February 17, 2010, 12:03 PM — In this last article in a series of five, I'll (finally) respond to a young correspondent's request for guidance about the "best" security certification for improving job prospects.
What's the best tool for solving a problem in your house?
There is no best tool for an undefined job. Nobody can rationally decide whether a hammer or a power drill is the "best tool" without specifying what job the tool is supposed to do. So it is with certifications.
In a conversation with a former graduate student recently, we were discussing precisely this question. The student, a U.S. Army veteran with a wide background in IT, was pleased with his MSIA degree but now wondering whether to hurry up and complete a Certified Information Systems Security Professional (CISSP) exam right away, wait until the graduation ceremony and exam in June, or take another certification such as the Certified Information Systems Auditor (CISA) or Certified Information Systems Manager (CISM). He was also considering Security+ certification.
Naturally, I responded to his questions with a preliminary, "Well, it depends" – the answer that gets academics in hot water with people (not my student) who insist on cut-and-dried, yes-no answers. I pointed out that there are lots of valuable certifications and lots of interesting career directions in security; the goal as we consider options is to find the intersection subset of useful certifications for interesting specializations in the field.
In my student's case, he expressed interest in moving away from strictly technical, relatively low-level network-administration jobs into higher-level, security-management jobs. That information made it easy to point to the CISSP and the CISM as excellent career-enhancing certifications for him. He agreed with my comment that security auditing is a useful contribution to security management, so the CISA is valuable and appreciated by potential employers.