william diederich - security certifications: are they worth the investment? and if so...which one(s)...


Upload: centralohioissa

Post on 14-Apr-2017


Page 1: William Diederich - Security Certifications: Are They Worth the Investment? And if so...Which One(s) are Right for You?

Security Certifications: Are They Worth the Investment? And if so, Which One(s) are Right for You?

William Diederich, BS, MS, CISSP, CISM, CISA, CRISC, HCISPP, FLMI, ATP
President, CIO for You, [email protected]

Page 2

Overview
• Formalities – Introduction (ok, let’s keep it short):
  • 25+ years in IT, ….
  • 15+ years as a CIO / CTO / CISO in Mid-Cap companies….
  • Education:
    • B.S. Management Engineering
    • M.S. Management & Administration
  • Certifications – CISSP, CISM, CISA, CRISC, HCISPP, FLMI, ATP
• What I’m going to cover
• What I’m not going to cover
• What you can hope to get out of this presentation
• What you should get out of this presentation!
• Most importantly - this presentation is meant to be educational, enlightening and entertaining!
• Caveat Emptor – Your Mileage May Vary (YMMV) - And a disclaimer: I’m not representing any Organization(s) offering Security Certifications….

Page 3

Types of Certifications (overview)
• Business or Company Based (optional or required):
  • “… must successfully complete the Security Manager Certification training course (#12345) in order to qualify as an Enterprise Security Manager (ESM).”
• Vendor or Product Based:
  • Cisco – CCNA Security
  • Microsoft – MS Security Essentials (MTA / MCSE)
• Professional Certifications & Licenses (potentially required by Code, Statute, Industry, etc.): PE / RN / ATP
• Industry Associations (both Non-Profit & For-Profit), in no particular order:
  • ISSA – A not-for-profit, international organization of information security professionals and practitioners
  • ISACA – Incorporated in 1969, 140K professionals
  • (ISC)² – Over 25 years of service in information security
  • GIAC – Founded in 1999 to validate the skills of InfoSec professionals
  • SANS – Established in 1989, now with more than 165,000 security professionals around the world
  • EC-Council – Supports and enhances the role of individuals and organizations who design, create, manage or market Security and E-Business solutions
  • CompTIA – CompTIA, a non-profit trade association, is the voice of the world’s information technology (IT) industry

Page 4

How tough can it be to successfully complete a Security Certification?

It’s tough, but not as tough as learning to fly a Gulfstream (and a lot less expensive); plus InfoSec jobs pay a lot more!

Page 5

What are two of the fastest growing professions today?….
• Aviation:
  • Boeing predicts 558,000 pilots worldwide over the next 20 years, including 95,000 in North America
  • But we’re not here to talk about being a pilot…..
• Information Security, Cybersecurity and Information Assurance:
  • Jobs and salaries in cybersecurity are booming
  • Demand for information security professionals is growing exponentially
  • Cybersecurity skills shortage demands new workforce strategies
  • IT careers: Security talent is red-hot | Computerworld
  • 7 Startling Stats on the Cyber Security Skills Shortage

Page 6

7 Startling Stats on the Cyber Security Skills Shortage*
• 44 percent of organizations are short on staff with strong cyber security and networking knowledge—ESG, “Network Security Trends in the Era of Cloud and Mobile Computing”
• 35 percent of organizations are unable to fill open security jobs, despite the fact that 82 percent expect to be attacked this year—ISACA and RSA, “State of Cybersecurity: Implications for 2015”
• The demand for information security analysts will grow 37 percent from 2012-2022—U.S. Bureau of Labor Statistics
• Between 2007 and 2013, postings for cyber security jobs rose 74 percent, more than twice the rate of IT jobs as a whole—Burning Glass, “Job Market Intelligence: Report on the Growth of Cybersecurity Jobs”
• The average senior security analyst in the US makes $103,226, more than double the national average—Glassdoor.com
• 64 percent of high school students do not have access to computer science classes that would help prepare them for a Cybersecurity career—Raytheon & National Cyber Security Alliance, “Preparing Millennials to Lead in Cyber Space.”
• By 2017, there will be a shortage of 2 million cyber security jobs worldwide—Digital Skills Committee

*Swimlane - By Cody Cornell, July 30, 2015, Security Operations Weekly

Page 7

Today’s Security Landscape (in no particular order)

Types of Threats:
• Sabotage / Terrorism
• Espionage
• Revenge
• Blackmail
• Data Theft
• Services Theft (Phone-fraud, File Distribution, etc.)

Security Incidents:
• WikiLeaks / Snowden
• Tesla / Nissan Leaf
• Office of Personnel Management
• Stuxnet
• Target / Anthem
• IOT attacks (many)
• Sony*

*Who saw the 60 Minutes “Sony Hack” Exposé?

Page 8

Just in 2016 alone (to-date)!
• 48 Breaches have been made public in 2016 to date
• 282,360 Records (many breaches had ‘unknown’ loss of records)
• Examples include:
  • The IRS……
  • HCA / Hollywood Presbyterian / BCBS of California
  • JB Autosports, Time Warner Cable, Kicky Pants, Inc.
• 896MM Records Breached From 4,790 Data Breaches Made Public Since 2005* - Source: Privacy Rights Clearinghouse - https://www.privacyrights.org/data-breach/new

Page 9

How Important are Certification(s)?
• Certification, training, and experience are three of the top four most important characteristics when selecting a candidate for a more advanced position
• Certifications help establish both the professionalism and the competence of an employee and can help differentiate the employee from other candidates for a promotion or an opportunity
• Employees with certifications earn more - organizations reported that certified staff members earn 15% more on average than staff without certification
• More responsibility - organizations reported that certified IT staff members are given more responsibility than noncertified staff members and are sometimes given responsibility for managing and supervising noncertified staff members
• More opportunities for advancement - Additional responsibilities create more opportunities for advancement within organizations. In addition, IT managers expressed a sense that earning certification reflects an employee’s interest in career advancement.

Page 10

15 Top-Paying Certifications for 2015*

Notable Trends:
• Six of the top 15 certifications pay $100,000 or more, nine are under $100,000
• Five are in security (1, 2, 3, 5, and 13)
• Two are in virtualization and cloud computing (8 and 14)
• Three are in business (4, 6, and 12), Three are in networking (7, 9, and 10)

1. Certified in Risk and Information Systems Control (CRISC) – $119,227
2. Certified Information Security Manager (CISM) – $118,348
3. Certified Information Systems Security Professional (CISSP) – $110,603
4. Project Management Professional (PMP®) – $109,405
5. Certified Information Systems Auditor (CISA) – $106,181
6. Certified ScrumMaster – $101,729
7. Cisco Certified Design Associate (CCDA) – $99,701
8. Citrix Certified Professional - Virtualization (CCP-V) – $97,998
9. Cisco Certified Network Professional (CCNP) – $97,038
10. Juniper Networks Certified Internet Associate - Junos – $96,734
11. Microsoft Certified Systems Engineer (MCSE) – $96,198
12. ITIL v3 Foundation – $95,434
13. Certified Ethical Hacker (CEH) – $95,155
14. VMware Certified Professional - VCP-DCV – $94,181
15. Certified Novell Engineer (CNE) – $93,856

*2015 IT Skills and Salary Survey conducted by Global Knowledge in the fall of 2014. About the Author: John Hales, VCP, VCP-DT, VCAP-DCA, VCI, is a VMware instructor at Global Knowledge

Page 11

15 Top-Paying Certifications for 2016*

Notable Trends:
• All but two of the top 15 certifications pay $100,000 or more
• Six are in security (2, 3, 4, 6, 10 and 13)
• Three are in virtualization and cloud computing (1, 12 and 15)
• Three are in business (5, 11 and 14), Three are in networking (7, 8 and 9)

1. AWS Certified Solutions Architect - Associate – $125,871
2. Certified in Risk and Information Systems Control (CRISC) – $122,954
3. Certified Information Security Manager (CISM) – $122,291
4. Certified Information Systems Security Professional (CISSP) – $121,923
5. Project Management Professional (PMP®) – $116,094
6. Certified Information Systems Auditor (CISA) – $113,320
7. Cisco Certified Internetwork Expert (CCIE) – $112,858
8. Cisco Certified Network Associate (CCNA) Data Center – $107,045
9. Cisco Certified Design Professional (CCDP) – $105,008
10. EC-Council - Certified Ethical Hacker (CEH) – $103,297
11. Six Sigma Green Belt – $102,594
12. Citrix Certified Professional - Virtualization (CCP-V) – $102,138
13. Cisco Certified Networking Professional (CCNP) Security – $101,414
14. ITIL® v3 Foundation – $99,869
15. VMware Certified Professional 5 - VCP5-DCV – $99,334

*2016 IT Skills and Salary Survey conducted by Global Knowledge in the fall of 2015. About the Author: John Hales, VCP, VCP-DT, VCAP-DCA, VCI, is a VMware instructor at Global Knowledge

Page 12

Article on IT Compensation from CIO Magazine

Security
• Data Security Analyst: $113,500 - $160,000 (+ 7.1%)
• System Security Administrator: $105,500 - $149,500 (+ 6.1%)
• Network Security Administrator: $103,250 - $147,000 (+ 5.3%)
• Network Security Engineer: $110,250 - $152,750 (+ 6.7%)
• Information Systems Security Manager: $129,750 - $182,000 (+ 6.2%)

Page 13

Employer’s Perspective (CIO Magazine IT Certification Hot List - 2015)*
• 65 percent of employers use IT certifications to differentiate between otherwise equally qualified candidates
• 72 percent of employers use IT certifications as a requirement for certain job roles
• 60 percent of organizations often use IT certifications to confirm a candidate's subject matter knowledge or expertise
• 66 percent of employers consider IT certifications to be very valuable -- a dramatic increase from the 30 percent in 2011

*By Rich Hein, CIO | CIO Magazine Mar 3, 2015

Page 14

CIO Magazine - IT certifications that paid off the most in 2015*

*By Rich Hein, CIO | CIO Magazine Nov 16, 2015

Page 15

Market Value Gains – InfoSec Certifications (through 1/1/2016)

Page 16

IT Certification Premium Pay

Page 17

CIO Magazine: 10 Highest-Paying IT Security Jobs*

*By Sharon Florentine, CIO | CIO Magazine Jun 9, 2015

1. Lead Software Security Engineer – $233,333
2. Chief Security Officer – $225,000
3. Global Information Security Director – $200,000
4. Security Consultant – $198,909
5. Chief Information Security Officer – $192,500
6. Director Of Security – $178,333
7. Cyber Security Lead – $175,000
8. Lead Security Engineers – $174,375
9. Cybersecurity Engineer – $170,000
10. Application Security Manager – $165,000

Page 18

Indeed Sample of Required or Desired Security Certifications in Job Postings
• Security certifications preferred / preference to candidates with a CISSP
• Security+ certification would be a plus
• CISSP, Security+, or relevant vendor security certifications
• Certification - One or more of the following: CISSP, IAM, IEM, SAN Certs
• Information security management qualifications such as CISSP or CISM
• Hold at least one certification, i.e.: CISSP, CEH, CSIH, CISM, CISA, GIAC...
• IT security certifications (CISSP, CISA, CISM) a plus (or preferred)
• Masters degree in Business, Computer Science, or equivalent work experience; Security Certifications – CISSP, CISM
• Certifications in CISSP, CCSP, CCIE-Security, or CEH highly desirable
• CISSP required, CISM preferred, GISM or CCSP certification a plus
• Professional certification such as CISSP, CISM, CISA, CRISC, or other security credentials, is preferred - Multiple listings (similar wording)

Page 19

Reasons for Security Certifications (Employee)

Employees benefit from professional certifications in several ways:
• Skills validated and acknowledged by an independent third party
• Differentiates individuals from others in the hiring process
• Facilitates the ability to command higher pay
• Helps individuals remain competitive and employable
• Enables job proficiency more quickly (getting up to speed)
• Shows dedication to the individual’s career
• Can enable an IT professional not currently in Information Security to retool and potentially change to Information Security career paths
• Certification necessitates staying current, continuously learning new skills, and networking with peers while staying engaged in, and committed to, the field of Information Security

Page 20

Reasons for Security Certifications (Employer)

Employers also benefit from professional certifications:
• Professional certification is a quality marker that helps an employer gauge the effectiveness and qualifications of a potential hire
• Employers want their hires to stay current and continue to grow in their profession
• They are a driver of continuing education and training
• Employers can use achievement of professional certification as a requirement for advancement or pay increases as well
• Certified professionals with proven knowledge and competency will contribute more to an organization
• Investing in Security training and certifications can increase employee satisfaction and retention

Page 21

What are not Good Reasons to get Security Certifications?
• If Certifications are so great, why would a person not get a Security Certification?
• There are many benefits, but here are some reasons not to:
  • Assuming that the Certification by itself will result in an increase in one or more of these areas*:
    • Compensation
    • Responsibilities
    • Marketability
    • Job satisfaction
    (*i.e. Have realistic expectations of the outcome)
  • Just for the sake of having a Certification – there must be a purpose
  • For any nefarious activities (most if not all associations have a required code of conduct; passing the requirements may be difficult or impossible with such an intent)

Page 22

Choosing the Right One(s) for You? It depends…….
• What are your career goals and objectives?
• What are you trying to accomplish with a Certification(s)?
• If it’s just about money – one could choose the one highest in demand – but it should be more than that
• Do you have a roadmap that will help you achieve your short and long-term career goals? – If not, plan one:
  • Security Technical Expert (hands-on)
  • Security Architect (hands-on)
  • Risk and Compliance Expert (administrative role)
  • Team Leader or Managerial (administrative role)
• Start with a certification within your wheelhouse rather than taking the most challenging one available as your first certification

Page 23

Are all Security Certifications Created Equal?

This is a tricky question…
• A number of Security Certifications have only recently become available, riding the demand for Certified Security Professionals, but may not have the reputation of mature certifications
• Some require formal classroom training or highly encourage formal training, or make it difficult to pursue self-study options
• And some are just downright extremely expensive

So….
• Stick with the more well known Organizations (mentioned during the introduction) and their associated Security Certifications
• There’s always time down the road to complete the most demanding certifications or dabble in more esoteric ones

Page 24

Are Certifications Expensive?
• Certifications can range in cost from a few hundred dollars to many thousands (particularly if formal classroom training is utilized)….
• Structured training expenses:
  • Formal classroom training can cost up to $5,000 for a week
  • Online training programs range from several hundred dollars up to several thousand
• Self-study training expenses can include:
  • Books, study guides, CBTs, etc. from $200 to $1,000
  • Exam-prep, test-question databases, etc. can add another $50-$200
• The exam itself is typically around $500 or more
• The actual application for Certification can add $50 to $100
• And, if you want the fancy wood engraved plaque, that’s an extra $99
• My rule of thumb: plan on $1000 per certification

Page 25

How to Pay for a Security Certification?
• Self-funded, including:
  • Self-study, personally paying for the exam and the cost of the certification… (hopefully a worst case scenario)
  • May be necessary if you’re in a hurry
  • At least it may be a tax deduction (YMMV)
• Partially Company Funded – many companies support this:
  • Paying for study materials
  • Or reimbursing for an exam after successfully passing it
• 100% Company Sponsored – obviously the best case scenario (fortunately more companies are undertaking this commitment)

Page 26

Certification Requirements: What it takes….
• Experience – Meeting minimum requirements (hours or years)
• Comprehensive Examination – Multiple choice (60 to 250 questions, 2 hours to 6 hours)
• Application for Certification including 3rd party verification of work experience by someone attesting to your qualification for Certification (ex. a manager or existing Certificate holder)
• Rigorous review of your application, and Association board approval
• Fees (Application & recurring Annual maintenance)

Page 27

What if I don’t meet the Requirements?
• There are entry level Certifications – such as the (ISC)² SSCP® (Systems Security Certified Practitioner) or CompTIA Security+
• Some Certifications allow a candidate to sit for an examination and then complete the experience requirements at a later date (within an allowable, defined period)
• There is no penalty for studying the materials even if you don’t sit for the exam (though course materials typically change regularly - annually or every couple of years)
• A vendor certification may make sense as these typically don’t have defined experience requirements (such as an MCSE or CCNA)

Page 28

Alternatives to Certification
• Experience, Experience, Experience….
• Company training programs (formal or informal)
• Join a local Security Chapter such as ISSA, ISACA, SMBA/(ISC)², OWASP, etc. and attend meetings
• Reading – always a good idea and necessary to stay on top of a rapidly evolving Security landscape
  • Articles, White papers, Reports
  • Books (including Cert Prep books even if you don’t intend to take the certification)
  • Podcasts, YouTube, Webcasts
  • Vendor demos and presentations
• College Degrees: Undergraduate (Associate or Bachelors) or Graduate (though Certifications are a lot less expensive, and perhaps better value)
• Did I happen to mention experience – “Advanced degrees and sound technical certifications can help to establish professional credibility, but there is no substitute for real-world experience.”*

*TECH CRUNCH NETWORK - The Horizon For Information Security Jobs

Page 29

Preparing for a Certification

• Don’t kid yourself, it’s a significant investment (of time & potentially money)

• Plan on at least 100 hours of study (doing 2 hours a week could mean a year of study or more)

• Join a study group

• Lay out a schedule and stick to it

• You have to really want to complete the certification, you can’t just think ‘it would be nice to have one….’

Page 30

Sitting for a Certification

Do:
• Prepare as best as humanly possible
• Have a positive attitude (reinforced with preparation)
• Get plenty of rest the night before
• Show up early and be ready
• Pace yourself, it’s important to know how long you have for each question
• Complete the exam and review your answers (time permitting)

Don’t:
• Second guess yourself or get stuck on questions
• Relate or compare test questions to your world, keep it theoretical

Results:
• Some tests score the exam immediately – so you know your results
• Others can take 5 to 8 weeks to get the results

Page 31

Building Knowledge versus Point of Diminishing Returns
• To some extent the course materials from one exam can facilitate passing another – Example:
  • ~100 hours of study for the ISACA CISM, passed first time
  • Which helped prepare for the CISSP (and only ~60 hours of study)
• But too many certifications can potentially lower their value:
  • There is such a thing as too many certifications - you don’t want to be known as a Certification hound
  • In fact, it may not be wise to display all your certifications, or at least target the most applicable to whatever opportunity you’re seeking
  • You may even let some outdated certifications lapse
  • It might make more sense to pursue an advanced degree, such as a Cybersecurity degree, rather than another Certification
  • Keep in mind the cost of maintaining all the certifications can be prohibitive (that is, unless some reimbursement or subsidy is involved)
• It’s most important for people to be able to recognize your capabilities
• The right balance of Certifications (no more, no less) can do that….

Page 32

Two Real-World Examples

• A personal case – why I got my certifications and the results….

• A former employee successfully completed several security certifications and landed the Chief Information Security Officer job they wanted (and a lot more money)!

Page 33

In Summary: Are Security Certifications Worth the Investment?
• Statistically – Absolutely (but don’t necessarily expect it):
  • More (and better) opportunities
    • Within your existing organization
    • Or, on the other hand, if you do decide to make a move
  • Higher Compensation
  • More responsibility
• Personally – Yes
  • A merit badge and achievement to be proud of
  • Better understanding of the subject matter
  • The ability to contribute more meaningfully
  • A member of an elite group
• Honestly, if you’re not getting certifications in today’s world you’re falling behind

Page 34

Q & A
AND THANK YOU!

(also feel free to see me after the presentation or email me)

Page 35

Appendix & References

Page 36

Page 37

References
• http://techcrunch.com/2015/06/07/the-horizon-for-information-security-jobs/
• https://www.informatica.com/resources.asset.0dc802365c118d1353aabd4f8f8ca4bc.pdf
• http://images.globalknowledge.com/wwwimages/pdfs/2015_SalaryReport.pdf?utm_medium=email&utm_source=email
• http://www.huschblackwell.com/~/media/files/businessinsights/businessinsights/2015/03/white%20paper%20data%20breach/whitepaper_databreachresponsereadiness.pdf
• http://www.csoonline.com/article/2953258/it-careers/cybersecurity-job-market-figures-2015-to-2019-indicate-severe-workforce-shortage.html
• http://www.globalknowledge.com/training/generic.asp?pageid=3855&country=United+States
• http://certmag.com/subscribe/
• http://www.tomsitpro.com/articles/information-security-certifications,2-205.html
• http://www.tomsitpro.com/articles/information-security-certifications,2-205-7.html
• http://www.sololearn.com/Blog/20/is-certification-important/
• http://blogs.cisco.com/security/forewarned-is-forearmed-announcing-the-2016-cisco-annual-security-report
• http://www.cio.com/article/2951115/certifications/8-most-in-demand-it-security-certifications.html
• http://www.itworld.com/article/2999370/careers/jobs-and-salaries-in-cybersecurity-are-booming.html