The Curious CISO
4 min read | May 9, 2021

Certifications in InfoSec — An army veteran’s corporate transition perspective!

I spent 20 years in the Army in technology leadership positions with a wide variety of roles and responsibilities. When I decided to transition out of the Army, I realized that I needed to translate my skills and knowledge into something tangible to land me a job in the corporate sector. So the most logical way was to look up job descriptions of the various roles I was aspiring for. Though I had the knowledge and skills for the job, I did not possess the certifications required for the roles. Therefore, as part of my transition, I did two certifications — CISM from ISACA and CISSP from ISC2. I will share what I gained from these and how they helped me in my transition to a corporate career.

I believe that to get a job you aspire for, you need three things:

  1. Knowledge and Skills — Knowledge of the area in which you intend to work, and the skills to apply that knowledge to real-life situations and the various problems you would encounter in that job.
  2. Qualifications — Degrees, certificates and relevant courses which show that you know the domain well and clear the basic HR filter.
  3. Networking — Networking with a varied set of people in the industry is essential to get your foot in the door for a job interview, and also helps you succeed in your job once you are in it.

In this blog we will talk about qualifications — degrees and certifications which may be required for the job role you are aspiring for. In my case, I was aspiring for a CISO or CISO-minus role where I could lead InfoSec for an organization. For a CISO role you need to have a broad knowledge of all the key domains of cyber security, and also the soft skills to build and drive an InfoSec program to protect an organization from cyber threats. At this level there are a few cyber certifications which can help you demonstrate that you possess the domain knowledge for this role.

CISSP (Certified Information Systems Security Professional) is the gold standard for cyber security certifications and requires a minimum of 5 years of experience in InfoSec. It covers all the domains of cyber security without going deep into any domain or testing your technical knowledge practically. I self-studied for this exam for three months using the CISSP study guide and the CISSP reference guide, and passed it on the first attempt. So what is my take on this certification?

Pros

  1. Good, wide, all-round coverage.
  2. Forces you to study areas which you may never have studied or applied in real life.
  3. Listed in all the JDs for senior InfoSec positions.

Cons

  1. No check on practical application or knowledge.
  2. The content can be easily crammed and learnt just for the purpose of the exam.

Recommendation

  1. Ensure you clear Security+ first before attempting CISSP.
  2. Do not attempt it before 10 years of work experience.
  3. Supplement it with practical learning in a few domains.
  4. Do attend a physical or online training from a good trainer to get a good perspective on the various domains and their practical challenges.

Overall, a good certification to get, but not too early in your career, as you would end up having theoretical knowledge without the practical experience needed in the field. As we get more and more specialised in the cyber security field, this would be my only recommendation for a vendor-neutral certification after Security+.

The second certification which I acquired was CISM (Certified Information Security Manager) from ISACA. This is meant for InfoSec managers and gives a well-rounded view from a GRC (Governance, Risk and Compliance) perspective. Unfortunately, the content and the exam are both very theoretical. Unless you have very deep practical experience in the GRC domain of information security, it is difficult to understand the concepts from the CISM study guide. The ISACA study guide is very esoteric and difficult to comprehend. I did clear the exam on my first attempt, but I do not think it helped me much in my work or my job hunt.

My views on the certification

Pros

  1. A good overview of the GRC domain of cyber security.
  2. It does show up in various JDs for senior roles, but is not a deal clincher.

Cons

  1. The content and exam are very theoretical and abstract.
  2. You will not learn anything which you can apply practically in your job.
  3. The same knowledge can be better learnt from various GRC and IT risk management online courses and books.

Bottom line: I do not recommend this certification at all, as it is too abstract and not very well connected to real-life practical risk management, governance and compliance. Unfortunately, ISACA does not help its case by making the study guide very theoretical and abstract as well. After this I shelved my plans to do other ISACA certifications like CRISC and CGEIT. My suggestion for all those who are interested in these areas is to learn them from various online courses or good books and skip the certifications.

One certification which I did not acquire but studied for was Security+ from CompTIA. I like CompTIA’s approach to enhancing security knowledge and their content for various certifications. I studied the Security+ material from their official learning material and benefited immensely from the content and the labs with each topic. This added a practical touch to the content and helped connect the concepts with practical application.

Besides these certifications, I did a number of online courses from Coursera, edX and other MOOC platforms. I will cover these in a separate post soon. Please do share your thoughts and views on the article, and let me know if you want me to write about any specific topic or domain in InfoSec.

Thanks and see you soon.

The Curious CISO

A CISO who is passionate about InfoSec and new technologies. I am constantly curious about the impact of new technologies and ways to secure them.