Why does an IT professional seek a certificate in IT security? For many, it's a way for junior and mid-career pros to advance their careers and improve their "personal brand." For others, it's a requirement of their existing job. So when a C-level IT industry executive — one without security in his job title — decided that he needed a cybersecurity certification, Dark Reading asked why.
Tim Titus is chief technology officer at PathSolutions. With a job title that seldom requires new certifications, he nevertheless decided to pursue a CISSP. The Certified Information Systems Security Professional (CISSP), a certification granted by the International Information System Security Certification Consortium (ISC)², is one of the major certificates employers use to determine whether someone is qualified in IT security. Along with Certified Ethical Hacker (CEH), Certified Information Security Manager (CISM), CompTIA Security+, and SANS GIAC Security Essentials (GSEC), the CISSPs' combination of experience and examination is intended to provide assurance that someone knows what they're doing when it comes to IT security.
Titus acknowledges that most people who would volunteer to bury their noses in test prep guides until their vision prescription changes are doing so merely to improve their employment opportunities.
In his case, however, it was to improve his professional knowledge and to benefit his company. Staff (even C-level executives) who hold professional certifications are seen as more credible and authoritative than those who don't.
Why the CISSP instead of another certification program? Titus says that peers and friends in the industry told him the CISSP is respected as a broadly based certificate in the field. It doesn't focus, he says, on any one vendor or area of concern, requiring testing on eight different areas of interest for each candidate.
"The CISSP is about teaching you how to think about security," Titus says, and to think about it within the context of the eight CISSP security domains. Security and risk management, asset security, security architecture and engineering, communications and network security, identity and access management, security assessment and testing, security operations, and software development security are the eight domains in which CISSP candidates will have to demonstrate knowledge before they pass the exam.
There are many different ways to prepare for the CISSP exam: self-study books and online courses, for example. Titus, however, went for a full emersion.
"I signed up for a boot camp, a $3,000 training camp, that was referred to me by one of the CISSPs I was friends with," he explains. The Monday to Saturday camp was, he says, a very high-quality experience.
Even before the bootcamp, though, Titus began working on the exam. He says that the bootcamp sent out their study material about six weeks before the actual camp; material that included the official (ISC)² study manual. Titus praises the quality of the material found in the manual and says that,
"I went out to Monterrey, got a hotel and I sat in the hotel for three days, effectively going cover to cover in that book," he says. The ability to spend 100% of his time focused on the material made his time in the course much more valuable, he feels.
The material in the study manual was, he says, enlightening.
"The CISSP is all about helping you understand the risks, render the proper judgment, and gather the proper financial resources to rally around those risks," Titus says. He makes the analogy that the CISSP isn't about how to program an access control list (ACL) into a router — it's about knowing the risks the network faces and how an ACL might figure into an overall security strategy.
Titus was able to get a timeslot for the exam five days after completing the bootcamp. He wanted to take the test soon after the course so the material was still fresh in his mind when he sat down in front of the computer. But before he took the test, he went through one more step.
The practice exam. "The reason for getting that sample test is that it allowed me to sit down and run through each of the domains in a testing environment and see, OK, how do I score," he explains, continuing, "if I find that I'm scoring less than 70% than I need to brush up in those areas."
On the other hand, he says, scoring more than 90% on a domain means that you can probably need to spend any additional study time. A retest is allowed (within a specific time period) so you have the opportunity to catch any issues and fix them before taking it again. Lay that material aside to concentrate on your weaknesses. It's the strategy he used to go in and pass the test on his first attempt.
Being able to put "CISSP" after his name on a business card is good, Titus says, but far from the sole benefit of the process.
"The thing I loved about this whole experience was that I learned it's not just about firewalls, antivirus, and anti-malware. It's not about technology. It's about process and judgment on putting the process together," he says. "And if you don't have a good process, you're throwing money left and right at various risks that you might not even encounter."