Security certifications: What they are, and why you need them
When: Jan 30, 2001
Speaker: Ed Tittel, principal author at LANWrights, a network-oriented writing, training, and consulting firm
Topic: Security certifications: What they are, and why you need them.
Transcript:

Moderator: Welcome to today's live discussion with certifications expert Ed Tittel. Our focus today will be: "Security certifications: What they are, and why you need them." For more background on this topic, go to a recent article on SearchSecurity by today's speaker: http://searchsecurity.techtarget.com/Tips/searchSecurity_Tips_Single_Listing_Page/1,286550,516426,00.html

scushman194783: How many security certifications are there, exactly?

Ed_Tittel : Security certifications are like a lot of other IT certifications -- they tend to pop up every time it rains, just like mushrooms. More seriously, the last time I did a systematic check on 1/23/2001, I turned up 17 such certifications. But it's possible that I could have missed some, or that more have popped up since that time. To read more about what I found, please go to this SearchSecurity article that I wrote as an introduction for today's discussion: http://searchsecurity.techtarget.com/Tips/searchSecurity_Tips_Single_Listing_Page/1,286550,516426,00.html

mlewis4303: Who's got the most certified professionals in their security certification program right now?

Ed_Tittel : This is kind of a tough one, because hard numbers are hard to find. SANS GIAC is probably the leader with over 5,000 certified individuals; CISSP has a population of around 3,500 in the number 2 slot; CIW Security Professional is coming on strong with numbers getting ready to top 3,000. ICSA is still in its infancy (just launched in January 2001) so numbers aren't there, but they don't tell the whole story on this certification, either.

amalloy47248: How long does it take to get certified in IT security?

Ed_Tittel : That depends on which certification you pursue. Omitting required classes versus self-study concerns for the time being, most certified security professionals report that anywhere from 3 months to a year elapse between the time they start studying seriously and when they pass the exam. Closer examination shows that this range is in part a function of how many hours candidates devote to the program on a monthly or weekly basis, and that those with fewer hours to spend in any given interval usually take longer to finish than those with more hours to spend. Count on spending anywhere from 80 to 200 hours preparing for most such credentials, spread out as your schedule permits (or requires).

bvigil77144: For somebody who wants to get a job as a computer and network security professional, which credentials are most worth pursuing?

Ed_Tittel : This is an interesting question, because the landscape is shifting in this space. If you look at the list of security certifications available today, about half of them come from training companies that don't necessarily represent an industry group or focus; of the other half, one half come from industry and trade groups with a clear security focus, while the other half comes from vendors or consulting companies whose initial goal may be to sell you on a security certification, but who may also seek to sell you products, services, or some combination thereof to create a customer relationship. An important part of figuring out which credentials are worthwhile lies in answering the question, "What's in it for them if I get certified?" as well as the more typical question, "What's in it for me?" That said, I think the SANS GIAC, ICSA, CISSP, and CIW Security Professional credentials are the most worthwhile of the bunch, from the perspective of their inherent information or learning value, as well as for their inherent employability enhancement potential.

cketcher565173: How much does a security certification cost?

Ed_Tittel : Great question! The costs depend on how you approach these various programs. At the low end of the scale, a purely self-study approach will run you around $300, counting about $100-150 for the exam, and the remainder for study guides and practice exams to help get you ready. At the high end of the scale, you can take 5 to 15 days of training at about $500, then spend another $100-150 for the exam, and as much as you like for study guides and practice tests. Call a practical high-end range $2,800 to 8,500.

mtripp128827: What's the market demand like for security professionals?

Ed_Tittel : According to figures from the US Labor Department released in October 2000, there are approximately 2 jobs for every IT professional in the US. According to Gartner and Meta group studies quoted at numerous security-related Web sites, that ratio goes to 1 person for every 13 jobs in the security field. I guess this means that I can say, "demand is strong" without overstating the case!

lthing: How much do IT security professionals make?

Ed_Tittel : As with all averages, wages need to be adjusted for location and related factors like cost of living. Other important factors include years of experience, education, and whether or not a job includes management responsibilities. According to the SANS Salary Survey Summary for 2000, here's what things look like by job function: "Security consultants earned an average of $79,395. Security auditors were next in line at $71,404. Security administrators earned $63,598. System administrators earned an average of $61,440, while network administrators earned an average of $58,399." http://www.sans.org/newlook/publications/salary2000.htm In general, security professionals make more money than their purely operations-focused brethren, and often do more interesting work.

gthompson521319: Are security certifications really worth the effort and expense involved?

Ed_Tittel : Great question! I'm a firm believer in the "you get out what you put in" philosophy of education. If you work hard to learn the material, try hard to apply what you're learning, and really grab hold of the concepts, policies and procedures so important to practicing professional security, you can't help but succeed in the field. Is certification required? Heck, no. Is it a good way to get exposed to the important materials, and those concepts, policies and procedures I was just talking about? Heck, yes! If you make certification part of a career growth strategy designed to change your work focus and to improve your professional capabilities, it will help. If you think that obtaining a certification will solve all your problems, get you a better job, and end world hunger, think again! Work is what you make it, and you must work to make your security certification as valuable as you want it to be.

tdichiara179640: What's a good combination of security certifications, if I want to start with something easier, then move on to more difficult subjects?

Ed_Tittel : The Prosoft CIW Security Professional is a good single-exam cert that provides a strong general background, and can lead to other certifications like the SANS-GIAC or the CISSP. TruSecure is building its own certification ladder, starting with the ICSA, moving on to the ICSE, and even continuing on to the ICSP for those who may want to teach others to become security professionals.

jbazzy952885: Which of the currently available security certifications are the best?

Ed_Tittel : I don't mean to equivocate, but that depends on what you mean by "best." To a degree, the security certifications you choose may depend on your background or career interests. Thus somebody with an auditing background might be most interested in credentials like the CCSA or CISA, whereas somebody interested in network and systems security would be most interested in credentials like the SANS GIAC, CISSP, ICSA, or the CIW Security Professional.

williamt232936: Where can I find information on preventing denial of service attacks and which certification would cover this and similar events in detail?

Ed_Tittel : There are tons of resources that cover DoS attacks, including right here at SearchSecurity, but also at the various well-run security mailing lists and Web sites (Bugtraq, SANS, cert-advisory, and so forth). Because DoS attacks are part and parcel of the current security landscape, all the network and security majors (by which I mean SANS-GIAC, CISSP, ICSA, and CIW Security Professional) and most of the minors (the remaining items covered in my piece on the security certification landscape available at http://searchsecurity.techtarget.com/Tips/searchSecurity_Tips_Single_Listing_Page/1,286550,516426,00.html) cover this important topic. I would suggest checking out that article and visiting the various Web sites it points to.

anitadu186867: What are the prerequisites for the certification entrance? I've been in the security field for 2 and 1/2 years.

Ed_Tittel : Depends on which certification you're talking about. If you check my piece for SearchSecurity on the security certification landscape at http://searchsecurity.techtarget.com/Tips/searchSecurity_Tips_Single_Listing_Page/1,286550,516426,00.html, it will provide you with pointers to Web sites that include objectives for the various exams. I'm guessing that except perhaps for nit-picky matters like reviewing physical security and security policy information (which are not part of our typical workaday security routine) you should be able to pass most of the exams without a great deal of studying (at least the entry or intermediate level ones).

cecil_thompson731885 : Where is the primer list spoken of in the e-mail?

Ed_Tittel : You'll find a description of the security certification landscape at http://searchsecurity.techtarget.com/Tips/searchSecurity_Tips_Single_Listing_Page/1,286550,516426,00.html. It should provide a good place to start investigating your options. Let me know if you have other questions.

rmahoney48384: I work on an AS/400 platform. Is there a certification that would be best suited to this platform?

Ed_Tittel : I don't see anything specific on security in the list of IBM's own AS/400 certifications at http://www-1.ibm.com/certify/certs/a4_index.shtml. However, if you're using TCP/IP on that platform, you should be able to apply most or all of what you learn for general security certifications like CISSP, SANS-GIAC, and so forth to the AS/400 world. When it comes to SNA-based security matters, color me clueless!

phillipr518813: I've just started a position as LAN Administrator, where do I start with this issue?

Ed_Tittel : That's easy: start slowly and educate yourself on the basic subject matter before you start thinking about certification. Depending on your OS platform, I'd recommend at least one platform specific book, plus a good general security primer like Hacking Exposed, 2nd Edition, or the Northcutt/Novak book "Network Intrusion Detection, 2e". Please let me know if you have any further questions or concerns.

javedjabbar65489: I want to know how security certifications are distributed and what are they?

Ed_Tittel : If by distributed you mean how do you go take the tests, they're normally administered at the Prometric or VUE testing centers as is common for most certification exams. To get a pretty complete list of what's out there by way of security certifications, please check out my story at http://searchsecurity.techtarget.com/Tips/searchSecurity_Tips_Single_Listing_Page/1,286550,516426,00.html for a quick and dirty survey.

bill.baer445501 : How important will TruSecure's certifications be in the industry? Are their certifications more valuable than others?

Ed_Tittel : Since TruSecure's ICSA certifications are just hitting the public, it's probably too early to tell FOR SURE how they're going to do. But given that all other security cert programs have fewer than 10,000 certified individuals (CISSP has around 3,500 for example), the game is still up for grabs. Because TruSecure is so highly regarded and carries lots of clout in the security community, their certification might be more valuable than others over time (and I certainly believe that this is possible, if not completely predictable as such). But like I say, it's a little too early to tell... Right now, SANS seems to have the most buzz and momentum.

dskagen314561: In your opinion where is the best "Hands On" security training available and does it contribute to a certification?

Ed_Tittel : Because I haven't sampled all the programs out there, I have to go partly on reputation. But today, the SANS training classes and the CCTI courses appear to have the best reputation. I know TruSecure is working very hard right now to beef up Global Knowledge's original ICSA course offerings, and I expect them to take a leadership position some time in the next 6 months.

lahannenterprises140749: How do you feel the SANS security cert stacks up?

Ed_Tittel : Today, I think their certs are some of the best games in town. In addition to the SANS-GIAC, they've also got great training and coverage of intrusion detection topics in general. If TruSecure doesn't challenge them for leadership with their newly minted ICSA certifications, SANS will continue to rule!

gbrown8593962: What certifications would you suggest for someone just starting an IT Security career?

Ed_Tittel : I'd recommend starting with a simple, straightforward security cert like the Prosoft CIW Security Professional exam, then examining the landscape for more advanced programs like those from SANS, TruSecure, and the CISSP. Pick the one whose objectives, coverage, costs, and availability coincide most nearly with your own interests and needs.

lviviano30234: What are the most respected security certifications?

Ed_Tittel : Right now, I'd rank them in the following order:

  1. SANS-GIAC
  2. CISSP
  3. CCO
As for other programs like the SNCP and the various CCTI offerings, they offer good training and coverage of the subject matter, but are less likely to get the same kind of name recognition as the others I mention. I'd also keep my eyes on the newly-minted offerings from TruSecure in the ICSA program.

mjs0048134: Who would you say are some of the top security consulting/software firms to work for today?

Ed_Tittel : Great question! I would point at some of the organizations behind the certifications themselves (such as SANS, TruSecure, and the ICS-squared), but I would also point at leading security vendors such as PGP, Symantec, CheckPoint, and so forth. You'll find a great set of security pointers as part of our Interop security class at http://www.lanw.com/training/interop/securityurls.htm if you read through our list of stuff with care and attention. It should definitely lead you to the movers and shakers in today's industry.

mferrodriguez326640: Do you know of certification procedures outside the U.S.?

Ed_Tittel : Many of the players are offering only limited access outside the US, and that primarily in Europe and the Pacific Rim. Check the various Web sites cited in my landscape story at http://searchsecurity.techtarget.com/Tips/searchSecurity_Tips_Single_Listing_Page/1,286550,516426,00.html for information about access to these programs outside North America.

jdangler52708: How many recognized, professional certifications are there?

Ed_Tittel : I assume you meant to ask about only security certifications. If you check my landscape story at http://searchsecurity.techtarget.com/Tips/searchSecurity_Tips_Single_Listing_Page/1,286550,516426,00.html, you'll see I've documented 21 there. There may be more in the wild so to speak, but I covered all those I could find.

jdangler52708: Is there a 'generalized' program for certification with 'specialty' training for specific technologies?

Ed_Tittel : Several of the programs are laid out in that fashion, most notably the SANS-GIAC which begins with a security quickstart class and a level 1 security class and exam that everyone must take, then continues on to a variety of level 2 topics that individuals must test out of 2 or more of. Likewise, the CCTI program and the ICSA programs show tendencies in that direction as well. Check my story at http://searchsecurity.techtarget.com/Tips/searchSecurity_Tips_Single_Listing_Page/1,286550,516426,00.html for pointers to all these cert providers.

bill.baer445501 : Have you heard of Global Knowledge? I understand that they will be offering the ICSA Certifications as part of their IT training program. Are they a viable provider?

Ed_Tittel : Of course I've heard of GK. They developed the first round of training for the ICSA certs, and are working with my friend and colleague Fred Avolio (who's consulting for TruSecure on their courses and exams) to refine and enhance their offerings. Indeed they are a viable provider, but TruSecure does not plan to keep them as an exclusive provider of that training (as far as I know at this point).

trippr35614: Security is ever more important, especially in MS networks as we've seen recently. Do you have a recommended path for gaining security certifications or even just security knowledge in general for someone who's been on Microsoft's MCSE path (NT 4.0 certified, working on 2K)?

Ed_Tittel : Well, for sure you want to take the 70-220 Designing Secure Windows 2000 network exam. You should also bone up on the many good Windows 2000 security books out there, especially the Jeff Schmidt and Phil Cox Windows 2000 Security Handbook offerings (note: these are two separate titles, from two different publishers). I'd also recommend the Northcutt/Novak Intrusion Detection, 2e, book and the "Hacking Exposed" 2e book as basic tools. After that, if you decide you want to get certified, the SANS GIAC and ICSA certs will probably meet your needs best.

mjs0048134: Do you recommend people take vendor-specific certification classes or vendor-neutral certification classes?

Ed_Tittel : The answer depends in large part on what kind of environment you work in. If it's mostly homogeneous and focused on a single vendor's offerings, then a vendor-specific cert won't hurt you. If you work in a heterogeneous environment and have to manage cross-platform security, a vendor-neutral program will not only provide the training you need, it will probably do a better job of addressing cross-platform issues than typical vendor exams or programs would do.

fxthomas447666: Since I, and maybe others, have not read the article yet - Why are these certs desirable? Are IT orgs requesting certified individuals? This has to be compared to time spent getting other types of certs!

Ed_Tittel : According to SANS and other security organizations, there are 13 positions in security available for every self-professed security professional right now. Great job opportunities is the short answer; find the article at http://searchsecurity.techtarget.com/Tips/searchSecurity_Tips_Single_Listing_Page/1,286550,516426,00.html for more information on the subject.

tabrown289181: What is the best way to network with other IT professionals interested in IT security, i.e., how does one "break" into the field?

Ed_Tittel : Try attending security related professional events like the various SANS shows, ICSA meetings, the Internet Security Conference (tisc.corecom.com), and so forth. Meeting with and talking to security professionals is a great way to break into the industry. It's not free (or necessarily even cheap) but it will pay dividends!

rob.meinecke16179 : Is a general security background, such as that provided by SANS GIAC level 1, preferred to a product-specific certification, such as Firewall-1?

Ed_Tittel : Depends on what kind of work you want to do and what kind of environment you want to do it in. If you're working on specific equipment and systems inside a company and that's your job, the more focused your credentials the better. OTOH, if you want to work as a security consultant across all kinds of different environments, a more general vendor-neutral credential will probably be preferable.

steven.l.southerland82173 : Which certification crosses the most Hardware/Software platforms (biggest bang for buck/time invested)?

Ed_Tittel : For that kind of bang, vendor-neutral broad-based certs like SANS-GIAC, CISSP, and ICSA are the way to go. For more information on these and other programs check my survey at http://searchsecurity.techtarget.com/Tips/searchSecurity_Tips_Single_Listing_Page/1,286550,516426,00.html.

dstorie775139: Have you compared the security cert in win2k with any of the industry certs - is it comparable?

Ed_Tittel : Yes I have, and no it's not. The 70-220 exam doesn't stress general security principles and practices enough, and it's completely Windows-centric. It's also more focused on how to design a secure network (as the exam title indicates) than it is on managing a day-to-day security routine within the context of a proper set of security policies, practices, and procedures. Those latter areas are of course where the industry certs focus their attention, and what gives them their appeal and value.

mfrank790295: As a chief security officer, which certification do you think is more important, a CISSP or ICSA certification?

Ed_Tittel : Hard to say, because CISSP is older and a bit outdated right now, whereas ICSA is only available at level 1 and level 2 is coming in early Q2 of this year AFAIK. If I were spending the time and money, I'd go for ICSA as a matter of currency and clout, but you might also want to look at the CCTI cert that focuses particularly on the issue of security management (rather than operations). It may actually be more up your alley.

rpm12985: If a person with 5 -10 years of networking/systems experience gets say a CISSP, what kind of salary range could they expect to find or should they be looking for?

Ed_Tittel : I'm extrapolating from the SANS salary survey I mention in one of my earlier postings, but I'd guess $75-90K would be a normal neighborhood for that kind of thing.

sean185792: From a consulting aspect, which certification is either most recognized or most marketable to my customers?

Ed_Tittel : Depends on who your customers are. I'd probably say that SANS and CISSP have the best name recognition right now, but that the SANS-GIAC cert is presently the most up-to-date and usable of the two certs in the field.

quincyj989558: Which certification do you recommend for a Unix system admin who is looking to get into intrusion detection or penetration testing?

Ed_Tittel : The SANS guys have what some might call a "strong UNIX background" and others might call "a serious UNIX bias." I think you would find yourself at home with that crew, not only because of their platform allegiances but also because they are great at the topics of Intrusion Detection and penetration testing. Be sure to check out Stephen Northcutt's "Network Intrusion Detection" 2e from New Riders--he's the director of their cert programs, and a former DoD security guy, and a pretty good writer, too!

anitadu186867: What types of certification exist?

Ed_Tittel : See my story at http://searchsecurity.techtarget.com/Tips/searchSecurity_Tips_Single_Listing_Page/1,286550,516426,00.html for a pretty complete survey. I count about 20-odd at this point in the security field.

mdhazelrigg58676: What self-study guides would you recommend?

Ed_Tittel : Depends on what cert you're going after. In general, I recommend the books from Sybex and New Riders where appropriate, but self-study guides for security certs are not in big supply right now. My team is working on a CIW security professional book right now, and we plan a general security title to cover SANS, CISSP, ICSA, and CIW for another publisher later this year.

gtruax62500: Do you know of any useful certifications for commercial Web site, such as the SunTone certification being developed by Sun?

Ed_Tittel : The Prosoft Certified Internet Webmaster Security Professional exam is the only purely Web-focused security cert I know of right now. For best results, I'd combine it with a general security cert like the CISSP, ICSA, or SANS GIAC.

dstorie775139: If you already have MCSE 4, CCNA 2.0, and Pro and Server from Windows 2000, should you stop and get a security cert, or finish the Win2K stuff first?

Ed_Tittel : Finish the Win2K stuff first, because it has an expiration date. If you have 5-plus exams to go to upgrade to Win2K, do that first. If you take 70-220 as your designing exam, it will give you a taste of part of what you'll encounter later, when you go after a security cert.

aflynn910357: What is the corporate view of these certifications? Do you see organizations sending their own personnel to get trained, or do you see organizations outsourcing consulting work to various firms who have certified employees?

Ed_Tittel : Great questions! The field is new enough that many bigger corporations are following both strategies at the same time (buying certified expertise on the outside while "training up" their inside staff). I see this dilemma as mostly a matter of scale: organizations big enough to grow their own in-house security teams will normally want to do so, to avoid vesting that kind of knowledge in outsiders. Those too small to afford full-time expertise in security will normally outsource it. Both kinds of organizations should create strong demand for more certified professionals (especially if you believe what the cert organizations are saying--I do).

earlgpz750139900: How do you get into the INFO SEC field?

Ed_Tittel : By learning and doing as much security related work as you can. Security is still uncommon enough for certification to be a "nice-to-have" rather than a "must-have" credential. I say start reading, start learning and start applying what you learn as best you can. If you troll back through the posts you'll see some specific bibliography and resources I've mentioned that will help you get started.

mcaldwell764714: About how many certified security professionals are there in the US?

Ed_Tittel : Gee, I'm going to have to guess that across all known security certifications at present, the population can't exceed 20-25,000. I could be off by 5-10,000 on the plus side, but I don't think I'm under on this number. I've been trying to put a number like this together for a while, but the data is pretty hard to come by (most organizations choose not to publicize membership levels until they hit some kind of threshold, in my experience. Many of these groups are reticent about disclosing their numbers right now.)

rhunter697107: What certifications do the bank regulators, such as the OCC or dept of treasury recognize?

Ed_Tittel : They are mostly interested in the security audit, fraud detection, and confidentiality officer certs such as: CCO, CCSA, CFE, CIA, and CISA. See my story at http://searchsecurity.techtarget.com/Tips/searchSecurity_Tips_Single_Listing_Page/1,286550,516426,00.html for pointers to more specifics.

abautista859148: "Security" is such a broad, open-ended term. What areas and applications of Security are more in demand and we should focus on?

Ed_Tittel : You're absolutely right. These days, most active security issues focus on several topic areas, most notably:

  1. formulating and applying effective security policies
  2. managing organization boundaries and external security
  3. managing internal organization boundaries and internal security
  4. anti-virus and other potential attack monitoring and prevention
  5. intrusion detection and termination
  6. active penetration and other self-testing strategies
These are all areas where lots of meaningful work is available, often in combination with one another.

alaye719550: What did you think about Cisco pix firewall certification? Are they worth spending time on?

Ed_Tittel : Whenever it comes to vendor specific certifications, security or otherwise, the answer is the same: if that's mostly what you work on, and teaches you what you need to know to do your job, yes it's worth a lot. If it's only part of your job, or tangential to your primary workload, then it's probably not worth it. If you work with or around security, and it's not entirely Cisco/pix focused, a general, vendor-neutral security cert may be more valuable to you...

deborahm85497: Are individual company certifications worth having, or is it better to have more generic ones?

Ed_Tittel : Depends on what you do. If your work is mostly or entirely focused on specific vendor products and technologies, vendor-specific is the way to go. If you do general security work in a cross-platform environment, or want to work as a security consultant for multiple clients (who'll have different environments almost as a rule) a general-purpose security cert will be best.

polson657835: Is there a specific part of the U.S. where demand is highest?

Ed_Tittel : Major metro areas like NYC, Boston, Washington, Chicago, Dallas, etc. have more big companies who are likely to want to hire or retain security professionals. Other than obvious high-tech areas, which run first in that hit parade, major metro areas are the place to concentrate job search efforts. Short answer to your question: not really!

talib_ruhi964812 : How do you compare totally software-based security solution certification with a combination of software-based and hardware- based solutions cost wise and what would you recommend in those terms?

Ed_Tittel : Gee that's kind of a big question, so let me sketch out a broad but not necessarily detailed answer. The closer you can place security controls to hardware, the better they usually work because they're harder to defeat. OTOH, software changes all the time, and vulnerabilities, patches, and fixes change along with them. I don't think there's any way to go totally hardware or software when it comes to security, but most big companies try to do the basic filtering and blocking in hardware, and leave more complex policy applications to software.

adamkiewiczd97965: With the growth of embedded internet devices what do you see as the best alternative to provide security for small, cost constrained embedded devices?

Ed_Tittel : There are companies that are starting to offer small-scale boundary devices like combination routers/cable modems that can be widely distributed but centrally managed via a downloadable (and secure) security policy from a central location. I see this as an important direction, but I also advise constant vigilance as part of any professional's ongoing security routine.

chesserm542282: Which courses are a good place to start?

Ed_Tittel : There are lots of good courses to choose from. The CIW Security Professional course is pretty good, the SANS Security QuickStart is great, the ICSA intro classes are good, and the CCTI intro classes are good, too.

Gail: Which certification gets me the most money in the marketplace?

Ed_Tittel : I really don't know the answer to that question in today's security certification marketplace. Unlike other areas (like Cisco CCIE) there's no obvious answer to this based purely on certification. According to the SANS salary survey other factors that weigh heavily are years of experience, knowledge base, and name recognition.

earlgpz750139900: I am going for the ICSA.net course. I have a few years' experience in the IT field, with 10 years' personal experience. This is to elaborate on question ID#685. I want to get into the infosec field most urgently, but my company will not sponsor it. What do you recommend?

Ed_Tittel : I wrote a story recently for Cert Magazine on financing a certification, and covered loan and grant programs and so forth. If your company won't back you, you'll need to be prepared to spend anywhere from $1,500 to 10,000 or more depending on how nice a ride you want to give yourself along the way. E-mail me at etittel@lanw.com and I'll send you my draft of that story, if it hasn't been published yet (I don't think it has).

llanzoni835180: How well recognized and valued are these certifications among employers, and do you see these becoming more prevalent a la CNE/MCSE?

Ed_Tittel : Recognition of security certs is a mixed bag right now: SANS GIAC and CISSP are pretty well-known, ICSA is starting to generate some buzz; most of the others are relatively unknown, and the notion of critical mass (that is, a population of certified individuals of at least 3-5,000) indicates they may stay that way. I do see them becoming more prevalent, but it will probably also involve some simplification of the game board (fewer certs in total, but more well-known ones) as the process continues.

dbranch114274: Is it a security administrator's job to be proficient at all OSes, like Windows and Unix?

Ed_Tittel : That depends. If your job is to maintain security on both Windows and Unix systems, then the answer is clearly yes, because maintaining OS security requires both deep and broad knowledge of an OS. OTOH, if you are only responsible for perimeter security (let's say) and all perimeter devices use the same OS and systems, then it's probably not necessary. I'd say the tendency in the industry these days is to ask scarce security experts to know more about more systems than to know more about fewer systems.

harvey_rothenberg33762 : Does work-related experience in the field carry any advantage, both in obtaining a certificate and in obtaining a position?

Ed_Tittel : You bet! As with other fields where certification is available, experience counts as much or more than certification, particularly if you can tell a good story about your knowledge, experience and ability to an interviewer. Thus, experience will help you get the job, perhaps even more than it will help you get through the certification.

golsam832223: Hi Ed, I have been a Solaris System Admin for the last 4 years, and now I would like to become a master/expert in the security/intrusion detection field. I know there are a couple of security/training sites (SANS, ISC2...). Can you please guide me re: the security training path?

Ed_Tittel : For a Sun/Solaris guy like yourself, SANS is probably the best way to go, but be sure to check out Sun Education's own security classes and other related online offerings, too.

dbranch114274: Which platform do you feel is the hardest to secure?

Ed_Tittel : According to the SANS survey of system vulnerabilities, Linux/Unix is actually more subject to vulnerability than Windows, and NetWare is the most secure of all network OS platforms. Given that kind of data, I think it's important to weigh the knowledge levels and console-driving expertise required to do the securing. From that perspective, I call Linux/Unix and Windows dead even.

dstorie775139: Which cert will be more valuable in the short term, say 12 months - Win2K or a security cert?

Ed_Tittel : Depends on what you do (or want to do) for a living. According to SANS, security certs are worth more than network admin certs like MCSE across the board. But if you can finish an MCSE faster than a security cert, you may want to factor in the opportunity costs of staying in training at lower pay longer versus finishing training sooner and getting higher pay sooner. It's not a simple question, so I really can't give a simple answer, either.

dstorie775139: Have you written any books for the security tests or do you plan to?

Ed_Tittel : My company's working on a CIW Security Professional exam book right now, and we plan to work on a Cert Security Omnibus book later this year, to cover objectives common to CISSP, ICSA, SANS-GIAC, and CIS-SP.

steven.l.southerland82173 : I need to start with Business Recovery, then Network Security. What is a good starting place?

Ed_Tittel : I don't know the Business Recovery space all that well. I haven't covered that much. If I were in your shoes, I'd surf the key sites in that area, try to get a sense of what's going on, and get that knocked off first. After that, it's pretty easy--just survey the top 4 (SANS, ICSA, CISSP, and CIW-SP) then pick the one that meets your needs and budget best.

jreed519163: Is it possible to find sample exams for the various certs to see how you currently would score and where you need more training?

Ed_Tittel : Spotty coverage at best right now. Some of the sites offer self-assessment tests, which is kind of what you're looking for, but practice test vendors like Transcender, MeasureUp, and so forth, haven't really moved into this space just yet. When they do, you'll have much better tools to work with in the way I believe you wish to use them. Right now, it's "take the exam, and hope you pass" if perusing the objectives and the review materials isn't enough to make you completely comfortable.

Moderator: We'd like to thank you all for joining us today. And many thanks to speaker Ed Tittel, a certifications expert and principal author at LANWrights, a network-oriented writing, training and consulting firm. You can reach Ed at: etittel@lanw.com
