On Jan. 23, 2001, SearchSecurity published a tip entitled "The Security Certification Landscape: Choices and Benefits." I updated this tip on Aug. 23, 2001, as I prepared to host a chat on security certifications. As a companion to another survey I'm preparing on vendor-specific security certifications (which will publish on March 28), I'm updating this column, as well. This time, the landscape has changed a bit, including extensive elaboration of the Systems Administration and Network Security (SANS) Institute's security certifications, as well as the introduction of a new player to the scene: the Security Certified Program, which offers mid- and senior-level credentials.
There is a large number of security certifications available today, so it's important to understand what's worth supporting for employee development and what's not. I've listed all of the vendor-neutral security certifications I was able to find, along with information to help you evaluate the programs covered. If your organization has significant investments in vendor technologies (such as those available from Cisco, CheckPoint, Internet Security Systems or ISS and so forth), don't overlook the possibility that those vendors might also offer their own more focused security certifications, as well. You'll find them covered in a companion survey in the next Executive Security Briefing.
To begin, let's revisit our big bowl of alphabet soup by exposing all the security-related certification programs -- and their inevitable acronyms -- that occupy this landscape. For each program I mention, I'll provide a brief explanation and a pointer to more information if you want to learn more.
BIS -- Brainbench Internet Security Certification
Seeks to identify individuals with a good working knowledge of Internet security practices, principles and technologies. Aimed at full-time network or system administrators who must manage systems with Internet connections or access.
BNS -- Brainbench Network Security Certification
Seeks to identify individuals with a good working knowledge of network security practices, principles and technologies. Aimed at full-time network administrators who must deal with external threats through boundary devices like routers, firewalls or intrusion-detection systems, as well as more typical internal threats.
CCISM -- Certified Counterespionage and Information Security Manager
Prepares individuals to study potential sources of threat, defeat attacks and manage information security at an organizational level. CCISM is a management-level certification; CCISMs generally manage, work with or consult for IT organizations, technical specialists and other IT security professionals.
Source: Espionage Research Institute
CCSA -- Certification in Control Self-Assessment
Demonstrates knowledge of internal control self-assessment procedures, primarily aimed at financial and records controls. Of primary interest to those professionals who must evaluate IT infrastructures for possible threats to financial integrity, legal requirements for confidentiality and regulatory requirements for privacy.
Source: Institute of Internal Auditors
CFE -- Certified Fraud Examiner
Demonstrates ability to detect financial fraud and other white-collar crimes. Of primary interest to full-time security professionals in law, law enforcement or who work in organizations (such as banking, securities trading or classified operations) with legal mandates to audit for possible fraudulent or illegal transactions and activities.
Source: Association of Certified Fraud Examiners
CIA -- Certified Internal Auditor
Demonstrates knowledge of professional financial auditing practices. Of primary interest to financial professionals responsible for auditing IT practices and procedures, as well as standard accounting practices and procedures, to ensure the integrity and correctness of financial records, transaction logs and other records relevant to commercial activities.
Source: Institute of Internal Auditors
CISA -- Certified Information Systems Auditor
Demonstrates knowledge of IS auditing for control and security purposes. Of primary interest to IT security professionals responsible for auditing IT systems, practices and procedures to make sure organizational security policies meet governmental and regulatory requirements, conform to best security practices and principles and meet or exceed requirements stated in an organization's security policy.
Source: Information Systems Audit and Control Association
CISSP -- Certified Information Systems Security Professional
Demonstrates knowledge of network and system security principles, safeguards and practices. Of primary interest to full-time IT security professionals who work in internal security positions or who consult with third parties on security matters. CISSPs are capable of analyzing security requirements, auditing security practices and procedures, designing and implementing security policies, and managing and maintaining an ongoing and effective security infrastructure.
Source: International Information Systems Security Certifications Consortium (aka (ISC)2 pronounced "ISC-squared")
Certified NetAnalyst -- Security
This is an intermediate-level but highly specialized security certification that has one foot in the protocol analysis world and the other in the security world. Individuals who obtain this certification understand security issues including security policy, risk assessment, vulnerabilities and exploits, intrusion-detection techniques, security auditing and assessment, and incident-handling practices and procedures. Entry-level network analysis credentials are a prerequisite, and this credential involves substantial work with attack signatures, traffic patterns and analysis, and so forth.
Source: Pine Mountain Group
CIW Security Analyst
Individuals who take and pass the CIW-SP exam, and who hold one of the following certifications qualify as a CIW Security Analyst (CIW-SA):
Microsoft Certified Systems Engineer (MCSE) 4
Microsoft Certified Systems Engineer (MCSE) 2000
Certified Novell Engineer (CNE) 4
Certified Novell Engineer (CNE) 5
Cisco Certified Network Professional (CCNP)
Cisco Certified Internetwork Expert (CCIE)
Linux Professional Institute (LPI) Level 2
SAIR Level 2 LCE
Individuals who hold this credential can carry out security policy, identify and handle security threats, and apply countermeasures using firewalls, intrusion detection and related systems. The program's Web focus also includes coverage of online payments, transaction processing and related security matters.
Source: Prosoft Training
CIW-SP -- Certified Internet Webmaster-Security Professional
Demonstrates knowledge of Web- and e-commerce-related security principles and practices. Of primary interest to Web administrators who must implement and manage a secure and working Web presence that may also include e-commerce capabilities.
Source: Prosoft Training, Inc.
CPP -- Certified Protection Professional
Demonstrates thorough understanding of physical, human and information security principles and practices. The most senior and prestigious IT security professional certification covered here, the CPP requires extensive on-the-job experience (seven to nine years), as well as a profound knowledge of technical and procedural security topics and technologies. Only those who have worked with and around security for some time will be able to qualify for this credential.
Source: American Society for Industrial Security (ASIS)
Certified Web Professional (CWP) Security Specialist
This vendor-neutral, Web-oriented program includes a CWP Security Specialist credential. As it happens, obtaining this credential requires passing the CIW Security Professional exam and meeting additional work experience requirements. Please see the CIW-SP listing for more information.
Source: International Webmasters' Association (IWA)
GIAC -- Global Information Assurance Certification
Demonstrates knowledge of and the ability to manage and protect important information systems and networks. The SANS organization is well-known for its timely, focused and useful security information and certification program. A rising star on the landscape, the GIAC is aimed at serious, full-time security professionals responsible for designing, implementing and maintaining a state-of-the-art security infrastructure that may include incident handling and emergency response team management.
Certifications available include the following:
GIAC Security Essentials Certification (GSEC)
GIAC Certified Firewall Analyst (GCFW)
GIAC Certified Intrusion Analyst (GCIA)
GIAC Certified Incident Handler (GCIH)
GIAC Certified Windows Security Administrator (GCWN)
GIAC Certified UNIX Security Administrator (GCUX)
Senior-level (all specializations, plus additional exams and work)
GIAC Security Engineer (GSE) track
GIAC Information Security Officer -- Basic (GISO -- Basic)
GIAC Systems and Network Auditor (GSNA)
Source: The SANS Institute
IT Security Certificate Program
An entry-level credential earned through a training and certification program covering basic and advanced internetworking security technologies, this program aims to certify general IT security knowledge and ability. Aimed primarily at network and system administrators with some (but not heavy) security responsibilities.
Source: Colorado Computer Training Institute (CCTI)
NSCP -- Network Security Certified Professional
Demonstrates ability to design and implement organizational security strategies, securing the network perimeter and component systems. An intermediate-level IT security certification aimed at network or systems administrators with heavy security responsibilities or those who work full-time on IT security matters.
Source: Learning Tree International
SCNA -- Security Certified Network Architect
This is a mid- to senior-level security certification that focuses on concepts, planning and implementation of Private Key Infrastructure and biometric authentication and identification systems. Individuals who attain this certification will be able to implement either or both of these technologies within organizations or as consultants to such organizations.
Source: Security Certified Program
SCNP -- Security Certified Network Professional
This is an entry- to mid-level security certification that focuses on two primary topics: firewalls and intrusion detection. Related curriculum and exams cover network security fundamentals and network defense and countermeasures. Individuals who attain this certification will be able to work as full-time IT security professionals with an operations focus.
Source: Security Certified Program
TICSA -- TruSecure ICSA Certified Security Associate
Demonstrates basic familiarity with vendor-neutral system and network security principles, practices and technologies. An entry-level security certification for network or system administrators and for those interested in climbing the first rung of a security certification ladder suitable for full-time IT security work.
Source: TruSecure Corporation
TICSE -- TruSecure ICSA Certified Security Engineer
Demonstrates deep and serious knowledge of vendor-neutral system and network security principles, practices and technologies. ICSA is a prerequisite. An intermediate- to advanced-level IT security certification aimed at full-time security professionals and consultants.
Source: TruSecure Corporation
TICSP -- TruSecure ICSA Certified Security Professional
Trainer certification to enable individuals to teach ICSA and ICSE classes. A specialized security credential aimed at IT-focused trainers and instructors who seek to teach the ICSA curriculum.
Source: TruSecure Corporation
Another entry-level contender is also looming on this landscape. The Computing Technology Industry Association (CompTIA) recently announced it is working on a certification for "foundation-level IT security workers." CompTIA has been quite successful with its A+ and Network+ certifications; it remains to be seen if they can succeed with this new program, currently known as CompTIA Security Certification (I've heard it called Security+ in some circles, but an official name has yet to be announced).
Obviously, there is no shortage of options for would-be computer security experts to choose from. Today, the CISSP, the SANS GIAC and the CPP are probably the best-known and most widely-followed IT security certifications. Numbers of certified individuals in these programs vary from a low of 3,000 to a high of 9,000. With the release of the ICSA and ICSE programs and exams, those credentials are starting to gain momentum, but it's not yet clear how much market and mind share these programs will garner. For the time being, the CISSP and the SANS GIAC remain the best bets for those seeking serious security credentials, and the CPP is restricted to the most senior members of the security community, simply because it requires seven-to-nine years of work experience in the security field to qualify for the exam!
Given this landscape, I can also recommend a "security certification ladder" that individuals can start at any point (depending on current knowledge, skills and experience) and climb from there:
- Start out gentle with the BrainBench Internet and network security exams. You'll find them listed at www.brainbench.com; they're cheap, provide good basic coverage of the subject and will get you motivated to make progress. This should take you two-to-four months.
- Next, tackle the Certified Internet Webmaster (CIW) Security Professional exam. Combined with your MCSE, passing this exam makes you a CIW Security Analyst and may enhance your "merit badge count." This is a good entry-level exam on basic Internet, network and systems security. This will take you another two-to-four months to complete.
After that, a broader, more formal, but still entry-level security cert is what you should tackle. This could be any of the following credentials, any of which will provide you with an excellent and thorough background in computer security theory, operations, practices and policies:
- TruSecure ICSA Computer Security Associate (TICSA)
The International Computer Security Association is well-known and highly regarded; their entry-level program requires a minimum of two years of work-related security experience or equivalent classroom training hours.
- ISC-squared's System Security Certified Professional
The International Information Systems Security Certification Consortium is also home to the best-known senior-level security certification (see below). If you're of a mind to go that route, the SSCP is a great way to prepare.
- SANS GIAC Security Essentials Certification (GSEC)
The SANS Institute is a growing powerhouse in the security industry. Likewise, its certifications are gaining increased visibility and acceptance. The GSEC opens the door to other certifications in the SANS GIAC program.
Finally, you'll be ready to tackle a premium or senior-level security certification. Most such certifications require three or more years of relevant, on-the-job experience. Many require submitting papers or research results in addition to passing exams; some also require taking specific classes. Of these, three are particularly worthy of mention, and pick up where the previous three left off:
- TruSecure ICSE Computer Security Expert (TICSE)
This is an expert-level computer security certification that builds on the platform of the TICSA. A relatively new program, this credential is well-conceived but does not yet enjoy the same clout or recognition as the other two senior-level credentials mentioned here.
- ISC-squared's Certified Information Systems Security Professional (CISSP)
CISSP is the best-known senior-level security certification in North America and the one most often requested by name in job postings and classified ads.
- SANS GIAC Security Specialist Certifications
The SANS Institute offers numerous topical specializations that extend on the GSEC, including firewalls, incident handling, intrusion analysis, Windows and UNIX administration, information security officer, and systems and network auditor certs. A topical, timely and highly technical program based on outstanding training online or at SANS conferences.
Please let me know if my revised survey of this landscape has missed anything. I can't claim to know, see or be able to find everything, so all feedback -- especially if it adds to this list -- will be gratefully acknowledged. As always, feel free to e-mail me with comments or questions at email@example.com.
About the author
Ed Tittel is the president of LANWrights, Inc., a wholly-owned subsidiary of iLearning.com. Tittel has been working in the computing industry for 20 years and has worked as a software developer, manager, writer and trainer. As an expert on SearchSecurity, he answers your infosec training and certification questions in our Ask the Expert feature.