Security

IT Security Certifications? 17

certifiedSecurely asks: "Network security seems to be a hot topic these days, but I have seen very little on Security Certifications. Searching the web has turned up several offerings: http://www.securitycertified.net/ and http://www.isc2.org/ are two examples. I was wondering if any of the readers had any insight into the various security certifications and their respective market value and dominance, future longevity, etc."
  • I think your experience and what you have on your resume is what matters most, but if you're looking for something to get you in the door as an entry level network-security guy - you might want to check out one of the various cisco certifications [cisco.com]. Might not be specifically catered to security, but as most will tell you - setting the network up properly is the first step in securing the beast. Plus, cisco certs still hold up fairly well with managerial types and big companies.
    • I remember reading about the five day CCNA+S (cisco certified network associate + security?) course SANS provides at their security conference. This seems like the logical place to start, not to mention the networking potential of a SANS event.
  • The value of a certification is pretty much proportionate to its popularity. If you've never heard of a certification before, that may clue you in on the value an interviewer is going to assign to it.

    If you're stretching to find a certification that matches for job seeking and similar, you may be better off donating some time to security assistance for non-profits or small companies. Experience speaks more loudly than an obscure certification, IMHO.

    • Not necessarily. Different people in different fields know different things. I may not know what the different certs are for auto mechanics, but the auto mechanics would be hard pressed to list any computer-field certs too.
  • CISSP for me... (Score:3, Informative)

    by Ocelot Wreak ( 203602 ) <ocelotwreak@me. c o m> on Tuesday January 08, 2002 @06:28PM (#2806528) Homepage
    Hi, I have a CISSP designation, and have found it to be VERY useful, both professionally and as a practical job door opener for consulting gigs. It covers a wide base of security knowledge, and also requires some dedication to "real" security work for a few years first, rather than just passing a test based on some memory work.

    The "Certified Information Systems Security Professional" ® (CISSP) designation is a recently developed international designation for people involved in information security work. It is handled by the non-profit organization called "(ISC)2", the "International Information Systems Security Certification Consortium, Inc." They administer, test, and have a trademark on CISSP®.

    The first CISSP designations were conferred in 1994, and its numbers are increasing rapidly.

    With certification of computer professionals becoming more important, and the incursion of the Engineering field into computer-related work areas, it's a good idea to consider getting a formal designation.

    The ISSA and CIPS organizations have also been very supportive in promoting professional certification among their members. I've discovered that certification makes a difference in getting consulting contracts, and provides a higher level of trust, ethics, and expected professionalism in client relations. Recently, an increasing number of government RFPs for INFOSEC-related services have requested that consultants preferably have CISSP accreditation.

    Applicants must subscribe to a formal code of ethics, and must have at least three years of direct work experience in one or more of the ten information security domains of the information systems security Common Body of Knowledge, in order to sit for the examination.

    The ten domain areas are:

    • Access Control;
    • Communications Security;
    • Risk Management & Business Continuity Planning;
    • Policy, Standards, and Organization;
    • Computer Architecture & Systems Security;
    • Law, Investigation, & Ethics;
    • Application Program Security;
    • Cryptography;
    • Computer Operations Security; and
    • Physical Security.

    The exam questions are multiple choice, and are oriented towards knowledge gathered by experience. Someone who just read some text books would have a very hard time passing the exam. Exam preparation training seminars, and a study guide with sample questions are available from (ISC)2.

    For more details, see (ISC)2's new WWW site at: http://www.isc2.org/ [isc2.org]

    Regards,
    -wjc.

  • CISSP & GIAC (Score:3, Insightful)

    by Jeremiah Cornelius ( 137 ) on Tuesday January 08, 2002 @06:56PM (#2806699) Homepage Journal
    To paraphrase Bruce Schneier [counterpane.com]: Security is a set of processes and a means of approach for systems.

    I can vouch for the CISSP certification from (isc)2 as reinforcing this view of security. The CISSP is a significant valuator for businesses, who can be confident that candidates with this certification are literate in both technology and business considerations. This certification is exactly that: a CERTIFICATION. It is not a vendor technology program. It can be likened to a CPA designation for auditors and accountants.

    The GIAC [giac.org] certifications from SANS are an excellent instruction in the working mechanisms of security technology. The curricula and basis for certification by SANS are under continuous revision and are the most current in the industry.

    The fact is that the CISSP is currently highly valued by employers as a valid assessment of domain awareness, best-practice assessment and professionalism. To combine this with specific GIAC tracks is a good way to identify formidable security personnel.

    CISSP candidacy requires 3-5 years of work experience in one of the 10 domains identified. Additionally, (isc)2 will require a BS in an associated major, beginning in 2003. Studying for this is no piece of cake!
    Some resources:

    http://www.cissp.com/default.html [cissp.com]
    CISSP Library of Free Study References [http]
    The CISSP Open Study Guide [cccure.org]

    • I just wanted to second the recommendation for GIAC. I've learned a lot from SANS/GIAC, and as the number of GIAC certified professionals grow, I believe it will be a valuable certification to have.

      I would rate the GIAC certifications as moderately hard to acquire -- not as hard as CISSP, but definitely harder than certs like MCSE.

    • I didn't know about the CISSP BS clause. I sit for the CISSP in a couple months; think there'll be a grandfather clause for those of us without such a degree?
  • I couldn't find any braindumps on them.
  • The CISSP seems to be reasonably well-recognized in the North American IT security community, but personally I think most certifications are primarily money-making ventures for the certification organizations.
  • The basic run down (Score:5, Insightful)

    by eldub1999 ( 515146 ) <`moc.xobop' `ta' `budle'> on Tuesday January 08, 2002 @09:44PM (#2807379)
    There are basically four security certifications that merit mention when someone asks about it.

    CISSP - Focuses on policy and practice. The most recognized out of the certifications (meaning people have heard of it. No comment on quality). Sponsored by ISC2 (www.isc2.org).

    CISA - Certification for IT auditors. Accountants are probably the primary audience, but anyone can take it. Probably the second most recognized. Sponsored by ISACA (www.isaca.org/cert1.htm).

    GIAC - The new kid on the block. Balances policy and technical knowledge. Third most recognized. Sponsored by SANS (www.giac.org).

    SSCP - ISC2's more "technical" oriented certification. Few people have heard of this yet. Sponsored by ISC2 (www.isc2.org).

    *Hard dose of truth follows*
    Knowledge is only useful if a person can apply it. In cognitive theory there is the concept of "transfer". This is the ability of a person to apply knowledge gained to real world situations. Cognitive theorists would argue that without transfer you haven't really learned anything. *None* of these exams test for anything more than your ability to memorize large amounts of data. To that end, you will find many people with security certifications who have absolutely no ability to solve simple real-world, security-oriented business problems. Do not mistake certification for experience and the ability to solve problems.

    *Cynical reality follows*
    At this moment in time, the CISSP has the most value in the job market, and arguably in the industry. This is because it is the most recognized certification. It is also the certification that is easiest to gain through rote memorization. One of life's great catch-22s.

    I won't comment as to which is the "best" as this is highly subjective. Do your homework. Figure out which one has the buzz in your specific area of knowledge/expertise and memorize on!

    -Laudon
  • I got started but never finished it. I found this book to be pretty helpful:
    The CISSP Prep Guide: Mastering the Ten Domains of Computer Security [amazon.com]
    Good luck. From what I hear this book is also useful but somewhat overkill for the junior CISSP cert...
  • I have never heard of the SCP before, and a quick look at it didn't impress me.

    There is an article in the September 2001 issue of Secure Computing Magazine [scmagazine.com]. (a "trade rag" - so it never says anything bad about a potential advertiser)

    Pay Your Dues [infosecuritymag.com] by Jay Heiser in Information Security Magazine is also worth reading.

    A small reader survey, May 2001 - Talkback [infosecuritymag.com].

    Security Focus [securityfocus.com] offers several mailing lists [securityfocus.com] that you may wish to subscribe to, or at least read the archives about. In particular Security Certification, CISSP Study, and security-basics. One recent message [securityfocus.com] is certainly worth reading. Similar questions have been also asked in cryptography [mail-archive.com] and firewall wizards - Nov 2001 [nfr.com] mailing lists, and I believe has come up several times before.

    A review of one IS manager's experience from Computerworld security column [computerworld.com].

    A so-so review [certcities.com] of different security certificates from CertCities.

    The main point I would make is to choose a certificate that has the right focus for your career. CISSP is the best known cert, but it is aimed at IT/IS Security Managers and Consultants, not at senior technologists / engineers / "in the trenches" types. The best features of this are requiring 3 years of computer / network / audit security experience and having a broad overview of computing security (the 10 common bodies of knowledge, CBK). This makes it out of reach for many people new to info sec, and that's okay; they likely should focus on another certification anyhow. Next are the SANS/GIAC certificates, which are more focused and hands on. The best feature is that they require a "practical" part to the certification, which is doubly good because it is not just exam cramming and lets the student practice her communication skills, which is important in the security field since you should be able to work in a team and with others (non-technical others) in an organization outside your team for the common benefit of the business.

    Certifications tend to be expensive to get, and don't forget most of them have requirements for maintenance such as x number of continuing education credits, re-examinations, or conference attendance. This is a mixed bag: it is good that it justifies staying up to date, but it can also be very expensive for a member working as a new contractor or for a small company that isn't pre-IPO throwing money around.

  • Being the Cisco bigot that I am, I would go with the Cisco route (no pun intended).

    Cisco offers the Cisco Security Specialist 1 [cisco.com] certification, and the Cisco Certified Internetwork Professional (CCIP) [cisco.com] with a Security elective [cisco.com].

    Just my dos centavos.
