Certifications provide employers with an objective way to measure a candidate’s knowledge of a particular topic or set of topics. That said, there are many valuable certifications that exist in the information security field, and selecting which one – or which group – to pursue can be a difficult choice for some people to make.
I have been a long-time fan of the CISSP certification (which I, myself, decided to pursue years ago because I considered it to be valuable, and which I have now held for quite some time). There are several reasons for my affinity for this particular certification:
1. It is vendor neutral – so a change in technology or methodology at a person’s employer will not diminish its value.
2. It is issued by (ISC)2 – a universally trusted party.
3. It is effectively evergreen – countermeasures come and go, and products change, but the concepts learned for the CISSP exam are about as timeless as information-security concepts can get – especially if one meets the continuing professional education requirements to maintain the certification over the long term.
4. It is broad – so even if a person works in one area of information security he or she will have some knowledge of other areas. This is important as components of information security are often interconnected.
5. It provides employers with the comfort that its holders understand important aspects of more than one area of information security at a high level. So, if you are working in one area and want to transfer to another, your employer knows that you will not be starting from level zero.
6. Training courses are readily available – so you are not on your own preparing for the exam.
7. In order to receive the actual certification, candidates must also have several years of professional information security experience, must commit to a code of ethics, and must be endorsed by someone else already holding the certification. The combination of these factors translates to a situation in which employers know that anyone holding a CISSP certification is more established in the field of information security than someone who has only passed an exam.