Q: How much does a security certification cost?
A: The costs depend on how you approach these various programs. At the low end of the scale, a purely self-study approach will run you around $300, counting about $100-$150 for the exam, and the remainder for study guides and practice exams to help get you ready. At the high end of the scale, you can take 5 to 15 days of training at about $500, then spend another $100-$150 for the exam, and as much as you like for study guides and practice tests. Call a practical high-end range $2,800 to $8,500.
Q: What's a good combination of security certifications, if I want to start with something easier and then move on to more difficult subjects?
A: The Prosoft CIW Security Professional is a good single-exam certification that provides a strong general background and can lead to other certifications like the SANS-GIAC or the CISSP. TruSecure is building its own certification ladder, starting with the ICSA, moving on to the ICSE and even continuing on to the ICSP for those who may want to teach others to become security professionals.
Q: Do you recommend people take vendor-specific certification classes or vendor-neutral certification classes?
A: The answer depends in large part on what kind of environment you work in. If it's mostly homogeneous and focused on a single vendor's offerings, then a vendor-specific certification won't hurt you. If you work in a heterogeneous environment and have to manage cross-platform security, a vendor-neutral program will not only provide the training you need, it will probably do a better job of addressing cross-platform issues than typical vendor exams or programs would do.
Q: How much money do IT security professionals make?
A: As with all averages, wages need to be adjusted for location and related factors, like cost of living. Other important factors include years of experience, education and whether or not a job includes management responsibilities. According to the SANS Salary Survey Summary for 2000, here is what things look like by job function: "Security consultants earned an average of $79,395. Security auditors were next in line at $71,404. Security administrators earned $63,598. System administrators earned an average of $61,440, while network administrators earned an average of $58,399." (See: SANS.) In general, security professionals make more money than their purely operations-focused brethren and often do more interesting work.
Q: What is the corporate view of these security certifications? Do you see organizations sending their own personnel to get trained, or do you see organizations outsourcing consulting work to various firms who have certified employees?
A: Great questions! The field is new enough that many bigger corporations are following both strategies at the same time (buying certified expertise on the outside while "training up" their inside staff). I see this dilemma as mostly a matter of scale: organizations big enough to grow their own in-house security teams will normally want to do so, to avoid vesting that kind of knowledge in outsiders. Those too small to afford full-time expertise in security will normally outsource it. Both kinds of organizations should create strong demand for more certified professionals.