I got my first certification in Information Security! Here is everything you need to know about the process, the exam and the final steps of this short experience.
I was recently job hunting after my PhD contract expired, and for some positions, both "entry-level" and junior ones, they asked about certifications. I can tell you that, compared to my last job hunt in 2019, certifications have moved from a required qualification to a nice-to-have, which is great for jobseekers for a number of reasons. Let's start with a short introduction to IT security certifications; after that, I am going to explain the process of getting the ISC2 Certified in Cybersecurity (CC) certification.
Disclaimer: I am a member of ISC2 (more on that below), and I am not getting paid for this post. This is just me sharing my experience.
Why certifications?
The information security industry relies heavily on certifications for products and services, often based on the ISO/IEC 27001 standard. Both companies and products can get a certification based on it, which proves that they follow best practices and implement appropriate standards in IT security.
Since IT security is such a complex field, the industry has decided to accept, and partly to require, that security professionals get certified as individuals, as there are only a few accredited study programs that can prove proficiency in security. If you are in the infosec industry or have tried to enter it, you might have heard of the following certifications:
- Certified Ethical Hacker (CEH)
- Certified Information Systems Security Professional (CISSP)
- Certified Cloud Security Professional (CCSP)
- CompTIA Advanced Security Practitioner (CASP+)
All of these have different requirements, such as "X years of work experience", and you typically need to become a member of the relevant association to be able to take an exam. Needless to say, a whole industry branch has evolved around these certifications, because… capitalism. ¯\_(ツ)_/¯
About ISC2 CC
The (ISC)² is such an organization, a "member association for cybersecurity professionals". They sell some of the industry certifications listed above and also offer trainings to help you pass their exams. They are running an initiative called One Million Certified in Cybersecurity, in which they offer ISC2 Certified in Cybersecurity, an entry-level certification for people without previous experience in information security.
What this means: You get free access to their web-based e-learning platform to learn about security principles, and they also waive the exam fee of $184, so you can take the exam for free. Of course, you can buy more learning material from them, but I would say you can manage with only the free material.
The process
It works as follows: You register on their website, create an account, and you get access to their e-learning platform. There, you can click through the lessons at your own pace. These are the chapters:
- Security Principles
- Incident Response
- Access Control
- Network Security
- Security Operations
At the end of every chapter, there is a very small quiz where you can test your knowledge. The questions are examples of what you will encounter in the exam, and you can repeat the quiz as often as you want. I will not put an actual example here, but the questions look like this:
A door lock is a type of ___________ measure.
[ ] A
[ ] B
[ ] C
[ ] D
After training, you can register for the actual examination.
The exam
After you finish your training, you get a discount code which you need to use when registering for the exam. Then you need to book an appointment for the exam.
The exams are carried out by companies certified by Pearson VUE, the organization that creates and manages these exams. You can select a facility in your country; there might be multiple ones to choose from.
For Germany, there were several locations, mainly in big cities, so I had to travel a bit to get there. The exam can be taken in the following languages: English, Chinese, Japanese, Korean, German and Spanish.
This might be easier for non-native English speakers, but I feel that security topics are best learned in an English-speaking context, like a lot of IT-related topics. So my suggestion is to learn and, if you can, also take the exam in English.
The exam outline shows which topics are covered by the questions (surprise: the same as in the training) and contains all the relevant information, such as:
- You have 120 minutes (but I actually had 90 minutes)
- There are 100 questions
- Multiple choice, you have to choose 1 of 4 options
- You pass with 700 / 1000 points
- No idea how the points are calculated, but I suppose you need to answer 70% of the questions correctly.
For the registration, you need to provide some details about yourself, and they will take a photo of you at the examination center, as well as check your signature against your ID documents. A palm vein scan, as described on the ISC2 website, was not required in Germany. I was very conflicted about doing such a scan, so I am glad I did not have to do it.
Some impressions from the exam center I went to: It was a really nice office space with a relaxation area, a (free) coffee machine, snacks and comfy seating. The exam room was a small room with office cubicles, each with a computer mouse and a screen. You are not allowed to bring anything into the room, but you get material to take notes if you need it. You basically sit in front of a screen and click through the 100 questions until you are done.
I was done after around 30-40 minutes. Really, nothing to worry about: even if you do not know all the answers, you can work out the correct one by excluding at least 1-2 nonsense choices.
Hidden costs
After the exam, you are presented with the surprise: Pay up!
Okay, let's be less dramatic. Directly after taking the exam, I got a printed confirmation that I had passed the exam, preliminarily. The paper only says that they need to do further checks before the actual exam confirmation.
The day after, I got a congratulations mail from ISC2, which said I had passed the first of three steps to become certified. The next step was an online application form to attest that you fully support the ISC2 Code of Ethics. For example, you need to state that you have no criminal background, especially not in IT.
Also, here comes the weirdest part of the process. You are told that you need another ISC2 member to endorse you. My expectation was that you would need to name someone. But the application form does not offer this, and you never hear of it again.
Anyway. You need to choose to become a member, and you are presented with the member fee, an annual $50 membership fee. Not only that, but you cannot get the certification if you do not become a member, partly because the ISC2 Code of Ethics is part of the certification. So your membership is part of the "proof" that you are a CC professional. Your certification lasts for 3 years before it requires renewal. I do not know yet how that works, but I will probably write a new post when the time comes.
Final remarks
I am slightly disappointed in the result. I got a certificate as a PDF. The text includes your name and the dates, but the rest is embedded as an image, so it does not scale and is crazy pixelated. At least they could make it high-quality so that if you print a physical copy, it does not look that bad.
The hidden fee was surprising, and I have mixed feelings about it. It is not that high for working people, but I still do not like that it is mandatory.
The exam process was really smooth. You need to consider the costs of getting to the certification center. I paid around $50 for the train to get to the place, and it took half a day. But it was worth it, for the experience, and I got this nice blog post out of it. I highly recommend it if you have no or really limited experience in information security and you want to start in the industry.