Security for privacy practitioners: What security certification suits?

We are often asked by privacy practitioners to recommend security training to help them get up to speed with security concepts and terminology: just enough to be able to understand their information security team.

We’ve done a review of the best known security certifications, with a view to what would be most useful for privacy practitioners. The results of our analysis are included below, separated into entry level focused certifications and those that are more advanced. We hope you find something that suits.

Entry level security certifications

These include:

  • ISACA’s CSX Cybersecurity Fundamentals
  • (ISC)2 CC Certified in Cybersecurity
  • SANS Information Security Fundamentals Certification
  • CompTIA Security+
  • (ISC)2 SSCP Systems Security Certified Practitioner

ISACA CSX Cybersecurity Fundamentals (CSX)

The CSX Cybersecurity Fundamentals Certificate is relatively new to the ISACA certification program and was designed to fill the entry-level niche.

Geared toward recent post-secondary graduates and those seeking career changes, this certificate covers five cybersecurity related domains:

  • concepts;
  • architecture principles;
  • network, system, application and data security;
  • incident response; and
  • security of evolving technology.

There are no pre-requisites for this course.

There is an 8-hour prep course available and the labs take about as long again, so perhaps 15 – 20 hrs total study time would be about right.

Pros:

  • It is a good entry level certification, focusing on some of the main information security areas.
  • ISACA is also a great organisation to be a member of, with lots of really helpful resources.
  • The certification does not expire and there are no on-going CPE requirements.

Cons:

  • It is a new certification so there are not many external resources available.
  • It also does not have the recognition of other more established certifications.


(ISC)2 Certified in Cybersecurity (CC)

(ISC)2 bills the CC as the “ultimate starting point for an exciting and rewarding career in cybersecurity”.

This is a brand new certification, still in the pilot program stage. It’s designed as a starting point for people wanting to pursue a career in cybersecurity (or to gain basic knowledge). There are no experience requirements.

It covers the following domains:

  • Security Principles
  • Network Security
  • Access Controls Concepts
  • Security Operations
  • Business Continuity, Disaster Recovery, Incident Response Concepts

There are no prerequisites for this course.

The training options give you 14 hours of content, so based on the available on-line training courses perhaps 15 – 20 hrs total study time would be about right.

Pros:

  • It is a good entry level certification, focusing on more operational information security domains than the ISACA CSX certification.
  • (ISC)2 is also a great organisation to be a member of, and tends to be more technically focused than ISACA.

Cons:

  • The certification is still in pilot stage so might be a bit immature.
  • Because it’s new, there are few external resources available.
  • It also does not have the recognition of other more established certifications.
  • CPE requirements are not clear.


SANS GIAC Information Security Fundamentals Certification

This course and certification are aimed at the total beginner. SANS suggests you ask yourself these questions to determine whether you should take this course:

  • Are you new to cyber security and in need of an introduction to the fundamentals?
  • Are you bombarded with complex technical security terms that you don’t understand?
  • Do you need to be conversant in basic security concepts, principles, and terms, but do not need “deep in the weeds” detail?
  • Have you decided to make a career change to take advantage of the job opportunities in cyber security and need formal training/certification?
  • Are you a manager who lies awake at night worrying that your company may be the next mega-breach headline story on the 6 o’clock news?

There is a five-day comprehensive course that covers everything from core terminology to how computers and networks function, security policies, risk management, a new way of looking at passwords, cryptographic principles, network attacks & malware, wireless security, firewalls and many other security technologies, web & browser security, backups, virtual machines & cloud computing.

All topics are covered at an easy to understand introductory level.

This course is for those who have very little knowledge of computers & technology with no prior knowledge of cyber security. The hands-on, step-by-step teaching approach enables you to grasp all the information presented, even if some of the topics are new to you. You’ll learn real-world cyber security fundamentals to serve as the foundation of your career skills and knowledge for years to come.

The affiliated training course for this certification is SEC301 Introduction to Information Security.

Training is available on demand, live or in person.

The cost of the SANS training, however, is quite prohibitive at USD 6,660 for any of the options, and the exam and renewal costs are equally high.

There appears to be very little in terms of non-official training resources.

Pros:

  • SANS workshops and teaching are outstanding.
  • The SANS certifications are very mature and supported by excellent materials.
  • SANS is another great security organisation to be a member of, and is possibly the most technically focused of the three (SANS, ISACA and (ISC)2).

Cons:

  • The training is expensive and there are on-going CPE and maintenance fee requirements.
  • There seems to be little available outside of the SANS training materials.
  • The training is quite technical and perhaps better suited to someone looking to start a career in cybersecurity.


CompTIA Security+

Security+ is a very popular certification for beginners and frequently appears in “top” IT certification lists. It is a vendor-neutral security certification that is a good place to start. It teaches basic security concepts and is seen by many as the first port of call on the way to studying more advanced certs. Because it is aimed at entry-level security professionals, it offers generalised information that will help candidates build a foundational understanding of information security.

CompTIA describes it as “the only baseline cybersecurity certification emphasizing hands-on practical skills, ensuring the security professional is better prepared to problem solve a wider variety of today’s complex issues.”

Security+ is aligned to the latest trends and techniques – covering the most core technical skills in risk assessment and management, incident response, forensics, enterprise networks, hybrid/cloud operations, and security controls, ensuring high-performance on the job.

There are no pre-requisites for the certification, but CompTIA recommends 2+ years of IT administration experience and first obtaining the Network+ certification.

CompTIA offers a range of resources, including an official Study Guide as an eBook, eLearning options, virtual labs and Instructor Led training.

Pros:

  • Many job roles turn to Security+ as evidence of baseline cybersecurity skills which are applicable across more of today’s job roles to secure systems, software and hardware.
  • Due to its popularity, there are also many low cost self-paced exam prep courses and eBooks available on sites such as Udemy.

Cons:

  • There are on-going fees and CPE requirements.
  • Recommended study time is 60 hours, which is quite long.
  • It is recommended that you take the Network+ certification first which can make it quite an undertaking.


(ISC)2 Systems Security Certified Practitioner (SSCP)

The SSCP is billed by (ISC)2 as the “Premier Security Administrator Certification”. The SSCP role is targeted toward IT infrastructure security, and correlates to roles such as database manager, network security engineer, system administrator or analyst, systems engineer, security administrator, security consultant, and network systems analyst.

According to (ISC)2, the SSCP certification “demonstrates you have the advanced technical skills and knowledge to implement, monitor and administer IT infrastructure using security best practices, policies and procedures established by the cybersecurity experts at (ISC)².”

This certification definitely requires a greater degree of technical experience and knowledge than CompTIA Security+, but is generally still considered either entry level or at most intermediate.

There is an experience requirement before you can get the certification: 1 year of full-time paid experience. If you don’t meet the experience requirement you can still take the exam and become an (ISC)2 Associate. You then have 2 years to meet the experience requirement.

(ISC)2 offer Certification training through authorised training partners. This tends to be quite expensive and is around $3000 to $4000.

Again, there are less expensive self-paced options, but it might be a challenge for a non-technical person to achieve this certification outside of an instructor-led environment.

The certification is valid for 3 years and requires 60 CPEs for recertification.

Pros:

  • It’s a good entry level certification for those who’ve had a little security experience and want to move to the next stage in their careers.

Cons:

  • There are on-going fees and CPE requirements.
  • This certification is not as well known as other (ISC)2 certifications – like the CISSP.
  • It is possibly a little too technical for a privacy practitioner.


More advanced security certifications

  • ISACA Certified Data Security Privacy Engineer (CDPSE)
  • (ISC)2 Certified Information Systems Security Professional (CISSP)
  • ISACA Certified Information Security Manager (CISM)

ISACA Certified Data Security Privacy Engineer (CDPSE)

This certification is relatively new, having been launched in May 2020, but demand already seems to be on the increase. ISACA rolled out the certification due to what it perceived as a gap in the industry landscape.

This certification mainly concentrates on the implementation of privacy solutions from both a governance and technical perspective.

“Modern privacy laws and regulations require organizations to implement privacy by design and by default into IT systems, networks, and applications,” says Kim Cohen, ISACA Senior Director of Credentialing. “To do so, privacy professionals must partner with software developers, system and network engineers, application and database administrators, and project managers to build data protection and information security measures into new and existing data processing environments. We designed the CDPSE certification to promote privacy-enhanced design that works cross-functionally with legal, policy, DBAs, engineers, software developers, and back-end and front-end experts.”

The CDPSE is focussed on validating the technical skills and knowledge it takes to assess, build and implement comprehensive privacy solutions. CDPSE holders can fill the technical privacy skills gap so that your organisation has competent privacy technologists to build and implement solutions that mitigate risk and enhance efficiency.

The CDPSE is recommended for IT professionals engaged in creating and implementing technical privacy solutions and data scientists / analysts who mine and analyse data for customer insights.

There is a significant experience pre-requisite.

Candidates who want to achieve certification must have at least three years of experience across the three domains of privacy governance, privacy architecture and data lifecycle. You can, however, obtain the required experience in the 5 years after taking the exam.

There are the usual options for CDPSE exam preparation on the ISACA website, including manuals (both printed and digital), online review courses, live courses and practice exam questions.

Given the newness of this certification, there isn’t a lot of additional material out there. We were only able to find one practice exam available on Udemy and nothing on Pluralsight.

The certification is valid for 3 years, subject to meeting a minimum of 20 CPEs annually and a total of 120 CPEs for recertification over the 3-year period.

Pros:

  • This certification definitely fills a gap between privacy and security technical requirements.
  • It provides useful information on technical solutions for privacy issues.

Cons:

  • It is a new certification and not hugely well known.
  • The body of knowledge will be developed over time and should mature.


(ISC)2 Certified Information Systems Security Professional (CISSP)

The CISSP is billed by (ISC)2 as “The World’s Premier Cybersecurity Certification”. Job board surveys would tend to support that assertion, with the CISSP being listed as a desirable or required qualification more than twice as often as other popular certifications.

The CISSP focusses on IT security and cybersecurity as it relates to management and oversight.

This certification is aimed squarely at experienced security practitioners. It is an advanced-level certification for IT pros who are serious about careers in information security. Unless you have worked in at least 2 of the 8 domains for a minimum of 5 years, you can’t earn the certification. Even a 4-year college degree would only reduce the experience requirement by one year. This is definitely not the certification for beginners or those who don’t intend to work full time in cybersecurity.

(ISC)2 offer certification training through authorised training partners. This tends to be quite expensive and is around $3000 to $4000. However, due to the popularity of this certification there is no shortage of other training options. These include classroom-based training offered by (ISC)2, as well as online video courses, practice exams and books from third-party companies.

The CISSP is notoriously hard to pass.

Instructor-led training runs over 5 days (36+ hours), and reading and further study will also be required. Between 40 and 70 hours of preparation is recommended, depending on prior experience.

Pros:

  • The CISSP is a very highly regarded certification and can bring higher salaries.
  • It’s been around for over 20 years and is very mature (lots of resources, really well thought out official training materials, great testing methodology).

Cons:

  • The CISSP is a highly technical certification and probably not suited to most privacy professionals who are interested in increasing their security knowledge.
  • To get the certification you need 5 years of experience, which can be reduced to 4 years depending on other qualifications held.
  • It is a really, really hard exam to pass, it’s expensive and it requires heaps of preparation.



ISACA Certified Information Security Manager (CISM)

The CISM certification is a top credential for IT professionals who are responsible for managing, developing and overseeing information security systems in enterprise-level applications or for developing organizational security best practices. The CISM credential was introduced to security professionals in 2003 by the Information Systems Audit and Control Association (ISACA).

Like the CISSP, it is a mature and well-regarded certification.

ISACA’s organizational goals are specifically geared toward IT professionals who are interested in the highest-quality standards with respect to the auditing, control and security of information systems. The CISM credential targets the needs of IT security professionals with enterprise-level security management responsibilities. Credential holders possess advanced and proven skills in security risk management, program development and management, governance, and incident management and response.

Candidates must have at least five years of experience in information security management.

Training and study materials are available in various languages, together with information on job practice areas. There are primary references, publications, articles, the ISACA Journal, review courses, an exam prep community, terminology lists, a glossary and more available at ISACA.org.

The costs for the exam and CPE requirements are similar to those for the CISSP.

Pros:

  • The CISM is more management focused than the CISSP and includes detailed consideration of governance and risk management, which is useful for privacy professionals.
  • Like the CISSP, the CISM is a well recognised and well resourced credential.
  • It’s easier to pass than the CISSP.

Cons:

  • There are extensive experience requirements, plus on-going maintenance fees and CPEs to be completed.


Hope that helps…

Any questions – please Contact Us

At Privacy 108, we are passionate about privacy and data protection. We work with organisations to ensure they collect, use and secure all information in a way that is both compliant and meets community expectations. Privacy 108 is a law firm. Our team of lawyers can provide specialist legal advice on privacy and security issues.