
CISSP Study Guide Reviewed

Posted by on January 7, 2016.

I’ve always been a bit cynical when it comes to professional IT qualifications.  They have their values, for sure, but you need to be sure that the certification you’re studying for, or recruiting against, isn’t merely a marketing ploy by a vendor.  Sure, you can be pretty confident that someone with a Microsoft or Cisco qualification knows their stuff, but never forget that such schemes also help the vendors too.  If they’re done right, they create loyalty and lock-in among techies, who are then dissuaded from changing their allegiances.

Perhaps the most obvious example is the Microsoft MVP, or Most Valued Professional.  You don’t get to be an MVP by studying hard or passing an exam.  MVP status is awarded by Microsoft to anyone who goes out of their way to help users with their Microsoft-related issues.  This could be as a result of speaking at professional conferences, posting in online forums, and so on.  And your award only lasts for a year, so you need to keep up the good work if you want to remain on Microsoft’s list.  Now I happen to know a lot of MVPs, and without exception they’re experts in their field, but one has to question who gains the most out of all this.

In the field of IT security there are, of course, a number of professional qualifications.  One of the best-known is the Certified Information Systems Security Professional or CISSP.  At present there are around 110,000 CISSPs in the world.  Gaining and maintaining the qualification is neither cheap, fast nor easy.  You need to have worked in the field for a number of years, you need to pass a 6-hour exam, you need to be recommended to the institution by an existing CISSP, and you need to renew your qualification every 3 years.

Passing the exam requires you to know what’s called the CBK, or the Common Body of Knowledge.  If you can spare a week and a thousand pounds or so, you can take a course.  Or for £40 or so, there are many books which aim to teach the CBK.  Sybex publishes what in my experience is the best one, which is currently in its 7th edition and runs to around 1100 pages in addition to the extra practice exams and other material which you can access online.  Don’t bother picking up cut-price copies of older editions, by the way, as the CBK was restructured back in April.

The Sybex book, and the CBK, encompass pretty much everything you need to know in order to be an IT security pro: everything from risk analysis, hiring and firing security staff, the theory of data encryption, the intricacies of the TCP/IP protocol, and everything in between.  Be prepared to set aside many weeks to plough through it in detail.  And despite what you read in various forums, from people who suggest you get the Kindle version to make searching easier, take my advice and get the paper one.  You can then scribble your notes all over it.  It makes studying much easier, and the physical act of scribbling or highlighting improves the actual process of learning.

As to whether I’m fully convinced that the CISSP program exists purely for the benefit of IT security pros, rather than a business in its own right, the jury is still out.  But the CBK is a hugely useful resource and the CISSP Official Study Guide does a superb job of bringing it all together in a form that’s easy to understand.  If I was hiring a security professional and they had a piece of paper which proved that they knew most of what was in that book, it would certainly count in their favour.  So even if you don’t intend to take the exam, consider buying the book.  Whatever your level of experience, you’ll learn a lot.

If you still have some Christmas gift vouchers left over, head to and spend some of them.


Submitted in: Robert Schifreen, Uncategorized |