Navigating your IT security certifications, part 2

Martin Schaeferle

This is part 2 of a two-part series. To read part 1, click here

Welcome back. Previously we discussed some of the basic certifications you will need to jump start your journey into the IT Security field and open many opportunities for you. But what if you want to take it to the next level. Perhaps you are aspiring for a Director of Security or CISO role. What certifications lay the foundation to purse that direction?


There are actually many other specialty areas in security available for us to discuss (like those created by industry leaders like Cisco, GIAC, SANS, ISACA, (ISC)2 and many others). But for the interest of brevity, I’d like to highlight some of the more popular ones. The first two I’d like to introduce are from ISACA and are favorable certifications for those who wish to move into management positions. Those two are: Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM).

There are more than 140,000 professionals certified globally with CISA and it is one of the top paying IT certifications of 2018 as reported by Global Knowledge. As companies are faced with increasingly more security challenges including new global threats (e.g. ransomware), new government regulations (e.g. GDPR), and new technologies to secure; they are under enormous pressure to hire the right talent to manage it. With the CISA certification, you will be recognized as someone that can take a comprehensive view of information systems and their relationship to a success business-wide security initiative. In addition to passing the exam, this certification requires the submission of a formal application which requires certain levels of education and work experience. Check out their web site for more information.

The CISM certification is different and comes at security from a company policy standpoint. It covers four key areas: information security governance, Information risk management, information security program development and management, and information security incident management. Passing this certification demonstrates that you understand security and how it relates to the overall business goals. It shows that you not only understand security, but also how to build and manage an information security program within the company.

But perhaps you’re looking to achieve an even higher position, one that leads all of the company’s security needs, such as Chief Information Security Officer (CISO) and Director of IT Security. Moving into these roles require digging much deeper into all the individual niches in the security field. The first one to consider is CompTIA’s Advanced Security Practitioner (or CASP). CASP is a relatively new certification from CompTIA and is meant to test the student on a broad range of security skills. In fact, it meets the ISO 17024 standard and is compliant with regulations in the Federal Information Security Management Act (FISMA).

Once you pass the CASP certification, you’ll likely be feeling pretty good about your skills, a Luke Skywalker of Security experts if you will. But what if you want to go for Yoda status? One of the top respected certifications is undoubtedly the (ISC)2 Certified Information Systems Security Practitioner (or CISSP), which is not your average certification and will require significant work to achieve. It is meant to demonstrate a clear and deep knowledge of all things security and is fast becoming a requirement for many of the very top positions in IT security.

Although CASP and CISSP are great options for some of the top IT positions and cover a broad range of security topics, they are very different in what the exam covers. The CASP exam tests whether you know HOW to implement many of common security concepts, so their questions will be mostly unambiguous. For example, “what command line tool is used to create a 128-bit hash?” The CISSP exam, on the other hand, tests whether you know what the best practices are when dealing with complex security situations. Here, the options available to choose from may, in fact, all be technically correct. For example, take the following question, “Which of the following is the PRIMARY advantage of data classification for an organization?” Here, all the options could be valid examples of legitimate advantages, but the correct answer is the one that has the most advantages.

Be sure to check out many of the training titles we have in security, and good luck my young Jedi.

About the Author:

Martin Schaeferle

Vice President of Technology | LearnNowOnline | Eden Prairie, MN

Martin Schaeferle is the Vice President of Technology for LearnNowOnline. Martin joined the company in 1994 and started teaching IT professionals nationwide to develop applications using Visual Studio and Microsoft SQL Server. He has been a featured speaker at various conferences including Microsoft Tech-Ed, DevConnections and the Microsoft NCD Channel Summit. Today, he is responsible for all product and software development as well as managing the company’s IT infrastructure. Martin enjoys staying on the cutting edge of technology and guiding the company to produce the best learning content with the best user experience in the industry. In his spare time, Martin enjoys golf, fishing, and being with his wife and three adult children. 


Go1 helps millions of people in thousands of organizations engage in learning that is relevant, effective and inspiring.
Latest stories and insights