Security Certification: Beyond the Acronyms
The disparity between the supply and demand of skilled IT security workers is among the largest for all tech skills right now. Skilled security professionals with solid experience and security certification have it especially good these days. It is not hard to notice the proliferation of acronyms behind so many security professionals’ names, each indicating a specific industry certification. In recent years, there has been a sharp increase in the number and variety of certifications offered in the Internet security industry.
Reasons for getting technical certifications vary. Many of the security professionals who are obtaining various security certifications are doing so primarily to increase their marketability. Certifications can translate into higher pay and better job security. Other common benefits include more respect from co-workers, higher confidence on the job and the ability to be more productive with the knowledge gained through the certification process. Some security certifications require prior work experience; others do not. Even veterans of the information security industry have found that certification is necessary to prove that their understanding of the technologies involved is up-to-date. It is also necessary to prevent them from falling behind peers who may have less experience, but who also have more certifications behind their names.
Proponents of obtaining security certification, no matter how much on-the-job experience one has, say this: The world of information security is never stagnant. As a result, security professionals’ learning curve should not be stagnant either. To that end, most security certifications require renewal after a certain number of years, usually less than five.
The Big Three
With so many certifications available, how does one know which are truly worthwhile? Below are details about the three most widely recognized certifications in the industry:
- Certified Information Systems Security Professional (CISSP)
This is an internationally accredited certification that attests to the holder’s detailed knowledge of the 10 domains in the Common Body of Knowledge (CBK), as designated by the (ISC)2. They are:
- Access control systems and methodology
- Application and systems development security
- Business continuity and disaster recovery planning
- Investigations and ethics
- Operations security
- Physical security
- Security architecture
- Telecommunications and network security
To receive CISSP certification, one must pass the test administered by the (ISC)2 and have a minimum of four years of work experience in one or more of the CBK domains. (In 2004, that minimum requirement will extend to five years.) CISSP certification is based on a broad range of knowledge, making it an appropriate certification for security managers.
- Certified Information Systems Auditor (CISA)
Backed by the Information Systems Audit and Control Association (ISACA), CISA certification has been around since 1978 and is another globally recognized symbol of achievement, with a focus on a different area of security from CISSP. CISA applicants must have a minimum of five years of professional information systems auditing, control or security work experience under their belts before they can take the CISA exam, and they must follow up with continuing education courses each year. A CISA’s special areas of knowledge include IT compliance and auditing.
- SANS Global Information Assurance Certifications (GIAC)
Often, security workers involved with day-to-day security operations will have GIAC certification. GIAC is the only certification that requires candidates to submit a practical assignment in order to demonstrate their real-world, hands-on mastery of security skills. In addition, GIAC certifications must be renewed every two to four years so that holders are always up-to-date on the latest threats, technology and security best practices.
Most major vendors offer their own certification programs that cover a specific proprietary product or application. You may want to pursue a vendor-neutral certification program first. This way, you can gain an overall understanding of the technology itself before learning the ins and outs of a specific vendor’s product. Obtaining only vendor-specific certifications can limit your options when moving to another employer, especially if that employer doesn’t use the vendor you’re certified with.
Nothing Like the Real Thing
As with most aspects of the Internet world, there is no governing body for the Internet security industry to determine which security certifications are the best. Balancing the value of experience against the value of certification is difficult. In the end, certifications can’t make up for what is gained through real experience, but the growing demand for and cachet of security certifications might leave those who lack them in the proverbial dust.
At last check, the number of vendor-neutral security certifications totaled 33, and that number isn’t going to decrease any time soon. Obtaining security certifications is an investment of time and money. Future and current security professionals should learn more about the concentrations of the various certifications so they can find the one that will be most beneficial in their career. Experience still counts, but you might find that security certification counts more.
Kathleen Coe is director of education for Symantec and has more than 25 years of experience working with organizations to develop technology training and certification programs. Her current focus and interests are specific to helping information security professionals meet the learning and competency requirements of Symantec customers.