Certifiably Secure: Microsoft Security Specializations
For just over a year now, Microsoft has offered security specializations for its MCSA and MCSE credentials on Windows 2000 and on Windows Server 2003. Basically, the specialization moniker indicates that candidates take security-focused core exams wherever and whenever they apply, and that they take only security-focused elective exams.
This specialization actually requires candidates to take and pass one more exam than is required for the “plain vanilla” version of the related credential (five exams instead of four for MCSA; seven exams instead of six for MCSE on Windows 2000; and eight exams instead of seven for MCSE on Windows Server 2003). Though Microsoft has yet to define upgrade paths from Windows 2000 to Windows Server 2003 MCSAs and MCSEs who specialize in security, it will probably mean replacing specific required electives for one version with those for the other, in addition to taking relevant upgrade core exams (#70-292 for MCSAs, #70-292 and #70-296 for MCSEs).
In mid-July 2004, Microsoft published updates to its certification numbers that included recent counts for MCSAs and MCSEs holding security specializations. Though these counts don’t distinguish those who specialized in Windows 2000 from those who specialized in Windows Server 2003, the MCSE count at 3,100 is higher than the MCSA count at around 2,550. Since more people typically earn the MCSA than the MCSE nowadays, this may seem upside-down as a ratio, until you stop to think that taking five exams instead of four is 20 percent more work and expense than adding a single exam to six (Windows 2000, about 14 percent) or seven (Windows Server 2003, about 12 percent) for the MCSE.
Overall ratios are pretty interesting, too: In roughly the same time frame, more than 18,000 individuals have earned MCSA on Windows Server 2003, but only about 2,550 have obtained security specialization in either track. Likewise, more than 10,000 have earned MCSE on Windows Server 2003, with 3,100 obtaining security specialization in either track. Given how popular and important security topics are in the Microsoft world, I’m surprised that the ratio is this low. I suspect it means that security-savvy IT professionals are turning to other sources of security certification—most notably, SANS GIAC and (ISC)2 CISSP, both of which experienced much more impressive growth rates in the same period—instead of looking to Microsoft to cover security topics, tools and technologies as well as Windows servers, platforms, tools and technologies. It will be interesting to watch this trend over the next year, to see if Microsoft’s noticeable change in security strategy and focus can incline more people to turn to them for security training and certification as well.