IT Security Certifications?
certifiedSecurely asks: "Network security seems to be a hot topic these days, but I have seen very little on Security Certifications. Searching the web has turned up several offerings: http://www.securitycertified.net/ and http://www.isc2.org/ are two examples. I was wondering if any of the readers had any insight into the various security certifications and their respective market value and dominance, future longevity, etc."
certifications in general (Score:2, Informative)
Re:certifications in general (Score:2, Informative)
The value... (Score:2)
If you're stretching to find a certification that matches for job seeking and similar, you may be better off donating some time to security assistance for non-profits or small companies. Experience speaks more loudly than an obscure certification, IMHO.
Re:The value... (Score:1)
CISSP for me... (Score:3, Informative)
The "Certified Information Systems Security Professional" ® (CISSP) designation is a recently developed international designation for people involved in information security work. It is handled by the non-profit organization called "(ISC)2", the "International Information Systems Security Certification Consortium, Inc." They administer, test, and have a trademark on CISSP®.
The first CISSP designations were conferred in 1994, and its numbers are increasing rapidly.
With certification of computer professionals becoming more important, and the incursion of the Engineering field into computer-related work areas, it's a good idea to consider getting a formal designation.
The ISSA and CIPS organizations have also been very supportive in promoting professional certification among their members. I've discovered that certification makes a difference in getting consulting contracts, and provides a higher level of trust, ethics, and expected professionalism in client relations. Recently, an increasing number of government RFPs for INFOSEC-related services have requested that consultants preferably have CISSP accreditation.
Applicants must subscribe to a formal code of ethics, and must have at least three years of direct work experience in one or more of the ten information security domains of the information systems security Common Body of Knowledge, in order to sit for the examination.
The ten domain areas are:
The exam questions are multiple choice, and are oriented towards knowledge gathered by experience. Someone who just read some text books would have a very hard time passing the exam. Exam preparation training seminars, and a study guide with sample questions are available from (ISC)2.
For more details, see (ISC)2's new WWW site at: http://www.isc2.org/ [isc2.org]
Regards,
-wjc.
CISSP & GIAC (Score:3, Insightful)
I can vouch for the CISSP certification from (isc)2 as reinforcing this view of security. The CISSP is a significant valuator for businesses, who can be confident that candidates with this certification are literate in both technology and business considerations. This certification is exactly that: a CERTIFICATION. It is not a vendor technology program. It can be likened to a CPA designation for auditors and accountants.
The GIAC [giac.org] certifications from SANS are an excellent instruction in the working mechanisms of security technology. The curricula and basis for certification by SANS are under continuous revision and are the most current in the industry.
The fact is that the CISSP is currently highly valued by employers as a valid assessment of domain awareness, best-practice assessment and professionalism. To combine this with specific GIAC tracks is a good way to identify formidable security personnel.
CISSP candidacy requires 3-5 years of work experience in one of the 10 domains identified. Additionally, (isc)2 will require a BS in an associated major, beginning in 2003. Studying for this is no piece of cake!
Some resources:
http://www.cissp.com/default.html [cissp.com]
CISSP Library of Free Study References [http]
The CISSP Open Study Guide [cccure.org]
Re:CISSP & GIAC (Score:1)
I would rate the GIAC certifications as moderately hard to acquire -- not as hard as CISSP, but definitely harder than certs like MCSE.
Re:CISSP & GIAC (Score:1)
Re:CISSP & GIAC (Score:2)
I suspect that the prerequisite was added because of this [securityfocus.com].
These certs can't be valid... (Score:1)
CISSP (Score:2)
The basic run down (Score:5, Insightful)
CISSP - Focuses on policy and practice. The most recognized out of the certifications (meaning people have heard of it. No comment on quality). Sponsored by ISC2 (www.isc2.org).
CISA - Certification for IT auditors. Accountants are probably the primary audience, but anyone can take it. Probably the second most recognized. Sponsored by ISACA (www.isaca.org/cert1.htm).
GIAC - The new kid on the block. Balances policy and technical knowledge. Third most recognized. Sponsored by SANS (www.giac.org).
SSCP - ISC2's more "technical" oriented certification. Few people have heard of this yet. Sponsored by ISC2 (www.isc2.org).
*Hard dose of truth follows*
Knowledge is only useful if a person can apply it. In cognitive theory there is the concept of "transfer". This is the ability of a person to apply knowledge gained to real world situations. Cognitive theorists would argue that without transfer you haven't really learned anything. *None* of these exams test for anything more than your ability to memorize large amounts of data. To that end, you will find many people with security certifications who have absolutely no ability to solve simple real-world, security-oriented business problems. Do not mistake certification for experience and the ability to solve problems.
*Cynical reality follows*
At this moment in time, the CISSP has the most value in the job market, and arguably in the industry. This is because it is the most recognized certification. It is also the certification that is easiest to gain through rote memorization. One of life's great catch-22s.
I won't comment as to which is the "best" as this is highly subjective. Do your homework. Figure out which one has the buzz in your specific area of knowledge/expertise and memorize on!
-Laudon
I found this book to be fairly helpful (Score:2, Informative)
The CISSP Prep Guide: Mastering the Ten Domains of Computer Security [amazon.com]
Good luck. From what I hear this book is also useful but somewhat overkill for the junior CISSP cert...
focus, value, and experience (Score:2)
There is an article in the September 2001 issue of Secure Computing Magazine [scmagazine.com]. (a "trade rag" - so it never says anything bad about a potential advertiser)
Pay Your Dues [infosecuritymag.com] by Jay Heiser in Information Security Magazine is also worth reading.
A small reader survey, May 2001 - Talkback [infosecuritymag.com].
Security Focus [securityfocus.com] offers several mailing lists [securityfocus.com] that you may wish to subscribe to, or at least read the archives of. In particular Security Certification, CISSP Study, and security-basics. One recent message [securityfocus.com] is certainly worth reading. Similar questions have also been asked on the cryptography [mail-archive.com] and firewall wizards - Nov 2001 [nfr.com] mailing lists, and I believe it has come up several times before.
A review of one IS manager's experience from the Computerworld security column [computerworld.com].
A so-so review [certcities.com] of different security certificates from CertCities.
The main point I would make is to choose a certificate that has the right focus for your career. CISSP is the best known cert, but it is aimed at IT/IS Security Managers and Consultants, not at senior technologists / engineers / "in the trenches" types. The best features of this are requiring 3 years of computer / network / audit security experience and having a broad overview of computing security (the 10 common bodies of knowledge, CBK). This makes it out of reach for many people new to info sec, and that's okay; they likely should focus on another certification anyhow. Next are the SANS/GIAC certificates, which are more focused and hands on. The best feature is that they require a "practical" part to the certification, which is doubly good because it is not just exam cramming and lets the student practice her communication skills, which is important in the security field since you should be able to work in a team and with others (non-technical others) in an organization outside your team for the common benefit of the business.
Certifications tend to be expensive to get, and don't forget most of them have requirements for maintenance such as x number of continuing education credits, re-examinations, or conference attendance. This is a mixed bag: it is good that it justifies staying up to date, but it can also be very expensive for a member working as a new contractor or for a small company that isn't pre-IPO throwing money around.
Cisco's Security Certs (Score:1)
Cisco offers the Cisco Security Specialist 1 [cisco.com] certification, and the Cisco Certified Internetwork Professional (CCIP) [cisco.com] with a Security elective [cisco.com].
Just my dos centavos.