Security has become a major concern for a lot of executives. So it's not surprising people are looking to security certifications to help them break into the field or give their careers a jump-start.
Security salaries are among the fastest growing in IT, according to David Foote, president and chief research officer for Foote Partners, which does extensive research in IT salaries.
Increasingly, companies are looking within their own ranks to fill security positions. Companies are using training and certifications to entice system and network administrators to the security team, Foote said.
When surveying the security certification landscape, you see two varieties: vendor-specific, offered by vendors for their specific technology; and vendor-neutral, offered by industry consortiums and similar organizations.
"A vendor cert takes you down the educational path that the vendor believes is the minimum required to support their product at that level," said Stan Hoffman, senior network engineer with Houston-based RealEC, who is a CISSP and has several other certifications. "A vendor-neutral certification leads you to study the fundamental issues of that field and develop a broader understanding of the environment in which the products live."
So, which type of certification should you acquire? The answer to that question depends on where people are in their career and what they specifically want to do. Each kind of certification has
The difference between vendor-neutral and vendor-specific certifications
Generally, vendor-specific certifications are sought by people wishing to improve their skills for a specific job -- such as a firewall administrator, said Ed Tittel, president of LANWrights, Inc. and a well-known certification expert.
By contrast, vendor-neutral certifications are generally geared toward people wishing to break into the security field. Those certifications tend to offer a more general, higher-level survey of security.
Both types have their strengths and weaknesses, Tittel said. For example, vendor-neutral certifications can have long lead times that make the material less cutting edge when one finally takes the exam. Much of the material covered may not be germane to specific career plans. Additionally, some such certifications don't have as many review materials.
Vendor-neutral certifications can also be more expensive because there isn't a vendor. Vendors can subsidize their certifications programs with money made from selling their actual products.
Conversely, vendor-specific certifications can be too forward thinking at the company's newest products, neglecting older versions that are still in use. Also, these certifications often focus on the vendor's terms rather than industry accepted terminology.
Which one is right?
Deciding which certification to get is governed by the aim of the person seeking it.
Tittel recommends vendor-neutral certifications for people needing general information about security for breaking into the field. They are also good for people who want to double-check their general security knowledge.
The reason to acquire vendor-specific certifications is governed more by a specific job a person wants or plans to do, Tittel said.
Here is a list of top security certifications that Tittel compiled:
- CISA (Certified Information Systems Auditor)
- CFE (Certified Fraud Examiner)
- CPP (Certified Protection Professional)
- CISSP (Certified Information Systems Security Pro)
- SANS GIAC (Global Information Assurance Cert)
- Cisco Security Specialist
- Checkpoint Certified Security Program
- RSA Certified Professional Program
- Symantec Certified Security Professional
- IBM SecureWay Specialist
The CISSP is probably the best-known security certification. It's a vendor-neutral one requiring knowledge of many areas, but holders will only be an expert in two or maybe three of the 10 areas, said security consultant Jeff Posluns, who holds a CISSP and many other security certifications. "I may not know all the intricate details of swipe card systems, but I do know the considerations and policies one would need to think about when setting up such a system," he said.
On the other hand, Stan Hoffman had a colleague who earned a Check Point Certified Security Expert certification that dealt with how to implement various strategies in a firewall scenario. "Little of the test covered the reasons for selecting a given approach or the supporting infrastructure required to maintain that approach," he said.
Vendor-specific certifications do serve a role. "If someone is being tasked with implementing and supporting specific products, the vendor cert is an efficient way to get up to speed on that product," Hoffman said.
Why get a security certification in the first place?
Hoffman likens certifications to the finish line at the end of a race. "It is running the race that creates the real value, not breaking the tape," he said.
Certifications also provide "an external validation of a baseline standard of knowledge," he said. "Much like a degree, a cert helps to establish a common set of experiences when dealing with others in that field. Where you take your learning from there is what sets you apart."
In his past life as a CTO, Posluns said he hired people with a better understanding of the technologies behind devices like firewalls, rather than picking a person certified in the specific firewalls used in his and his clients' shops. "I would rather someone understand IP networks and know how and why a firewall functions, rather than know how to set up one particular vendor's product," he said. "That person could then pick up how to use a Check Point, Cisco or other firewall in a few hours by learning the syntax of configuration files, because they know the underlying technologies."
Hoffman can't say which certification was any more useful than another as each was a logical extension of his career path. "When I am parsing IDS logs, I'm truly thankful for my GCIA (GIAC Certified Intrusion Analyst) experience. When I am trying to wrestle a routing table into shape, my CCNP (Cisco Certified Network Professional) background is a lifesaver," he said.
"And, when I am begging management for additional resources for security, my CISSP breadth of knowledge helps me to present the optimal solution set with supporting data."
This was first published in August 2002