Choosing and Passing a Software Security Certification

Let’s first address certifications as a whole. There are many. One might argue too many. As a software developer, manager, security consultant or salesperson, having to make decisions about such an overwhelming number of certification options can be daunting. Let’s not forget, either, that these certifications aren’t free. You need to spend real money and real time to acquire and then to maintain each one.

Breaking down the options:
Let’s first focus on the ISC2 (International Information Systems Security Certification Consortium) certifications. You’ve got the potentially most popular and arguably most highly regarded CISSP (Certified Information Systems Security Professional), which concentrates on operational security for the most part but does offer a nice over-arching perspective. Let’s not stop there, though, as there are plenty more, such as the CCSP (cloud security), the CSSLP (secure software lifecycle) and the HCISPP (healthcare security) to name just a few, and that’s just ISC2. If we extend our reach into the GIAC certs (Global Information Assurance Certification) there are, at the time of recording this, 34(!) more certifications you can study for and achieve, covering everything from incident response and security leadership to language-specific certifications like secure Java and .NET. You could spend a lot of time AND MONEY getting certifications.

But wait… there’s more. There’s also the EC-Council (International Council of E-Commerce Consultants) certifications like the CEH (Certified Ethical Hacker), along with others like the CCISO (Certified Chief Information Security Officer) and a whole raft of others that roughly overlap with offerings from ISC2 and GIAC.

What’s number one though? Which should you get?

Well, it depends on what you do and what you want to do, of course. The number one certification for software security that looks good on LinkedIn is possibly the CISSP. The next most popular is one of the EC-Council certs like the Certified Ethical Hacker (CEH), or the EC-Council or GIAC certs for pen testing; your choice between those might simply depend on your location. GIAC is highly regarded in the USA, especially if you plan to work with the Department of Defense.
As my role requires me to have a solid foundation in securing the software development life cycle (SDLC), I decided to opt for the Certified Secure Software Lifecycle Professional (CSSLP). A recent article ranked it number 8 on the huge list of potential certifications, and because it aligned well with my actual job, I decided to dive in.

The Gold Book

But what exactly did I do when I say “dive in”? What needs to be understood is that each certification itself costs money, but that’s only at the end of the process. If you’re not entirely sure you are completely up to date with all subjects in the domains of study, you’ll need to buy books! It seems a bit archaic, I know, but that seems to be the most common technique. I’ll come to online training in a moment. The CISSP All-in-One Exam Guide can set you back around £60 or $80 new. You can buy these books used, but be wary: used copies can be early editions that miss key areas of study, such as changes in regulatory requirements or newer technologies like fingerprint recognition, which means you might get caught out. It’s in your interest to make sure your materials are up to date. With respect to online training, there is no shortage of courses that offer to get you “exam ready”, and you can be damn sure that each of the certifying bodies is happy to offer you one of theirs. They have the upper hand of actually knowing how the exams are written, so while they might be more expensive than other offerings, it is tempting to go directly to the source for both study and exam. It’s an interesting economy. The certification game is one of those concepts I wish I’d thought of. Offer an “official” certification which requires a rather lengthy test (most certification tests are between 4 and 6 hours long), and then, as certifications become a “requirement” or an “advantage” for career progression, helpfully offer the course to assist candidates in achieving certified status, and also charge a yearly subscription to maintain that status.
While I get that an infrastructure to maintain this certification governance requires funding, it does seem like an interesting and potentially corruptible model, seeing as there are already 3 different competing bodies offering certifications, which implies that nobody regulates who can offer a certification. That’s a whole other podcast.

The first thing I did was take an online course. I went down the typical route of taking the course offered by ISC2, which was a CSSLP eLearning course. At the time it was called the Official (ISC)² CSSLP eLearning Self Study. I did the whole course. It cost $695 US. Thankfully my employer (Synopsys… let’s give them credit) covered the cost, which is very helpful. I was already fairly up to speed but found it was well made and entertaining enough that I stayed awake, and I appreciated the modern approach to the concepts and domains within the CSSLP program. I definitely learned new things and solidified others I already had a foundation of expertise in. I also passed all of the quizzes along the way and got to the end of the course. The course suggested it would take about 8 hours of solid study; it really took about 24 hours. I did an hour or so a day after work for a month.

Feeling confident, I took a practice exam. I scored a rather weak 55%. You need approximately 70% on the real exam to pass. I say approximately because really you need 700 out of 1000 available points in the case of ISC2. Why is that not 70%? Because there are not 1000 questions on the real test, and not all questions are graded with an equal value; the 700 is a scaled score. That can make studying a bit more “fun” because it’s not really clear whether you’re doing well or not. I’ll come back to this later.
I took another practice exam and got just over 60%. My improvement was really a product not only of having learned some material from taking the previous exam, but of having learned how the exam questions would be presented. I was a bit disappointed that so much of the practice exam touched on material that just didn’t exist in the course. I have to imagine that an online course must be harder to keep up to date than a book, but still… this was the course offered by the certifying body.

A little dismayed, I read one of the books available, the CSSLP All-in-One Exam Guide. It was only £30. Not too bad. I read this cover to cover and again proceeded to take the practice exams. I was scoring about 70%, which is in fact the requirement for a pass on the CSSLP test. This was better, but hardly something that established enough confidence to walk into the exam centre knowing a 69% meant a lot of wasted money and time.

Let me take a moment to talk about the types of information you’ll want to remember during your study effort. There are a lot of standards, acronyms and methodologies that just don’t lend themselves to memory, for example the Clark-Wilson model and the Biba model for integrity, blah blah. The authors of these established methods were egotistical to name them after themselves instead of just calling them something more intuitive like the f*cking Database Integrity model. Thanks. That’s about as memorable as my calling this blogcast the Giguere Article. A good attitude toward absorbing knowledge can be difficult to achieve when it’s more than certain you’ll always have the internet available to consult when asked for detail. It’s already being shown that millennials and beyond are essentially now learning how to find information instead of actually memorising/knowing it. That sounds unfair, but to a degree I understand why that would be. The reality, which I’ll come to shortly, is that the exams themselves, at least the ISC2 ones as of 2017, concentrated on applying the knowledge more than on straight memorisation, which is thankfully why I felt I actually passed the damn thing.

The Black Book

Getting back to the study before I finish: with a 70% after a single book of study and 4 days before my exam, I decided to order another book. This time it was the ISC2 CSSLP study guide with the black cover. This covered subject matter which wasn’t taught in the gold book! I have no idea why that was, as they had similar publication dates and each claimed to be the ideal single study guide. I went through this book at a pace that was frightening. It is much thicker than the gold book, but because I’d already completed a course and the gold book it was possible to “skim” a good bit of subject detail I’d seen before. It was definitely essential reading, but more so, the practice exams had a very different vibe about them. They were far closer to the real thing in terms of the style of questioning and the subject matter. They were less memorisation-focused and more driven by application of knowledge. They created scenarios and asked for answers where, among the multiple-choice options, many were potentially correct but only one was really the best.

So ended my study. I went to the exam at the Pearson exam centre and after about 80% of the allotted time I was done. My initial feeling was that I had failed. This was because of one of three reasons.
1. I had actually failed the test. I hope this isn’t correct, but I’ll expand on this theory shortly.
2. The questions were very much stories about situations, asking for the best possible outcome. The style of questioning was best represented by the black book but was different yet again. It left you feeling a little paranoid that you might not have chosen the best answer, but that could simply be the tension of an exam state of mind.
3. I had passed the questions with high value but not the ones with low value. For the ISC2 exams, not all questions are weighted equally, but they don’t tell you which are worth what. Essentially you can miss enough questions to fail but still pass because you got the right ones right. Kind of like how Trump won the election.

It’s worth mentioning that not a single question I had in the real exam was in any of the practice exams, and I had done 10 exams, many short quizzes and over 1000 questions. Familiarity breeds confidence, and mine was low when I left the test pod. You sign a document saying you cannot disclose exam questions once you leave, which I understand, so I clearly won’t do that. What I will say is that if you get stuck on a question, it is worth “marking” it, because sometimes later questions give away the answers to earlier ones. It happens. It did so for me and for many other colleagues I know who have taken certification exams.
What is quite nice about these exams is that you tend to find out immediately whether you’ve passed or failed. I had passed. What is rather irritating is that they do not tell you your score if you pass, only if you fail. I don’t understand that, but I have an idea (ok, fine, it’s a bit of a conspiracy theory), and that idea is this. Going back to my option 1 of having actually failed the test: I can, from a business perspective, see that the certifying body needs a certain percentage of passing grades to keep the business model up. It is possible that sometimes they make an exam too hard, much like universities have done in the past. They then adjust the pass numbers up to keep the success rate at acceptable levels, otherwise people will take a different course, or in this case, the course of a competing certifying body. Word will get out that the exams are impossible with GIAC and to take the ISC2 ones instead, or vice versa. It is a business after all. I’ve no proof to back any of that up, but the theory has come up in several discussions on certifications with colleagues. It’s worth saying as well that if this is happening, it isn’t happening in a gross way. It might even just be a tendency to allow for a +/- pass margin, or an even more complex pass decision mechanism that is completely justified but difficult to explain, so… why do it if you don’t have to, and nobody is complaining if people are generally achieving their goals and happy with the system in place. If you want to read the FAQs on the ISC2 exam scoring, feel free. If it makes complete sense to you, fire us an email at codifyre AT gmail dot com and explain it. That’ll also let us know that somebody is actually listening/reading!

The big question in the end is, “Is it all worth it?” I believe so! In spite of the skepticism and conspiracy theorising, it does have real value. First, it did ensure a solid baseline in a certain field of knowledge, and second, and probably more important, it looks good on LinkedIn and also to your employer and future employers. It is, if anything, a demonstration to the world that you realise staying relevant in technology is critical and that keeping your blades sharp is an essential part of your career-building philosophy.
The Bodies

About The Author

I've been in technology since the Atari 600 computer crossed my path and I patiently (for 3 hours) typed in a BASIC helicopter video game from "Games" magazine, until a power cut wiped it out in a blink. I was hooked! Technology needed improving and I was determined to help.