Getting started in Cyber 

One of the most common questions I’m asked by non-cyber professionals is “How do I start a career in cyber?” and fortunately I think there’s a relatively easy answer. 

The British Computer Society (BCS) have an entry level qualification called the Certificate in Information Security Management Principles (CISMP). It’s typically a five day course and covers most aspects of information security at a high level, digging into some in a bit more detail. It was the first security course I attended, many years ago, and I can thoroughly recommend it for beginners, even for those with limited IT knowledge.

If you’re looking for a company that provides this course in fantastic surroundings with outstanding instructors, look no further than these guys below (it’s who I work for). This is one of the courses that I teach, but I don’t think I’m scheduled to teach this particular one. If you do book on it, let me know and I’ll make sure I come along and see you. 

To certify or not

I published this article on LinkedIn on May 3rd 2017. Here it is in its entirety for you.

The age old question of whether certification is important or not reared its head again recently. I was talking to two prospective clients, and they held opposing views.

One wanted their staff to be well trained, but didn’t want them to complete any certifications. They were concerned that once the member of staff was trained they’d look elsewhere for [and get] a better paid job.

The other wanted their staff to be well trained, and saw the certification process as a way of validating that the learning on the course had stuck. They thought they would be able to market themselves better with certified staff, and make more money that way.

I can see both sides of the argument, as I’m sure you can. Perhaps the main differentiator is that in the first case, they may not be able to charge their clients as much, and will therefore have lower income / profit margins, which would mean they couldn’t pay their staff as well. In the second case, their ability to charge higher rates could be reflected in higher income and therefore they may be able to meet the wage demands of their teams.

To be honest though, neither of these scenarios floats my boat. I’d much rather employ someone with appropriate experience than just take someone who has passed a course and may have a piece of paper telling you that.

Many years ago – you’ll realise how long ago shortly – I received a salutary lesson in this very topic. I had a member of staff come to me to say that they had done a lot of self study and had not only passed their Microsoft CSE but their Novell CNE (I told you it was a long time ago). As a result, they wanted a massive pay rise – something like 35% as I recall. Naturally I said I would have to think about it and, if appropriate, ask approval from my manager.

Fast forward to the following week. I was disinclined to award the rise as I had concerns about the person’s ability, but had yet to tell them that. They came to me (because at the time I was still relatively hands on technically) and asked how to bind an IP address to a network card. (Again a sign of how long ago this was, TCP/IP was only just starting to appear on Windows-based networks.) Naturally, my first question was whether this had been covered in either the Microsoft or Novell courses – it was – and I then suggested that the staff member in question focus on getting experience before thinking about pushing for a pay rise.

I recently had cause to consider the benefits of certification for, shall we say, more senior people (myself included). Some clients seem to not worry too much about the letters after your name and prefer to see the experience you can bring to bear on their needs.

It is very helpful being able to speak from first-hand knowledge about the process for obtaining various certificates and accreditation, but I find that I don’t get to talk to prospective clients because I’ve done a few exams. They are more interested in what experience I’ve had, where, and whether any of it has relevance to their requirements / situation.

My advice is therefore this: make sure you gain experience in several sectors including SME, government, public sector, etc., and make sure you know how to apply that experience in a range of scenarios. Being flexible and adaptable in your approach to client requirements is what you should be aiming for. Having some experience of the certification process and perhaps even a degree is helpful, but it’s not what is really needed by the clients out there.

Choosing your certification

There is a wide range of different security courses available, and a mind-boggling array of certifications and acronyms which go with them. This article focusses on three of the most common, highlights the differences between them and provides guidance on how to choose one over the other. I hold all of these certifications, and I’ve linked to a couple of previous articles where I’ve described the learning experience in a bit more detail.

CISMP has been developed by the British Computer Society (BCS), and is the Certificate in Information Security Management Principles. It is a well-known and common entry-level qualification, which is typically attained by people who are looking to start their careers in information or cyber security. It covers, at a very high level, a wide range of topics and provides a good foundation level of understanding. It can be viewed as a preparatory course which you then build on, perhaps specialising in one area or another.

It covers the following topics, and typically these subject areas are covered over five days on a course, with a one hour multiple choice exam at the end:

  • Information security principles
  • Information risk
  • Information security framework
  • Procedural and people security controls
  • Technical security controls
  • Software development and life cycle
  • Physical and environmental security
  • Disaster recovery and business continuity management
  • Other technical aspects

CISSP is the Certified Information Systems Security Professional from (ISC)2, and is one of the two most popular high level certifications (the other being CISM – more on that shortly). Of the two, CISSP is more focussed on technical skills and management, and is based on 8 domains:

  • Security and Risk Management
  • Asset Security
  • Security Engineering
  • Communications and Network Security
  • Identity and Access Management
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

In order to achieve certification, you must pass a 6 hour exam consisting of 250 multiple choice questions, and be able to evidence at least 5 years’ experience in at least two of the domains listed above. You also need to have an existing CISSP verify your claims of experience. 

The Certified Information Security Manager (CISM) from ISACA is the other major certification which companies typically look for. It focusses more on governance and risk than technical skills, and is allied to the Certified Information Security Auditor (CISA) certification, also from ISACA. There are only 4 domains, namely:

  • Information Security Governance
  • Information Risk Management
  • Information Security Program Development and Management
  • Information Security Incident Management

Those applying for CISM need to be able to demonstrate at least 5 years’ experience in 3 or more of these domains, and also have to pass a 250 question multiple choice exam which lasts up to 4 hours. This is currently a paper based exam which is only available twice a year (all exams globally run at exactly the same time), though it is understood that this is moving to a computer based test in the near future. 

For both CISSP and CISM, certification is maintained by completing and evidencing a minimum of 20 hours of Continuing Personal Development / Continuing Professional Education each year over 3 years, with a minimum of 120 hours CPD / CPE required in that time. Activities which qualify include attending seminars and conferences, contributing to papers, presenting on one of the domain topics, etc.

Summary

CISMP is a good foundation to start a cyber or information security career. Candidates cover the basics of the topics involved, and will have a sound understanding of each area covered, which will in turn help them decide which they want to pursue in order to further their career. CISMP has no ongoing CPD requirement.

It can also be seen from above that there is little difference in terms of qualification requirements between the CISSP and CISM: the former is more suited to those with a technical, more hands-on, background while the latter is better for those who have spent more time on the policy, process and governance side of things. They both require 5 years’ experience in the industry and endorsement from an existing holder of the certification. The exams can be lengthy, but the time allowed to complete them is ample, and candidates should not find them too daunting.

(ISC)2 and ISACA are aiming to ensure that, because candidates must have experience as well as pass an exam, their qualifications have merit and are valuable for the individual and the company. The requirement for CPEs also helps to ensure that knowledge is being maintained and refreshed over the course of the certification.