Ron Baklarz is a big fan of security certification. In fact, Baklarz, chief information security officer (CISO) of the American Red Cross in Falls Church, Va., has his staff studying for the same two security certifications that he holds, the Certified Information Systems Security Professional (CISSP) certification and GIAC Security Essentials Certification (GSEC). "It's very important these days," he says. "It's a differentiator — it gives some indication that a person has some sort of knowledge and cares enough to go out and get the certification."
Interest in security certifications has soared in the past year or so, and employers increasingly look for that telltale string of letters on candidates' resumes when they hire. Companies scan resumes for certifications and screen accordingly, says David Foote, president of Foote Partners LLC, a research company based in New Canaan, Conn. "Certifications have become a way to get interviewed and can eliminate you from consideration if you don't have them," he says.
IS has always been a certification-mad kingdom, and the fiefdom of security is no exception.
In fact, security certifications and certifying bodies are growing at such a rate that Deb Peinert, vice president of education at the International Systems Security Association (ISSA), expresses concern that chaos could result. "Proliferation of certifications could dilute their value," she says. "It could be difficult to figure out which
When you're faced with a bewildering array of security certifications in a slow economy, it's sensible to identify the courses that will deliver the most value for the money. The following tips can help you find — and fund — a security certification that will deliver the goods.
Choose between vendor-specific and vendor-neutral certifications
Analyze your job situation before selecting a course, as your professional experience and goals will drive your choice of training. For example, somebody working in a Cisco-heavy shop might do well to choose a certificate course on Cisco firewalls, as it offers thorough training in that vendor's technology, says Marc Thompson, vice president of International Information Systems Security Certifications Consortium Inc. (ISC)2, the organization that manages CISSP certification.
But a job hunter who wants to spruce up his resume might opt for a more general firewall course that would appeal to a wider array of prospective employers. "If I wanted to work on firewalls and didn't have a target company, I'd be more likely to take a general course from somebody like SANS," says Thompson.
Study on the cheap
If you're paying for the certification yourself -- 35% of prospective test-takers surveyed by Foote say they are self-funding their studies -- there are less expensive ways to study than through a formal training course. For example, the ISSA sponsors peer-led study groups through its local chapters, says Peinert. The courses typically meet once a week for eight to 10 weeks, and the cost is minimal. (You can find your local chapter at www.ISSA.org.)
Analyze your current skill level
Security certifications require varying levels of technical expertise, practical experience and managerial skill, so it's important to take a class that fits your professional station. Most analysts divide certifications into several categories:
- Entry-level technical track
For people looking to get their feet wet, Thompson recommends the Computing Technology Industry Association (CompTIA), which offers a new entry-level security certificate called Security+. "It's the best initial course for deciding [whether] to get into the security field," he says. "When employers see this on an entry-level resume, it [will say] that this person is serious." The exam, which will be available in December, will cost between $100 and $200. The certificate does not need to be renewed.
- Advanced technical track
"Heavy-duty technical folks gravitate toward certifications from the SANS Institute," says Roberta J. Witty, a research director at Gartner Inc. in Stamford, Conn. The classic is Global Information Assurance Certification (GIAC), a collection of technical certifications from Bethesda, Md.-based SANS. Students can take programs on a wide range of topics, such as security essentials, intrusion detection, incident handling and operating system security. SANS offers both online and classroom courses, which vary in cost according to subject matter and length. The course cost is generally in the $1,000 to $2,000 range. Certification exams are included in the courses. Exams alone cost $425.
- Managerial track
At the top of the heap is the CISSP certificate from (ISC)2, which is based in Framingham, Mass. The CISSP is recommended for security professionals with five to six years of experience. "It's more of a higher level of information security," says Witty. "It covers things such as risk assessment, physical security, training, policy development. I've taken the exam, and it's not a piece of cake." The exam includes 250 questions and can take as long as six hours to complete. It costs $450. This certification lasts three years.
Security certifications are hot today, and are likely to remain so as long as companies make information security a priority. By taking the time to secure a certification that matches employers' technical priorities, security professionals will gain a sought-after skill. And in this economy, that's nothing to sneeze at.
This was first published in November 2002