Why, consult our survey at SearchSecurity.com, of course!

Every year, my partner in grime, Kim Lindros, and I compile a survey of all the certification programs we can find in the area of information security. It’s called the “SearchSecurity.com guide to information security certifications” and covers 71 vendor-neutral and 36 vendor-specific credentials. It also includes analyses of these various offerings, and identifies the most popular and/or useful credentials across the various categories used to break the surveys up into manageable chunks.

Putting this survey together each year is a big job, and requires an enormous amount of checking (for existing certs, which come and go with amazing frequency) and surfing (to find new infosec certs, which pop up like mushrooms after the rain). As you look this material over, please e-mail me [mailto:etittel at techtarget dot com] or post here if you can point me at any credentials we’ve somehow managed to miss. There are so many of them, I’m sure we missed at least one or two. We’ll be updating this survey again in Q109 so I hope to hear from you on this score sooner, rather than later.

Thanks a bunch in advance for your help and support with this project. Those pondering infosec certs will also surely find it useful (our lowest reader ranking for any of this survey’s many parts is 4.68 out of 5.00, so I know we must be doing OK).

–Ed–


Sep 15 2008   3:03PM GMT

DoD Directive 8570 and the OMB Follow-up



Posted by: Ed Tittel
Security, IT careers, CISSP, Network+, A+, Security+, CISA, SSCP, IT certification, GSEC, SCNP, SCNA, GSLC, GISF

Back in 2005, the US Department of Defense, aka DoD, issued Directive 8570 entitled “Information Assurance Workforce Improvement Program.” In a nutshell, this document states workforce responsibilities and requirements for personnel tasked with “information assurance,” a locution that means more or less the same thing as “information security” outside military circles.

There’s a lot of interesting information in this document, but what many readers of this blog will find most interesting is a list of accepted and mandated infosec certifications required for technical and management level workers in this technical niche. Because many of these items come from the SANS GIAC program (all of which start with the letter “G” in the lists that follow), you’ll find a nice summary of this information on their Web site.

Here is the way things break down at a very high level.

Technical Track
Level 1: A+, Network+, ISC2 SSCP
Level 2: GSEC, Security+, SCNP, SSCP
Level 3: GSE, CISSP, SCNA, CISA

Management Track
Level 1: GSLC, GISF
Level 2: GSLC, CISSP, CISM
Level 3: GSLC, CISSP, CISM

What’s interesting about this list is that nearly all of these certifications are well-recognized outside the DoD, and that many of them have considerable cachet on the current job market as well. What’s even more interesting is this recent story at CertCities.com, which indicates that the Office of Management and Budget (OMB) is working on a similar set of requirements for professional certification for IT workers in civilian agencies inside the US Government (and hence also, any contractors that do business with same).

This certainly creates rampant opportunities for individuals who hold one or more of these credentials, and makes the already-valuable CISSP, CISA, CISM, and SANS GIAC certs into a sort of “gold standard” for doing infosec business with the feds.

Need I say more, to those looking for more and better ways to feather their nests?


Aug 13 2008   3:00PM GMT

Why Entry-Level Certs Aren’t Enough to Get You a Job



Posted by: Ed Tittel
IT careers, CISSP, MCP, Security+, IT certification, SAP consulting certification, Career planning, Work background

Pick a popular entry-level IT certification, I don’t care which one: MCP (Microsoft single-exam credential, Microsoft Certified Professional), any major CompTIA cert (A+, Network+, Security+,…), CCNA (Cisco Certified Network Associate), and so forth. For each of these items, and others I don’t mention as well, I often find myself involved in answering questions that might be summarized as “Let’s assume I earn the . What kind of job will that get me?”

Before I respond to this question, let me make some observations about IT jobs in the civilized world:
1. Right now, it’s an employer’s market. That means employers currently enjoy the upper hand over prospective job candidates, in the sense that there are more candidates looking for jobs than there are jobs looking for candidates. This goes double for entry-level jobs.
2. IT Certification, especially at the entry level, has become a “checkbox item” for individuals, rather than a “differentiator.” In simpler language, this means employers often expect candidates to hold certain certifications, and find those expectations met rather more often than not, rather than being able to pick outstanding candidates on the basis of whether or not they hold certain certifications. Again, this goes double for entry-level jobs, especially now that so many associate’s and bachelor’s degree programs include certification opportunities or requirements along with the rest of their degree plans.
3. Employers want people with degrees, certifications, AND experience. Anyone who’s lacking in any of these areas is automatically a less attractive job candidate. Paradoxically, the experience criterion even applies to entry-level positions, where a lack of experience is not supposed to matter, but often does matter a lot.

How should aspiring and active IT professionals look at entry-level certs in this light? My answer: “Purely as stepping stones. Treat any other additional benefits as pure gravy, and expect nothing from these credentials.” Entry-level certs have always been designed to certify minimal skills, knowledge, and competence and that’s really how employers treat them nowadays. Gone are the go-go days of the late 90s and early part of this century when any certification looked like a sure ticket to a good job, or a key ingredient for hopping from a current position to a new one.

OK, it’s still the case that certain certs–such as the CISSP, CCIE, SAP Consulting, and so forth–are indeed enough to make the difference between landing a job and missing out on an offer. But entry-level certs appear nowhere in this list, nor are they likely to make this grade any time soon, barring a radical and global economic upturn.

Does this mean that entry-level certs have no value, or that you can skip them? The answer to both of these queries is “No,” and both ultimately point to where the value of entry-level certs really comes from–namely, what kinds of things they entitle you to learn and earn next. Hence the term “stepping stone.” Unless you plan to climb to the next rung in a multi-step program that treats a particular cert as a pre-requisite or that satisfies certain component requirements, it may not be worth spending the time, effort, and money needed to acquire one.

‘Nuff said.

–Ed–