Industry experience vs. security certification credentials

Industry experience vs. security certification credentials

I'm currently working in the IT risk management field. What would be the added value of gaining the CISSP? Are there other certifications that would better assist me in identifying and mitigating specific business risks?

    Requires Free Membership to View

    Login

    SearchSecurity.co.UK members gain immediate and unlimited access to breaking UK industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.co.UK today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.co.uk you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.co.uk is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

In my opinion, the CISSP is more about a resume then proving one's competence as a security professional. It will show that someone can pass the test, but it doesn't say much about that person's ability to do the job.

I think you are in a great position because you are dealing with risk, and that is by definition a business activity. So focus on learning about the business, interacting with business people and understanding how to relate security to your organization's business imperatives.

I'd rather see you further specialize in your field and gain a greater understanding of how your business operates and some of the critical success factors for your company, as opposed to getting a credential that simply indicates you can attend a boot camp and take a test.

There is no way to fake real industry knowledge in an interview. If I were you, I'd be spending my time focused on gaining that industry knowledge, as opposed to a generic security certification. That is, unless you are passionate about the technology. In that case, being in the risk management group may not be the best fit.

For more information:

  • Khalid Kark explains how to build an information risk management framework.
  • In this tip, security practitioners give advice to those embarking on an information security career.

    • This was first published in November 2007

    Back to top