A Q&A with Professor Mike Wills on the Value of Security Certification.

Mike Wills, CISSP, SSCP, CAMS, is an assistant professor at Embry-Riddle Aeronautical University (ERAU). He is also the Applied Information Technologies Programs chair and academic chair of the school’s Microsoft Software & Systems Academy (MSSA) program, a partnership with Microsoft, ISC2, St. Martin’s University, and University of Texas San Antonio’s Center for Infrastructure Assurance and Security. The program teaches foundational IT knowledge and skills to transitioning active duty military and honorably discharged veterans of the U.S. Armed Forces.

Throughout his professional life, he’s been a risk manager at many levels. He recently spoke with ISC2 about why he pursued security certifications and how it has enhanced his career path.

Why did you decide to add a security certification to your professional resume?
As we brought ISC2 into the partnership to teach the SSCP, I thought it only proper to go through the certification process myself. If we’re going to have an effective in-classroom intensive teaching program that equips our veterans for a new profession of service as information security professionals, I asked myself: How can we do that credibly if we have not been through the material, end to end, and experienced the certification process and exam?

One concern I had as an educator and as an information security specialist was how to keep our teaching of the SSCP from succumbing to the type of pass-it-today, can’t-remember-it-tomorrow syndrome that oftentimes is associated with bootcamp-style cram session programs. Going through the certification process, making use of the self-paced materials, and partaking in instructor-led training helped give me the confidence to say that the three certifications I now hold are not prone to that kind of morning-after uselessness.

A year later, our university was looking into how well the CISSP aligned with our degree programs. For much the same reason, I investigated the CISSP’s domains, its self-training material, and what differentiates the certifications from each other.

And, quite frankly, I wanted to calibrate both the SSCP and the CISSP and my own knowledge and experience against each other. Both include domains and topic areas that forced me to grow – to go beyond my comfort zone – if I were to honestly assess those certifications and myself. I had the same experience with becoming a Certified Anti-Money Laundering Specialist.

Do you feel certification was a worthwhile investment of time and money?
Absolutely! I was (and still am) investing that time and energy in growing and changing my knowledge and skills about a particular subject domain. And I was also investing in myself. Taking on the certifications challenged me to get the facts right, find the data and let it speak for itself, and then follow where it led. Follow the money; follow the access control accounting records; ask what that indicator is trying to tell me, and dig, think, keep looking, and keep asking, ‘what does that indicator imply or suggest has already happened?’

On a personal level, forcing myself to excel at these certifications challenged me to prove what I know, what I can learn, and just how much more I still have to learn. So they were all great confidence boosters and humbling experiences at the same time. But there’s just so much out there to keep learning about all of this!

Making the business case to my department chair was easy. My university has invested its money and my time in earning these certifications and in putting them to work in our various teaching and learning programs. Demonstrating the ROI we’d achieve, and then making that payoff happen, has been straightforward. It’s also been great fun!

How has the knowledge you’ve gained from the process helped you in your work?
Immensely! On a very practical level, it’s triggered a lifelong ambition to write books. When ISC2 needed to update the SSCP Study Guide, they told their publisher they wanted a book that would teach as well as guide, that took its readers along a learning journey through the domains in ways that made sense. They wanted it to reflect how these domains are taught. The marriage of ERAU’s teaching of the SSCP, as a cornerstone of our MSSA program’s cybersecurity administrator specialization, and this book project were a natural. My recently earned SSCP became the linchpin in putting that book, and then its CBK follow-on, together.

Having these credentials has also opened me up to other possibilities. They open doors into organizations and industries other than the ones I’ve been part of for much of my life. More importantly, they open doorways within myself. Getting certified let me see things – things within their domains and well outside of them – in wholly new ways. It’s exciting!

What other thoughts would you offer for those considering a security certification?
Let’s face it: Opportunity goes to the well-prepared. And living in dangerous and dynamic times, each of us needs to be so much better prepared to face tomorrow than we were today. We’re all at risk. Everything we value, everyone we hold dear, is held hostage to the badly misinformed decisions of the well-intended; is a target of opportunity to those with malice at heart. That last group of people, the “bad guys,” the black hats, is already outspending most legitimate businesses and organizations when it comes to investing in their knowledge, skills and abilities to attack.

The right certification, earned at the right time in your journey, is part of being prepared.

Ninety-nine percent of the headline-grabbing data breaches, the ransom attacks, the intrusions into information systems have been blamed on management making the wrong decisions. Managers and leaders in every organization desperately need people who can marry the technologies of IT security to the business needs for dependability, safety, reliability, confidentiality, and privacy for their information and information systems. They need us. I keep hearing recruiters and industry groups saying that the North American market has over a million jobs begging for people who can collaborate with end users and their managers to keep the lifeblood of their companies and organizations secure.

Getting certified – in any domain – can and should be mind-expanding. It’s the opportunity to see things in different ways, while at the same time benchmarking what you know, what you can do with that knowledge, and how you think.