What’s the best tool for solving a problem in your house?
There is no best tool for an undefined job. Nobody can rationally decide whether a hammer or a power drill is the “best tool” without specifying what job the tool is supposed to do. So it is with certifications.
In a conversation with a former graduate student recently, we were discussing precisely this question. The student, a U.S. Army veteran with a wide background in IT, was pleased with his MSIA degree but now wondering whether to hurry up and complete a Certified Information Systems Security Professional (CISSP) exam right away, wait until the graduation ceremony and exam in June, or take another certification such as the Certified Information Systems Auditor (CISA) or Certified Information Systems Manager (CISM). He was also considering Security+ certification.
Naturally, I responded to his questions with a preliminary, “Well, it depends” – the answer that gets academics in hot water with people (not my student) who insist on cut-and-dried, yes-no answers. I pointed out that there are lots of valuable certifications and lots of interesting career directions in security; the goal as we consider options is to find the intersection subset of useful certifications for interesting specializations in the field.
In my student’s case, he expressed interest in moving away from strictly technical, relatively low-level network-administration jobs into higher-level, security-management jobs. That information made it easy to point to the CISSP and the CISM as excellent career-enhancing certifications for him. He agreed with my comment that security auditing is a useful contribution to security management, so the CISA is valuable and appreciated by potential employers.
My student asked how he could best prepare for these exams. Would review guides or courses be useful? I responded that I’m skeptical about the long-term value of short cram-courses (for example, “three-day CISSP Prep”); however, longer courses, especially those that provide mentoring and discussion groups, can be useful to committed students. Review questions are useful as diagnostic tools; they can serve to warn a user that a section of the common body of knowledge for their certification exam is missing or unclear. Some exam guides have proven themselves over years to be of value and have now become textbooks in their own right. Shon Harris’ CISSP All-in-One Exam Guide is now in its Fifth Edition and has 1,216 pages – more than the Fourth Edition of the Computer Security Handbook (2002) from Wiley.
I admitted that I am completely biased, but I suggested that the Fifth Edition of the Computer Security Handbook (2009) makes an excellent review text for the CISSP and for the Information Systems Security Management Professional (ISSMP) concentration.
Finally, I mentioned to my student that online study groups can be helpful in preparing for certification exams. In addition to the restricted MSIA-related group we run for alumni of our program, there’s an excellent public site that has a wealth of resources and forums for anyone interested in posting questions and sharing knowledge in our field.