Editor's note: View our updated vendor-neutral certification guide, available here.
Pursuant to my agreement with SearchSecurity.com, this is the second semi-annual update to my "security certification landscape" article (which also applies to the vendor-specific survey as well) every six months. Since the last update occurred in late September 2002, it's only natural that Spring, would witness a revision to both of my information security certification surveys. As usual, the landscape has changed somewhat, including the pending introduction in summer 2003 of what may become a potential major player in the intermediate to senior-level portion of this landscape -- namely ISACA's Certified Information Security Manager or CISM certification. I've also re-evaluated the importance of several older elements in this landscape as you'll read in the analysis portion at the end of this article.
New additions to the survey are numerous. They include the Security University's Advanced Information Security Certification, the ISACA's CISM, plus seven new credentials in the SANS Global Information Assurance Certification or GIAC program, and a couple of wireless security credentials (CWSE and CWA, see below). That's a total of 11 new entries offset by no removals in this survey.
As is my usual practice, I list all the vendor-neutral security certifications I am able to find, along with information to help you evaluate programs mentioned. After all these adjustments, this vendor-neutral security certification landscape features more security certifications than ever listed before (a total of 44, counting all individual GIAC credentials). That's why it's important to understand what's worth supporting for employee development and what's not. But if your organization has significant investments in vendor technologies related to information security (such as those available from Cisco, Check Point, RSA and so forth), don't overlook the possibility that those vendors might also offer their own security certifications. You'll find them covered in a companion survey on the vendor-specific security certification landscape, which will run in SearchSecurity.com's Expert Advice Tip.
To begin, let's revisit this great big bowl of alphabet soup by exposing all the security-related certification programs -- and their inevitable acronyms -- that occupy this landscape. For each program, I provide a brief explanation and a pointer to more information so you can learn more if you like.
AIS -- Security University's Advanced Information Security Certification
Offered by a premier training and certification organization, Security University's AIS program combines coverage of key information security topics, tools and technologies with perhaps the best overall hands-on, lab-oriented learning and testing program around. To obtain AIS certification, security professionals must complete eight courses, including six tools-oriented classes on topics like network penetration testing; firewalls and VPNs; virus analysis, patch management and incident response; PKI; intrusion detection and computer forensics, plus two management classes on network security policy and architecture security. They must also take and pass a demanding exam.
Source: Security University
BIS -- Brainbench Internet Security Certification
The BIS seeks to identify individuals with a good working knowledge of Internet security practices, principles and technologies. Aimed at full-time network or system administrators who must manage systems with Internet connections or access.
BNS -- Brainbench Network Security Certification
The BNS seeks to identify individuals with a good working knowledge of network security practices, principles and technologies. Aimed at full-time network administrators who must deal with external threats through boundary devices like routers, firewalls or intrusion-detection systems, as well as more typical internal threats.
CCCI -- Certified Computer Crime Investigator (Basic and Advanced)
The CCCI is one of two computer forensic certifications aimed at law enforcement and private IT professionals seeking to specialize in the investigative side of the field. Basic requirements include two years of experience (or a college degree, plus one year of experience), 18 months of investigations experience, 40 hours of computer crimes training and documented experience from at least 10 cases investigated. Advanced requirements bump experience to three years, four years of investigations, 80 hours of training and involvement as a lead investigator in 20 cases, with involvement in over 60 cases overall.
Source: High Tech Crime Network certifications
CCFT -- Certified Computer Forensics Technician (Basic and Advanced)
The CCFT is one of two computer forensic certifications aimed at law enforcement and private IT professionals seeking to specialize in the investigative side of the field. Basic requirements include two years of experience (or a college degree, plus one year of experience), 18 months of forensics experience, 40 hours of computer forensics training and documented experience from at least 10 cases investigated. Advanced requirements bump experience to three years, four years of investigations, 80 hours of training and involvement as a lead investigator in 20 cases with involvement in over 60 cases overall.
Source: High Tech Crime Network certifications
CCISM -- Certified Counterespionage and Information Security Manager
The purpose of CCISM is to prepare individuals to study potential sources of threat, defeat attacks and manage information security at an organizational level. CCISM is a management-level certification, where CCISMs generally manage, work with or consult IT organizations, technical specialists and other IT security professionals.
Source: Espionage Research Institute
CCSA -- Certification in Control Self-Assessment
The CCSA demonstrates knowledge of internal control self-assessment procedures, primarily aimed at financial and records controls. Of primary interest with those professionals who must evaluate IT infrastructures for possible threats to financial integrity, legal requirements for confidentiality and regulatory requirements for privacy.
Source: Institute of Internal Auditors
CFCE -- Computer Forensic Computer Examiner
One of a growing number of law enforcement related forensic IT credentials, the International Association of Computer Investigative Specialists (IACIS) offers this credential to law enforcement and private industry personnel alike. Candidates must have broad knowledge, training or experience in computer forensics, including forensic procedures and standards, as well as ethical, legal and privacy issues. Certification includes both hands-on performance-based testing as well as a written exam.
Source: Computer Forensic Certification
CFE -- Certified Fraud Examiner
The CFE demonstrates ability to detect financial fraud and other white-collar crimes. Of primary interest to full-time security professionals in law, law enforcement or those who work in organizations (such as banking, securities trading or classified operations) with legal mandates to audit for possible fraudulent or illegal transactions and activities.
Source: Association of Certified Fraud Examiners
CIA -- Certified Internal Auditor
The Certified Internal Auditor demonstrates knowledge of professional financial auditing practices. Of primary interest to financial professionals responsible for auditing IT practices and procedures, as well as standard accounting practices and procedures to insure the integrity and correctness of financial records, transaction logs and other records relevant to commercial activities.
Source: Institute of Internal Auditors
CISA -- Certified Information Systems Auditor
The CISA demonstrates knowledge of IS auditing for control and security purposes. Of primary interest to IT security professionals responsible for auditing IT systems, practices and procedures to make sure organizational security policies meet governmental and regulatory requirements, conform to best security practices and principles, and meet or exceed requirements stated in an organization's security policy.
Source: Information Systems Audit and Control Association
CISM -- Certified Information Security Manager
The CISM demonstrates knowledge of information security for IT professionals responsible for handling security matters, issues and technologies. Of primary interest to IT professionals responsible for managing IT systems, networks, policies, practices and procedures to make sure organizational security policies meet governmental and regulatory requirements, conform to best security practices and principles, and meet or exceed requirements stated in an organization's security policy.
Source: Information Systems Audit and Control Association
CISSP -- Certified Information Systems Security Professional
The CISSP demonstrates knowledge of network and system security principles, safeguards and practices. Of primary interest to full-time IT security professionals who work in internal security positions or who consult with third parties on security matters. CISSPs are capable of analyzing security requirements, auditing security practices and procedures, designing and implementing security policies, and managing and maintaining an ongoing and effective security infrastructure. Please note that experience requirements for the CISSP increased from three to four years as of Jan. 1, 2003.
Source: International Information Systems Security Certifications Consortium (aka (ISC)2 pronounced "ISC-squared").
CIW Security Analyst
Individuals who take and pass the CIW-SP exam, and who hold one of the following certifications qualify as a CIW Security Analyst (CIW-SA):
Microsoft Certified Systems Engineer (MCSE) 4
Microsoft Certified Systems Engineer (MCSE) 2000
Certified Novell Engineer (CNE) 4
Certified Novell Engineer (CNE) 5
Cisco Certified Network Professional (CCNP)
Cisco Certified Internetwork Expert (CCIE)
Linux Professional Institute (LPI) Level 2
SAIR Level 2 LCE
Individuals who hold this credential can carry out security policy, identify and handle security threats, and apply countermeasures using firewalls, intrusion detection and related systems. The program's Web focus also includes coverage of online payments, transaction processing and related security matters.
Source: Prosoft Training
CIW-SP -- Certified Internet Webmaster-Security Professional
The CIW-SP demonstrates knowledge of Web- and e-commerce-related security principles and practices. It is of primary interest to Web administrators who must implement and manage a secure and working Web presence that may also include e-commerce capabilities.
Source: Prosoft Training, Inc.
CPP -- Certified Protection Professional
The CPP demonstrates a thorough understanding of physical, human and information security principles and practices. The most senior and prestigious IT security professional certification covered here, the CPP requires extensive on the job experience (seven to nine years), as well as a profound knowledge of technical and procedural security topics and technologies. Only those who have worked with and around security for some time will be able to qualify for this credential.
Source: American Society for Industrial Security (ASIS)
CWA -- Certified Wireless Administrator
The CWA requires working knowledge and skills in concepts and technologies related to wireless data networking. Completion of a GlobalNet training course is a prerequisite for the CWA exam.
Source: GlobalNet Training
CWSE -- Certified Wireless Security Expert
The CWSE requires a strong working knowledge of security risks associated with deploying and using wireless networks, and how to apply appropriate considerations, tools and methodologies to mitigate and manage such risks. Candidates must be able to design, deploy and maintain secure wireless networking infrastructures. Completion of the CWA certification is a prerequisite, and candidates must also take and complete the GlobalNet CWP course to be eligible to take the CWSE certification exam.
Source: GlobalNet Training
Certified Web Professional (CWP) Security Specialist
This vendor-neutral, Web-oriented program includes a CWP Security Specialist credential. Obtaining this credential requires passing the CIW Security Professional exam and meeting additional work experience requirements. Please see the CIW-SP listing for more information.
Source: International Webmasters' Association (IWA)
FCSS -- Field Certified Security Specialist
Still under development, this set of performance-based certifications permits individuals to specialize in Cisco, Check Point, or cross-platform topics (which is why we list it in both the vendor-specific -- though the parent organization points out that these certs are "vendor-independent" -- and vendor-neutral surveys). Check the Web site for more information on this emerging program, which is scheduled for release in 2003.
Source: Field Certified Security Specialist (FCSS) Certification Information
GIAC -- Global Information Assurance Certification
This cert demonstrates knowledge of and the ability to manage and protect important information systems and networks. The SANS organization is well-known for its timely, focused and useful security information and certification program. A rising star on the landscape, the GIAC is aimed at serious, full-time security professionals responsible for designing, implementing and maintaining a state-of-the-art security infrastructure that may include incident handling and emergency response team management. Seven new credentials have been added to this program since the last update.
Certifications available include the following:
GIAC Security Essentials Certification (GSEC)
GIAC Certified Firewall Analyst (GCFW)
GIAC Certified Intrusion Analyst (GCIA)
GIAC Certified Incident Handler (GCIH)
GIAC Certified Windows Security Administrator (GCWN)
GIAC Certified UNIX Security Administrator (GCUX)
GIAC Information Security Officer (GISO)
GIAC Certified Forensic Analyst (GCFA)
GIAC IT Security Audit Essentials (GSAE)
Senior-level (all specializations, plus additional exams and work):
GIAC Security Engineer (GSE) track
GIAC Information Security Officer -- Basic (GISO -- Basic)
GIAC Certified Security Leadership Certificate (GSLC)
GIAC Systems and Network Auditor (GSNA)
GIAC Gold Standard Certificate (GGSC-0100)
IT Security Certificate Program
An entry-level credential for basic and advanced internetworking security technologies, this program aims to certify general IT security knowledge and ability. Aimed primarily at network and system administrators with some (but not heavy) security responsibilities.
Source: Colorado Computer Training Institute (CCTI)
NSCP -- Network Security Certified Professional
The NSCP demonstrates ability to design and implement organizational security strategies, securing the network perimeter and component systems. It is an intermediate-level IT security certification aimed at network or systems administrators with heavy security responsibilities or those who work full-time on IT security matters.
Source: Learning Tree International
PCI -- Professional Certified Investigator
This is a high-level certification from the American Society for Industrial Security (also home to the CPP and PSP certifications) for those who specialize in investigating potential cybercrimes. Thus, in addition to technical skills, this certification concentrates on testing individuals' knowledge of legal and evidentiary matters required to present investigations in a court of law, including case management, evidence collection and case presentation. Requires seven-to-nine years of investigation experience, with at least three years in case management (a bachelor's degree or higher counts for up to two years of such experience) and a clean legal record for candidates.
Source: ASIS International: Certified Protection Professional
PSP -- Physical Security Professional
Another high-level security certification from ASIS, this program focuses on matters relevant to maintaining security and integrity of the premises and access controls over the devices and components of an IT infrastructure. Key topics covered include physical security assessment, and selection and implementation of appropriate integrated physical security measures. Requirements include five years of experience in physical security, a high school diploma (or GED) and a clean criminal record.
Source: ASIS International: Physical Security Professional
SCNA -- Security Certified Network Architect
This is a mid- to senior-level security certification that focuses on concepts, planning and implementation of Private Key Infrastructure and biometric authentication and identification systems. Individuals who attain this certification will be able to implement either or both of these technologies within organizations or as consultants to such organizations.
Source: Security Certified Program
SCNP -- Security Certified Network Professional
This is an entry- to mid-level security certification that focuses on two primary topics: firewalls and intrusion detection. Related curriculum and exams cover network security fundamentals and network defense and countermeasures. Individuals who attain this certification will be able to work as full-time IT security professionals with an operations focus.
Source: Security Certified Program
This is an entry-level security certification that focuses on important security fundamentals related to security concepts and theory but also related to best operational practices as well. The buzz continues strong for this exam, which remains rumored for possible inclusion in Microsoft and other security certification pre-requisites, in addition to functioning as a standalone exam. For an excellent review of this exam, check out Robert Shimonski's review at www.cramsession.com.
Source: CompTIA Security+ Certification Overview
SSCP -- System Security Certified Professional
The entry-level precursor to the ISC-squared's CISSP covered previously in this survey, this exam covers seven of the 10 domains in the CISSP Common Body of Knowledge and focuses more on operational and administrative issues relevant to information security and less on information policy design, risk assessment details and other business analysis skills more germane to a senior IT security professional (and less so to a day-to-day security administrator, which is where the SSCP is really focused).
Source: (ISC)2 SSCP Certification
TICSA -- TruSecure ICSA Certified Security Associate
TICSA demonstrates basic familiarity with vendor-neutral system and network security principles, practices and technologies. It is an entry-level security certification for network or system administrations and for those interested in climbing the first rung in a security certification ladder suitable for full-time IT security work.
Source: TruSecure ICSA Practitioner Certification
Obviously, there is no shortage of options for would-be computer security experts to choose from. Today, the CISSP, the SANS GIAC and the CPP are probably the best known and most widely-followed IT security certifications (or programs, since GIAC includes numerous certs). Numbers of certified individuals in these programs vary from a low of 3,000 to a high of 15,000. Broader programs such as the CISA or CFE (which cover more than information security topics) have populations as large as 30,000.
Now that the TICSA (formerly known as the ICSA) has been out for over half a year, uptake has picked up somewhat. But based on current numbers, this program may still fail to reach the same population levels as other programs mentioned in the preceding paragraph. Security+ does indeed appear to be changing the entry-level security certification landscape. It hasn't yet demonstrated the same level of uptake that popular CompTIA certs such as A+ and Network+ enjoy (both have certified populations over 100,000), but is nevertheless attracting strong interest and participation. Security+ bears continued watching, and it is now my leading choice for the best entry-level information security certification currently available.
Thus today, the entry-level credentials with the most "oomph" are CompTIA Security+, SANS GSEC (GIAC Security Essentials Certification) and the ISC-squared's SSCP (System Security Certified Professional). Today, the CISSP and the SANS GIAC intermediate and senior credentials remain the best bets for those seeking more senior security credentials, where the CPP,PCI and PSP are restricted to the most senior members of the security community, simply because they require five to nine years of work experience in the security field for candidates to qualify for the exam!
Given this landscape, I can also recommend a "security certification ladder" that individuals can start at any point (depending on current knowledge, skills and experience) and climb from there:
- Start out gentle with the BrainBench Internet and network security exams. You'll find them listed at www.brainbench.com. They're cheap, provide good basic coverage of the subject and will get you motivated to make progress. This should take you two-to-four months.
- Next, tackle the Certified Internet Webmaster (CIW) Security Professional exam. Combined with
your MCSE (or similar credential), passing this exam makes you a CIW Security Analyst and may
enhance your "merit badge count." This is a good entry-level exam on basic Internet, network and
systems security. This will take you another two-to-four months to complete.
After that, a broader, more formal, but still entry-level security cert is what you should tackle. This could be any of the following credentials, any of which will provide you with an excellent and thorough background in computer security theory, operations, practices and policies:
Comptia's Security+ certification is emerging as an entry-level information security certification of choice for IT professionals seeking to pursue further work and knowledge in this area. Today, it's my first choice and leading recommendation at this level.
The International Information Systems Security Certification Consortium is also home to the best-known senior-level security certification (see below). If you're of a mind to go that route, the SSCP is a great way to prepare.
- SANS GIAC Security Essentials Certification (GSEC)
The SANS Institute is a growing powerhouse in the security industry. Likewise, its certifications are gaining increased visibility and acceptance. The GSEC opens the door to other certifications in the SANS GIAC program.
Finally, you'll be ready to tackle a premium or senior-level security certification. Most such certifications require three or more years of relevant, on-the-job experience. Many require submitting papers or research results in addition to passing exams; some also require taking specific classes. Of these, three are particularly worthy of mention and pick up where the previous three leave off:
- ISC-squared's Certified Information
Systems Security Professional (CISSP)
CISSP is the best-known senior-level security certification in North America and the one most often requested by name in job postings and classified ads.
- SANS GIAC Security Specialist Certifications
The SANS Institute offers numerous topical specializations that extend on the GSEC including firewalls, incident handling, intrusion analysis, Windows and Unix administration, information security officer, and systems and network auditor certs. A topical, timely and highly technical program based on outstanding training online or at SANS conferences. From this point, moving on to the GIAC Security Engineer or GSE certification probably makes a lot of sense.
- Advanced Information Security
Security University's cert does require classroom training, but it is some of the best, most intense and hands-on information security training around. Highly popular with government and industry security heavies, this program is expensive, demanding and time-consuming but well worth the intensive investment it requires to complete.
Please let me know if my revised survey of this landscape has missed anything. I can't claim to know, see or be able to find everything, so all feedback -- especially if it adds to this list -- will be gratefully acknowledged. As always, feel free to e-mail me with comments or questions at email@example.com.
About the author
Ed Tittel is the president of LANWrights, Inc., a wholly-owned subsidiary of iLearning.com. Ed has been working in the computing industry for 20 years and has worked as a software developer, manager, writer and trainer. As an expert on SearchSecurity.com, he answers your infosec training and certification questions in our Ask the Expert feature.
With sponsorship from Certification Magazine (www.certmag.com), contributing editor and regular columnist (and regular TechTarget contributor and expert) Ed Tittel has prepared a survey for IT professionals interested in that intensive form of certification training often called the "boot camp." The results of this survey will supply the focus for a feature story on boot camps in the September issue of Certification Magazine. All interested IT professionals -- especially those who've attended one or more boot camps -- are invited to take this survey. Three winners will be selected from the pool of people surveyed who also supply an e-mail address; winners can select 3-5 titles of their choice from Tittel's and Certification Magazine's extensive collection of IT and certification books. Please help us out, and take this survey!
This was first published in May 2003