The vendor-neutral information security certification landscape


Ed Tittel and Kim Lindros
05.08.2008

For this update to our survey we added only one new certification overall, the GIAC Certified Incident Manager (GCIM). We dropped a total of 39 vendor-neutral credentials this time around: various moribund items (TICSA and all the CIW credentials), 5 individual BrainBench courses, since they don't really produce certifications, and 23 GIAC certificate and tune-up course offerings, which likewise don't produce certifications, only certificates.

This drops the overall count of vendor-neutral certifications to under 100 for this year, while the count of vendor-specific certifications jumps to around 40. As we indicate in our vendor-specific survey, it's pretty easy to decide which vendor-specific certs to pursue: either earn those that apply to what your employer or customer uses, or those that some employer or customer you'd like to work for uses. Deciding what to pursue on the vendor-neutral side involves understanding where each credential fits in the overall scheme of coverage, which explains why we divide things up in the survey the way that we do, but it also requires comparing similar programs to decide which ones to pursue.

In fact, with about 60 vendor-neutral certifications comprising the security certification landscape, there's obviously no shortage of options for would-be computer security experts to choose from. The question is, how do you know which certification is right for you? Here's a brief analysis of the landscape and a suggested educational path you can pick up at any point of your career.

Today, the Certified Information Systems Security Professional (CISSP), the SANS Institute's Global Information Assurance Certification (GIAC) and the Certified Protection Professional (CPP) are probably the best known and most widely followed IT security certifications/programs. The number of certified individuals in these programs varies from a low of 9,000 to a high of over 60,000. Broader programs such as the Certified Information Systems Auditor (CISA) or the Certified Fraud Examiner (CFE), which both cover more than information security topics, have populations as large as 80,000 or more.

CompTIA's Security+ has changed the entry-level security certification landscape as it continues to attract strong interest and participation. Today the number of Security+ certifications is over 40,000. Microsoft and IBM have incorporated Security+ into some of their own certification programs. Security+ can also substitute for one year of job experience for the Certified Information Security Manager (CISM) certification. Security+ remains our leading choice as the best recognized and arguably the best entry-level information security certification currently available. Be warned, however, that this exam hasn't been updated in four years, and several experts have publicly raised concerns about some of its coverage as well as the clarity and intelligibility of its questions.

Thus, the entry-level credentials with the most "oomph" are CompTIA's Security+, SANS GIAC Security Essentials Certification (GSEC) and the ISC²'s Systems Security Certified Practitioner (SSCP). Today, the CISSP and the SANS GIAC intermediate and senior credentials remain the best bets for those seeking more senior security credentials, with the Certified Ethical Hacker (CEH) coming on strong for those interested in current system penetration techniques and counter-hacks. The Certified Protection Professional (CPP), Professional Certified Investigator (PCI), Physical Security Professional (PSP) and the various CISSP concentrations are restricted to the most senior members of the security community, simply because they require five to nine years of work experience in the security field for candidates to qualify for the exam!

Given this landscape, we recommend the following security certification ladder that individuals can start and climb at any point depending on their current knowledge, skills and experience.

  • Start your adventure with a broad, but still entry-level security cert. This could be one of the following credentials, any of which will provide you with an excellent and thorough background in computer security theory, operations, practices and policies:
    • CompTIA's Security+
      CompTIA's Security+ certification has become the entry-level information security certification of choice for IT professionals seeking to pursue further work and knowledge in this area. That's why it's our first choice and leading recommendation at this level.

    • ISC²'s Systems Security Certified Practitioner (SSCP)
      The International Information Systems Security Certification Consortium is also home to the best-known senior-level security certification (senior-level certs are covered later in this article). If you're of a mind to go that route, the SSCP is a great way to prepare.

    • SANS GIAC Security Essentials Certification (GSEC)
      The SANS Institute is an ongoing and well-recognized powerhouse in the security industry. Likewise, its certifications continue to accrue visibility and acceptance. The GSEC opens the door to other certifications in the SANS GIAC program.
  • Finally, you'll be ready to tackle a premium or senior-level security certification. Most such certifications require three or more years of relevant, on-the-job experience. Many require submitting papers or research results in addition to passing exams; some also require taking specific classes. Of these, three are particularly worthy of mention, and pick up where the previous three leave off:
    • ISC²'s Certified Information Systems Security Professional (CISSP)
      The CISSP is arguably the best-known senior-level security certification in North America. It frequently shows up in top 10 certification wish and want lists, and is often requested by name in job postings and classified ads. Those who are interested in extending their CISSP credentials should also look into its three add-on credentials. Although one of them applies only to those working in national security-related positions, the other two deal with policy and practice matters and are of definite value and interest to security practitioners outside the national defense infrastructure.

    • SANS GIAC Security Specialist Certifications
      The SANS Institute offers numerous topical specializations that extend on the GSEC, including firewalls, incident handling, intrusion analysis, Windows and Unix administration, information security officer and systems and network auditor certifications. This is a topical, timely and highly technical program based on outstanding training online or at SANS conferences. For those willing to acquire three of these individual credentials and sit for two lengthy exams, moving on to the GIAC Security Engineer (GSE) certification probably makes sense.

    • Qualified Information Security Professional Certification
      Security University's certification requires some of the best, most intense and hands-on information security training around. Highly popular with government and industry security heavies, this program is expensive, demanding and time-consuming, but it's worth the intensive investment it requires to complete.
  • For additional information on these certifications and more, visit the SearchSecurity.com Guide to Infosec Certifications. Don't hesitate to let us know if our analysis of this landscape has missed anything. We can't claim to know, see or be able to find everything, so all feedback will be gratefully acknowledged. As always, feel free to e-mail us with comments or questions at etittel@yahoo.com.


    About the authors
    Ed Tittel is a full-time freelance writer, trainer and consultant who has written more than 130 books, including his latest (with lead author, Laura Chappell), Guide To TCP/IP, third edition, (Course Technology, 2006, ISBN: 1418837555). He has been active in the computing industry for more than 20 years and has worked as a software developer, manager, writer and trainer.

    Kim Lindros has more than 15 years of experience in the computer industry, from technical support specialist to network administrator to book and course content manager. She has edited and developed more than 200 IT-related books and online courses, and co-authored two certification books and numerous online articles with Ed. Kim runs Gracie Editorial, a content development company.
