Here is an excerpt of an article I wrote on this topic for www.cramsession.com:
If you visit recent stories I've written for SearchSecurity, you'll obtain a systematic overview of all the security certifications I've been able to uncover in the marketplace.
Since you're starting out cold in this subject, the following is a great sequence of credentials and exams you could pursue:
The BrainBench Internet and network security exams are simple, straightforward and relatively easy. Because these exams are also inexpensive and offer basic coverage of information security topics, use them to assess your background and your interest in the subject matter.
A good next step is the Certified Internet Webmaster (CIW) Security Professional exam. If you have an MCSE, or any of a number of other sysadmin credentials, passing this exam makes you a CIW Security Analyst. This is a decent entry-level exam on security, albeit one with a pronounced Web emphasis.
At this point you should be ready to tackle one of the many entry-level security certifications available today. Choose any of the following; each of them provides great coverage of security theory, operations, practices and policies.
ISC2 System Security Certified Professional (SSCP): The International Information Systems Security Certification Consortium is where the best-known senior-level security certification lives. If you're thinking about obtaining a CISSP (see below), the SSCP cert is a good way to start.
SANS GIAC Security Essentials Certification (GSEC): The SANS Institute is gaining lots of visibility in infosec circles, as are its certifications and programs. A GSEC starts you down the path toward higher-level GIAC certs.
TruSecure ICSA Computer Security Associate (TICSA): The International Computer Security Association is a long-time fixture on the infosec scene. This entry-level certification is new but is gaining market and mindshare.
Once you get this far down the road, you'll want to climb to the highest rung on most security ladders -- senior-level or premium certs. Most such programs require three or more years of work experience with security; some also demand that you write papers or conduct research as well as pass their exams; some even require you to take classes. The following three certs pick up where the preceding three leave off:
ISC2 Certified Information Systems Security Professional (CISSP): This is the security certification most often requested by name in classified ads and job postings. Besides that, it's also a well-respected and challenging certification.
SANS GIAC Security Specialist Certifications: SANS offers numerous specialty certs that extend from the GSEC. Topics covered include firewalls, intrusion analysis, UNIX security administration, Windows security administration, plus role-related certs for information security officers, and systems and network auditors.
TruSecure ICSE Computer Security Expert (TICSE): A senior-level security certification that extends the TICSA credential. It is a new program.
Beyond this ladder, you will indeed find other options. SANS offers its GIAC Security Engineer credential, which requires the GSEC, all the GIAC specialties, plus an additional exam and other work. The Espionage Research Institute offers its Certified Counterespionage and Security Information Manager credential. Also, there's the elite Certified Protection Professional certification from the American Society for Industrial Security; it requires seven-to-nine years of work-related experience, among its numerous other stringent requirements.
Also, don't forget that lots of vendors offer security certifications for their products and environments, too. Once you get to the mid-tier credentials range in the preceding ladder, you can start thinking about branching into vendor security.
This was first published in April 2002.