With more than 55 vendor-neutral certifications comprising part one of Security certification landscape, there is obviously no shortage of options for would-be computer security experts to choose from. The question is how do you know which certification is right for you?
Today, the CISSP, the SANS GIAC and the CPP are probably the best known and most widely followed IT security certifications (or programs, since GIAC includes numerous certs). The numbers of certified individuals in these programs vary from a low of 3,500 to a high of 17,000 to 18,000. Broader programs such as the CISA or CFE (which cover more than information security topics) have populations as large as 30,000 or more.
Security+ appears to be changing the entry-level security certification landscape. It hasn't yet demonstrated the same level of uptake that the most popular CompTIA certs such as A+ and Network+ enjoy. (Both have certified populations over 100,000. If Security+ had broken the 10,000 mark we'd be surprised, but it should happen by early 2004.) Regardless, Security+ continues to attract strong interest and participation. For example, Microsoft, Symantec and IBM have incorporated Security+ certification into some of their certification programs. Security+ also plays a role in other certifications. It's a recommended pre-certification for the Certified Wireless Network Administrator (CWNA) credential and can substitute for one year of job experience for both CISM and the CIFI certifications. Security+ bears continued watching and remains our leading choice for the best entry-level information security certification currently available.
Thus, today the entry-level credentials with the most "oomph" are CompTIA Security+, SANS GSEC (GIAC Security Essentials Certification) and the (ISC)2's SSCP (Systems Security Certified Professional). Today, the CISSP and the SANS GIAC intermediate and senior credentials remain the best bets for those seeking more senior security credentials, whereas the CPP, PCI and PSP are restricted to the most senior members of the security community, simply because they require five to nine years of work experience in the security field for candidates to qualify for the exam!
Given this landscape, we can also recommend a "security certification ladder" that individuals can start at any point (depending on current knowledge, skills and experience) and climb from there:
- BrainBench Internet and network security exams
Start out gentle with the BrainBench Internet and network security exams. They're cheap, provide good basic coverage of the subject and will get you motivated to make progress. This should take you two to four months.
- Certified Internet Webmaster -- Security Professional
Next, tackle the CIW -- Security Professional exam. Combined with your MCSE (or similar credential), passing this exam makes you a CIW Security Analyst and may enhance your "merit badge count." This is a good entry-level exam on basic Internet, network and systems security. This will take you another two to four months to complete.
After that, a broader, more formal, but still entry-level security cert is what you should tackle. This could be any of the following credentials, which will provide you with an excellent and thorough background in computer security theory, operations, practices and policies:
- CompTIA's Security+
The Security+ certification is emerging as an entry-level information security certification of choice for IT professionals seeking to pursue further work and knowledge in this area. Today, it's our first choice and leading recommendation at this level.
- (ISC)2's Systems Security Certified Professional (SSCP)
The International Information Systems Security Certification Consortium is also home to the best-known senior-level security certification (see the senior-level certs covered later in this article). If you're of a mind to go that route, the SSCP is a great way to prepare.
- SANS GIAC Security Essentials Certification
The SANS Institute is a growing powerhouse in the security industry. Likewise, its certifications are gaining increased visibility and acceptance. The GSEC opens the door to other certifications in the SANS GIAC program.
Finally, you'll be ready to tackle a premium or senior-level security certification. Most such certifications require three or more years of relevant, on-the-job experience. Many require submitting papers or research results in addition to passing exams; some also require taking specific classes. Of these, three are particularly worthy of mention and pick up where the previous three leave off:
- (ISC)2's Certified Information Systems Security Professional
CISSP is the best-known senior-level security certification in North America and the one most often requested by name in job postings and classified ads.
- SANS GIAC Security Specialist Certifications
The SANS Institute offers numerous topical specializations that extend on the GSEC including firewalls, incident handling, intrusion analysis, Windows and Unix administration, information security officer and systems and network auditor certs. This is a topical, timely and highly technical program based on outstanding training online or at SANS conferences. From this point, moving on to the GIAC Security Engineer (GSE) certification probably makes a lot of sense.
- Advanced Information Security Certification
Security University's cert requires classroom training, but it is some of the best, most intense and hands-on information security training around. Highly popular with government and industry security heavies, this program is expensive, demanding and time-consuming but well worth the intensive investment it requires to complete.
Good luck on your climb up the security career ladder. If you have any questions along the way, you can submit them to Ed via SearchSecurity's Ask the Expert. Likewise, please let us know if our revised survey of this landscape has missed anything. We can't claim to know, see or be able to find everything, so all feedback -- especially if it adds to this list -- will be gratefully acknowledged. Feel free to e-mail us at firstname.lastname@example.org. In the meantime, stay tuned next month for our updated semi-annual survey of vendor-specific security certifications.
About the authors
Ed Tittel is the president of LANWrights, Inc., a wholly owned subsidiary of iLearning.com. Ed has been working in the computing industry for 20-plus years and has worked as a software developer, manager, writer and trainer. As an expert on SearchSecurity.com, he answers your infosec training and certification questions in our Ask the Expert feature.
Kim Lindros has more than 10 years of experience in the computer industry, from technical support specialist to network administrator to project editor of IT-related book at LANWrights. She has edited more than 25 books, and co-authored two certification books and numerous online articles with Ed.