Cisco updated its CCNP Security certification to help engineers master security job roles and tasks rather than...
individual security devices. The company also added a new Cybersecurity Specialist certification that trains security analysts to identify and remediate threats.
The CCNP (Cisco Certified Network Professional) Security program originally consisted of training and exams that evaluated an engineer's abilities with individual security devices, particularly Cisco products. The four exams that tested an engineer's abilities included the following:
- Deploying Cisco ASA Firewall Solutions (FIREWALL)
- Implementing Cisco Intrusion Prevention Systems (IPS)
- Securing Networks with Cisco Routers and Switches (SECURE)
- Deploying ASA VPN Solutions (VPN)
The revised CCNP Security curriculum scraps this device-centric approach and teaches engineers to approach security more systemically and use a variety of devices to solve different security issues. The names of the certification's four new exams reflect this change:
- Implementing Cisco Edge Network Security
- Implementing Cisco Threat Control Solutions
- Implementing Cisco Secure Access Solutions
- Implementing Cisco Secure Mobility solutions
"We're moving away from the idea that you are putting in a specific box to do this and a box to do that and the whole headache around the administration of how the boxes work together," said Danny Tomic, business operations manager for Cisco's High Touch Technical Support Group. "Large organizations want to see an umbrella security architecture. They are moving away from individual components of the network and instead focusing on solutions [to security problems]."
The revisions to CCNP Security align with changes Cisco has made to many of its certifications in recent years, where curricula has become more focused on tasks and job roles than individual devices.
"In most cases, enterprise roles are not segregated based on devices," said Paul Stewart, a CCIE Security-certified engineer and Cisco instructor. "Management divvies up technology tasks that are more task-focused. The approach to security roles may focus on layers of the OSI model, types of technologies or specific business needs. So having training that focuses on tasks across all tools helps prevent security engineers from only considering the one solution they are most familiar with."
Leke Oluwatosin, a network engineer with Data Networks, a Hunt Valley, Md.-based IT services provider, abandoned his pursuit of the older version of the CCNP Security certification when he realized that the device-centric approach of the program wouldn't serve his career.
"It was geared toward certification and not a real-world experience," he said. "I stopped taking the exams for those reasons. The FIREWALL and VPN [exams] were OK because those are things we deal with on a daily basis. But when it came to IPS, we don't use [it]. Even Secure, which has a lot about securing routers and switches, has a lot of things we don't really use on production networks at all."
Oluwatosin said he will complete the CCNP Security certification now that Cisco has revised it. He is pleased that Cisco has emphasized a mobility component, something that is increasingly important as enterprises adopt bring-your-own-device policies. He is particularly happy that the curriculum now includes training to use the Identity Services Engine (ISE), Cisco's policy management and access control system that works across wired, wireless and VPN connections.
"ISE was not in the curriculum before, and a lot of enterprises would want a security engineer to know how to work with it. I had to get a book and study ISE because I couldn't find [training] anywhere. Adding it to the curriculum makes so much sense," he said.
Cybersecurity Specialist certification for network firemen
The Cybersecurity Specialist certification, in the meantime, was added to train and certify frontline responders to cybersecurity threats, Cisco's Tomic said. The curriculum will teach security analysts how to monitor networks, identify threats and false alarms, and remediate attacks.
"The training we've created is very much lab-intensive and extremely hands-on," he said. "Within the training, we use real-world data, run it through the systems and train people on how to monitor it, work out what the alarms are, and how you investigate and thwart attacks. This is probably one of the biggest areas of growth we've seen [in the network security job market]."
Oluwatosin will consider the Cybersecurity certification, but he thinks Cisco should have incorporated this training into the CCNP Security track.
"If I am a security pro and I am Cisco-certified at a professional level, of course I need to be able to handle cybersecurity," he said. "It should all be on the CCNP Security track. A lot of enterprises are now battling threats that are getting bigger and bigger. A lot of engineers don't understand the nature of these threats. They only understand how to mitigate them because Cisco said that this is the way I should do it. Cisco [should] include some things [in CCNP Security] to let engineers understand threats from a theoretical standpoint."
Stewart agreed that enterprises need cybersecurity experts who can identify and remediate threats. He noted that the SANS Institute offers vendor-neutral cybersecurity training programs.
"While I think the role and the required skills are very important, I have to wonder what Cisco is trying to accomplish that isn't being addressed in the SANS program," Stewart said. "It will be interesting to see if the industry adopts a vendor-branded certification and how it is perceived against a vendor-agnostic security certification like the one from SANS."
Skills that network engineers should develop for SDN
F5 Networks pushes ADC training through University of Phoenix
Network engineering salaries: Underpaid but loving it
CCIE Data Center: Take a leadership role
Dig Deeper on Network Security Best Practices and Products