Many times I have been asked by people who are starting out in information security, "which certification should I get?" My answer is, "Go get knowledge and skills first. Do the certifications later."
To elaborate, I recommend focusing on training that teaches concepts and knowledge or how to do something. As you get further along in your career, consider independent certifications because they help demonstrate your competence to someone who doesn't know you, such as HR staff or recruiters.
Here's a brief guide to what you can expect from the three main types of IT security training courses associated with certifications.
Training with certificate of attendance
A certificate of attendance sounds like weak recognition for putting in hard work, but if you are starting out in information security, they are the right place to start. Many include a quiz or other instrument to gauge the student's comprehension. But at the end of the day, they are teaching the subject. Unlike an exam prep course or certification-specific class, pure knowledge classes also teach concepts and skills that are hard to test on a standardised test.
The instructors will spend little or no class time on test-taking skills and other trivia that benefits test takers. When you're starting out, these are the kinds of courses you want.
Training with integrated certification
Some certifications are paired with training for their associated exam. The exam may be designed well psychometrically, but it is not offered to students who do not first take the training. Typically the exam cannot be administered by any organisation other than its author.
Such classes, especially if they have a hands-on or lab component, are better suited than exam prep classes for people who are looking to learn things they don't know. Minimum qualifications are usually required to take these courses.
These certifications are an intermediate step between acquiring foundational knowledge and being independently certified.
Independent certifications are meant to recognise knowledge or capabilities that candidates possess on exam day. The exam's authors don't know and don't care how the candidate came by that knowledge; the candidate might have been in the industry 20 years or for a much shorter period of time. The candidate may possess vast and varied knowledge, or she or he may possess the minimum tested by the exam. The score is pass/fail.
If you are early in your career, do not mistake an exam prep course for a course that teaches information security; these courses help already qualified candidates succeed under exam conditions — they do not teach practical work skills. A weekend exam cram or weeklong exam prep course is not going to advance someone's career or capabilities significantly whether they pass the exam or not.
Confused about what to take? Get answers to these questions
If you're still trying to decide which kind of class to take, finding the answers to the following questions should help point you in the right direction.
- Does the course lead to a specific certification result?
- Could any qualified candidate take the exam without taking the course? (If so, then this is an independent certification.)
- Would someone take the course if they didn't care about taking the exam?
- Does the course teach doing something or knowing something?
- Does the associated exam at the end test your ability to do something, or does it test that you know something? Think about which of those you want.
Paco Hope is a security consultant at Cigital.
Author of the Web Security Testing Cookbook and frequent conference speaker, Paco Hope is a security consultant with Cigital who has been working in the field of software security for almost two decades. Paco helps secure software in the financial, retail, and online gaming industries through security requirements, source code review and architectural risk analysis. He serves as a subject matter expert to (ISC)² for the CISSP and CSSLP certifications. Outside of secure software, he is passionate about privacy, user experiences, and data visualization. Paco fundamentally believes that security is less about wizardry and more about common sense.