The State of Security Certification: Overview
Nobody can argue that information security is not a hot technical topic, nor that it has failed to attract a lot of interest in the IT certification community. You need look no further for ample evidence of this than to survey the many security certifications covered in this overview—more than 50 vendor-neutral and more than 20 vendor-specific credentials in all—to get a sense that this is a crowded topical area with lots of choices in store for IT professionals in search of information security credentials.
If anything, this space is much like the automobile industry at the beginning of the 20th century, before the big Detroit and foreign automakers took over leadership positions in that industry. It’s full of individual players with good ideas, lots of skill and knowledge, but nobody has established an unassailable lead position either on the basis of market share, name recognition or the size of the certified populations represented. But there are some relatively big players—and they’re getting bigger all the time—so it’s not exactly a complete free-for-all, either.
Distinguishing Security Certifications
That’s why it’s important to understand what kinds of information security certifications are available, so you can examine those that are most germane to your needs, be they purely educational or primarily aimed at career development. In this story, I divide security certification programs up by the kind of focus they take and by the degree to which they focus exclusively on information security principles, practices, policies and procedures from an information technology perspective.
When it comes to focus, I distinguish between two types:
- Vendor-neutral: These are security certifications that focus more on concepts, policies, practices and principles as they relate to information security. They do not focus on specific product, platform or technology implementations, except where there is no realistic alternative. Vendor-neutral security certifications are good because they force candidates to develop a sense of the whole field and of its history and conceptual underpinnings. You’ll find a mixture of user and industry associations behind such programs, as well as training companies, consortia and other groups of like-minded IT professionals from all walks of life.
- Vendor-specific: These are security certifications that originate from some particular vendor and usually concentrate on how best to design for, install, configure, maintain and troubleshoot specific solutions, platforms, tools or technologies that relate to information security. Vendors create such certifications to help manage the costs for technical support and to make sure organizations have ready access to trained, knowledgeable professionals who know how to implement and work with their solutions.
This distinction is what separates specific Check Point and Cisco security certifications (which focus on their maker’s products and systems in particular) from more general security certifications from CompTIA and SANS (which focus on information security in general, with an emphasis on basic concepts, theory, implementations and best practices).
On the degree side of information security certifications, the distinction hinges on whether information security or computer forensics is the sole or primary focus of the certification, or whether it fits into some larger frame of reference. Following this distinction, we can separate the Cisco, Check Point, CompTIA (Security+) and SANS GIAC certifications, all of which concentrate more or less exclusively on security topics, from credentials like the Certified Fraud Examiner (CFE), Certified Internal Auditor (CIA) and Certified Information Systems Auditor (CISA), all of which cover information security at some depth in their exams but also cover topics outside the immediate purview of information security. Likewise, we can identify numerous credentials that focus on computer forensics, investigations and related activities, such as the Certified Forensics Examiner (CFE), the Certified Information Forensics Investigator (CIFI) or the CyberSecurity Forensic Analyst (CSFA).
Picking Security Certifications
It’s easy to describe the rationale for vendor-specific credentials, so I’ll deal with that kind first. If your employer (or a prospective employer) uses the products, platforms or technologies that some vendor-specific credential covers, that’s usually all you need to know to select the right program. When it comes to deciding whether or not to pursue those credentials, the presence or absence of financial support (or means, if you have to pay for it yourself) will play a big factor, as will your time, energy and interest in related subject matter.
When it comes to picking vendor-neutral security certifications, I urge a more hard-boiled approach, and then suggest how you can justify an exception to it:
- Consider name recognition: How well is the program known? Does it appear in any job postings online or classified ads that you can find? Do your peers or co-workers know about this program?
- Consider the size of the certified population: Most big players in the certification industry believe that a program isn’t “for real” unless it can claim 10,000 or more certified professionals among its ranks. If you can’t find numbers on the size of a program’s population, that usually means the population is smaller than that.
- Consider the costs and benefits: How much do the exams cost? How long will it take you to prepare? How long does the certification last before it must be renewed? What’s the impact on your paycheck? How long will it take to pay back the investment of money, time and energy through career or employability benefits? If the benefits don’t match or outweigh the costs, don’t do it!
In general, I don’t recommend pursuing a vendor-neutral security certification unless it’s one of the top three programs in its category (the categories also identify each credential’s level, as in beginning, intermediate or advanced). On the other hand, if you feel compelled to pursue some credential outside the top three, you can justify this choice if you’re ready to explain why that cert was worth obtaining and what benefits it can bring to an employer. Just as early automobile enthusiasts had to explain the general benefits of cars before they could wax eloquent about their particular vehicles, certified security practitioners must be able to explain why information security is important, and to recount what knowledge, skills and other benefits their certification enables them to bring into the workplace.