That being said, I think there are two situations in which certifications are helpful. The first is when a person has no direct experience in the security industry and no credibility to convince an employer that he or she can do the job. In this case, getting a certification can show initiative, focus and a willingness to make an investment in one's future. It's one of the ways to get from Point A (not having a job in information security) to Point B (having a job in the security industry).
The other situation is when there is a real dollar value to getting the certification. Some companies highly value capital letters behind an employee's name, and they are willing to pay for them because they make the security organization as a whole seem more knowledgeable. That doesn't make much sense to me, but if a company will pay more for a certified employee, then by all means get certified.
In terms of what else to do to get a job in the security business, I would recommend informally increasing personal skills, which means breaking and fixing stuff. Build a home network and break into it. Fix it and try it again. Offer to secure the networks of neighborhood businesses. These things will provide a person with real experiences that can be relayed during the interview process.
This was first published in January 2008