Security Certification: A Marketplace Overview
Nobody can argue that information security is not a hot technical topic, nor that it has failed to attract a lot of interest in the IT certification community. You need look no further for ample evidence of this than to survey the many security certifications covered in this overview—more than 30 vendor-neutral and more than 15 vendor-specific credentials in all—to get a sense that this is a crowded topical area with lots of choices for IT professionals.
If anything, this space is much like the automobile industry at the beginning of the 20th century, before the big Detroit and foreign automakers took over leadership positions in that industry. It’s full of individual players with good ideas, lots of skill and knowledge, but nobody has established an unassailable lead position either on the basis of market share, name recognition or the size of the certified populations represented.
Distinguishing Security Certifications
That’s why it’s important to understand what kinds of information security certifications are available, so you can examine those that are most germane to your needs, be they purely educational or primarily aimed at career development. In this story, I divide security certification programs by the kind of focus they take and by the degree to which they focus exclusively on information security principles, practices, policies and procedures from an information technology perspective.
When it comes to focus, I distinguish between two types:
- Vendor-Neutral: These are security certifications that focus more on concepts, policies, practices and principles as they relate to information security as it exists in the workplace in general. They do not focus on specific product, platform or technology implementations, except where there is no realistic alternative. Vendor-neutral security certifications are good because they force candidates to develop a sense of the whole field and its history and conceptual underpinnings. You’ll find a mixture of user and industry associations behind such programs, as well as training companies, consortia and other groups of like-minded IT professionals from all walks of life.
- Vendor-Specific: These are security certifications that originate from some particular vendor and usually concentrate on how to design, install, configure, maintain and troubleshoot specific solutions, platforms, tools or technologies that relate to information security. Vendors create such certifications to help manage the costs for technical support and to make sure organizations have ready access to trained, knowledgeable professionals who know how to implement and work with their solutions.
This distinction is what separates specific Check Point and Cisco security certifications (which focus on their maker’s products and systems in particular) from more general security certifications from CompTIA and SANS (which focus on information security in general, with an emphasis on basic concepts, theory, implementations and best practices). This distinction is what defines the primary difference between Table 1 and Table 2 (see below).
On the degree side of information security certifications, this distinction hinges on whether information security is the sole or primary focus for the certification, or whether it fits into some larger frame of overall reference. Following this distinction, we can distinguish the Cisco, Check Point, CompTIA (Security+) and SANS GIAC certifications, all of which concentrate more or less exclusively on information security topics, from credentials like the Certified Fraud Examiner (CFE), Certified Internal Auditor (CIA) and Certified Information Systems Auditor (CISA), all of which cover information security at some depth in their exams, but also cover topics outside the immediate purview of information security. This distinction is noted in a column that appears only in Table 1; it’s labeled “Type,” where the values that appear may be either “infosec” for programs that concentrate exclusively on information security or “other” where programs concentrate on other areas (which are identified in the description or are obvious from the program’s name, as in the foregoing examples).
Picking Security Certifications
It’s easy to describe the rationale for vendor-specific credentials, so I’ll deal with those first. If your employer (or a prospective employer) uses the products, platforms or technologies that some vendor-specific credential covers, that’s usually all you need to know to select the right program. When it comes to deciding whether or not to pursue those credentials, the presence or absence of financial support (or means, if you have to pay for it yourself) will play a big factor, as will your time, energy and interest in related subject matter.
When it comes to picking vendor-neutral security certifications, I urge a more hard-boiled approach, and then offer a way to soften it if you still want to pursue a program that fails these tests:
- Consider name recognition: How well is the program known? Does it appear in any job postings online or classified ads that you can find? Do your peers or co-workers know about this program?
- Consider size of the certified population: Most big players in the certification industry believe that a program isn’t “for real” unless it can claim 10,000 or more certified professionals among its ranks. If you can’t find numbers on the size of a program’s population, this usually means they’re smaller and don’t want you to know that.
- Consider the costs involved in obtaining the credential and the resulting benefits: How much do exams cost? How long will it take you to prepare? How long does the certification last? What’s the impact on your paycheck? How long will it take to pay back the investment of money, time and energy versus career or employability benefits? If the benefits don’t match or outweigh the costs, don’t do it!
In general, I don’t recommend pursuing a vendor-neutral security certification unless it’s one of the top three programs in its category, where each category is further broken down by credential level—beginning, intermediate or advanced.
On the other hand, if you feel compelled to pursue some credential outside the top three, you can justify this choice if you’re ready to explain why that cert was worth obtaining and what benefits it can bring to an employer. Just as early automobile enthusiasts had to explain the general benefits of cars before they could wax eloquent about their particular vehicles, so must certified security practitioners be able to explain why information security is important and to recount the knowledge, skills and other benefits their certification enables them to bring into the workplace. This is an easier sell with a top-three credential, but it is a skill that all information security professionals should cultivate!
Ed Tittel is president of LANwrights Inc. and is contributing editor for Certification Magazine. Ed can be reached at firstname.lastname@example.org.
The Tables Tell the Story
Tables 1 and 2 contain the real meat of this story. What Table 1 does for vendor-neutral programs, Table 2 does for vendor-specific ones. Please note that I identify the top three players at each level by appending numbers (1, 2 and 3) to the letter codes used to identify certification level (beginner, intermediate, advanced), but I do this for vendor-neutral certifications only. Because the rationale for selecting vendor-specific information security programs is so different, this isn’t worthwhile information in Table 2. (That said, Cisco, IBM and Check Point occupy the top three positions at all levels where their credentials fit.) Use these tables to help you explore programs of interest to you, and to identify the best-recognized vendor programs.