Building a Career in Information Security
I conduct exhaustive, twice-yearly surveys of information security certifications, and it’s become painfully obvious to me that IT professionals seeking information security certifications have an embarrassment of riches to choose from. My most recent survey was conducted in late October 2003. It produced the following counts: There were 56 vendor-neutral information security credentials and 20 vendor-sponsored or vendor-specific information security certifications available in North America and throughout much of the rest of the world.
A quick follow-up shows that four vendor-neutral programs have disappeared, while three new specializations have been introduced for the Certified Information Systems Security Professional (CISSP) certification from (ISC)2, bringing the vendor-neutral count down to 55. Adding the Microsoft Certified Systems Administrator (MCSA) and Microsoft Certified Systems Engineer (MCSE) security specializations to the information covered in the survey raises the vendor-specific count by four to 24. (Windows 2000 and Windows Server 2003 variants of each credential are available.) These counts do not include collegiate information security certificate programs, which are also widely available at both graduate and undergraduate levels from numerous academic institutions, both within specific degree programs and outside them. Here, I concentrate on certification programs that include formal examinations, well-documented exam objectives and various forms of exam preparation, including some or all of the following: official curricula, public examinations, classroom, computer-based or online training, study guides, exam crams, practice tests and so forth.
In thinking about working in the field of information security, however, it’s often reasonable to consider following one certification with another, to create a certification path that can track an IT professional’s career growth and development. For the purposes of this story, let’s break the universe of information security credentials into four categories:
- Entry-level credentials: These usually identify IT professionals with up to three years of experience who are able to implement and maintain information security, but are not necessarily able to plan or design information security policies, conduct security audits or evaluate security tools and technologies and so forth.
- Intermediate credentials: These usually identify IT professionals with three to six years of experience who can not only implement and maintain information security, but who also may be able to assist with planning and design of information security policies, conduct security audits and evaluate security tools and technologies and so on.
- Advanced general credentials: These usually identify IT professionals with seven or more years of experience who understand information security thoroughly and completely and can handle related planning, design, implementation, maintenance and other tasks as needed.
- Specialist credentials: These identify IT professionals who focus on specific areas of information security, ranging from physical security to computer forensics to particular platforms or technologies. Individuals who collect such credentials usually fall into the intermediate or higher levels of general information security. Such individuals often have 10 or more years of IT experience and six or more years of information security experience.
In the sections that follow, we’ll look at various credentials that fall into these categories. We’ll also discuss leading options in each category, as well as rationales for choosing among options available.
Although there are numerous entry-level credentials available, the most popular are the CompTIA Security+ and the SANS GIAC Security Essentials Certification (GSEC). Among vendor-specific offerings, Check Point's Security Principles credential is also good and relatively general in scope. Ordinarily, only those who work in vendor-specific information security environments benefit from obtaining vendor-specific credentials. See Table 1 for a more complete listing of entry-level information security credentials.
A single entry-level information security certification is usually enough to get people started down the information security certification path, though some people may find it useful to pick up more than one at this level (especially when vendor-specific credentials also apply to their situations).
On the job, those who hold only entry-level information security certifications are unlikely to work full-time as information security professionals. Usually, such people work full-time as systems administrators or network administrators, help-desk or technical-support professionals or somewhere in communications or networking infrastructure. For these individuals, information security is only a part of their job and daily routine (albeit an important part). It’s usually necessary to upgrade your skills and knowledge to the intermediate (and sometimes even the advanced) level to move into full-time information security job roles.
Table 1: Entry-Level Information Security Credentials
Brainbench Internet Security Certification