What’s the right IT/Information Security Certification for me?

In one of our previous articles we already discussed what an Information Security degree would bring you; now, let’s tackle this tricky question: “What security certification should I pursue?”

Throughout my career, I constantly heard a ready-made answer: CISSP! (even when the person could not say what CISSP stands for). Try it yourself: whenever you have the chance, ask your workmates the very same question. I bet someone will mention it before you finish the sentence. It’s a kind of wildcard answer: Security? No matter what area or position the person works in, say CISSP and you’ll be alright.

But is that the definitive answer for this question?

First, let me clarify something: while getting a security certification is not absolutely essential to apply for an IT/information security job, an increasing number of companies require that applicants be certified. The recruiter’s algorithm is simple:

Information Security Recruiting

Efficient (for the recruiter)? Apparently yes.

Accurate? Unlikely, but that’s the reality out there: having some certifications is a matter of survivability in the field, whether we like it or not.

Certified professionals also tend to earn higher salaries than co-workers who are not certified, according to numerous market surveys. Thus, becoming a certified professional gives you an edge in your IT/information security career. The problem is that certification has become big business, and the number of security certificates you could earn keeps growing.

So let me use an analogy one of my bosses used to tell me. Imagine the following scenario: you’re working at a construction site, demolishing a wall, and a pile of debris needs to be taken away. Will you use a Lamborghini, one of the fastest cars ever built, but with a trunk that barely accommodates a suitcase? I highly doubt it. I know the example might sound cliché, but that’s how I see this certification thing. Tell me what you intend to achieve, and I’ll tell you which Information/IT certification is the best for you. So let’s dig a bit further…

When picking where to start with your security certification path, ask yourself a couple of questions first:

Am I a techie or a management professional?

Answering this question helps you decide whether to go for a vendor-specific certification or a vendor-neutral one. Think with me: if you work as a firewall administrator (and you plan to keep doing so for a while), pursuing CISSP without first being, let’s say, CCSA is not the best way to go. Conversely, if your job is to develop and implement your company’s ISMS, achieving a CCSP won’t be of much help. It goes without saying that getting Y-certified (I just coined this term 🙂 : it means achieving both managerial and technical certifications rooted in the same field) will certainly broaden your field of view, but the benefits might not be readily perceived.

Y certification path

Comments (9)

  1. Hi Adriano,
    Hope you are doing well. It is a brilliant article which has helped me to decide my career path logically.
    I am an IT security and governance graduate, looking forward to becoming an IT Auditor (Risk, Compliance & Governance) in future. I do not have relevant work experience, but so far in my education I have learned and implemented many aspects of Information Security and Auditing (as per the ISO 27K suite).
    Can you please suggest a certification which does not require any work experience as an eligibility criterion and at the same time is competent enough to land me a job? I do understand that certifications don’t guarantee a job, but in today’s world they are a necessary requirement to get noticed by HR.
    Kindly advise.

    Thanks and regards,

  2. Logan says:

    Nice Post Adriano.

    What do you say about an Associate CISSP (a person who has passed the exam, without 4 or 5 years of experience)?
    I have around 2 years of experience as a Security Engineer (AppSec/VA/PT). Can I go for Associate CISSP? If not, what certification do you suggest?

  3. Ayomide Philip says:

    Thanks for this mail. Are you saying that as a 23-year-old graduate in Computer Science who wants to start a career in InfoSec, GISF is first? I actually just joined a training that would cover Network Management, RF engineering, Transmission and GSM engineering. Can you tell me how I can relate InfoSec with Networking, or how I can relate InfoSec with this training? What are those things I must do to link those trainings with InfoSec certifications?

  4. Alexandre Marson says:

    Thanks for posting this… it is exactly what I was looking for. I recently immigrated to Canada and am looking forward to entering this career. Will start looking around for certifications…
    You may wanna publish the below… just so people get a little more excited over being in ITSEC… 🙂


  5. […] to treat it? – Please describe the steps to be taken by a company implementing an ISMS framework – Why did you become (CISSP/CISA) certified? – During an audit, an interviewee is not disclosing the information being requested. How would you […]

  6. Vincent Senatore says:

    Eugene, you do realize that the statement “Mainframe is dying” was made around 1990, and I am still waiting.
    But as for changing jobs, why? I am good at what I do and I enjoy my work.
    As for your statement on cost, you should look into how many UNIX servers can run on a z/OS system, with no additional hardware cost.

  7. Eugene Williams says:

    Vincent, that’s because there’s no market for certifying mainframe environments. The whole world is going for PCs/servers and cutting cost, and throw in Green IT (VMware etc.); perhaps it’s time you consider changing jobs?

  8. Vincent Senatore says:

    This is a bit of a rant, but:
    What I want to know is how come the certification community has left out the professionals who secure the z/OS mainframe environments, using CA-Top Secret, CA-ACF2 and IBM’s RACF?

    I am a z/OS mainframe security analyst/architect and administrator (since 1983) using CA-Top Secret, who has been involved in all phases of security implementations. On the mainframe we have to know how applications run and what resources are available for use within the application, so we can secure them.

    In general our security work requires knowledge of how system software, applications, FTP, encryption certificates (building them and allowing their usage) and UNIX System Services interact with the z/OS system.

    So I guess my question is why SANS, ISC2, plus IBM and CA have not gotten together to create certifications for these professionals.


  9. Thanks for posting this.