Evaluating Security Certifications
Over the past few years, we’ve seen both IT certifications and information security grow in importance. It’s therefore not surprising to see the emergence of information security-related certifications. Although certification certainly doesn’t guarantee competence or skill, holding the right certifications can enhance an information security professional’s career. Beyond confirming that you passed an exam, the right information security certification can lend you credibility, can demonstrate that you’re serious about the information security field and that you have experience in it, and can even attest that you subscribe to certain professional ethics and have an unmarred background. But although certification can boost your prospects in today’s competitive job market, beware—not all certifications are created equal. That being the case, how do you decide which certification is right for you?
What Information Security Hat Do You Wear?
Different certifications test different skill sets and bodies of knowledge, so although one certification might fit your career path, another might not. For example, the Certified Information Systems Auditor (CISA) certification is a good choice for IT auditors, but Certified Information Systems Security Professional (CISSP) is a better choice for information security professionals involved in designing, implementing, operating, or administering IT security. Other, more specific certifications focus on particular areas of information security, including forensics (e.g., Security Certified Network Architect—SCNA), intrusion detection (e.g., GIAC Certified Intrusion Analyst—GCIA), VPNs and firewalls (e.g., Security Certified Network Professional—SCNP), and wireless (e.g., Certified Wireless Security Professional—CWSP). Think about what kind of job you want in the future or what certification might help you advance in your current position, then find a certificate that matches your goals. Talk to colleagues and managers to learn from their experiences with and thoughts about certification. Web Table 1 (http://www.windowsitpro.com/windowssecurity, InstantDoc ID 44650) can help you become familiar with existing information security certifications. Pay attention to the objectives associated with each certification, as well as to the specific careers that the certification targets.
Keep in mind also that any company or organization can create a certification, but not every company or organization commands a high level of respect and authority in the information security field. Not much exists to stop a company from jumping on the certification bandwagon and creating a certification designed for no other reason than to reward the information security professionals who pass several of the company’s courses.
Let’s take a look at some factors to consider when selecting a certification. Certifications can be divided into two main types: vendor neutral certifications (e.g., CISSP, Systems Security Certified Practitioner—SSCP, CISA) and vendor certifications (e.g., MCSE: Security, Cisco Certified Security Professional—CCSP), which certify you to play a specific security-related job role with one or more of the sponsoring vendor’s products. Both certification types have value.
Vendor Neutral Certification
Vendor neutral certifications, which tend to command more industry respect than vendor certifications, typically require candidates to have a minimum level of work experience in the related field and to focus on a body of knowledge that relates to the certification area. The body of knowledge is non-vendor-specific and stresses best practices, proven methodologies, and concepts that transcend specific products. These certifications are valuable because they signal that certificate holders understand something of the theory and science behind various products in a given area and can bring strategic skills to bear in their work—they can do more than merely change configuration settings for a particular product. An additional benefit is that vendor neutral certifications aren’t tied to one product that might fall out of favor in the industry or in your enterprise.
An important factor to consider when researching a particular certification is the organization or company that grants the certification. Any organization that offers certification faces certain conflicts of interest. Look carefully at the motives of the organization offering the certificate. A good motive for implementing a certification process is to foster a community of qualified practitioners.
Training companies that offer proprietary certifications face a conflict of interest. Does the company grant the certificate to anyone who attends a certain combination of courses, or is there a qualifying exam? If a qualifying exam is offered, is the candidate required to pass the exam (usually with a score of 70 percent to 75 percent)? To earn certification, are candidates required to take training from the same organization that grants the certification, or do they have a choice of training options from other organizations? Are candidates who don’t take specific training free to take the training company’s certification exam without incurring a penalty?
Vendor neutral certifications from nonprofit professional associations such as International Information Systems Security Certification Consortium, or (ISC)2, and Information Systems Audit and Control Association (ISACA) have the most credibility, but exceptions exist with both for-profit and nonprofit organizations that grant certificates. Some organizations that claim to be nonprofit don’t appear to be nonprofit when you scrutinize their certification policies. Some organizations entrust the exam process to a respected testing center, whereas others administer their own certification exams. One organization, The SANS Institute, has a unique certification requirement that candidates complete a written “practical assignment” in addition to passing an exam.
Some practices compromise the legitimacy of vendor neutral certifications. For example, one certification requires several years of experience but allows candidates to substitute a few days of approved training in place of that experience. And, you guessed it, the approved training is available only from the company that offers the certification and one of its partners. Another organization’s certification requires you to spend thousands of dollars on company-approved training and take an exam but is unclear about whether passing the exam is a prerequisite for achieving certification.
Vendor Certification
It’s possible to be a technical-theory ace but lack the practical knowledge to effectively implement a specific vendor’s products. As complex, quirky, poorly documented, and fast-changing as many IT products are today, all the theory in the world can’t make you successful if you don’t know how to work with a specific OS, firewall, Intrusion Detection System (IDS), or other information security-related product. And therein lies the value of vendor certification. Even IT architects and infrastructure-level security professionals can realize value from knowing as much as possible about various products. Why? Because, in IT in general, but even more so in information security, the devil is in the details. Therefore, a vendor security certification such as MCSE: Security or CCSP can show that you thoroughly understand the security aspects of a given product.
Beyond the Exam: Additional Factors
When considering a security certification, thoroughly research the certification prerequisites. Sometimes, you must offer more than passing grades on an exam. For example, are you required to have a certain number of years of experience? With some certifications, you can substitute a specified college degree for a portion of that experience. Make sure you can meet the burden of proof for that substitution. Some certifications, such as CISSP and CISA, require signed affidavits by a candidate’s supervisors and qualified colleagues. Determine whether the certification you’re interested in requires a clean criminal record. Does the certification require specific training, and if so, how much does the training cost? Is the certification permanent, or must you periodically requalify by taking an exam? Are you required to obtain a certain number of Continuing Professional Education (CPE) credits each year to maintain certification? Be aware that some certifications require that you obtain a minimum number of CPE credits per year and an additional total requirement over a 3-year period. For example, you might face a requirement of 20 CPE credits for each of 2 years but a total of 120 CPE credits by the end of the third year. Many certifications recommend that you earn a lower-level certificate before obtaining a higher-level certification (e.g., obtaining a Security+ before earning an SCNP), but a few high-level certifications actually require that you hold another specific high-level certification.
Desirable Certifications
The traditional gold standard among information security professionals is the CISSP from (ISC)2. The CISSP is vendor neutral and targets 10 areas within the security common body of knowledge (CBK), ranging from cryptography to law, investigation, and ethics. The certification exam has 250 multiple-choice questions, and candidates have as many as 6 hours to complete it. Plenty of study aids exist online and for sale as book and CD-ROM combinations, and (ISC)2 and many training companies offer CISSP exam preparation classes. If you join the Information Systems Security Association (ISSA), an organization closely related to (ISC)2, you can participate in yearly study groups led by a CISSP. The CISSP requires 4 years of direct full-time security professional work experience in one or more of the exam’s test domains.
The CISSP covers a broad subject area, and some of its domains are areas that a more technical IT security pro might never touch. Or, perhaps you haven’t worked for 4 years as a full-time security professional. In those cases, an alternative to the CISSP is (ISC)2’s SSCP, which targets more hands-on, practical areas of information security. The SSCP exam contains half the number of questions that the CISSP exam does and requires only 1 year of cumulative work experience in one or more of seven test domains. However, don’t assume that the SSCP is just a subset of the CISSP. The SSCP goes into more detail in certain areas than the CISSP does. The SSCP is a good place to start if you already have some experience and a good understanding of information security at the technical level, and you don’t want to spend a lot of time preparing for the CISSP exam’s 10 domains.
A security certification that’s well suited for IT professionals who are fairly new to the information security field is the Security+ certification from the nonprofit Computing Technology Industry Association (CompTIA). The Security+ targets individuals with at least 2 years of on-the-job networking experience. Although such experience is recommended, CompTIA doesn’t require it for certification. The Security+ exam is timed for a total of 90 minutes, contains 100 questions, and covers five networking security objectives. The certification is a respected, solid first-step certification for a career in information security.
If you want a certification that focuses on network security, check out Security Certified Program’s (SCP’s) Security Certified Network Professional (SCNP) and Security Certified Network Architect (SCNA) certifications. Each certification requires you to pass two exams. Although SCP is a for-profit organization, it doesn’t require candidates to take training for its certification exams, nor does it charge candidates who forgo training extra to take the exams. The SCNP covers subject areas such as router ACLs, TCP/IP packet structure, signature analysis, VPNs, IDSs, and firewalls. The SCNP certification requires the Security+ or equivalent experience as a prerequisite. The SCNA requires SCNP certification as a prerequisite and covers enterprise security subjects, including law, forensics, biometrics, PKI, and cryptography.
Considering wireless networking’s meteoric rise in popularity and the challenges involved in securing it, you might be interested in the CWSP certification from Planet3 Wireless. Although it’s a for-profit training company, Planet3 Wireless has done a good job with the CWSP of crafting a certification that represents an important area of expertise. The CWSP requires that you hold Planet3 Wireless’s Certified Wireless Network Administrator (CWNA) certification. However, although Planet3 Wireless offers training for the CWSP and CWNA that amounts to approximately $2500, the company doesn’t require candidates to take the training before sitting for the exams, and both exams together cost a total of $350 whether you take the training or not. Each certification exam contains 60 questions and allows 60 minutes to take the exam. Each certification is valid for 3 years and targets wireless LAN (WLAN) intrusion, security policy, and solutions.
Go for It
If you’re serious about becoming certified, measure the costs and set a realistic goal. As a holder of certifications, I can state without hesitation that experience will help you prepare for any certification exam and greatly reduces the investment you must make in study time and training expenses. Make sure you know how much the certification might cost after you account for training, self-study materials, practice exam tools, exam fees, and any traveling to training sessions or to take the exam. When you select a certificate, plan ahead. At minimum, you’ll need enough time to prepare for the exam. And bear in mind that some certification exams are held only once a year. Before you start studying, take a practice exam to identify the objectives or subject areas that need most of your attention. (Some exams weight various subject areas differently in your overall score. If you need to brush up on two areas, but one counts for 30 percent of the overall score and the other counts for only 15 percent, you know where to spend more of your study time.) Whatever certification you settle on, you can’t help but be enriched by the experience of setting and achieving a worthwhile goal. Good luck!