Get Certified?

Jan. 27, 2009
The real deal with Information Security training and certification

As of late, there has been a lot of hype surrounding information security training and certification. I think a lot of it is marketing brawn compensating for the dwindling respect many employers have of security certifications. Perhaps it is because there are just too many training and certification choices muddying the waters. Maybe it is the temporary lull in the market we are experiencing.
On the other hand, IT practitioners and those looking to make career changes are stirring the pot as well. The field of information security is as hot as ever and the trade magazine publishers, conference promoters and training vendors are wisely capitalizing on this. A down economy is, after all, typically a great time for career changes. Many of those staying the course in IT and information security are also seeing this as a good opportunity to boost their skills to get to the next level.

But what is the real deal with information security training and certification? Is furthering your education something you need to have on your radar? What are the payoffs of training and certification? What are the downsides that no one talks about? Well, as with anything, there are three sides to every story: yours, theirs and the truth. This topic deserves a look at all three.

First off, information security training and certification is a personal issue. Whether or not you need to get more training or a certificate for your wall is a choice you will have to make depending on your specific circumstances. You can actually gain clarity on this very issue if you simply step back and ask yourself: “How is my current situation working for me?” If not being certified or taking the latest and greatest set of classes is not that big of a deal for you or your employer, then it may not pay to pursue them. If, on the other hand, you are a career changer or in a competitive market where you really need to stand out above the rest, then focusing on some solid training and obtaining a good certification may be just what you need.

There is no shame in pursuing training and certification as long as you have the time and resources to make it happen. Just do not make the mistake of taking every class and getting every certification possible. One or two classes in areas of information security you think you need help could do wonders. Maybe a course in ethical hacking or project management is just what you need. Likewise, one or two certifications specific to the type of security work you want to focus on is more than adequate. This may be ISC2’s CISSP (the most popular and widely-accepted IT security certification), the SANS GIAC, or even the PMP or ITIL v3 certifications. What’s your employer looking for? What are hiring companies demanding? Look around and it will become clear what you need to focus on.
Do not overlook the fact that training and certification do not always have to go hand-in-hand. Some training classes can still be beneficial even if you do not intend to get certified. Training classes and conference sessions not only offer a nice mental break away from the office, but they also give you the opportunity to network with others and hear things from other people’s perspectives. As hard as it is for those of us in IT to believe, there are other valid opinions outside of our own.

The important thing is to find a good balance of training and certification. Take classes and get certified to suit you in your current job and future career goals within reason.
Ensure the time, effort and resources you and your employer will put into it make good sense for you both. Once you achieve the appropriate levels of information security training and certification, do not apply them in a negative way. Many people use training and certifications as a sense of entitlement. Simply having attended a one-week course or the placement of an acronym or two behind one’s name will not all of a sudden command respect from everyone. If we all stopped worrying about what people call us and instead put that energy towards improving ourselves and doing higher-quality work, everyone would benefit. Simple things like reading an extra article or two on a security or business topic that interests you each day and listening to one or two new audio programs each month will do wonders.

As you ponder where you want to go and what you need to do, be wary of the marketing machine. It is a powerful beast that can take you in, hold you tight, and make you do crazy things — often things that do not benefit anyone but the marketers themselves. Instead of believing everything you hear and read about information security training and certifications, take a step back and look at it from a common-sense approach and determine if it is something you need. Use your own judgment. I have always been a big advocate of self-training and self-education. Hands-on experience is undoubtedly the best way to learn and add value to your knowledgebase and career. That said, continuing education and certifications most certainly have their place. You do not want to overdo it, but you also do not want to be one of the many IT curmudgeons set in his ways believing he knows all he needs to know to get by. Again, a good balance is key.

Having written all I have about training and certifications, the best thing you can do is to look at yourself in the mirror for ways you can stand out above the noise in your career. How is your mindset? Are you positive about your job? Do you feel comfortable in the personal choices you are making to better yourself? Are you using your time wisely day in and day out? When all is said and done, how far you take your career is determined by the type of person you are and how you think — not by how many classes you have taken and what letters come after your name on your business card.
Henry Ford once said: “Whether you think you can or you think you can’t, you’re right.” Make sure you keep your thoughts on the right side of your mind to stay positive. Think about who and what you want to become because you will indeed become what you think about most of the time.

Kevin Beaver is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC where he specializes in performing independent information security assessments. He has authored/co-authored seven books on information security including “Hacking for Dummies” and “Hacking Wireless Networks for Dummies” (Wiley). He is also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. He can be reached at [email protected].